Sorry, clicked post just accidently, and sorry for the unclear description.
The intention is not to have several copies of the client.
If I understand the way the operator works correctly, if you run it in multi-tenant mode, if it finds a keycloakclient CR in a namespace it will create that client with the keycloak API and will in return create an OCP secret and that same namespace.
The workflow we had in mind is the exact same one. Just with the addition to push the client secret also into a vault. If then a customer needs that secret in several namespaces they can synchronize them from the vault directly.
For example one customer creates a CR in namespaceA, the keycloak operator creates the secret in namespaceA and the customer's application can use it there. If the same customer wants to run another instance of their application in namespaceB they don't need to create another client CR there, instead they can sync the client secret (from the vault) into namespaceB and use the same client_id, client_secret combination in both namespaces.
If you think it is too involved for the keycloak operator, I fully understand.
Thanks again and best regards.