ci: deploy job to inherit secrets

Co-authored-by: Timo Behrendt <t.behrendt@t00n.de>
Co-committed-by: Timo Behrendt <t.behrendt@t00n.de>

.dockerignore

@@ -1,6 +1,7 @@
 *
 
 !pkg
+!internal
 !controller.go
 !main.go
 !go.mod

.gitea/workflows/cd.yaml

@@ -10,48 +10,15 @@ on:
       - "**/*.go"
       - "Dockerfile"
       - "Makefile"
+  pull_request:
+    branches:
+      - main
   workflow_dispatch:
 
 env:
   DOCKER_REGISTRY: gitea.t000-n.de
 
 jobs:
-  build_and_push:
-    name: Build and push
-    strategy:
-      matrix:
-        arch: [amd64]
-    runs-on:
-      - ubuntu-latest
-      - linux_${{ matrix.arch }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
-      - name: Login to Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
-        with:
-          registry: ${{ env.DOCKER_REGISTRY }}
-          username: ${{ secrets.REGISTRY_USER }}
-          password: ${{ secrets.REGISTRY_PASSWORD }}
-      - name: Get Metadata
-        id: meta
-        run: |
-          echo REPO_NAME=$(echo ${GITHUB_REPOSITORY} | awk -F"/" '{print $2}' | tr '[:upper:]' '[:lower:]') >> $GITHUB_OUTPUT
-          echo REPO_VERSION=$(git describe --tags --always | sed 's/^v//') >> $GITHUB_OUTPUT
-      - name: Build and push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
-        with:
-          context: .
-          file: ./Dockerfile
-          platforms: linux/${{ matrix.arch }}
-          push: true
-          provenance: false
-          build-args: GOARCH=${{ matrix.arch }}
-          tags: |
-            ${{ env.DOCKER_REGISTRY }}/t.behrendt/${{ steps.meta.outputs.REPO_NAME }}:${{ steps.meta.outputs.REPO_VERSION }}-${{ matrix.arch }}
-
   create_tag:
     name: Create tag
     runs-on: ubuntu-latest
@@ -73,32 +40,21 @@ jobs:
         run: |
           echo "tag=${{ steps.tag.outputs.new-tag }}" >> $GITHUB_OUTPUT
 
-  create_manifest:
+  build_and_push_image:
-    name: Create manifest
+    needs: create_tag
-    needs:
+    uses: https://gitea.t000-n.de/t.behrendt/gitea-workflows/.gitea/workflows/build-container.yaml@0.1.1
-      - build_and_push
+    with:
-      - create_tag
+      registry: gitea.t000-n.de/t.behrendt
-    runs-on: ubuntu-latest
+      registry-user: ${{ secrets.REGISTRY_USER }}
-    steps:
+      registry-password: ${{ secrets.REGISTRY_PASSWORD }}
-      - name: Checkout
+      repo-name: authentik-kubernetes-operator
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      tag: ${{ needs.create_tag.outputs.tag }}
 
-      - name: Get Metadata
+  deploy:
-        id: meta
+    needs: build_and_push_image
-        run: |
+    uses: https://gitea.t000-n.de/t.behrendt/k_deploy_workflows/.gitea/workflows/deploy.yaml@1.1.0
-          echo REPO_NAME=$(echo ${GITHUB_REPOSITORY} | awk -F"/" '{print $2}' | tr '[:upper:]' '[:lower:]') >> $GITHUB_OUTPUT
+    with:
-          echo REPO_VERSION=$(git describe --tags --always | sed 's/^v//') >> $GITHUB_OUTPUT
+      k8s_dir: ./k8s
-
+      skip_helm_deployment: true
-      - name: Login to Registry
+      skip_shared_secrets_deployment: true
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+    secrets: inherit
-        with:
-          registry: ${{ env.DOCKER_REGISTRY }}
-          username: ${{ secrets.REGISTRY_USER }}
-          password: ${{ secrets.REGISTRY_PASSWORD }}
-
-      - name: Create manifest
-        run: |
-          docker manifest create ${{ env.DOCKER_REGISTRY }}/t.behrendt/${{ steps.meta.outputs.REPO_NAME }}:${{ needs.create_tag.outputs.tag }} \
-            ${{ env.DOCKER_REGISTRY }}/t.behrendt/${{ steps.meta.outputs.REPO_NAME }}:${{ steps.meta.outputs.REPO_VERSION }}-amd64
-
-          docker manifest push ${{ env.DOCKER_REGISTRY }}/t.behrendt/${{ steps.meta.outputs.REPO_NAME }}:${{ needs.create_tag.outputs.tag }}

Dockerfile

@@ -9,6 +9,6 @@ COPY . .
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=${GOARCH} \
     go build -trimpath -ldflags="-s -w" -o main .
 
-FROM gcr.io/distroless/static-debian12@sha256:20bc6c0bc4d625a22a8fde3e55f6515709b32055ef8fb9cfbddaa06d1760f838
+FROM gcr.io/distroless/static-debian12@sha256:9c346e4be81b5ca7ff31a0d89eaeade58b0f95cfd3baed1f36083ddb47ca3160
 COPY --from=build /app/main /
 CMD ["/main"]

Makefile

@@ -20,7 +20,7 @@ codegen:
 test: test-unit test-coverage
 
 test-unit:
-	go test . -coverprofile=coverage.out
+	go test ./... -coverprofile=coverage.out
 
 test-coverage:
 	go tool gcov2lcov -infile coverage.out > lcov.info

README.md

@@ -11,6 +11,8 @@ Manual changes to the resources in Authentik will be overwritten by the operator
 | Custom Resource | CRD File                                                   | Short Name |
 | --------------- | ---------------------------------------------------------- | ---------- |
 | ProxyProvider   | [`proxyProvider.yaml`](`artifacts/crd/proxyProvider.yaml`) | pp         |
+| Application     | [`application.yaml`](`artifacts/crd/application.yaml`)     | app        |
+| PolicyBinding   | [`policyBinding.yaml`](`artifacts/crd/policyBinding.yaml`) | pb         |
 
 ### ProxyProvider
 
@@ -32,9 +34,49 @@ spec:
   invalidation_flow: 7acac1ef-19e3-4a6f-8d8d-14ca7031d184
   # The external host of your application.
   external_host: https://example.t00n.de
+  # The ID of the outpost, which at current point in time can only be retrieved from Authentik directly. In this example: "Proxy-Forward-Auth-Auto"
+  outpost: e004ffe7-4af6-4ac1-9e9d-522354799e1f
 ```
 
-The ProxyProvider will be created in Authentik, but will not be assigned to an outpost or an application (Resources are TBD).
+The ProxyProvider will be created in Authentik and assigned to the configured outpost.
+
+### Application
+
+The Application only supports a reduced set of fields.
+
+Example [`application.yaml`](`artifacts/examples/application.yaml`):
+
+```yaml
+apiVersion: application.t000-n.de/v1alpha1
+kind: Application
+metadata:
+  name: application-example
+spec:
+  name: Application Example
+  slug: application-example
+  # The ID of the provider, which can be retrieved from e.g. the ProxyPRovider via "kubectl get pp proxy-provider-example -o jsonpath='{.status.pk}'"
+  provider: 105
+```
+
+### PolicyBinding
+
+The PolicyBinding is used to bind a policy to a target, e.g. allow a group or user to access an application.
+The PolicyBinding only supports a reduced set of fields.
+
+Example [`policyBinding.yaml`](`artifacts/examples/policyBinding.yaml`):
+
+```yaml
+apiVersion: policybinding.t000-n.de/v1alpha1
+kind: PolicyBinding
+metadata:
+  name: policy-binding-example
+spec:
+  group: 14ab813f-a7f9-481b-9b08-781953ae9ebf
+  # The ID of the target, e.g. an Application, which can be retrieved from e.g. the Application via "kubectl get app application-example -o jsonpath='{.status.pk}'"
+  target: 8dd85627-9c48-49c2-8afc-d73dd122ffc2
+  # The order in which the policy is applied. This needs to be unique for each PolicyBinding.
+  order: 1
+```
 
 ## Versioning
 

artifacts/crd/proxyProvider.yaml

@@ -16,6 +16,9 @@ spec:
         - name: PK
           type: string
           jsonPath: .status.pk
+        - name: Outpost
+          type: string
+          jsonPath: .spec.outpost
       schema:
         openAPIV3Schema:
           type: object
@@ -31,11 +34,15 @@ spec:
                   type: string
                 external_host:
                   type: string
+                outpost:
+                  type: string
+                  format: uuid
               required:
                 - name
                 - authorization_flow
                 - invalidation_flow
                 - external_host
+                - outpost
             status:
               type: object
               properties:

artifacts/examples/application.yaml

@@ -0,0 +1,8 @@
+apiVersion: application.t000-n.de/v1alpha1
+kind: Application
+metadata:
+  name: application-example
+spec:
+  name: Application Example
+  slug: application-example
+  provider: 105

artifacts/examples/policyBinding.yaml

@@ -0,0 +1,8 @@
+apiVersion: policybinding.t000-n.de/v1alpha1
+kind: PolicyBinding
+metadata:
+  name: policy-binding-example
+spec:
+  group: 14ab813f-a7f9-481b-9b08-781953ae9ebf
+  target: 8dd85627-9c48-49c2-8afc-d73dd122ffc2
+  order: 1

artifacts/examples/proxyProvider.yaml

@@ -9,3 +9,4 @@ spec:
   authorization_flow: 16896c6d-b326-42d1-8d3f-93f32921962e
   invalidation_flow: 7acac1ef-19e3-4a6f-8d8d-14ca7031d184
   external_host: https://example.t00n.de
+  outpost: ce8f74c0-88cd-47fe-96f5-d6507b739ceb

go.mod

@@ -7,9 +7,9 @@ godebug default=go1.26
 require (
 	goauthentik.io/api/v3 v3.2026020.16
 	golang.org/x/time v0.15.0
-	k8s.io/api v0.0.0-20260509204538-0dfb117cc6ec
+	k8s.io/api v0.36.0
-	k8s.io/apimachinery v0.0.0-20260513183604-f9371b815e42
+	k8s.io/apimachinery v0.36.0
-	k8s.io/client-go v0.0.0-20260509205101-ca52b81a2940
+	k8s.io/client-go v0.36.0
 	k8s.io/klog/v2 v2.140.0
 	k8s.io/kube-openapi v0.0.0-20260511211612-da4e56fe5676
 	sigs.k8s.io/structured-merge-diff/v6 v6.4.0

go.sum

@@ -121,10 +121,16 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/api v0.0.0-20260509204538-0dfb117cc6ec h1:xf12Yh3ltN4fnNyP0CyyM0TwNVnZDfLJjV3+bf9fPFY=
 k8s.io/api v0.0.0-20260509204538-0dfb117cc6ec/go.mod h1:C+fcNlNQ9TcKHspN+DD7UybdfnjDAGyBjfCd6W7ogbY=
+k8s.io/api v0.36.0 h1:SgqDhZzHdOtMk40xVSvCXkP9ME0H05hPM3p9AB1kL80=
+k8s.io/api v0.36.0/go.mod h1:m1LVrGPNYax5NBHdO+QuAedXyuzTt4RryI/qnmNvs34=
 k8s.io/apimachinery v0.0.0-20260513183604-f9371b815e42 h1:rWdGOTor3z0WSyZcRl9ms4dn9Cw9CqmNBqXuf2z0k1k=
 k8s.io/apimachinery v0.0.0-20260513183604-f9371b815e42/go.mod h1:hiubQ6UTHIdr0bS8ExXOJEywFVOoudnldm/l/NiNVlA=
+k8s.io/apimachinery v0.36.0 h1:jZyPzhd5Z+3h9vJLt0z9XdzW9VzNzWAUw+P1xZ9PXtQ=
+k8s.io/apimachinery v0.36.0/go.mod h1:FklypaRJt6n5wUIwWXIP6GJlIpUizTgfo1T/As+Tyxc=
 k8s.io/client-go v0.0.0-20260509205101-ca52b81a2940 h1:n5t5Jx3VpLdiAGxIvIHsZDmsExtZVwghUPLM3wFi6Go=
 k8s.io/client-go v0.0.0-20260509205101-ca52b81a2940/go.mod h1:0e7OLwg7kdXISVFwn7ishFdvxfVgi7wsqHqsQPHl61w=
+k8s.io/client-go v0.36.0 h1:pOYi7C4RHChYjMiHpZSpSbIM6ZxVbRXBy7CuiIwqA3c=
+k8s.io/client-go v0.36.0/go.mod h1:ZKKcpwF0aLYfkHFCjillCKaTK/yBkEDHTDXCFY6AS9Y=
 k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc=
 k8s.io/klog/v2 v2.140.0/go.mod h1:o+/RWfJ6PwpnFn7OyAG3QnO47BFsymfEfrz6XyYSSp0=
 k8s.io/kube-openapi v0.0.0-20260511211612-da4e56fe5676 h1:ahjrVu/DBcaAhw/GcblfaOvvQ2wi8kqXWvn62nud3UU=

internal/baseController/controller.go

@@ -0,0 +1,94 @@
+package baseController
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/tools/record"
+	"k8s.io/client-go/util/workqueue"
+	"k8s.io/klog/v2"
+)
+
+type SyncHandler func(ctx context.Context, objRef cache.ObjectName) error
+
+type Controller struct {
+	workqueue   workqueue.TypedRateLimitingInterface[cache.ObjectName]
+	recorder    record.EventRecorder
+	synced      cache.InformerSynced
+	syncHandler SyncHandler
+}
+
+func NewController(
+	ctx context.Context,
+	workqueue workqueue.TypedRateLimitingInterface[cache.ObjectName],
+	recorder record.EventRecorder,
+	synced cache.InformerSynced,
+	syncHandler SyncHandler,
+) *Controller {
+	return &Controller{
+		workqueue:   workqueue,
+		recorder:    recorder,
+		synced:      synced,
+		syncHandler: syncHandler,
+	}
+}
+
+func (c *Controller) Run(ctx context.Context, workers int) error {
+	defer utilruntime.HandleCrash()
+	defer c.workqueue.ShutDown()
+	logger := klog.FromContext(ctx)
+
+	logger.Info("Starting PolicyBinding controller")
+
+	logger.Info("Waiting for informer caches to sync")
+	if ok := cache.WaitForCacheSync(ctx.Done(), c.synced); !ok {
+		return fmt.Errorf("failed to wait for caches to sync")
+	}
+
+	logger.Info("Starting workers", "count", workers)
+	for i := 0; i < workers; i++ {
+		go wait.UntilWithContext(ctx, c.runWorker, time.Second)
+	}
+
+	logger.Info("Started workers")
+	<-ctx.Done()
+	logger.Info("Shutting down workers")
+	return nil
+}
+
+func (c *Controller) runWorker(ctx context.Context) {
+	for c.processNextWorkItem(ctx) {
+	}
+}
+
+func (c *Controller) processNextWorkItem(ctx context.Context) bool {
+	objRef, shutdown := c.workqueue.Get()
+	logger := klog.FromContext(ctx)
+	if shutdown {
+		return false
+	}
+	defer c.workqueue.Done(objRef)
+
+	err := c.syncHandler(ctx, objRef)
+	if err == nil {
+		c.workqueue.Forget(objRef)
+		logger.Info("Successfully synced", "objectName", objRef)
+		return true
+	}
+	utilruntime.HandleErrorWithContext(ctx, err, "Error syncing; requeuing for later retry", "objectReference", objRef)
+	c.workqueue.AddRateLimited(objRef)
+	return true
+}
+
+func (c *Controller) Enqueue(obj interface{}) {
+	objectRef, err := cache.ObjectToName(obj)
+	if err != nil {
+		utilruntime.HandleError(err)
+		return
+	}
+	c.workqueue.Add(objectRef)
+}

internal/baseController/controller_test.go

@@ -0,0 +1,190 @@
+// AI generated tests and not yet reviewed.
+package baseController
+
+import (
+	"context"
+	"errors"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/tools/record"
+	"k8s.io/client-go/util/workqueue"
+)
+
+func newTestController(t *testing.T, synced cache.InformerSynced, syncHandler SyncHandler) (*Controller, workqueue.TypedRateLimitingInterface[cache.ObjectName]) {
+	t.Helper()
+
+	ratelimiter := workqueue.NewTypedItemExponentialFailureRateLimiter[cache.ObjectName](time.Millisecond, time.Second)
+	q := workqueue.NewTypedRateLimitingQueue(ratelimiter)
+	t.Cleanup(q.ShutDown)
+
+	if synced == nil {
+		synced = func() bool { return true }
+	}
+
+	ctrl := NewController(
+		context.Background(),
+		q,
+		record.NewFakeRecorder(10),
+		synced,
+		syncHandler,
+	)
+	return ctrl, q
+}
+
+func TestController_processNextWorkItem_success(t *testing.T) {
+	objRef := cache.ObjectName{Namespace: "default", Name: "test"}
+
+	var syncedRef cache.ObjectName
+	ctrl, q := newTestController(t, nil, func(_ context.Context, ref cache.ObjectName) error {
+		syncedRef = ref
+		return nil
+	})
+	q.Add(objRef)
+
+	if !ctrl.processNextWorkItem(context.Background()) {
+		t.Fatal("processNextWorkItem() = false, want true")
+	}
+	if syncedRef != objRef {
+		t.Fatalf("syncHandler object = %+v, want %+v", syncedRef, objRef)
+	}
+	if q.Len() != 0 {
+		t.Fatalf("queue length = %d, want 0 after successful sync", q.Len())
+	}
+	if q.NumRequeues(objRef) != 0 {
+		t.Fatalf("requeues = %d, want 0 after successful sync", q.NumRequeues(objRef))
+	}
+}
+
+func TestController_processNextWorkItem_syncError(t *testing.T) {
+	objRef := cache.ObjectName{Namespace: "default", Name: "test"}
+	syncErr := errors.New("sync failed")
+
+	ctrl, q := newTestController(t, nil, func(context.Context, cache.ObjectName) error {
+		return syncErr
+	})
+	q.Add(objRef)
+
+	if !ctrl.processNextWorkItem(context.Background()) {
+		t.Fatal("processNextWorkItem() = false, want true")
+	}
+	if q.NumRequeues(objRef) != 1 {
+		t.Fatalf("requeues = %d, want 1 after sync error", q.NumRequeues(objRef))
+	}
+}
+
+func TestController_processNextWorkItem_shutdown(t *testing.T) {
+	ctrl, q := newTestController(t, nil, func(context.Context, cache.ObjectName) error {
+		return nil
+	})
+	q.ShutDown()
+
+	if ctrl.processNextWorkItem(context.Background()) {
+		t.Fatal("processNextWorkItem() = true, want false on shutdown")
+	}
+}
+
+func TestController_Enqueue(t *testing.T) {
+	ctrl, q := newTestController(t, nil, func(context.Context, cache.ObjectName) error {
+		return nil
+	})
+
+	obj := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "default",
+			Name:      "test",
+		},
+	}
+	ctrl.Enqueue(obj)
+
+	if q.Len() != 1 {
+		t.Fatalf("queue length = %d, want 1 after Enqueue", q.Len())
+	}
+}
+
+func TestController_Enqueue_invalidObject(t *testing.T) {
+	ctrl, q := newTestController(t, nil, func(context.Context, cache.ObjectName) error {
+		return nil
+	})
+
+	ctrl.Enqueue("not-a-kubernetes-object")
+
+	if q.Len() != 0 {
+		t.Fatalf("queue length = %d, want 0 for invalid object", q.Len())
+	}
+}
+
+func TestController_Run_cacheSyncFails(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	ctrl, _ := newTestController(t, func() bool { return false }, func(context.Context, cache.ObjectName) error {
+		return nil
+	})
+
+	go func() {
+		time.Sleep(10 * time.Millisecond)
+		cancel()
+	}()
+
+	err := ctrl.Run(ctx, 1)
+	if err == nil {
+		t.Fatal("Run() error = nil, want cache sync failure")
+	}
+}
+
+func TestController_Run_shutsDownOnCancel(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+
+	ctrl, _ := newTestController(t, nil, func(context.Context, cache.ObjectName) error {
+		return nil
+	})
+
+	errCh := make(chan error, 1)
+	go func() {
+		errCh <- ctrl.Run(ctx, 1)
+	}()
+
+	time.Sleep(50 * time.Millisecond)
+	cancel()
+
+	select {
+	case err := <-errCh:
+		if err != nil {
+			t.Fatalf("Run() error = %v, want nil on context cancel", err)
+		}
+	case <-time.After(2 * time.Second):
+		t.Fatal("Run() did not return after context cancellation")
+	}
+}
+
+func TestController_runWorker_processesQueuedItem(t *testing.T) {
+	objRef := cache.ObjectName{Namespace: "default", Name: "test"}
+	var calls atomic.Int32
+
+	ctrl, q := newTestController(t, nil, func(context.Context, cache.ObjectName) error {
+		calls.Add(1)
+		return nil
+	})
+	q.Add(objRef)
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	go ctrl.runWorker(ctx)
+
+	deadline := time.Now().Add(2 * time.Second)
+	for time.Now().Before(deadline) {
+		if calls.Load() == 1 && q.Len() == 0 {
+			cancel()
+			return
+		}
+		time.Sleep(5 * time.Millisecond)
+	}
+	cancel()
+	t.Fatalf("runWorker did not process queued item: calls=%d queueLen=%d", calls.Load(), q.Len())
+}

k8s/test.yaml

@@ -0,0 +1 @@
+---

pkg/apis/policybinding/v1alpha1/types.go

@@ -35,7 +35,7 @@ type PolicyBinding struct {
 type PolicyBindingSpec struct {
 	Policy string `json:"policy,omitempty"`
 	Group  string `json:"group,omitempty"`
-	User   int32  `json:"user"`
+	User   int32  `json:"user,omitempty"`
 	Target string `json:"target"`
 	Order  int32  `json:"order"`
 }

pkg/apis/proxyprovider/v1alpha1/types.go

@@ -37,6 +37,7 @@ type ProxyProviderSpec struct {
 	AuthorizationFlow string `json:"authorization_flow"`
 	InvalidationFlow  string `json:"invalidation_flow"`
 	ExternalHost      string `json:"external_host"`
+	Outpost           string `json:"outpost"`
 }
 
 type ProxyProviderStatus struct {

pkg/controllers/application/controller.go

@@ -21,7 +21,6 @@ import (
 	"fmt"
 	"net/http"
 	"slices"
-	"strconv"
 	"time"
 
 	"golang.org/x/time/rate"
@@ -30,7 +29,6 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
-	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/scheme"
 	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -39,6 +37,7 @@ import (
 	"k8s.io/client-go/util/workqueue"
 	"k8s.io/klog/v2"
 
+	"gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/internal/baseController"
 	v1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/application/v1alpha1"
 	clientset "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned"
 	operatorscheme "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned/scheme"
@@ -62,16 +61,14 @@ const (
 	DeleteAuthentikApplicationFinalizer = "application.t000-n.de/delete-authentik-application"
 )
 
-type Controller struct {
+type ApplicationController struct {
 	kubeclientset        kubernetes.Interface
 	applicationClientset clientset.Interface
 	authentik            *authentikapi.APIClient
 
 	applicationListener listers.ApplicationLister
-	applicationSynced   cache.InformerSynced
 
-	workqueue workqueue.TypedRateLimitingInterface[cache.ObjectName]
+	controller *baseController.Controller
-	recorder  record.EventRecorder
 }
 
 func NewController(
@@ -80,7 +77,7 @@ func NewController(
 	applicationClientset clientset.Interface,
 	authentik *authentikapi.APIClient,
 	applicationInformer informers.ApplicationInformer,
-) *Controller {
+) *ApplicationController {
 	logger := klog.FromContext(ctx)
 
 	utilruntime.Must(operatorscheme.AddToScheme(scheme.Scheme))
@@ -95,75 +92,36 @@ func NewController(
 		&workqueue.TypedBucketRateLimiter[cache.ObjectName]{Limiter: rate.NewLimiter(rate.Limit(50), 300)},
 	)
 
-	c := &Controller{
+	c := &ApplicationController{
 		kubeclientset:        kubeclientset,
 		applicationClientset: applicationClientset,
 		authentik:            authentik,
 		applicationListener:  applicationInformer.Lister(),
-		applicationSynced:    applicationInformer.Informer().HasSynced,
-		workqueue:            workqueue.NewTypedRateLimitingQueue(ratelimiter),
-		recorder:             recorder,
 	}
+	c.controller = baseController.NewController(
+		ctx,
+		workqueue.NewTypedRateLimitingQueue(ratelimiter),
+		recorder,
+		applicationInformer.Informer().HasSynced,
+		c.syncHandler,
+	)
 
 	logger.Info("Setting up event handlers")
 	applicationInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
-		AddFunc: c.enqueueApplication,
+		AddFunc: c.controller.Enqueue,
 		UpdateFunc: func(_, newObj interface{}) {
-			c.enqueueApplication(newObj)
+			c.controller.Enqueue(newObj)
 		},
 	})
 
 	return c
 }
 
-func (c *Controller) Run(ctx context.Context, workers int) error {
+func (c *ApplicationController) Run(ctx context.Context, workers int) error {
-	defer utilruntime.HandleCrash()
+	return c.controller.Run(ctx, workers)
-	defer c.workqueue.ShutDown()
-	logger := klog.FromContext(ctx)
-
-	logger.Info("Starting Application controller")
-
-	logger.Info("Waiting for informer caches to sync")
-	if ok := cache.WaitForCacheSync(ctx.Done(), c.applicationSynced); !ok {
-		return fmt.Errorf("failed to wait for caches to sync")
-	}
-
-	logger.Info("Starting workers", "count", workers)
-	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, c.runWorker, time.Second)
-	}
-
-	logger.Info("Started workers")
-	<-ctx.Done()
-	logger.Info("Shutting down workers")
-	return nil
 }
 
-func (c *Controller) runWorker(ctx context.Context) {
+func (c *ApplicationController) syncHandler(ctx context.Context, objectRef cache.ObjectName) error {
-	for c.processNextWorkItem(ctx) {
-	}
-}
-
-func (c *Controller) processNextWorkItem(ctx context.Context) bool {
-	objRef, shutdown := c.workqueue.Get()
-	logger := klog.FromContext(ctx)
-	if shutdown {
-		return false
-	}
-	defer c.workqueue.Done(objRef)
-
-	err := c.syncHandler(ctx, objRef)
-	if err == nil {
-		c.workqueue.Forget(objRef)
-		logger.Info("Successfully synced", "objectName", objRef)
-		return true
-	}
-	utilruntime.HandleErrorWithContext(ctx, err, "Error syncing; requeuing for later retry", "objectReference", objRef)
-	c.workqueue.AddRateLimited(objRef)
-	return true
-}
-
-func (c *Controller) syncHandler(ctx context.Context, objectRef cache.ObjectName) error {
 	logger := klog.LoggerWithValues(klog.FromContext(ctx), "objectRef", objectRef)
 
 	app, err := c.applicationListener.Applications(objectRef.Namespace).Get(objectRef.Name)
@@ -196,22 +154,17 @@ func (c *Controller) syncHandler(ctx context.Context, objectRef cache.ObjectName
 	return c.reconcileUpdate(ctx, app)
 }
 
-func (c *Controller) ensureFinalizers(ctx context.Context, app *v1alpha1.Application) error {
+func (c *ApplicationController) ensureFinalizers(ctx context.Context, app *v1alpha1.Application) error {
 	app.ObjectMeta.Finalizers = append(app.ObjectMeta.Finalizers, DeleteAuthentikApplicationFinalizer)
 	return c.updateApplication(ctx, app)
 }
 
-func (c *Controller) reconcileDelete(ctx context.Context, app *v1alpha1.Application) error {
+func (c *ApplicationController) reconcileDelete(ctx context.Context, app *v1alpha1.Application) error {
-	pk, err := strconv.ParseInt(app.Status.PK, 10, 32)
+	r, err := c.authentik.CoreApi.CoreApplicationsDestroy(ctx, app.Spec.Slug).Execute()
 	if err != nil {
-		return fmt.Errorf("error parsing PK: %v", err)
+		// This handles an edge-case, where when the Application on Authentik has already been deleted, but the finalizer is still present. We just remove the finalizer and return.
-	}
-
-	r, err := c.authentik.ProvidersApi.ProvidersProxyDestroy(ctx, int32(pk)).Execute()
-	if err != nil {
-		// This handles an edge-case, where when the ProxyProvider on Authentik has already been deleted, but the finalizer is still present. We just remove the finalizer and return.
 		if r != nil && r.StatusCode != http.StatusNotFound {
-			return fmt.Errorf("error when calling `ProvidersAPI.ProvidersProxyDestroy`: %w with response %v", err, r)
+			return fmt.Errorf("error when calling `CoreAPI.CoreApplicationsDestroy`: %w with response %v", err, r)
 		}
 	}
 
@@ -219,7 +172,7 @@ func (c *Controller) reconcileDelete(ctx context.Context, app *v1alpha1.Applicat
 	return c.updateApplication(ctx, app)
 }
 
-func (c *Controller) reconcileUpdate(ctx context.Context, app *v1alpha1.Application) error {
+func (c *ApplicationController) reconcileUpdate(ctx context.Context, app *v1alpha1.Application) error {
 	_, r, err := c.authentik.CoreApi.CoreApplicationsRetrieve(ctx, app.Spec.Slug).Execute()
 	if err != nil {
 		if r != nil && r.StatusCode == http.StatusNotFound {
@@ -238,14 +191,14 @@ func (c *Controller) reconcileUpdate(ctx context.Context, app *v1alpha1.Applicat
 	}
 	resp, r, err := c.authentik.CoreApi.CoreApplicationsPartialUpdate(ctx, app.Spec.Slug).PatchedApplicationRequest(*patchedApplicationRequest).Execute()
 	if err != nil {
-		return fmt.Errorf("error when calling `ProvidersAPI.ProvidersProxyPartialUpdate`: %w with response %v", err, r)
+		return fmt.Errorf("error when calling `CoreAPI.CoreApplicationsPartialUpdate`: %w with response %v", err, r)
 	}
 
 	app.Status.PK = resp.Pk
 	return c.updateApplicationStatus(ctx, app)
 }
 
-func (c *Controller) reconcileCreate(ctx context.Context, app *v1alpha1.Application) error {
+func (c *ApplicationController) reconcileCreate(ctx context.Context, app *v1alpha1.Application) error {
 	applicationRequest := &authentikapi.ApplicationRequest{
 		Name:     app.Spec.Name,
 		Slug:     app.Spec.Slug,
@@ -260,23 +213,14 @@ func (c *Controller) reconcileCreate(ctx context.Context, app *v1alpha1.Applicat
 	return c.updateApplicationStatus(ctx, app)
 }
 
-func (c *Controller) enqueueApplication(obj interface{}) {
+func (c *ApplicationController) updateApplicationStatus(ctx context.Context, app *v1alpha1.Application) error {
-	objectRef, err := cache.ObjectToName(obj)
-	if err != nil {
-		utilruntime.HandleError(err)
-		return
-	}
-	c.workqueue.Add(objectRef)
-}
-
-func (c *Controller) updateApplicationStatus(ctx context.Context, app *v1alpha1.Application) error {
 	appCopy := app.DeepCopy()
 	_, err := c.applicationClientset.ApplicationV1alpha1().Applications(appCopy.Namespace).UpdateStatus(ctx, appCopy, metav1.UpdateOptions{FieldManager: FieldManager})
 	return err
 }
 
 // Update metadata, spec, etc. of the Application object.
-func (c *Controller) updateApplication(ctx context.Context, app *v1alpha1.Application) error {
+func (c *ApplicationController) updateApplication(ctx context.Context, app *v1alpha1.Application) error {
 	appCopy := app.DeepCopy()
 	_, err := c.applicationClientset.ApplicationV1alpha1().Applications(appCopy.Namespace).Update(ctx, appCopy, metav1.UpdateOptions{FieldManager: FieldManager})
 	if err != nil {

pkg/controllers/application/controller_test.go

@@ -130,7 +130,7 @@ func TestController_syncHandler_delete(t *testing.T) {
 
 	var destroyCalled bool
 	server := newAuthentikTestServer(t, authentikTestHandlers{
-		proxyDestroy: func(w http.ResponseWriter, r *http.Request) {
+		applicationDestroy: func(w http.ResponseWriter, r *http.Request) {
 			destroyCalled = true
 			if r.Method != http.MethodDelete {
 				t.Errorf("destroy method = %s, want DELETE", r.Method)
@@ -165,7 +165,7 @@ func TestController_syncHandler_delete_providerAlreadyGone(t *testing.T) {
 	app.Finalizers = []string{DeleteAuthentikApplicationFinalizer}
 
 	server := newAuthentikTestServer(t, authentikTestHandlers{
-		proxyDestroy: func(w http.ResponseWriter, _ *http.Request) {
+		applicationDestroy: func(w http.ResponseWriter, _ *http.Request) {
 			http.NotFound(w, nil)
 		},
 	})
@@ -198,39 +198,31 @@ func TestController_syncHandler_notFound(t *testing.T) {
 	}
 }
 
-func TestController_syncHandler_invalidPK(t *testing.T) {
+func TestController_syncHandler_delete_usesSlugNotPK(t *testing.T) {
 	now := metav1.Now()
 	app := testApplication()
 	app.Status.PK = "not-a-number"
 	app.DeletionTimestamp = &now
 	app.Finalizers = []string{DeleteAuthentikApplicationFinalizer}
 
-	server := newAuthentikTestServer(t, authentikTestHandlers{})
+	var destroySlug string
+	server := newAuthentikTestServer(t, authentikTestHandlers{
+		applicationDestroy: func(w http.ResponseWriter, r *http.Request) {
+			destroySlug = strings.TrimSuffix(strings.TrimPrefix(r.URL.Path, "/api/v3/core/applications/"), "/")
+			w.WriteHeader(http.StatusNoContent)
+		},
+	})
 	t.Cleanup(server.Close)
 
 	ctrl, ctx, cancel := newTestController(t, app, server.URL)
 	t.Cleanup(cancel)
 
 	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: app.Namespace, Name: app.Name})
-	if err == nil {
+	if err != nil {
-		t.Fatal("syncHandler() error = nil, want parse error")
+		t.Fatalf("syncHandler() error = %v", err)
 	}
-	if !strings.Contains(err.Error(), "error parsing PK") {
+	if destroySlug != app.Spec.Slug {
-		t.Fatalf("syncHandler() error = %v, want PK parse error", err)
+		t.Fatalf("destroy slug = %q, want %q (delete must use spec.slug, not status.pk)", destroySlug, app.Spec.Slug)
-	}
-}
-
-func TestController_enqueueApplication(t *testing.T) {
-	server := newAuthentikTestServer(t, authentikTestHandlers{})
-	t.Cleanup(server.Close)
-
-	ctrl, _, cancel := newTestController(t, testApplication(), server.URL)
-	t.Cleanup(cancel)
-
-	ctrl.enqueueApplication(testApplication())
-
-	if ctrl.workqueue.Len() != 1 {
-		t.Fatalf("workqueue length = %d, want 1", ctrl.workqueue.Len())
 	}
 }
 
@@ -254,7 +246,7 @@ func testApplication() *v1alpha1.Application {
 	}
 }
 
-func newTestController(t *testing.T, app *v1alpha1.Application, authentikURL string) (*Controller, context.Context, context.CancelFunc) {
+func newTestController(t *testing.T, app *v1alpha1.Application, authentikURL string) (*ApplicationController, context.Context, context.CancelFunc) {
 	t.Helper()
 	ctx, cancel := context.WithCancel(context.Background())
 	ctrl, _, stop := newTestControllerWithContext(t, ctx, app, authentikURL)
@@ -264,7 +256,7 @@ func newTestController(t *testing.T, app *v1alpha1.Application, authentikURL str
 	}
 }
 
-func newTestControllerWithContext(t *testing.T, ctx context.Context, app *v1alpha1.Application, authentikURL string) (*Controller, context.Context, func()) {
+func newTestControllerWithContext(t *testing.T, ctx context.Context, app *v1alpha1.Application, authentikURL string) (*ApplicationController, context.Context, func()) {
 	t.Helper()
 
 	authentikClient := newAuthentikAPIClientForTest(t, authentikURL)
@@ -309,7 +301,7 @@ type authentikTestHandlers struct {
 	applicationCreate        http.HandlerFunc
 	applicationRetrieve      http.HandlerFunc
 	applicationPartialUpdate http.HandlerFunc
-	proxyDestroy             http.HandlerFunc
+	applicationDestroy       http.HandlerFunc
 }
 
 func newAuthentikTestServer(t *testing.T, handlers authentikTestHandlers) *httptest.Server {
@@ -345,25 +337,15 @@ func newAuthentikTestServer(t *testing.T, handlers authentikTestHandlers) *httpt
 					return
 				}
 				http.NotFound(w, r)
-			default:
+			case http.MethodDelete:
-				http.Error(w, "unexpected method on application instance", http.StatusMethodNotAllowed)
+				if handlers.applicationDestroy != nil {
-			}
+					handlers.applicationDestroy(w, r)
-
-		case strings.HasPrefix(path, "/api/v3/providers/proxy/") && strings.HasSuffix(path, "/"):
-			idPath := strings.TrimPrefix(path, "/api/v3/providers/proxy/")
-			if idPath == "" {
-				http.NotFound(w, r)
-				return
-			}
-			if r.Method == http.MethodDelete {
-				if handlers.proxyDestroy != nil {
-					handlers.proxyDestroy(w, r)
 					return
 				}
 				http.NotFound(w, r)
-				return
+			default:
+				http.Error(w, "unexpected method on application instance", http.StatusMethodNotAllowed)
 			}
-			http.Error(w, "unexpected method on proxy instance", http.StatusMethodNotAllowed)
 
 		default:
 			http.NotFound(w, r)
@@ -382,7 +364,7 @@ func writeJSON(t *testing.T, w http.ResponseWriter, status int, body any) {
 	}
 }
 
-func getApplication(t *testing.T, ctrl *Controller, namespace, name string) *v1alpha1.Application {
+func getApplication(t *testing.T, ctrl *ApplicationController, namespace, name string) *v1alpha1.Application {
 	t.Helper()
 
 	got, err := ctrl.applicationClientset.ApplicationV1alpha1().Applications(namespace).Get(

pkg/controllers/policybinding/controller.go

@@ -21,7 +21,6 @@ import (
 	"fmt"
 	"net/http"
 	"slices"
-	"strconv"
 	"time"
 
 	"golang.org/x/time/rate"
@@ -30,7 +29,6 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
-	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/scheme"
 	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -39,6 +37,7 @@ import (
 	"k8s.io/client-go/util/workqueue"
 	"k8s.io/klog/v2"
 
+	"gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/internal/baseController"
 	v1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/policybinding/v1alpha1"
 	clientset "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned"
 	operatorscheme "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned/scheme"
@@ -62,16 +61,14 @@ const (
 	DeleteAuthentikPolicyBindingFinalizer = "policybinding.t000-n.de/delete-authentik-policybinding"
 )
 
-type Controller struct {
+type PolicyBindingController struct {
 	kubeclientset          kubernetes.Interface
 	policyBindingClientset clientset.Interface
 	authentik              *authentikapi.APIClient
 
 	policyBindingListener listers.PolicyBindingLister
-	policyBindingSynced   cache.InformerSynced
 
-	workqueue workqueue.TypedRateLimitingInterface[cache.ObjectName]
+	controller *baseController.Controller
-	recorder  record.EventRecorder
 }
 
 func NewController(
@@ -80,7 +77,7 @@ func NewController(
 	policyBindingClientset clientset.Interface,
 	authentik *authentikapi.APIClient,
 	policyBindingInformer informers.PolicyBindingInformer,
-) *Controller {
+) *PolicyBindingController {
 	logger := klog.FromContext(ctx)
 
 	utilruntime.Must(operatorscheme.AddToScheme(scheme.Scheme))
@@ -95,75 +92,36 @@ func NewController(
 		&workqueue.TypedBucketRateLimiter[cache.ObjectName]{Limiter: rate.NewLimiter(rate.Limit(50), 300)},
 	)
 
-	c := &Controller{
+	c := &PolicyBindingController{
 		kubeclientset:          kubeclientset,
 		policyBindingClientset: policyBindingClientset,
 		authentik:              authentik,
 		policyBindingListener:  policyBindingInformer.Lister(),
-		policyBindingSynced:    policyBindingInformer.Informer().HasSynced,
-		workqueue:              workqueue.NewTypedRateLimitingQueue(ratelimiter),
-		recorder:               recorder,
 	}
+	c.controller = baseController.NewController(
+		ctx,
+		workqueue.NewTypedRateLimitingQueue(ratelimiter),
+		recorder,
+		policyBindingInformer.Informer().HasSynced,
+		c.syncHandler,
+	)
 
 	logger.Info("Setting up event handlers")
 	policyBindingInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
-		AddFunc: c.enqueuePolicyBinding,
+		AddFunc: c.controller.Enqueue,
 		UpdateFunc: func(_, newObj interface{}) {
-			c.enqueuePolicyBinding(newObj)
+			c.controller.Enqueue(newObj)
 		},
 	})
 
 	return c
 }
 
-func (c *Controller) Run(ctx context.Context, workers int) error {
+func (c *PolicyBindingController) Run(ctx context.Context, workers int) error {
-	defer utilruntime.HandleCrash()
+	return c.controller.Run(ctx, workers)
-	defer c.workqueue.ShutDown()
-	logger := klog.FromContext(ctx)
-
-	logger.Info("Starting PolicyBinding controller")
-
-	logger.Info("Waiting for informer caches to sync")
-	if ok := cache.WaitForCacheSync(ctx.Done(), c.policyBindingSynced); !ok {
-		return fmt.Errorf("failed to wait for caches to sync")
-	}
-
-	logger.Info("Starting workers", "count", workers)
-	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, c.runWorker, time.Second)
-	}
-
-	logger.Info("Started workers")
-	<-ctx.Done()
-	logger.Info("Shutting down workers")
-	return nil
 }
 
-func (c *Controller) runWorker(ctx context.Context) {
+func (c *PolicyBindingController) syncHandler(ctx context.Context, objectRef cache.ObjectName) error {
-	for c.processNextWorkItem(ctx) {
-	}
-}
-
-func (c *Controller) processNextWorkItem(ctx context.Context) bool {
-	objRef, shutdown := c.workqueue.Get()
-	logger := klog.FromContext(ctx)
-	if shutdown {
-		return false
-	}
-	defer c.workqueue.Done(objRef)
-
-	err := c.syncHandler(ctx, objRef)
-	if err == nil {
-		c.workqueue.Forget(objRef)
-		logger.Info("Successfully synced", "objectName", objRef)
-		return true
-	}
-	utilruntime.HandleErrorWithContext(ctx, err, "Error syncing; requeuing for later retry", "objectReference", objRef)
-	c.workqueue.AddRateLimited(objRef)
-	return true
-}
-
-func (c *Controller) syncHandler(ctx context.Context, objectRef cache.ObjectName) error {
 	logger := klog.LoggerWithValues(klog.FromContext(ctx), "objectRef", objectRef)
 
 	pb, err := c.policyBindingListener.PolicyBindings(objectRef.Namespace).Get(objectRef.Name)
@@ -196,22 +154,17 @@ func (c *Controller) syncHandler(ctx context.Context, objectRef cache.ObjectName
 	return c.reconcileUpdate(ctx, pb)
 }
 
-func (c *Controller) ensureFinalizers(ctx context.Context, pb *v1alpha1.PolicyBinding) error {
+func (c *PolicyBindingController) ensureFinalizers(ctx context.Context, pb *v1alpha1.PolicyBinding) error {
 	pb.ObjectMeta.Finalizers = append(pb.ObjectMeta.Finalizers, DeleteAuthentikPolicyBindingFinalizer)
 	return c.updatePolicyBinding(ctx, pb)
 }
 
-func (c *Controller) reconcileDelete(ctx context.Context, pb *v1alpha1.PolicyBinding) error {
+func (c *PolicyBindingController) reconcileDelete(ctx context.Context, pb *v1alpha1.PolicyBinding) error {
-	pk, err := strconv.ParseInt(pb.Status.PK, 10, 32)
+	r, err := c.authentik.PoliciesApi.PoliciesBindingsDestroy(ctx, pb.Status.PK).Execute()
 	if err != nil {
-		return fmt.Errorf("error parsing PK: %v", err)
+		// This handles an edge-case, where when the PolicyBinding on Authentik has already been deleted, but the finalizer is still present. We just remove the finalizer and return.
-	}
-
-	r, err := c.authentik.ProvidersApi.ProvidersProxyDestroy(ctx, int32(pk)).Execute()
-	if err != nil {
-		// This handles an edge-case, where when the ProxyProvider on Authentik has already been deleted, but the finalizer is still present. We just remove the finalizer and return.
 		if r != nil && r.StatusCode != http.StatusNotFound {
-			return fmt.Errorf("error when calling `ProvidersAPI.ProvidersProxyDestroy`: %w with response %v", err, r)
+			return fmt.Errorf("error when calling `PoliciesAPI.PoliciesBindingsDestroy`: %w with response %v", err, r)
 		}
 	}
 
@@ -219,7 +172,7 @@ func (c *Controller) reconcileDelete(ctx context.Context, pb *v1alpha1.PolicyBin
 	return c.updatePolicyBinding(ctx, pb)
 }
 
-func (c *Controller) reconcileUpdate(ctx context.Context, pb *v1alpha1.PolicyBinding) error {
+func (c *PolicyBindingController) reconcileUpdate(ctx context.Context, pb *v1alpha1.PolicyBinding) error {
 	_, r, err := c.authentik.PoliciesApi.PoliciesBindingsRetrieve(ctx, pb.Status.PK).Execute()
 	if err != nil {
 		if r != nil && r.StatusCode == http.StatusNotFound {
@@ -232,29 +185,43 @@ func (c *Controller) reconcileUpdate(ctx context.Context, pb *v1alpha1.PolicyBin
 	}
 
 	patchedPolicyBindingRequest := &authentikapi.PatchedPolicyBindingRequest{
-		Policy: *authentikapi.NewNullableString(&pb.Spec.Policy),
-		Group:  *authentikapi.NewNullableString(&pb.Spec.Group),
-		User:   *authentikapi.NewNullableInt32(&pb.Spec.User),
 		Target: &pb.Spec.Target,
 		Order:  &pb.Spec.Order,
 	}
+	if pb.Spec.Policy != "" {
+		patchedPolicyBindingRequest.SetPolicy(pb.Spec.Policy)
+	}
+	if pb.Spec.Group != "" {
+		patchedPolicyBindingRequest.SetGroup(pb.Spec.Group)
+	}
+	if pb.Spec.User != 0 {
+		patchedPolicyBindingRequest.SetUser(pb.Spec.User)
+	}
+
 	resp, r, err := c.authentik.PoliciesApi.PoliciesBindingsPartialUpdate(ctx, pb.Status.PK).PatchedPolicyBindingRequest(*patchedPolicyBindingRequest).Execute()
 	if err != nil {
-		return fmt.Errorf("error when calling `ProvidersAPI.ProvidersProxyPartialUpdate`: %w with response %v", err, r)
+		return fmt.Errorf("error when calling `PoliciesAPI.PoliciesBindingsPartialUpdate`: %w with response %v", err, r)
 	}
 
 	pb.Status.PK = resp.Pk
 	return c.updatePolicyBindingStatus(ctx, pb)
 }
 
-func (c *Controller) reconcileCreate(ctx context.Context, pb *v1alpha1.PolicyBinding) error {
+func (c *PolicyBindingController) reconcileCreate(ctx context.Context, pb *v1alpha1.PolicyBinding) error {
 	policyBindingRequest := &authentikapi.PolicyBindingRequest{
-		Policy: *authentikapi.NewNullableString(&pb.Spec.Policy),
-		Group:  *authentikapi.NewNullableString(&pb.Spec.Group),
-		User:   *authentikapi.NewNullableInt32(&pb.Spec.User),
 		Target: pb.Spec.Target,
 		Order:  pb.Spec.Order,
 	}
+	if pb.Spec.Policy != "" {
+		policyBindingRequest.SetPolicy(pb.Spec.Policy)
+	}
+	if pb.Spec.Group != "" {
+		policyBindingRequest.SetGroup(pb.Spec.Group)
+	}
+	if pb.Spec.User != 0 {
+		policyBindingRequest.SetUser(pb.Spec.User)
+	}
+
 	resp, r, err := c.authentik.PoliciesApi.PoliciesBindingsCreate(ctx).PolicyBindingRequest(*policyBindingRequest).Execute()
 	if err != nil {
 		return fmt.Errorf("error when calling `PoliciesAPI.PoliciesBindingsCreate`: %w with response %v", err, r)
@@ -264,23 +231,14 @@ func (c *Controller) reconcileCreate(ctx context.Context, pb *v1alpha1.PolicyBin
 	return c.updatePolicyBindingStatus(ctx, pb)
 }
 
-func (c *Controller) enqueuePolicyBinding(obj interface{}) {
+func (c *PolicyBindingController) updatePolicyBindingStatus(ctx context.Context, pb *v1alpha1.PolicyBinding) error {
-	objectRef, err := cache.ObjectToName(obj)
-	if err != nil {
-		utilruntime.HandleError(err)
-		return
-	}
-	c.workqueue.Add(objectRef)
-}
-
-func (c *Controller) updatePolicyBindingStatus(ctx context.Context, pb *v1alpha1.PolicyBinding) error {
 	pbCopy := pb.DeepCopy()
 	_, err := c.policyBindingClientset.PolicyBindingV1alpha1().PolicyBindings(pbCopy.Namespace).UpdateStatus(ctx, pbCopy, metav1.UpdateOptions{FieldManager: FieldManager})
 	return err
 }
 
 // Update metadata, spec, etc. of the PolicyBinding object.
-func (c *Controller) updatePolicyBinding(ctx context.Context, pb *v1alpha1.PolicyBinding) error {
+func (c *PolicyBindingController) updatePolicyBinding(ctx context.Context, pb *v1alpha1.PolicyBinding) error {
 	pbCopy := pb.DeepCopy()
 	_, err := c.policyBindingClientset.PolicyBindingV1alpha1().PolicyBindings(pbCopy.Namespace).Update(ctx, pbCopy, metav1.UpdateOptions{FieldManager: FieldManager})
 	return err

pkg/controllers/policybinding/controller_test.go

@@ -0,0 +1,349 @@
+// AI generated tests and not yet reviewed.
+package policybinding
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"slices"
+	"strings"
+	"testing"
+
+	v1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/policybinding/v1alpha1"
+	operatorfake "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned/fake"
+	operatorinformers "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/informers/externalversions"
+	authentikapi "goauthentik.io/api/v3"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/kubernetes/fake"
+	"k8s.io/client-go/tools/cache"
+)
+
+func TestController_syncHandler_create(t *testing.T) {
+	const wantPK = "42"
+
+	server := newAuthentikTestServer(t, authentikTestHandlers{
+		policyBindingCreate: func(w http.ResponseWriter, _ *http.Request) {
+			writeJSON(t, w, http.StatusCreated, map[string]any{"pk": wantPK})
+		},
+	})
+	t.Cleanup(server.Close)
+
+	ctrl, ctx, cancel := newTestController(t, testPolicyBinding(), server.URL)
+	t.Cleanup(cancel)
+
+	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: "default", Name: "test-pb"})
+	if err != nil {
+		t.Fatalf("syncHandler() error = %v", err)
+	}
+
+	got := getPolicyBinding(t, ctrl, "default", "test-pb")
+	if got.Status.PK != wantPK {
+		t.Fatalf("status.pk = %q, want %q", got.Status.PK, wantPK)
+	}
+}
+
+func TestController_syncHandler_ensureFinalizers(t *testing.T) {
+	pb := testPolicyBinding()
+	pb.Status.PK = "42"
+
+	server := newAuthentikTestServer(t, authentikTestHandlers{})
+	t.Cleanup(server.Close)
+
+	ctrl, ctx, cancel := newTestController(t, pb, server.URL)
+	t.Cleanup(cancel)
+
+	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: pb.Namespace, Name: pb.Name})
+	if err != nil {
+		t.Fatalf("syncHandler() error = %v", err)
+	}
+
+	got := getPolicyBinding(t, ctrl, pb.Namespace, pb.Name)
+	if !slices.Contains(got.Finalizers, DeleteAuthentikPolicyBindingFinalizer) {
+		t.Fatalf("finalizers = %v, want %q", got.Finalizers, DeleteAuthentikPolicyBindingFinalizer)
+	}
+}
+
+func TestController_syncHandler_update(t *testing.T) {
+	pb := testPolicyBinding()
+	pb.Status.PK = "42"
+	pb.Finalizers = []string{DeleteAuthentikPolicyBindingFinalizer}
+
+	server := newAuthentikTestServer(t, authentikTestHandlers{
+		policyBindingRetrieve: func(w http.ResponseWriter, _ *http.Request) {
+			writeJSON(t, w, http.StatusOK, map[string]any{"pk": "42"})
+		},
+		policyBindingPartialUpdate: func(w http.ResponseWriter, _ *http.Request) {
+			writeJSON(t, w, http.StatusOK, map[string]any{"pk": "42"})
+		},
+	})
+	t.Cleanup(server.Close)
+
+	ctrl, ctx, cancel := newTestController(t, pb, server.URL)
+	t.Cleanup(cancel)
+
+	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: pb.Namespace, Name: pb.Name})
+	if err != nil {
+		t.Fatalf("syncHandler() error = %v", err)
+	}
+
+	got := getPolicyBinding(t, ctrl, pb.Namespace, pb.Name)
+	if got.Status.PK != "42" {
+		t.Fatalf("status.pk = %q, want 42", got.Status.PK)
+	}
+}
+
+func TestController_syncHandler_update_policyBindingNotFound(t *testing.T) {
+	pb := testPolicyBinding()
+	pb.Status.PK = "42"
+	pb.Finalizers = []string{DeleteAuthentikPolicyBindingFinalizer}
+
+	server := newAuthentikTestServer(t, authentikTestHandlers{
+		policyBindingRetrieve: func(w http.ResponseWriter, _ *http.Request) {
+			http.NotFound(w, nil)
+		},
+	})
+	t.Cleanup(server.Close)
+
+	ctrl, ctx, cancel := newTestController(t, pb, server.URL)
+	t.Cleanup(cancel)
+
+	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: pb.Namespace, Name: pb.Name})
+	if err != nil {
+		t.Fatalf("syncHandler() error = %v", err)
+	}
+
+	got := getPolicyBinding(t, ctrl, pb.Namespace, pb.Name)
+	if got.Status.PK != "" {
+		t.Fatalf("status.pk = %q, want empty after policy binding not found", got.Status.PK)
+	}
+}
+
+func TestController_syncHandler_delete(t *testing.T) {
+	now := metav1.Now()
+	pb := testPolicyBinding()
+	pb.Status.PK = "42"
+	pb.DeletionTimestamp = &now
+	pb.Finalizers = []string{DeleteAuthentikPolicyBindingFinalizer}
+
+	var destroyCalled bool
+	server := newAuthentikTestServer(t, authentikTestHandlers{
+		policyBindingDestroy: func(w http.ResponseWriter, r *http.Request) {
+			destroyCalled = true
+			if r.Method != http.MethodDelete {
+				t.Errorf("destroy method = %s, want DELETE", r.Method)
+			}
+			w.WriteHeader(http.StatusNoContent)
+		},
+	})
+	t.Cleanup(server.Close)
+
+	ctrl, ctx, cancel := newTestController(t, pb, server.URL)
+	t.Cleanup(cancel)
+
+	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: pb.Namespace, Name: pb.Name})
+	if err != nil {
+		t.Fatalf("syncHandler() error = %v", err)
+	}
+	if !destroyCalled {
+		t.Fatal("expected Authentik destroy call")
+	}
+
+	got := getPolicyBinding(t, ctrl, pb.Namespace, pb.Name)
+	if slices.Contains(got.Finalizers, DeleteAuthentikPolicyBindingFinalizer) {
+		t.Fatalf("finalizers = %v, want finalizer removed", got.Finalizers)
+	}
+}
+
+func TestController_syncHandler_delete_policyBindingAlreadyGone(t *testing.T) {
+	now := metav1.Now()
+	pb := testPolicyBinding()
+	pb.Status.PK = "42"
+	pb.DeletionTimestamp = &now
+	pb.Finalizers = []string{DeleteAuthentikPolicyBindingFinalizer}
+
+	server := newAuthentikTestServer(t, authentikTestHandlers{
+		policyBindingDestroy: func(w http.ResponseWriter, _ *http.Request) {
+			http.NotFound(w, nil)
+		},
+	})
+	t.Cleanup(server.Close)
+
+	ctrl, ctx, cancel := newTestController(t, pb, server.URL)
+	t.Cleanup(cancel)
+
+	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: pb.Namespace, Name: pb.Name})
+	if err != nil {
+		t.Fatalf("syncHandler() error = %v", err)
+	}
+
+	got := getPolicyBinding(t, ctrl, pb.Namespace, pb.Name)
+	if slices.Contains(got.Finalizers, DeleteAuthentikPolicyBindingFinalizer) {
+		t.Fatalf("finalizers = %v, want finalizer removed after 404", got.Finalizers)
+	}
+}
+
+func TestController_syncHandler_notFound(t *testing.T) {
+	server := newAuthentikTestServer(t, authentikTestHandlers{})
+	t.Cleanup(server.Close)
+
+	ctrl, ctx, cancel := newTestController(t, nil, server.URL)
+	t.Cleanup(cancel)
+
+	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: "default", Name: "missing"})
+	if err != nil {
+		t.Fatalf("syncHandler() error = %v, want nil for missing object", err)
+	}
+}
+
+// --- test helpers ---
+
+func testPolicyBinding() *v1alpha1.PolicyBinding {
+	return &v1alpha1.PolicyBinding{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: v1alpha1.SchemeGroupVersion.String(),
+			Kind:       "PolicyBinding",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-pb",
+			Namespace: "default",
+		},
+		Spec: v1alpha1.PolicyBindingSpec{
+			Group:  "14ab813f-a7f9-481b-9b08-781953ae9ebf",
+			Target: "8dd85627-9c48-49c2-8afc-d73dd122ffc2",
+			Order:  1,
+		},
+	}
+}
+
+func newTestController(t *testing.T, pb *v1alpha1.PolicyBinding, authentikURL string) (*PolicyBindingController, context.Context, context.CancelFunc) {
+	t.Helper()
+	ctx, cancel := context.WithCancel(context.Background())
+	ctrl, _, stop := newTestControllerWithContext(t, ctx, pb, authentikURL)
+	return ctrl, ctx, func() {
+		cancel()
+		stop()
+	}
+}
+
+func newTestControllerWithContext(t *testing.T, ctx context.Context, pb *v1alpha1.PolicyBinding, authentikURL string) (*PolicyBindingController, context.Context, func()) {
+	t.Helper()
+
+	authentikClient := newAuthentikAPIClientForTest(t, authentikURL)
+
+	var objects []runtime.Object
+	if pb != nil {
+		objects = append(objects, pb)
+	}
+	policyBindingClient := operatorfake.NewSimpleClientset(objects...)
+
+	informerFactory := operatorinformers.NewSharedInformerFactory(policyBindingClient, 0)
+	policyBindingInformer := informerFactory.PolicyBinding().V1alpha1().PolicyBindings()
+
+	ctrl := NewController(ctx, fake.NewClientset(), policyBindingClient, authentikClient, policyBindingInformer)
+
+	informerFactory.Start(ctx.Done())
+	for informerType, synced := range informerFactory.WaitForCacheSync(ctx.Done()) {
+		if !synced {
+			t.Fatalf("informer %v failed to sync", informerType)
+		}
+	}
+
+	return ctrl, ctx, func() {}
+}
+
+func newAuthentikAPIClientForTest(t *testing.T, serverURL string) *authentikapi.APIClient {
+	t.Helper()
+
+	u, err := url.Parse(serverURL)
+	if err != nil {
+		t.Fatalf("parse server URL: %v", err)
+	}
+
+	cfg := authentikapi.NewConfiguration()
+	cfg.Scheme = u.Scheme
+	cfg.Host = u.Host
+
+	return authentikapi.NewAPIClient(cfg)
+}
+
+type authentikTestHandlers struct {
+	policyBindingCreate        http.HandlerFunc
+	policyBindingRetrieve      http.HandlerFunc
+	policyBindingPartialUpdate http.HandlerFunc
+	policyBindingDestroy       http.HandlerFunc
+}
+
+func newAuthentikTestServer(t *testing.T, handlers authentikTestHandlers) *httptest.Server {
+	t.Helper()
+
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		path := r.URL.Path
+
+		switch {
+		case path == "/api/v3/policies/bindings/" && r.Method == http.MethodPost:
+			if handlers.policyBindingCreate != nil {
+				handlers.policyBindingCreate(w, r)
+				return
+			}
+			http.NotFound(w, r)
+
+		case strings.HasPrefix(path, "/api/v3/policies/bindings/") && strings.HasSuffix(path, "/"):
+			idPath := strings.TrimPrefix(path, "/api/v3/policies/bindings/")
+			if idPath == "" {
+				http.NotFound(w, r)
+				return
+			}
+			switch r.Method {
+			case http.MethodGet:
+				if handlers.policyBindingRetrieve != nil {
+					handlers.policyBindingRetrieve(w, r)
+					return
+				}
+				http.NotFound(w, r)
+			case http.MethodPatch:
+				if handlers.policyBindingPartialUpdate != nil {
+					handlers.policyBindingPartialUpdate(w, r)
+					return
+				}
+				http.NotFound(w, r)
+			case http.MethodDelete:
+				if handlers.policyBindingDestroy != nil {
+					handlers.policyBindingDestroy(w, r)
+					return
+				}
+				http.NotFound(w, r)
+			default:
+				http.Error(w, "unexpected method on policy binding instance", http.StatusMethodNotAllowed)
+			}
+
+		default:
+			http.NotFound(w, r)
+		}
+	})
+
+	return httptest.NewServer(handler)
+}
+
+func writeJSON(t *testing.T, w http.ResponseWriter, status int, body any) {
+	t.Helper()
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(status)
+	if err := json.NewEncoder(w).Encode(body); err != nil {
+		t.Fatalf("write JSON response: %v", err)
+	}
+}
+
+func getPolicyBinding(t *testing.T, ctrl *PolicyBindingController, namespace, name string) *v1alpha1.PolicyBinding {
+	t.Helper()
+
+	got, err := ctrl.policyBindingClientset.PolicyBindingV1alpha1().PolicyBindings(namespace).Get(
+		context.Background(), name, metav1.GetOptions{},
+	)
+	if err != nil {
+		t.Fatalf("get PolicyBinding: %v", err)
+	}
+	return got
+}

pkg/controllers/proxyprovider/controller.go

@@ -30,7 +30,6 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
-	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/scheme"
 	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -39,6 +38,7 @@ import (
 	"k8s.io/client-go/util/workqueue"
 	"k8s.io/klog/v2"
 
+	"gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/internal/baseController"
 	v1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1"
 	clientset "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned"
 	operatorscheme "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned/scheme"
@@ -62,16 +62,14 @@ const (
 	DeleteAuthentikProxyProviderFinalizer = "proxyprovider.t000-n.de/delete-authentik-proxyprovider"
 )
 
-type Controller struct {
+type ProxyProviderController struct {
 	kubeclientset          kubernetes.Interface
 	proxyProviderClientset clientset.Interface
 	authentik              *authentikapi.APIClient
 
 	proxyLister listers.ProxyProviderLister
-	proxySynced cache.InformerSynced
 
-	workqueue workqueue.TypedRateLimitingInterface[cache.ObjectName]
+	controller *baseController.Controller
-	recorder  record.EventRecorder
 }
 
 func NewController(
@@ -80,7 +78,7 @@ func NewController(
 	proxyProviderClientset clientset.Interface,
 	authentik *authentikapi.APIClient,
 	proxyInformer informers.ProxyProviderInformer,
-) *Controller {
+) *ProxyProviderController {
 	logger := klog.FromContext(ctx)
 
 	utilruntime.Must(operatorscheme.AddToScheme(scheme.Scheme))
@@ -95,75 +93,36 @@ func NewController(
 		&workqueue.TypedBucketRateLimiter[cache.ObjectName]{Limiter: rate.NewLimiter(rate.Limit(50), 300)},
 	)
 
-	c := &Controller{
+	c := &ProxyProviderController{
 		kubeclientset:          kubeclientset,
 		proxyProviderClientset: proxyProviderClientset,
 		authentik:              authentik,
 		proxyLister:            proxyInformer.Lister(),
-		proxySynced:            proxyInformer.Informer().HasSynced,
-		workqueue:              workqueue.NewTypedRateLimitingQueue(ratelimiter),
-		recorder:               recorder,
 	}
+	c.controller = baseController.NewController(
+		ctx,
+		workqueue.NewTypedRateLimitingQueue(ratelimiter),
+		recorder,
+		proxyInformer.Informer().HasSynced,
+		c.syncHandler,
+	)
 
 	logger.Info("Setting up event handlers")
 	proxyInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
-		AddFunc: c.enqueueProxyProvider,
+		AddFunc: c.controller.Enqueue,
 		UpdateFunc: func(_, newObj interface{}) {
-			c.enqueueProxyProvider(newObj)
+			c.controller.Enqueue(newObj)
 		},
 	})
 
 	return c
 }
 
-func (c *Controller) Run(ctx context.Context, workers int) error {
+func (c *ProxyProviderController) Run(ctx context.Context, workers int) error {
-	defer utilruntime.HandleCrash()
+	return c.controller.Run(ctx, workers)
-	defer c.workqueue.ShutDown()
-	logger := klog.FromContext(ctx)
-
-	logger.Info("Starting ProxyProvider controller")
-
-	logger.Info("Waiting for informer caches to sync")
-	if ok := cache.WaitForCacheSync(ctx.Done(), c.proxySynced); !ok {
-		return fmt.Errorf("failed to wait for caches to sync")
-	}
-
-	logger.Info("Starting workers", "count", workers)
-	for i := 0; i < workers; i++ {
-		go wait.UntilWithContext(ctx, c.runWorker, time.Second)
-	}
-
-	logger.Info("Started workers")
-	<-ctx.Done()
-	logger.Info("Shutting down workers")
-	return nil
 }
 
-func (c *Controller) runWorker(ctx context.Context) {
+func (c *ProxyProviderController) syncHandler(ctx context.Context, objectRef cache.ObjectName) error {
-	for c.processNextWorkItem(ctx) {
-	}
-}
-
-func (c *Controller) processNextWorkItem(ctx context.Context) bool {
-	objRef, shutdown := c.workqueue.Get()
-	logger := klog.FromContext(ctx)
-	if shutdown {
-		return false
-	}
-	defer c.workqueue.Done(objRef)
-
-	err := c.syncHandler(ctx, objRef)
-	if err == nil {
-		c.workqueue.Forget(objRef)
-		logger.Info("Successfully synced", "objectName", objRef)
-		return true
-	}
-	utilruntime.HandleErrorWithContext(ctx, err, "Error syncing; requeuing for later retry", "objectReference", objRef)
-	c.workqueue.AddRateLimited(objRef)
-	return true
-}
-
-func (c *Controller) syncHandler(ctx context.Context, objectRef cache.ObjectName) error {
 	logger := klog.LoggerWithValues(klog.FromContext(ctx), "objectRef", objectRef)
 
 	pp, err := c.proxyLister.ProxyProviders(objectRef.Namespace).Get(objectRef.Name)
@@ -196,17 +155,23 @@ func (c *Controller) syncHandler(ctx context.Context, objectRef cache.ObjectName
 	return c.reconcileUpdate(ctx, pp)
 }
 
-func (c *Controller) ensureFinalizers(ctx context.Context, pp *v1alpha1.ProxyProvider) error {
+func (c *ProxyProviderController) ensureFinalizers(ctx context.Context, pp *v1alpha1.ProxyProvider) error {
 	pp.ObjectMeta.Finalizers = append(pp.ObjectMeta.Finalizers, DeleteAuthentikProxyProviderFinalizer)
 	return c.updateProxyProvider(ctx, pp)
 }
 
-func (c *Controller) reconcileDelete(ctx context.Context, pp *v1alpha1.ProxyProvider) error {
+func (c *ProxyProviderController) reconcileDelete(ctx context.Context, pp *v1alpha1.ProxyProvider) error {
 	pk, err := strconv.ParseInt(pp.Status.PK, 10, 32)
 	if err != nil {
 		return fmt.Errorf("error parsing PK: %v", err)
 	}
 
+	err = c.reconcileOutpost(ctx, pp.Spec.Outpost, int32(pk), ReconcileOutpostModeRemove)
+	if err != nil {
+		return fmt.Errorf("error when calling `reconcileOutpost`: %w", err)
+	}
+
+	// Delete ProxyProvider
 	r, err := c.authentik.ProvidersApi.ProvidersProxyDestroy(ctx, int32(pk)).Execute()
 	if err != nil {
 		// This handles an edge-case, where when the ProxyProvider on Authentik has already been deleted, but the finalizer is still present. We just remove the finalizer and return.
@@ -219,7 +184,7 @@ func (c *Controller) reconcileDelete(ctx context.Context, pp *v1alpha1.ProxyProv
 	return c.updateProxyProvider(ctx, pp)
 }
 
-func (c *Controller) reconcileUpdate(ctx context.Context, pp *v1alpha1.ProxyProvider) error {
+func (c *ProxyProviderController) reconcileUpdate(ctx context.Context, pp *v1alpha1.ProxyProvider) error {
 	// We retrieve the existing PP from the API by slug.
 	pk, err := strconv.ParseInt(pp.Status.PK, 10, 32)
 	if err != nil {
@@ -247,13 +212,17 @@ func (c *Controller) reconcileUpdate(ctx context.Context, pp *v1alpha1.ProxyProv
 	if err != nil {
 		return fmt.Errorf("error when calling `ProvidersAPI.ProvidersProxyPartialUpdate`: %w with response %v", err, r)
 	}
-
 	pp.Status.PK = strconv.Itoa(int(resp.Pk))
 
+	err = c.reconcileOutpost(ctx, pp.Spec.Outpost, int32(pk), ReconcileOutpostModeAdd)
+	if err != nil {
+		return fmt.Errorf("error when calling `reconcileOutpost`: %w", err)
+	}
+
 	return c.updateProxyProviderStatus(ctx, pp)
 }
 
-func (c *Controller) reconcileCreate(ctx context.Context, pp *v1alpha1.ProxyProvider) error {
+func (c *ProxyProviderController) reconcileCreate(ctx context.Context, pp *v1alpha1.ProxyProvider) error {
 	proxyProviderRequest := &authentikapi.ProxyProviderRequest{
 		Name:              pp.Spec.Name,
 		AuthorizationFlow: pp.Spec.AuthorizationFlow,
@@ -266,27 +235,23 @@ func (c *Controller) reconcileCreate(ctx context.Context, pp *v1alpha1.ProxyProv
 		return fmt.Errorf("error when calling `ProvidersAPI.ProvidersProxyCreate`: %w with response %v", err, r)
 	}
 
+	err = c.reconcileOutpost(ctx, pp.Spec.Outpost, resp.Pk, ReconcileOutpostModeAdd)
+	if err != nil {
+		return fmt.Errorf("error when calling `reconcileOutpost`: %w", err)
+	}
+
 	pp.Status.PK = strconv.Itoa(int(resp.Pk))
 	return c.updateProxyProviderStatus(ctx, pp)
 }
 
-func (c *Controller) enqueueProxyProvider(obj interface{}) {
+func (c *ProxyProviderController) updateProxyProviderStatus(ctx context.Context, pp *v1alpha1.ProxyProvider) error {
-	objectRef, err := cache.ObjectToName(obj)
-	if err != nil {
-		utilruntime.HandleError(err)
-		return
-	}
-	c.workqueue.Add(objectRef)
-}
-
-func (c *Controller) updateProxyProviderStatus(ctx context.Context, pp *v1alpha1.ProxyProvider) error {
 	ppCopy := pp.DeepCopy()
 	_, err := c.proxyProviderClientset.ProxyproviderV1alpha1().ProxyProviders(ppCopy.Namespace).UpdateStatus(ctx, ppCopy, metav1.UpdateOptions{FieldManager: FieldManager})
 	return err
 }
 
 // Update metadata, spec, etc. of the ProxyProvider object.
-func (c *Controller) updateProxyProvider(ctx context.Context, pp *v1alpha1.ProxyProvider) error {
+func (c *ProxyProviderController) updateProxyProvider(ctx context.Context, pp *v1alpha1.ProxyProvider) error {
 	ppCopy := pp.DeepCopy()
 	_, err := c.proxyProviderClientset.ProxyproviderV1alpha1().ProxyProviders(ppCopy.Namespace).Update(ctx, ppCopy, metav1.UpdateOptions{FieldManager: FieldManager})
 	if err != nil {
@@ -294,3 +259,51 @@ func (c *Controller) updateProxyProvider(ctx context.Context, pp *v1alpha1.Proxy
 	}
 	return nil
 }
+
+type ReconcileOutpostMode string
+
+const (
+	ReconcileOutpostModeAdd    ReconcileOutpostMode = "add"
+	ReconcileOutpostModeRemove ReconcileOutpostMode = "remove"
+)
+
+func (c *ProxyProviderController) reconcileOutpost(ctx context.Context, outpostId string, providerPk int32, mode ReconcileOutpostMode) error {
+	logger := klog.LoggerWithValues(klog.FromContext(ctx), "outpostId", outpostId, "providerPk", providerPk, "mode", mode)
+
+	outpost, r, err := c.authentik.OutpostsApi.OutpostsInstancesRetrieve(ctx, outpostId).Execute()
+	if err != nil {
+		return fmt.Errorf("error when calling `OutpostsAPI.OutpostsInstancesRetrieve`: %w with response %v", err, r)
+	}
+	updated := false
+
+	switch mode {
+	case ReconcileOutpostModeAdd:
+		if !slices.Contains(outpost.Providers, providerPk) {
+			outpost.Providers = append(outpost.Providers, providerPk)
+			updated = true
+		} else {
+			logger.V(4).Info("Provider already in outpost")
+		}
+	case ReconcileOutpostModeRemove:
+		if slices.Contains(outpost.Providers, providerPk) {
+			outpost.Providers = slices.Delete(outpost.Providers, slices.Index(outpost.Providers, providerPk), 1)
+			updated = true
+		}
+	default:
+		return fmt.Errorf("invalid mode: %s", mode)
+	}
+
+	if !updated {
+		return nil
+	}
+
+	outpostPartialUpdateRequest := &authentikapi.PatchedOutpostRequest{
+		Providers: outpost.Providers,
+	}
+	_, r, err = c.authentik.OutpostsApi.OutpostsInstancesPartialUpdate(ctx, outpostId).PatchedOutpostRequest(*outpostPartialUpdateRequest).Execute()
+	if err != nil {
+		return fmt.Errorf("error when calling `OutpostsAPI.OutpostsInstancesPartialUpdate`: %w with response %v", err, r)
+	}
+
+	return nil
+}

pkg/controllers/proxyprovider/controller_test.go

@@ -21,13 +21,30 @@ import (
 	"k8s.io/client-go/tools/cache"
 )
 
+const testOutpostID = "550e8400-e29b-41d4-a716-446655440000"
+
 func TestController_syncHandler_create(t *testing.T) {
 	const wantPK = 42
 
+	var outpostPartialUpdateCalled bool
 	server := newAuthentikTestServer(t, authentikTestHandlers{
 		proxyCreate: func(w http.ResponseWriter, _ *http.Request) {
 			writeJSON(t, w, http.StatusCreated, map[string]any{"pk": wantPK})
 		},
+		outpostRetrieve: outpostRetrieveHandler(t, nil),
+		outpostPartialUpdate: func(w http.ResponseWriter, r *http.Request) {
+			outpostPartialUpdateCalled = true
+			var body struct {
+				Providers []int32 `json:"providers"`
+			}
+			if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+				t.Fatalf("decode outpost patch body: %v", err)
+			}
+			if !slices.Contains(body.Providers, wantPK) {
+				t.Fatalf("patched providers = %v, want to contain %d", body.Providers, wantPK)
+			}
+			writeJSON(t, w, http.StatusOK, map[string]any{"pk": testOutpostID, "providers": body.Providers})
+		},
 	})
 	t.Cleanup(server.Close)
 
@@ -38,6 +55,41 @@ func TestController_syncHandler_create(t *testing.T) {
 	if err != nil {
 		t.Fatalf("syncHandler() error = %v", err)
 	}
+	if !outpostPartialUpdateCalled {
+		t.Fatal("expected Authentik outpost partial update call")
+	}
+
+	got := getProxyProvider(t, ctrl, "default", "test-pp")
+	if got.Status.PK != "42" {
+		t.Fatalf("status.pk = %q, want 42", got.Status.PK)
+	}
+}
+
+func TestController_syncHandler_create_providerAlreadyInOutpost(t *testing.T) {
+	const wantPK = 42
+
+	var outpostPartialUpdateCalled bool
+	server := newAuthentikTestServer(t, authentikTestHandlers{
+		proxyCreate: func(w http.ResponseWriter, _ *http.Request) {
+			writeJSON(t, w, http.StatusCreated, map[string]any{"pk": wantPK})
+		},
+		outpostRetrieve: outpostRetrieveHandler(t, []int32{wantPK}),
+		outpostPartialUpdate: func(w http.ResponseWriter, _ *http.Request) {
+			outpostPartialUpdateCalled = true
+		},
+	})
+	t.Cleanup(server.Close)
+
+	ctrl, ctx, cancel := newTestController(t, testProxyProvider(), server.URL)
+	t.Cleanup(cancel)
+
+	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: "default", Name: "test-pp"})
+	if err != nil {
+		t.Fatalf("syncHandler() error = %v", err)
+	}
+	if outpostPartialUpdateCalled {
+		t.Fatal("did not expect Authentik outpost partial update when provider is already present")
+	}
 
 	got := getProxyProvider(t, ctrl, "default", "test-pp")
 	if got.Status.PK != "42" {
@@ -71,6 +123,7 @@ func TestController_syncHandler_update(t *testing.T) {
 	pp.Status.PK = "42"
 	pp.Finalizers = []string{DeleteAuthentikProxyProviderFinalizer}
 
+	var outpostPartialUpdateCalled bool
 	server := newAuthentikTestServer(t, authentikTestHandlers{
 		allRetrieve: func(w http.ResponseWriter, _ *http.Request) {
 			writeJSON(t, w, http.StatusOK, map[string]any{"pk": 42})
@@ -78,6 +131,20 @@ func TestController_syncHandler_update(t *testing.T) {
 		proxyPartialUpdate: func(w http.ResponseWriter, _ *http.Request) {
 			writeJSON(t, w, http.StatusOK, map[string]any{"pk": 42})
 		},
+		outpostRetrieve: outpostRetrieveHandler(t, nil),
+		outpostPartialUpdate: func(w http.ResponseWriter, r *http.Request) {
+			outpostPartialUpdateCalled = true
+			var body struct {
+				Providers []int32 `json:"providers"`
+			}
+			if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+				t.Fatalf("decode outpost patch body: %v", err)
+			}
+			if !slices.Contains(body.Providers, 42) {
+				t.Fatalf("patched providers = %v, want to contain 42", body.Providers)
+			}
+			writeJSON(t, w, http.StatusOK, map[string]any{"pk": testOutpostID, "providers": body.Providers})
+		},
 	})
 	t.Cleanup(server.Close)
 
@@ -88,6 +155,9 @@ func TestController_syncHandler_update(t *testing.T) {
 	if err != nil {
 		t.Fatalf("syncHandler() error = %v", err)
 	}
+	if !outpostPartialUpdateCalled {
+		t.Fatal("expected Authentik outpost partial update call")
+	}
 
 	got := getProxyProvider(t, ctrl, pp.Namespace, pp.Name)
 	if got.Status.PK != "42" {
@@ -122,14 +192,29 @@ func TestController_syncHandler_update_providerNotFound(t *testing.T) {
 }
 
 func TestController_syncHandler_delete(t *testing.T) {
+	const wantPK int32 = 42
 	now := metav1.Now()
 	pp := testProxyProvider()
 	pp.Status.PK = "42"
 	pp.DeletionTimestamp = &now
 	pp.Finalizers = []string{DeleteAuthentikProxyProviderFinalizer}
 
-	var destroyCalled bool
+	var outpostPartialUpdateCalled, destroyCalled bool
 	server := newAuthentikTestServer(t, authentikTestHandlers{
+		outpostRetrieve: outpostRetrieveHandler(t, []int32{wantPK}),
+		outpostPartialUpdate: func(w http.ResponseWriter, r *http.Request) {
+			outpostPartialUpdateCalled = true
+			var body struct {
+				Providers []int32 `json:"providers"`
+			}
+			if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+				t.Fatalf("decode outpost patch body: %v", err)
+			}
+			if slices.Contains(body.Providers, wantPK) {
+				t.Fatalf("patched providers = %v, want provider %d removed", body.Providers, wantPK)
+			}
+			writeJSON(t, w, http.StatusOK, map[string]any{"pk": testOutpostID, "providers": body.Providers})
+		},
 		proxyDestroy: func(w http.ResponseWriter, r *http.Request) {
 			destroyCalled = true
 			if r.Method != http.MethodDelete {
@@ -147,6 +232,49 @@ func TestController_syncHandler_delete(t *testing.T) {
 	if err != nil {
 		t.Fatalf("syncHandler() error = %v", err)
 	}
+	if !outpostPartialUpdateCalled {
+		t.Fatal("expected Authentik outpost partial update call")
+	}
+	if !destroyCalled {
+		t.Fatal("expected Authentik destroy call")
+	}
+
+	got := getProxyProvider(t, ctrl, pp.Namespace, pp.Name)
+	if slices.Contains(got.Finalizers, DeleteAuthentikProxyProviderFinalizer) {
+		t.Fatalf("finalizers = %v, want finalizer removed", got.Finalizers)
+	}
+}
+
+func TestController_syncHandler_delete_providerNotInOutpost(t *testing.T) {
+	now := metav1.Now()
+	pp := testProxyProvider()
+	pp.Status.PK = "42"
+	pp.DeletionTimestamp = &now
+	pp.Finalizers = []string{DeleteAuthentikProxyProviderFinalizer}
+
+	var outpostPartialUpdateCalled, destroyCalled bool
+	server := newAuthentikTestServer(t, authentikTestHandlers{
+		outpostRetrieve: outpostRetrieveHandler(t, nil),
+		outpostPartialUpdate: func(w http.ResponseWriter, _ *http.Request) {
+			outpostPartialUpdateCalled = true
+		},
+		proxyDestroy: func(w http.ResponseWriter, _ *http.Request) {
+			destroyCalled = true
+			w.WriteHeader(http.StatusNoContent)
+		},
+	})
+	t.Cleanup(server.Close)
+
+	ctrl, ctx, cancel := newTestController(t, pp, server.URL)
+	t.Cleanup(cancel)
+
+	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: pp.Namespace, Name: pp.Name})
+	if err != nil {
+		t.Fatalf("syncHandler() error = %v", err)
+	}
+	if outpostPartialUpdateCalled {
+		t.Fatal("did not expect Authentik outpost partial update when provider is not in outpost")
+	}
 	if !destroyCalled {
 		t.Fatal("expected Authentik destroy call")
 	}
@@ -158,6 +286,7 @@ func TestController_syncHandler_delete(t *testing.T) {
 }
 
 func TestController_syncHandler_delete_providerAlreadyGone(t *testing.T) {
+	const wantPK int32 = 42
 	now := metav1.Now()
 	pp := testProxyProvider()
 	pp.Status.PK = "42"
@@ -165,6 +294,16 @@ func TestController_syncHandler_delete_providerAlreadyGone(t *testing.T) {
 	pp.Finalizers = []string{DeleteAuthentikProxyProviderFinalizer}
 
 	server := newAuthentikTestServer(t, authentikTestHandlers{
+		outpostRetrieve: outpostRetrieveHandler(t, []int32{wantPK}),
+		outpostPartialUpdate: func(w http.ResponseWriter, r *http.Request) {
+			var body struct {
+				Providers []int32 `json:"providers"`
+			}
+			if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+				t.Fatalf("decode outpost patch body: %v", err)
+			}
+			writeJSON(t, w, http.StatusOK, map[string]any{"pk": testOutpostID, "providers": body.Providers})
+		},
 		proxyDestroy: func(w http.ResponseWriter, _ *http.Request) {
 			http.NotFound(w, nil)
 		},
@@ -218,20 +357,6 @@ func TestController_syncHandler_invalidPK(t *testing.T) {
 	}
 }
 
-func TestController_enqueueProxyProvider(t *testing.T) {
-	server := newAuthentikTestServer(t, authentikTestHandlers{})
-	t.Cleanup(server.Close)
-
-	ctrl, _, cancel := newTestController(t, testProxyProvider(), server.URL)
-	t.Cleanup(cancel)
-
-	ctrl.enqueueProxyProvider(testProxyProvider())
-
-	if ctrl.workqueue.Len() != 1 {
-		t.Fatalf("workqueue length = %d, want 1", ctrl.workqueue.Len())
-	}
-}
-
 // --- test helpers ---
 
 func testProxyProvider() *v1alpha1.ProxyProvider {
@@ -249,11 +374,12 @@ func testProxyProvider() *v1alpha1.ProxyProvider {
 			AuthorizationFlow: "flow-auth",
 			InvalidationFlow:  "flow-invalidate",
 			ExternalHost:      "https://app.example.com",
+			Outpost:           testOutpostID,
 		},
 	}
 }
 
-func newTestController(t *testing.T, pp *v1alpha1.ProxyProvider, authentikURL string) (*Controller, context.Context, context.CancelFunc) {
+func newTestController(t *testing.T, pp *v1alpha1.ProxyProvider, authentikURL string) (*ProxyProviderController, context.Context, context.CancelFunc) {
 	t.Helper()
 	ctx, cancel := context.WithCancel(context.Background())
 	ctrl, _, stop := newTestControllerWithContext(t, ctx, pp, authentikURL)
@@ -263,7 +389,7 @@ func newTestController(t *testing.T, pp *v1alpha1.ProxyProvider, authentikURL st
 	}
 }
 
-func newTestControllerWithContext(t *testing.T, ctx context.Context, pp *v1alpha1.ProxyProvider, authentikURL string) (*Controller, context.Context, func()) {
+func newTestControllerWithContext(t *testing.T, ctx context.Context, pp *v1alpha1.ProxyProvider, authentikURL string) (*ProxyProviderController, context.Context, func()) {
 	t.Helper()
 
 	authentikClient := newAuthentikAPIClientForTest(t, authentikURL)
@@ -305,10 +431,22 @@ func newAuthentikAPIClientForTest(t *testing.T, serverURL string) *authentikapi.
 }
 
 type authentikTestHandlers struct {
-	proxyCreate        http.HandlerFunc
+	proxyCreate          http.HandlerFunc
-	proxyDestroy       http.HandlerFunc
+	proxyDestroy         http.HandlerFunc
-	proxyPartialUpdate http.HandlerFunc
+	proxyPartialUpdate   http.HandlerFunc
-	allRetrieve        http.HandlerFunc
+	allRetrieve          http.HandlerFunc
+	outpostRetrieve      http.HandlerFunc
+	outpostPartialUpdate http.HandlerFunc
+}
+
+func outpostRetrieveHandler(t *testing.T, providers []int32) http.HandlerFunc {
+	t.Helper()
+	return func(w http.ResponseWriter, _ *http.Request) {
+		writeJSON(t, w, http.StatusOK, map[string]any{
+			"pk":        testOutpostID,
+			"providers": providers,
+		})
+	}
 }
 
 func newAuthentikTestServer(t *testing.T, handlers authentikTestHandlers) *httptest.Server {
@@ -355,6 +493,30 @@ func newAuthentikTestServer(t *testing.T, handlers authentikTestHandlers) *httpt
 			}
 			http.NotFound(w, r)
 
+		case strings.HasPrefix(path, "/api/v3/outposts/instances/") && strings.HasSuffix(path, "/"):
+			idPath := strings.TrimPrefix(path, "/api/v3/outposts/instances/")
+			idPath = strings.TrimSuffix(idPath, "/")
+			if idPath == "" || strings.Contains(idPath, "/") {
+				http.NotFound(w, r)
+				return
+			}
+			switch r.Method {
+			case http.MethodGet:
+				if handlers.outpostRetrieve != nil {
+					handlers.outpostRetrieve(w, r)
+					return
+				}
+				http.NotFound(w, r)
+			case http.MethodPatch:
+				if handlers.outpostPartialUpdate != nil {
+					handlers.outpostPartialUpdate(w, r)
+					return
+				}
+				http.NotFound(w, r)
+			default:
+				http.Error(w, "unexpected method on outpost instance", http.StatusMethodNotAllowed)
+			}
+
 		default:
 			http.NotFound(w, r)
 		}
@@ -372,7 +534,7 @@ func writeJSON(t *testing.T, w http.ResponseWriter, status int, body any) {
 	}
 }
 
-func getProxyProvider(t *testing.T, ctrl *Controller, namespace, name string) *v1alpha1.ProxyProvider {
+func getProxyProvider(t *testing.T, ctrl *ProxyProviderController, namespace, name string) *v1alpha1.ProxyProvider {
 	t.Helper()
 
 	got, err := ctrl.proxyProviderClientset.ProxyproviderV1alpha1().ProxyProviders(namespace).Get(

pkg/generated/applyconfiguration/proxyprovider/v1alpha1/proxyproviderspec.go

@@ -25,6 +25,7 @@ type ProxyProviderSpecApplyConfiguration struct {
 	AuthorizationFlow *string `json:"authorization_flow,omitempty"`
 	InvalidationFlow  *string `json:"invalidation_flow,omitempty"`
 	ExternalHost      *string `json:"external_host,omitempty"`
+	Outpost           *string `json:"outpost,omitempty"`
 }
 
 // ProxyProviderSpecApplyConfiguration constructs a declarative configuration of the ProxyProviderSpec type for use with
@@ -64,3 +65,11 @@ func (b *ProxyProviderSpecApplyConfiguration) WithExternalHost(value string) *Pr
 	b.ExternalHost = &value
 	return b
 }
+
+// WithOutpost sets the Outpost field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Outpost field is set to the value of the last call.
+func (b *ProxyProviderSpecApplyConfiguration) WithOutpost(value string) *ProxyProviderSpecApplyConfiguration {
+	b.Outpost = &value
+	return b
+}

pkg/generated/openapi/zz_generated.openapi.go

@@ -363,9 +363,8 @@ func schema_pkg_apis_policybinding_v1alpha1_PolicyBindingSpec(ref common.Referen
 					},
 					"user": {
 						SchemaProps: spec.SchemaProps{
-							Default: 0,
+							Type:   []string{"integer"},
-							Type:    []string{"integer"},
+							Format: "int32",
-							Format:  "int32",
 						},
 					},
 					"target": {
@@ -383,7 +382,7 @@ func schema_pkg_apis_policybinding_v1alpha1_PolicyBindingSpec(ref common.Referen
 						},
 					},
 				},
-				Required: []string{"user", "target", "order"},
+				Required: []string{"target", "order"},
 			},
 		},
 	}
@@ -537,8 +536,15 @@ func schema_pkg_apis_proxyprovider_v1alpha1_ProxyProviderSpec(ref common.Referen
 							Format:  "",
 						},
 					},
+					"outpost": {
+						SchemaProps: spec.SchemaProps{
+							Default: "",
+							Type:    []string{"string"},
+							Format:  "",
+						},
+					},
 				},
-				Required: []string{"name", "authorization_flow", "invalidation_flow", "external_host"},
+				Required: []string{"name", "authorization_flow", "invalidation_flow", "external_host", "outpost"},
 			},
 		},
 	}
@@ -3057,7 +3063,7 @@ func schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref common.ReferenceCall
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\"\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\"\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)",
+				Description: "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)",
 				Type:        []string{"object"},
 			},
 		},
@@ -3068,7 +3074,7 @@ func schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref common.ReferenceCallback
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "TypeMeta is shared by all top level objects. The proper way to use it is to inline it in your type, like this:\n\n\ttype MyAwesomeAPIObject struct {\n\t     runtime.TypeMeta    `json:\"\"`\n\t     ... // other fields\n\t}\n\nfunc (obj *MyAwesomeAPIObject) SetGroupVersionKind(gvk *metav1.GroupVersionKind) { metav1.UpdateTypeMeta(obj,gvk) }; GroupVersionKind() *GroupVersionKind\n\nTypeMeta is provided here for convenience. You may use it directly from this package or define your own with the same fields.",
+				Description: "TypeMeta is shared by all top level objects. The proper way to use it is to inline it in your type, like this:\n\n\ttype MyAwesomeAPIObject struct {\n\t     runtime.TypeMeta    `json:\",inline\"`\n\t     ... // other fields\n\t}\n\nfunc (obj *MyAwesomeAPIObject) SetGroupVersionKind(gvk *metav1.GroupVersionKind) { metav1.UpdateTypeMeta(obj,gvk) }; GroupVersionKind() *GroupVersionKind\n\nTypeMeta is provided here for convenience. You may use it directly from this package or define your own with the same fields.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"apiVersion": {