ci: fix ref to local workflows

update docs
ci: add base
2026-05-17 10:46:10 +02:00 · 2026-05-16 20:12:43 +02:00 · 2026-05-16 20:07:04 +02:00 · 2026-05-16 19:49:27 +02:00 · 2026-05-16 19:28:24 +02:00 · 2026-05-15 19:01:18 +02:00
60 changed files with 1663 additions and 1752 deletions
@@ -0,0 +1,16 @@
 name: Go Cache Key
 description: Create a cache key for Go dependencies
 outputs:
  hash:
    description: The cache key for Go dependencies
    value: ${{ steps.hash-go.outputs.hash }}
 runs:
  using: composite
  steps:
    - name: Create cache key
      shell: bash
      id: hash-go
      run: |
        echo "hash=$(sha256sum go.mod go.sum | sha256sum | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
@@ -8,30 +8,44 @@ env:
  RUNNER_TOOL_CACHE: /toolcache
 jobs:
  install-dependencies:
    uses: ./.gitea/workflows/install-go-dependencies.yaml
  build-check:
    name: build check
    needs: install-dependencies
    uses: ./.gitea/workflows/run-go-script.yaml
    with:
      script: build
  check-format:
    name: check format
    needs: install-dependencies
    uses: ./.gitea/workflows/run-go-script.yaml
    with:
      script: check-format
  check-lint:
    name: check lint
    needs: install-dependencies
    uses: ./.gitea/workflows/run-go-script.yaml
    with:
      script: lint
  test:
    name: test
    needs: install-dependencies
    uses: ./.gitea/workflows/run-go-script.yaml
    with:
      script: test
  image-check:
    name: image check
    runs-on:
      - ubuntu-latest
      - linux_amd64
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Setup go
+      - name: Build image
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        run: make build-image
        with:
          go-version-file: go.mod
          check-latest: true
      - name: Create cache key
        id: hash-go
        run: echo "hash=$(sha256sum go.mod go.sum | sha256sum | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
      - name: cache go
        id: cache-go
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
        with:
          path: |
            /go_path
            /go_cache
          key: go_path-${{ steps.hash-go.outputs.hash }}
          restore-keys: |-
            go_cache-${{ steps.hash-go.outputs.hash }}
      - name: build
        run: make build
@@ -0,0 +1,33 @@
 name: Install Go Dependencies
 on:
  workflow_call:
 jobs:
  install-dependencies:
    runs-on:
      - ubuntu-latest
      - linux_amd64
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: go.mod
          check-latest: true
      - name: Create cache key
        id: go-cache-key
        uses: ./.gitea/actions/go-cache-key
      - name: cache go
        id: cache-go
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            /go_path
            /go_cache
          key: go_path-${{ steps.go-cache-key.outputs.hash }}
          restore-keys: |-
            go_cache-${{ steps.go-cache-key.outputs.hash }}
      - name: Download dependencies
        run: go mod download
@@ -0,0 +1,38 @@
 name: Run Go Script
 on:
  workflow_call:
    inputs:
      script:
        description: The script to run
        required: true
        type: string
 jobs:
  run-script:
    runs-on:
      - ubuntu-latest
      - linux_amd64
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version-file: go.mod
          check-latest: true
      - name: Create cache key
        id: go-cache-key
        uses: ./.gitea/actions/go-cache-key
      - name: Install dependencies from Cache
        id: cache-go
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            /go_path
            /go_cache
          key: go_path-${{ steps.go-cache-key.outputs.hash }}
          restore-keys: |-
            go_cache-${{ steps.go-cache-key.outputs.hash }}
      - name: Run script
        run: make ${{ inputs.script }}
@@ -14,6 +14,7 @@
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
 lcov.info
 # Dependency directories (remove the comment below to include it)
 # vendor/
@@ -25,3 +26,9 @@ go.work.sum
 # env file
 .env
 # vendor directory
 vendor/
 # build artifacts
 main
 __debug_bin*
@@ -0,0 +1,3 @@
 [submodule "code-generator"]
 	path = code-generator
 	url = https://github.com/kubernetes/code-generator.git
@@ -0,0 +1,14 @@
 {
  "version": "0.2.0",
  "configurations": [
    {
      "name": "Launch Package",
      "type": "go",
      "request": "launch",
      "mode": "auto",
      "program": "${fileDirname}",
      "args": ["--kubeconfig=/home/tbehrendt/.kube/config"],
      "envFile": ".env"
    }
  ]
 }
@@ -1,9 +1,40 @@
 ifneq (,$(wildcard ./.env))
    include .env
    export
 endif
 .PHONY: build run codegen build-image test test-unit test-coverage lint format check-format
 build:
-	go build
+	go build -o main
 build-image:
 	docker build -t authentik-kubernetes-operator:latest .
 run:
 	make build
-	./main
+	./main --kubeconfig=/home/tbehrendt/.kube/config
 codegen:
-	./hack/update-codegen.sh
+	./scripts/codegen.sh
 test: test-unit test-coverage
 test-unit:
 	go test . -coverprofile=coverage.out
 test-coverage:
 	go tool gcov2lcov -infile coverage.out > lcov.info
 lint:
 	go vet ./...
 format:
 	gofmt -w .
 check-format:
 	@OUTPUT=$$(gofmt -l .); \
 	if [ -n "$$OUTPUT" ]; then \
 		echo "Formatter failed for:"; \
 		echo "$$OUTPUT"; \
 		exit 1; \
 	fi
@@ -2,4 +2,56 @@
 Authentik Kubernetes Operator allows to manage Authentik resources directly in Kubernetes using Custom Kubernetes Resources.
-## Features
+The custom resources of this operator ultimately will mirror the Authentik resources. New resources will be added as there is a need for them.
 Manual changes to the resources in Authentik will be overwritten by the operator. So always manage the resources in Kubernetes.
 ## Custom Resources
 | Custom Resource | CRD File                                                   | Short Name |
 | --------------- | ---------------------------------------------------------- | ---------- |
 | ProxyProvider   | [`proxyProvider.yaml`](`artifacts/crd/proxyProvider.yaml`) | pp         |
 ### ProxyProvider
 Currently only the "Forward Single" ProxyProvider is supported and only a reduced set of fields are exposed by the custom resources.
 Example [`proxyProvider.yaml`](`artifacts/examples/proxyProvider.yaml`):
 ```yaml
 apiVersion: proxyprovider.t000-n.de/v1alpha1
 kind: ProxyProvider
 metadata:
  name: proxy-provider-example
  namespace: kube-system
 spec:
  name: proxy-provider-example
  # The ID of the authorization flow. In this example: "default-provider-authorization-implicit-consent (Authorize Application)"
  authorization_flow: 16896c6d-b326-42d1-8d3f-93f32921962e
  # The ID of the invalidation flow. In this example: "default-provider-invalidation-flow (Logged out of application)"
  invalidation_flow: 7acac1ef-19e3-4a6f-8d8d-14ca7031d184
  # The external host of your application.
  external_host: https://example.t00n.de
 ```
 The ProxyProvider will be created in Authentik, but will not be assigned to an outpost or an application (Resources are TBD).
 ## Versioning
 As soon as the operator covers an entire use case, the version will be raised to v1 and follow default versioning rules. Before that, the version will be v1alpha1.
 ## Development
 ### Guidelines & Tips
 - Only do a single reconciliation at a time and then return.
  - This is because your references from the k8s API get stale after each update.
  - Whenever you update a resource, k8s API will send a new event to your controller, which will trigger a new reconciliation.
 - The API will periodically send a resource to the controller for re-syncing, giving the controller a chance to reconcile the state with the outside world.
 - Use finalizers to ensure that the controller gets a chance to reconcile the state with the outside world before the object is deleted. If no finalizer is present, the object is deleted immediately without the controller seeing it.
 - Use the resource's state to keep track of the current state of the outside world, e.g. identifiers of external resources, etc.
 ### References
 - [Extend Kubernetes](https://kubernetes.io/docs/concepts/extend-kubernetes/#api-extensions)
 - [Example Controller Implementation](https://github.com/kubernetes/sample-controller)
@@ -0,0 +1,51 @@
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: proxyproviders.proxyprovider.t000-n.de
  finalizers:
    - proxyprovider.t000-n.de/delete-authentik-proxyprovider
 spec:
  group: proxyprovider.t000-n.de
  versions:
    - name: v1alpha1
      served: true
      storage: true
      subresources:
        status: {}
      additionalPrinterColumns:
        - name: PK
          type: string
          jsonPath: .status.pk
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              properties:
                name:
                  type: string
                authorization_flow:
                  type: string
                invalidation_flow:
                  type: string
                external_host:
                  type: string
              required:
                - name
                - authorization_flow
                - invalidation_flow
                - external_host
            status:
              type: object
              properties:
                pk:
                  type: string
              required:
                - pk
  names:
    kind: ProxyProvider
    plural: proxyproviders
    shortNames:
      - pp
  scope: Namespaced
@@ -1,41 +0,0 @@
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: foos.samplecontroller.k8s.io
  # for more information on the below annotation, please see
  # https://github.com/kubernetes/enhancements/blob/master/keps/sig-api-machinery/2337-k8s.io-group-protection/README.md
  annotations:
    "api-approved.kubernetes.io": "unapproved, experimental-only; please get an approval from Kubernetes API reviewers if you're trying to develop a CRD in the *.k8s.io or *.kubernetes.io groups"
 spec:
  group: samplecontroller.k8s.io
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        # schema used for validation
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              properties:
                deploymentName:
                  type: string
                replicas:
                  type: integer
                  minimum: 1
                  maximum: 10
            status:
              type: object
              properties:
                availableReplicas:
                  type: integer
      # subresources for the custom resource
      subresources:
        # enables the status subresource
        status: {}
  names:
    kind: Foo
    plural: foos
  scope: Namespaced
@@ -1,37 +0,0 @@
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
  name: foos.samplecontroller.k8s.io
  # for more information on the below annotation, please see
  # https://github.com/kubernetes/enhancements/blob/master/keps/sig-api-machinery/2337-k8s.io-group-protection/README.md
  annotations:
    "api-approved.kubernetes.io": "unapproved, experimental-only; please get an approval from Kubernetes API reviewers if you're trying to develop a CRD in the *.k8s.io or *.kubernetes.io groups"
 spec:
  group: samplecontroller.k8s.io
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        # schema used for validation
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              properties:
                deploymentName:
                  type: string
                replicas:
                  type: integer
                  minimum: 1
                  maximum: 10
            status:
              type: object
              properties:
                availableReplicas:
                  type: integer
  names:
    kind: Foo
    plural: foos
  scope: Namespaced
@@ -1,7 +0,0 @@
 apiVersion: samplecontroller.k8s.io/v1alpha1
 kind: Foo
 metadata:
  name: example-foo
 spec:
  deploymentName: example-foo
  replicas: 1
@@ -0,0 +1,11 @@
 # Example ProxyProvider CRD
 apiVersion: proxyprovider.t000-n.de/v1alpha1
 kind: ProxyProvider
 metadata:
  name: proxy-provider-example
  namespace: kube-system
 spec:
  name: proxy-provider-example
  authorization_flow: 16896c6d-b326-42d1-8d3f-93f32921962e
  invalidation_flow: 7acac1ef-19e3-4a6f-8d8d-14ca7031d184
  external_host: https://example.t00n.de
@@ -19,88 +19,71 @@ package main
 import (
 	"context"
 	"fmt"
 	"net/http"
 	"slices"
 	"strconv"
 	"time"
 	"golang.org/x/time/rate"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
 	appsinformers "k8s.io/client-go/informers/apps/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/scheme"
 	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
 	appslisters "k8s.io/client-go/listers/apps/v1"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/client-go/util/workqueue"
 	"k8s.io/klog/v2"
-	samplev1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/samplecontroller/v1alpha1"
+	v1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1"
 	clientset "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned"
-	samplescheme "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned/scheme"
+	operatorscheme "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned/scheme"
-	informers "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/informers/externalversions/samplecontroller/v1alpha1"
+	informers "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/informers/externalversions/proxyprovider/v1alpha1"
-	listers "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/listers/samplecontroller/v1alpha1"
+	listers "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/listers/proxyprovider/v1alpha1"
 	authentikapi "goauthentik.io/api/v3"
 )
-const controllerAgentName = "sample-controller"
+const controllerAgentName = "proxy-provider-controller"
 const (
 	// SuccessSynced is used as part of the Event 'reason' when a Foo is synced
 	SuccessSynced         = "Synced"
 	// ErrResourceExists is used as part of the Event 'reason' when a Foo fails
 	// to sync due to a Deployment of the same name already existing.
 	ErrResourceExists     = "ErrResourceExists"
-
+	MessageResourceExists = "Resource %q already exists and is not managed by ProxyProvider"
-	// MessageResourceExists is the message used for Events when a resource
+	MessageResourceSynced = "ProxyProvider synced successfully"
 	// fails to sync due to a Deployment already existing
 	MessageResourceExists = "Resource %q already exists and is not managed by Foo"
 	// MessageResourceSynced is the message used for an Event fired when a Foo
 	// is synced successfully
 	MessageResourceSynced = "Foo synced successfully"
 	// FieldManager distinguishes this controller from other things writing to API objects
 	FieldManager          = controllerAgentName
 )
-// Controller is the controller implementation for Foo resources
+// Finalizers
 const (
 	DeleteAuthentikProxyProviderFinalizer = "proxyprovider.t000-n.de/delete-authentik-proxyprovider"
 )
 type Controller struct {
 	// kubeclientset is a standard kubernetes clientset
 	kubeclientset          kubernetes.Interface
-	// sampleclientset is a clientset for our own API group
+	proxyProviderClientset clientset.Interface
-	sampleclientset clientset.Interface
+	authentik              *authentikapi.APIClient
-	deploymentsLister appslisters.DeploymentLister
+	proxyLister listers.ProxyProviderLister
-	deploymentsSynced cache.InformerSynced
+	proxySynced cache.InformerSynced
 	foosLister        listers.FooLister
 	foosSynced        cache.InformerSynced
 	// workqueue is a rate limited work queue. This is used to queue work to be
 	// processed instead of performing it as soon as a change happens. This
 	// means we can ensure we only process a fixed amount of resources at a
 	// time, and makes it easy to ensure we are never processing the same item
 	// simultaneously in two different workers.
 	workqueue workqueue.TypedRateLimitingInterface[cache.ObjectName]
 	// recorder is an event recorder for recording Event resources to the
 	// Kubernetes API.
 	recorder  record.EventRecorder
 }
 // NewController returns a new sample controller
 func NewController(
 	ctx context.Context,
 	kubeclientset kubernetes.Interface,
-	sampleclientset clientset.Interface,
+	proxyProviderClientset clientset.Interface,
-	deploymentInformer appsinformers.DeploymentInformer,
+	authentik *authentikapi.APIClient,
-	fooInformer informers.FooInformer) *Controller {
+	proxyInformer informers.ProxyProviderInformer,
 ) *Controller {
 	logger := klog.FromContext(ctx)
-	// Create event broadcaster
+	utilruntime.Must(operatorscheme.AddToScheme(scheme.Scheme))
 	// Add sample-controller types to the default Kubernetes Scheme so Events can be
 	// logged for sample-controller types.
 	utilruntime.Must(samplescheme.AddToScheme(scheme.Scheme))
 	logger.V(4).Info("Creating event broadcaster")
 	eventBroadcaster := record.NewBroadcaster(record.WithContext(ctx))
@@ -112,70 +95,40 @@ func NewController(
 		&workqueue.TypedBucketRateLimiter[cache.ObjectName]{Limiter: rate.NewLimiter(rate.Limit(50), 300)},
 	)
-	controller := &Controller{
+	c := &Controller{
 		kubeclientset:          kubeclientset,
-		sampleclientset:   sampleclientset,
+		proxyProviderClientset: proxyProviderClientset,
-		deploymentsLister: deploymentInformer.Lister(),
+		authentik:              authentik,
-		deploymentsSynced: deploymentInformer.Informer().HasSynced,
+		proxyLister:            proxyInformer.Lister(),
-		foosLister:        fooInformer.Lister(),
+		proxySynced:            proxyInformer.Informer().HasSynced,
 		foosSynced:        fooInformer.Informer().HasSynced,
 		workqueue:              workqueue.NewTypedRateLimitingQueue(ratelimiter),
 		recorder:               recorder,
 	}
 	logger.Info("Setting up event handlers")
-	// Set up an event handler for when Foo resources change
+	proxyInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
-	fooInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
+		AddFunc: c.enqueueProxyProvider,
-		AddFunc: controller.enqueueFoo,
+		UpdateFunc: func(_, newObj interface{}) {
-		UpdateFunc: func(old, new interface{}) {
+			c.enqueueProxyProvider(newObj)
 			controller.enqueueFoo(new)
 		},
 	})
 	// Set up an event handler for when Deployment resources change. This
 	// handler will lookup the owner of the given Deployment, and if it is
 	// owned by a Foo resource then the handler will enqueue that Foo resource for
 	// processing. This way, we don't need to implement custom logic for
 	// handling Deployment resources. More info on this pattern:
 	// https://github.com/kubernetes/community/blob/8cafef897a22026d42f5e5bb3f104febe7e29830/contributors/devel/controllers.md
 	deploymentInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
 		AddFunc: controller.handleObject,
 		UpdateFunc: func(old, new interface{}) {
 			newDepl := new.(*appsv1.Deployment)
 			oldDepl := old.(*appsv1.Deployment)
 			if newDepl.ResourceVersion == oldDepl.ResourceVersion {
 				// Periodic resync will send update events for all known Deployments.
 				// Two different versions of the same Deployment will always have different RVs.
 				return
 			}
 			controller.handleObject(new)
 		},
 		DeleteFunc: controller.handleObject,
 	})
-	return controller
+	return c
 }
 // Run will set up the event handlers for types we are interested in, as well
 // as syncing informer caches and starting workers. It will block until stopCh
 // is closed, at which point it will shutdown the workqueue and wait for
 // workers to finish processing their current work items.
 func (c *Controller) Run(ctx context.Context, workers int) error {
 	defer utilruntime.HandleCrash()
 	defer c.workqueue.ShutDown()
 	logger := klog.FromContext(ctx)
-	// Start the informer factories to begin populating the informer caches
+	logger.Info("Starting ProxyProvider controller")
 	logger.Info("Starting Foo controller")
 	// Wait for the caches to be synced before starting workers
 	logger.Info("Waiting for informer caches to sync")
-
+	if ok := cache.WaitForCacheSync(ctx.Done(), c.proxySynced); !ok {
 	if ok := cache.WaitForCacheSync(ctx.Done(), c.deploymentsSynced, c.foosSynced); !ok {
 		return fmt.Errorf("failed to wait for caches to sync")
 	}
 	logger.Info("Starting workers", "count", workers)
 	// Launch two workers to process Foo resources
 	for i := 0; i < workers; i++ {
 		go wait.UntilWithContext(ctx, c.runWorker, time.Second)
 	}
@@ -183,239 +136,161 @@ func (c *Controller) Run(ctx context.Context, workers int) error {
 	logger.Info("Started workers")
 	<-ctx.Done()
 	logger.Info("Shutting down workers")
 	return nil
 }
 // runWorker is a long-running function that will continually call the
 // processNextWorkItem function in order to read and process a message on the
 // workqueue.
 func (c *Controller) runWorker(ctx context.Context) {
 	for c.processNextWorkItem(ctx) {
 	}
 }
 // processNextWorkItem will read a single work item off the workqueue and
 // attempt to process it, by calling the syncHandler.
 func (c *Controller) processNextWorkItem(ctx context.Context) bool {
 	objRef, shutdown := c.workqueue.Get()
 	logger := klog.FromContext(ctx)
 	if shutdown {
 		return false
 	}
 	// We call Done at the end of this func so the workqueue knows we have
 	// finished processing this item. We also must remember to call Forget
 	// if we do not want this work item being re-queued. For example, we do
 	// not call Forget if a transient error occurs, instead the item is
 	// put back on the workqueue and attempted again after a back-off
 	// period.
 	defer c.workqueue.Done(objRef)
 	// Run the syncHandler, passing it the structured reference to the object to be synced.
 	err := c.syncHandler(ctx, objRef)
 	if err == nil {
 		// If no error occurs then we Forget this item so it does not
 		// get queued again until another change happens.
 		c.workqueue.Forget(objRef)
 		logger.Info("Successfully synced", "objectName", objRef)
 		return true
 	}
 	// there was a failure so be sure to report it.  This method allows for
 	// pluggable error handling which can be used for things like
 	// cluster-monitoring.
 	utilruntime.HandleErrorWithContext(ctx, err, "Error syncing; requeuing for later retry", "objectReference", objRef)
 	// since we failed, we should requeue the item to work on later.  This
 	// method will add a backoff to avoid hotlooping on particular items
 	// (they're probably still not going to work right away) and overall
 	// controller protection (everything I've done is broken, this controller
 	// needs to calm down or it can starve other useful work) cases.
 	c.workqueue.AddRateLimited(objRef)
 	return true
 }
 // syncHandler compares the actual state with the desired, and attempts to
 // converge the two. It then updates the Status block of the Foo resource
 // with the current status of the resource.
 func (c *Controller) syncHandler(ctx context.Context, objectRef cache.ObjectName) error {
 	logger := klog.LoggerWithValues(klog.FromContext(ctx), "objectRef", objectRef)
-	// Get the Foo resource with this namespace/name
+	pp, err := c.proxyLister.ProxyProviders(objectRef.Namespace).Get(objectRef.Name)
 	foo, err := c.foosLister.Foos(objectRef.Namespace).Get(objectRef.Name)
 	if err != nil {
 		// The Foo resource may no longer exist, in which case we stop
 		// processing.
 		if errors.IsNotFound(err) {
-			utilruntime.HandleErrorWithContext(ctx, err, "Foo referenced by item in work queue no longer exists", "objectReference", objectRef)
+			logger.V(4).Info("ProxyProvider no longer exists")
 			return nil
 		}
 		return err
 	}
 	logger.V(4).Info("sync ProxyProvider", "name", pp.Name)
-	deploymentName := foo.Spec.DeploymentName
+	if !pp.ObjectMeta.DeletionTimestamp.IsZero() {
-	if deploymentName == "" {
+		logger.Info("Reconciling deletion of ProxyProvider", "name", pp.Name)
-		// We choose to absorb the error here as the worker would requeue the
+		return c.reconcileDelete(ctx, pp)
 		// resource otherwise. Instead, the next time the resource is updated
 		// the resource will be queued again.
 		utilruntime.HandleErrorWithContext(ctx, nil, "Deployment name missing from object reference", "objectReference", objectRef)
 		return nil
 	}
-	// Get the deployment with the name specified in Foo.spec
+	if pp.Status.PK == "" {
-	deployment, err := c.deploymentsLister.Deployments(foo.Namespace).Get(deploymentName)
+		logger.Info("Reconciling creation of ProxyProvider", "name", pp.Name)
-	// If the resource doesn't exist, we'll create it
+		return c.reconcileCreate(ctx, pp)
 	if errors.IsNotFound(err) {
 		deployment, err = c.kubeclientset.AppsV1().Deployments(foo.Namespace).Create(ctx, newDeployment(foo), metav1.CreateOptions{FieldManager: FieldManager})
 	}
-	// If an error occurs during Get/Create, we'll requeue the item so we can
+	// Check if all finalizers are present. If not, we add them. Same pattern as above, just needs a helper function to check for presence of a finalizer.
-	// attempt processing again later. This could have been caused by a
+	if !slices.Contains(pp.ObjectMeta.Finalizers, DeleteAuthentikProxyProviderFinalizer) {
-	// temporary network failure, or any other transient reason.
+		logger.Info("Ensuring finalizers are present", "name", pp.Name)
 		return c.ensureFinalizers(ctx, pp)
 	}
 	logger.Info("Reconciling update of ProxyProvider", "name", pp.Name)
 	return c.reconcileUpdate(ctx, pp)
 }
 func (c *Controller) ensureFinalizers(ctx context.Context, pp *v1alpha1.ProxyProvider) error {
 	pp.ObjectMeta.Finalizers = append(pp.ObjectMeta.Finalizers, DeleteAuthentikProxyProviderFinalizer)
 	return c.updateProxyProvider(ctx, pp)
 }
 func (c *Controller) reconcileDelete(ctx context.Context, pp *v1alpha1.ProxyProvider) error {
 	pk, err := strconv.ParseInt(pp.Status.PK, 10, 32)
 	if err != nil {
-		return err
+		return fmt.Errorf("error parsing PK: %v", err)
 	}
-	// If the Deployment is not controlled by this Foo resource, we should log
+	r, err := c.authentik.ProvidersApi.ProvidersProxyDestroy(ctx, int32(pk)).Execute()
 	// a warning to the event recorder and return error msg.
 	if !metav1.IsControlledBy(deployment, foo) {
 		msg := fmt.Sprintf(MessageResourceExists, deployment.Name)
 		c.recorder.Event(foo, corev1.EventTypeWarning, ErrResourceExists, msg)
 		return fmt.Errorf("%s", msg)
 	}
 	// If this number of the replicas on the Foo resource is specified, and the
 	// number does not equal the current desired replicas on the Deployment, we
 	// should update the Deployment resource.
 	if foo.Spec.Replicas != nil && *foo.Spec.Replicas != *deployment.Spec.Replicas {
 		logger.V(4).Info("Update deployment resource", "currentReplicas", *deployment.Spec.Replicas, "desiredReplicas", *foo.Spec.Replicas)
 		deployment, err = c.kubeclientset.AppsV1().Deployments(foo.Namespace).Update(ctx, newDeployment(foo), metav1.UpdateOptions{FieldManager: FieldManager})
 	}
 	// If an error occurs during Update, we'll requeue the item so we can
 	// attempt processing again later. This could have been caused by a
 	// temporary network failure, or any other transient reason.
 	if err != nil {
-		return err
+		// This handles an edge-case, where when the ProxyProvider on Authentik has already been deleted, but the finalizer is still present. We just remove the finalizer and return.
 		if r != nil && r.StatusCode != http.StatusNotFound {
 			return fmt.Errorf("error when calling `ProvidersAPI.ProvidersProxyDestroy`: %w with response %v", err, r)
 		}
 	}
-	// Finally, we update the status block of the Foo resource to reflect the
+	pp.ObjectMeta.Finalizers = slices.Delete(pp.ObjectMeta.Finalizers, slices.Index(pp.ObjectMeta.Finalizers, DeleteAuthentikProxyProviderFinalizer), 1)
-	// current state of the world
+	return c.updateProxyProvider(ctx, pp)
-	err = c.updateFooStatus(ctx, foo, deployment)
+}
 func (c *Controller) reconcileUpdate(ctx context.Context, pp *v1alpha1.ProxyProvider) error {
 	// We retrieve the existing PP from the API by slug.
 	pk, err := strconv.ParseInt(pp.Status.PK, 10, 32)
 	if err != nil {
-		return err
+		return fmt.Errorf("error parsing PK: %v", err)
 	}
 	_, r, err := c.authentik.ProvidersApi.ProvidersAllRetrieve(ctx, int32(pk)).Execute()
 	if err != nil {
 		if r != nil && r.StatusCode == http.StatusNotFound {
 			// This handles an edge-case, where when the PorxyProvider on Authentik has been deleted, e.g. by mistake. We just remove the PK and return.
 			// During the next reconciliation, the ProxyProvider will be re-created.
 			pp.Status.PK = ""
 			return c.updateProxyProviderStatus(ctx, pp)
 		}
 		return fmt.Errorf("error retrieving existing ProxyProvider: %v with response %v", err, r)
 	}
-	c.recorder.Event(foo, corev1.EventTypeNormal, SuccessSynced, MessageResourceSynced)
+	proxyProviderRequest := &authentikapi.PatchedProxyProviderRequest{
-	return nil
+		Name:              &pp.Spec.Name,
 		AuthorizationFlow: &pp.Spec.AuthorizationFlow,
 		InvalidationFlow:  &pp.Spec.InvalidationFlow,
 		ExternalHost:      &pp.Spec.ExternalHost,
 		Mode:              authentikapi.PROXYMODE_FORWARD_SINGLE.Ptr(),
 	}
 	resp, r, err := c.authentik.ProvidersApi.ProvidersProxyPartialUpdate(ctx, int32(pk)).PatchedProxyProviderRequest(*proxyProviderRequest).Execute()
 	if err != nil {
 		return fmt.Errorf("error when calling `ProvidersAPI.ProvidersProxyPartialUpdate`: %w with response %v", err, r)
 	}
-func (c *Controller) updateFooStatus(ctx context.Context, foo *samplev1alpha1.Foo, deployment *appsv1.Deployment) error {
+	pp.Status.PK = strconv.Itoa(int(resp.Pk))
-	// NEVER modify objects from the store. It's a read-only, local cache.
+
-	// You can use DeepCopy() to make a deep copy of original object and modify this copy
+	return c.updateProxyProviderStatus(ctx, pp)
 	// Or create a copy manually for better performance
 	fooCopy := foo.DeepCopy()
 	fooCopy.Status.AvailableReplicas = deployment.Status.AvailableReplicas
 	// If the CustomResourceSubresources feature gate is not enabled,
 	// we must use Update instead of UpdateStatus to update the Status block of the Foo resource.
 	// UpdateStatus will not allow changes to the Spec of the resource,
 	// which is ideal for ensuring nothing other than resource status has been updated.
 	_, err := c.sampleclientset.SamplecontrollerV1alpha1().Foos(foo.Namespace).UpdateStatus(ctx, fooCopy, metav1.UpdateOptions{FieldManager: FieldManager})
 	return err
 }
-// enqueueFoo takes a Foo resource and converts it into a namespace/name
+func (c *Controller) reconcileCreate(ctx context.Context, pp *v1alpha1.ProxyProvider) error {
-// string which is then put onto the work queue. This method should *not* be
+	proxyProviderRequest := &authentikapi.ProxyProviderRequest{
-// passed resources of any type other than Foo.
+		Name:              pp.Spec.Name,
-func (c *Controller) enqueueFoo(obj interface{}) {
+		AuthorizationFlow: pp.Spec.AuthorizationFlow,
-	if objectRef, err := cache.ObjectToName(obj); err != nil {
+		InvalidationFlow:  pp.Spec.InvalidationFlow,
 		ExternalHost:      pp.Spec.ExternalHost,
 		Mode:              authentikapi.PROXYMODE_FORWARD_SINGLE.Ptr(),
 	}
 	resp, r, err := c.authentik.ProvidersApi.ProvidersProxyCreate(ctx).ProxyProviderRequest(*proxyProviderRequest).Execute()
 	if err != nil {
 		return fmt.Errorf("error when calling `ProvidersAPI.ProvidersProxyCreate`: %w with response %v", err, r)
 	}
 	pp.Status.PK = strconv.Itoa(int(resp.Pk))
 	return c.updateProxyProviderStatus(ctx, pp)
 }
 func (c *Controller) enqueueProxyProvider(obj interface{}) {
 	objectRef, err := cache.ObjectToName(obj)
 	if err != nil {
 		utilruntime.HandleError(err)
 		return
-	} else {
+	}
 	c.workqueue.Add(objectRef)
 }
 func (c *Controller) updateProxyProviderStatus(ctx context.Context, pp *v1alpha1.ProxyProvider) error {
 	ppCopy := pp.DeepCopy()
 	_, err := c.proxyProviderClientset.ProxyproviderV1alpha1().ProxyProviders(ppCopy.Namespace).UpdateStatus(ctx, ppCopy, metav1.UpdateOptions{FieldManager: FieldManager})
 	return err
 }
-// handleObject will take any resource implementing metav1.Object and attempt
+// Update metadata, spec, etc. of the ProxyProvider object.
-// to find the Foo resource that 'owns' it. It does this by looking at the
+func (c *Controller) updateProxyProvider(ctx context.Context, pp *v1alpha1.ProxyProvider) error {
-// objects metadata.ownerReferences field for an appropriate OwnerReference.
+	ppCopy := pp.DeepCopy()
-// It then enqueues that Foo resource to be processed. If the object does not
+	_, err := c.proxyProviderClientset.ProxyproviderV1alpha1().ProxyProviders(ppCopy.Namespace).Update(ctx, ppCopy, metav1.UpdateOptions{FieldManager: FieldManager})
 // have an appropriate OwnerReference, it will simply be skipped.
 func (c *Controller) handleObject(obj interface{}) {
 	var object metav1.Object
 	var ok bool
 	logger := klog.FromContext(context.Background())
 	if object, ok = obj.(metav1.Object); !ok {
 		tombstone, ok := obj.(cache.DeletedFinalStateUnknown)
 		if !ok {
 			// If the object value is not too big and does not contain sensitive information then
 			// it may be useful to include it.
 			utilruntime.HandleErrorWithContext(context.Background(), nil, "Error decoding object, invalid type", "type", fmt.Sprintf("%T", obj))
 			return
 		}
 		object, ok = tombstone.Obj.(metav1.Object)
 		if !ok {
 			// If the object value is not too big and does not contain sensitive information then
 			// it may be useful to include it.
 			utilruntime.HandleErrorWithContext(context.Background(), nil, "Error decoding object tombstone, invalid type", "type", fmt.Sprintf("%T", tombstone.Obj))
 			return
 		}
 		logger.V(4).Info("Recovered deleted object", "resourceName", object.GetName())
 	}
 	logger.V(4).Info("Processing object", "object", klog.KObj(object))
 	if ownerRef := metav1.GetControllerOf(object); ownerRef != nil {
 		// If this object is not owned by a Foo, we should not do anything more
 		// with it.
 		if ownerRef.Kind != "Foo" {
 			return
 		}
 		foo, err := c.foosLister.Foos(object.GetNamespace()).Get(ownerRef.Name)
 	if err != nil {
-			logger.V(4).Info("Ignore orphaned object", "object", klog.KObj(object), "foo", ownerRef.Name)
+		return fmt.Errorf("error updating ProxyProvider metadata: %v", err)
 			return
 		}
 		c.enqueueFoo(foo)
 		return
 	}
 }
 // newDeployment creates a new Deployment for a Foo resource. It also sets
 // the appropriate OwnerReferences on the resource so handleObject can discover
 // the Foo resource that 'owns' it.
 func newDeployment(foo *samplev1alpha1.Foo) *appsv1.Deployment {
 	labels := map[string]string{
 		"app":        "nginx",
 		"controller": foo.Name,
 	}
 	return &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      foo.Spec.DeploymentName,
 			Namespace: foo.Namespace,
 			OwnerReferences: []metav1.OwnerReference{
 				*metav1.NewControllerRef(foo, samplev1alpha1.SchemeGroupVersion.WithKind("Foo")),
 			},
 		},
 		Spec: appsv1.DeploymentSpec{
 			Replicas: foo.Spec.Replicas,
 			Selector: &metav1.LabelSelector{
 				MatchLabels: labels,
 			},
 			Template: corev1.PodTemplateSpec{
 				ObjectMeta: metav1.ObjectMeta{
 					Labels: labels,
 				},
 				Spec: corev1.PodSpec{
 					Containers: []corev1.Container{
 						{
 							Name:  "nginx",
 							Image: "nginx:latest",
 						},
 					},
 				},
 			},
 		},
 	}
 	return nil
 }
@@ -1,316 +1,385 @@
-/*
+// AI generated tests and not yet reviewed.
 Copyright 2017 The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"context"
-	"fmt"
+	"encoding/json"
-	"reflect"
+	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"slices"
 	"strings"
 	"testing"
 	"time"
-	apps "k8s.io/api/apps/v1"
+	v1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1"
 	operatorfake "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned/fake"
 	operatorinformers "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/informers/externalversions"
 	authentikapi "goauthentik.io/api/v3"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/kubernetes/fake"
 	"k8s.io/apimachinery/pkg/util/diff"
 	kubeinformers "k8s.io/client-go/informers"
 	k8sfake "k8s.io/client-go/kubernetes/fake"
 	core "k8s.io/client-go/testing"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/klog/v2/ktesting"
 	"k8s.io/utils/ptr"
 	samplecontroller "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/samplecontroller/v1alpha1"
 	"gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned/fake"
 	informers "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/informers/externalversions"
 )
-var (
+func TestController_syncHandler_create(t *testing.T) {
-	alwaysReady        = func() bool { return true }
+	const wantPK = 42
 	noResyncPeriodFunc = func() time.Duration { return 0 }
 )
-type fixture struct {
+	server := newAuthentikTestServer(t, authentikTestHandlers{
-	t *testing.T
+		proxyCreate: func(w http.ResponseWriter, _ *http.Request) {
 			writeJSON(t, w, http.StatusCreated, map[string]any{"pk": wantPK})
 		},
 	})
 	t.Cleanup(server.Close)
-	client     *fake.Clientset
+	ctrl, ctx, cancel := newTestController(t, testProxyProvider(), server.URL)
-	kubeclient *k8sfake.Clientset
+	t.Cleanup(cancel)
-	// Objects to put in the store.
+
-	fooLister        []*samplecontroller.Foo
+	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: "default", Name: "test-pp"})
-	deploymentLister []*apps.Deployment
+	if err != nil {
-	// Actions expected to happen on the client.
+		t.Fatalf("syncHandler() error = %v", err)
 	kubeactions []core.Action
 	actions     []core.Action
 	// Objects from here preloaded into NewSimpleFake.
 	kubeobjects []runtime.Object
 	objects     []runtime.Object
 	}
-func newFixture(t *testing.T) *fixture {
+	got := getProxyProvider(t, ctrl, "default", "test-pp")
-	f := &fixture{}
+	if got.Status.PK != "42" {
-	f.t = t
+		t.Fatalf("status.pk = %q, want 42", got.Status.PK)
-	f.objects = []runtime.Object{}
+	}
 	f.kubeobjects = []runtime.Object{}
 	return f
 }
-func newFoo(name string, replicas *int32) *samplecontroller.Foo {
+func TestController_syncHandler_ensureFinalizers(t *testing.T) {
-	return &samplecontroller.Foo{
+	pp := testProxyProvider()
-		TypeMeta: metav1.TypeMeta{APIVersion: samplecontroller.SchemeGroupVersion.String()},
+	pp.Status.PK = "42"
 	server := newAuthentikTestServer(t, authentikTestHandlers{})
 	t.Cleanup(server.Close)
 	ctrl, ctx, cancel := newTestController(t, pp, server.URL)
 	t.Cleanup(cancel)
 	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: pp.Namespace, Name: pp.Name})
 	if err != nil {
 		t.Fatalf("syncHandler() error = %v", err)
 	}
 	got := getProxyProvider(t, ctrl, pp.Namespace, pp.Name)
 	if !slices.Contains(got.Finalizers, DeleteAuthentikProxyProviderFinalizer) {
 		t.Fatalf("finalizers = %v, want %q", got.Finalizers, DeleteAuthentikProxyProviderFinalizer)
 	}
 }
 func TestController_syncHandler_update(t *testing.T) {
 	pp := testProxyProvider()
 	pp.Status.PK = "42"
 	pp.Finalizers = []string{DeleteAuthentikProxyProviderFinalizer}
 	server := newAuthentikTestServer(t, authentikTestHandlers{
 		allRetrieve: func(w http.ResponseWriter, _ *http.Request) {
 			writeJSON(t, w, http.StatusOK, map[string]any{"pk": 42})
 		},
 		proxyPartialUpdate: func(w http.ResponseWriter, _ *http.Request) {
 			writeJSON(t, w, http.StatusOK, map[string]any{"pk": 42})
 		},
 	})
 	t.Cleanup(server.Close)
 	ctrl, ctx, cancel := newTestController(t, pp, server.URL)
 	t.Cleanup(cancel)
 	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: pp.Namespace, Name: pp.Name})
 	if err != nil {
 		t.Fatalf("syncHandler() error = %v", err)
 	}
 	got := getProxyProvider(t, ctrl, pp.Namespace, pp.Name)
 	if got.Status.PK != "42" {
 		t.Fatalf("status.pk = %q, want 42", got.Status.PK)
 	}
 }
 func TestController_syncHandler_update_providerNotFound(t *testing.T) {
 	pp := testProxyProvider()
 	pp.Status.PK = "42"
 	pp.Finalizers = []string{DeleteAuthentikProxyProviderFinalizer}
 	server := newAuthentikTestServer(t, authentikTestHandlers{
 		allRetrieve: func(w http.ResponseWriter, _ *http.Request) {
 			http.NotFound(w, nil)
 		},
 	})
 	t.Cleanup(server.Close)
 	ctrl, ctx, cancel := newTestController(t, pp, server.URL)
 	t.Cleanup(cancel)
 	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: pp.Namespace, Name: pp.Name})
 	if err != nil {
 		t.Fatalf("syncHandler() error = %v", err)
 	}
 	got := getProxyProvider(t, ctrl, pp.Namespace, pp.Name)
 	if got.Status.PK != "" {
 		t.Fatalf("status.pk = %q, want empty after provider not found", got.Status.PK)
 	}
 }
 func TestController_syncHandler_delete(t *testing.T) {
 	now := metav1.Now()
 	pp := testProxyProvider()
 	pp.Status.PK = "42"
 	pp.DeletionTimestamp = &now
 	pp.Finalizers = []string{DeleteAuthentikProxyProviderFinalizer}
 	var destroyCalled bool
 	server := newAuthentikTestServer(t, authentikTestHandlers{
 		proxyDestroy: func(w http.ResponseWriter, r *http.Request) {
 			destroyCalled = true
 			if r.Method != http.MethodDelete {
 				t.Errorf("destroy method = %s, want DELETE", r.Method)
 			}
 			w.WriteHeader(http.StatusNoContent)
 		},
 	})
 	t.Cleanup(server.Close)
 	ctrl, ctx, cancel := newTestController(t, pp, server.URL)
 	t.Cleanup(cancel)
 	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: pp.Namespace, Name: pp.Name})
 	if err != nil {
 		t.Fatalf("syncHandler() error = %v", err)
 	}
 	if !destroyCalled {
 		t.Fatal("expected Authentik destroy call")
 	}
 	got := getProxyProvider(t, ctrl, pp.Namespace, pp.Name)
 	if slices.Contains(got.Finalizers, DeleteAuthentikProxyProviderFinalizer) {
 		t.Fatalf("finalizers = %v, want finalizer removed", got.Finalizers)
 	}
 }
 func TestController_syncHandler_delete_providerAlreadyGone(t *testing.T) {
 	now := metav1.Now()
 	pp := testProxyProvider()
 	pp.Status.PK = "42"
 	pp.DeletionTimestamp = &now
 	pp.Finalizers = []string{DeleteAuthentikProxyProviderFinalizer}
 	server := newAuthentikTestServer(t, authentikTestHandlers{
 		proxyDestroy: func(w http.ResponseWriter, _ *http.Request) {
 			http.NotFound(w, nil)
 		},
 	})
 	t.Cleanup(server.Close)
 	ctrl, ctx, cancel := newTestController(t, pp, server.URL)
 	t.Cleanup(cancel)
 	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: pp.Namespace, Name: pp.Name})
 	if err != nil {
 		t.Fatalf("syncHandler() error = %v", err)
 	}
 	got := getProxyProvider(t, ctrl, pp.Namespace, pp.Name)
 	if slices.Contains(got.Finalizers, DeleteAuthentikProxyProviderFinalizer) {
 		t.Fatalf("finalizers = %v, want finalizer removed after 404", got.Finalizers)
 	}
 }
 func TestController_syncHandler_notFound(t *testing.T) {
 	server := newAuthentikTestServer(t, authentikTestHandlers{})
 	t.Cleanup(server.Close)
 	ctrl, ctx, cancel := newTestController(t, nil, server.URL)
 	t.Cleanup(cancel)
 	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: "default", Name: "missing"})
 	if err != nil {
 		t.Fatalf("syncHandler() error = %v, want nil for missing object", err)
 	}
 }
 func TestController_syncHandler_invalidPK(t *testing.T) {
 	pp := testProxyProvider()
 	pp.Status.PK = "not-a-number"
 	pp.Finalizers = []string{DeleteAuthentikProxyProviderFinalizer}
 	server := newAuthentikTestServer(t, authentikTestHandlers{})
 	t.Cleanup(server.Close)
 	ctrl, ctx, cancel := newTestController(t, pp, server.URL)
 	t.Cleanup(cancel)
 	err := ctrl.syncHandler(ctx, cache.ObjectName{Namespace: pp.Namespace, Name: pp.Name})
 	if err == nil {
 		t.Fatal("syncHandler() error = nil, want parse error")
 	}
 	if !strings.Contains(err.Error(), "error parsing PK") {
 		t.Fatalf("syncHandler() error = %v, want PK parse error", err)
 	}
 }
 func TestController_enqueueProxyProvider(t *testing.T) {
 	server := newAuthentikTestServer(t, authentikTestHandlers{})
 	t.Cleanup(server.Close)
 	ctrl, _, cancel := newTestController(t, testProxyProvider(), server.URL)
 	t.Cleanup(cancel)
 	ctrl.enqueueProxyProvider(testProxyProvider())
 	if ctrl.workqueue.Len() != 1 {
 		t.Fatalf("workqueue length = %d, want 1", ctrl.workqueue.Len())
 	}
 }
 // --- test helpers ---
 func testProxyProvider() *v1alpha1.ProxyProvider {
 	return &v1alpha1.ProxyProvider{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: v1alpha1.SchemeGroupVersion.String(),
 			Kind:       "ProxyProvider",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      name,
+			Name:      "test-pp",
-			Namespace: metav1.NamespaceDefault,
+			Namespace: "default",
 		},
-		Spec: samplecontroller.FooSpec{
+		Spec: v1alpha1.ProxyProviderSpec{
-			DeploymentName: fmt.Sprintf("%s-deployment", name),
+			Name:              "my-app",
-			Replicas:       replicas,
+			AuthorizationFlow: "flow-auth",
 			InvalidationFlow:  "flow-invalidate",
 			ExternalHost:      "https://app.example.com",
 		},
 	}
 }
-func (f *fixture) newController(ctx context.Context) (*Controller, informers.SharedInformerFactory, kubeinformers.SharedInformerFactory) {
+func newTestController(t *testing.T, pp *v1alpha1.ProxyProvider, authentikURL string) (*Controller, context.Context, context.CancelFunc) {
-	f.client = fake.NewClientset(f.objects...)
+	t.Helper()
-	f.kubeclient = k8sfake.NewClientset(f.kubeobjects...)
+	ctx, cancel := context.WithCancel(context.Background())
-
+	ctrl, _, stop := newTestControllerWithContext(t, ctx, pp, authentikURL)
-	i := informers.NewSharedInformerFactory(f.client, noResyncPeriodFunc())
+	return ctrl, ctx, func() {
-	k8sI := kubeinformers.NewSharedInformerFactory(f.kubeclient, noResyncPeriodFunc())
+		cancel()
-
+		stop()
 	c := NewController(ctx, f.kubeclient, f.client,
 		k8sI.Apps().V1().Deployments(), i.Samplecontroller().V1alpha1().Foos())
 	c.foosSynced = alwaysReady
 	c.deploymentsSynced = alwaysReady
 	c.recorder = &record.FakeRecorder{}
 	for _, f := range f.fooLister {
 		i.Samplecontroller().V1alpha1().Foos().Informer().GetIndexer().Add(f)
 	}
 	for _, d := range f.deploymentLister {
 		k8sI.Apps().V1().Deployments().Informer().GetIndexer().Add(d)
 	}
 	return c, i, k8sI
 }
 func (f *fixture) run(ctx context.Context, fooRef cache.ObjectName) {
 	f.runController(ctx, fooRef, true, false)
 }
 func (f *fixture) runExpectError(ctx context.Context, fooRef cache.ObjectName) {
 	f.runController(ctx, fooRef, true, true)
 }
 func (f *fixture) runController(ctx context.Context, fooRef cache.ObjectName, startInformers bool, expectError bool) {
 	c, i, k8sI := f.newController(ctx)
 	if startInformers {
 		i.Start(ctx.Done())
 		k8sI.Start(ctx.Done())
 	}
 	err := c.syncHandler(ctx, fooRef)
 	if !expectError && err != nil {
 		f.t.Errorf("error syncing foo: %v", err)
 	} else if expectError && err == nil {
 		f.t.Error("expected error syncing foo, got nil")
 	}
 	actions := filterInformerActions(f.client.Actions())
 	for i, action := range actions {
 		if len(f.actions) < i+1 {
 			f.t.Errorf("%d unexpected actions: %+v", len(actions)-len(f.actions), actions[i:])
 			break
 		}
 		expectedAction := f.actions[i]
 		checkAction(expectedAction, action, f.t)
 	}
 	if len(f.actions) > len(actions) {
 		f.t.Errorf("%d additional expected actions:%+v", len(f.actions)-len(actions), f.actions[len(actions):])
 	}
 	k8sActions := filterInformerActions(f.kubeclient.Actions())
 	for i, action := range k8sActions {
 		if len(f.kubeactions) < i+1 {
 			f.t.Errorf("%d unexpected actions: %+v", len(k8sActions)-len(f.kubeactions), k8sActions[i:])
 			break
 		}
 		expectedAction := f.kubeactions[i]
 		checkAction(expectedAction, action, f.t)
 	}
 	if len(f.kubeactions) > len(k8sActions) {
 		f.t.Errorf("%d additional expected actions:%+v", len(f.kubeactions)-len(k8sActions), f.kubeactions[len(k8sActions):])
 	}
 }
-// checkAction verifies that expected and actual actions are equal and both have
+func newTestControllerWithContext(t *testing.T, ctx context.Context, pp *v1alpha1.ProxyProvider, authentikURL string) (*Controller, context.Context, func()) {
-// same attached resources
+	t.Helper()
-func checkAction(expected, actual core.Action, t *testing.T) {
+
-	if !(expected.Matches(actual.GetVerb(), actual.GetResource().Resource) && actual.GetSubresource() == expected.GetSubresource()) {
+	authentikClient := newAuthentikAPIClientForTest(t, authentikURL)
-		t.Errorf("Expected\n\t%#v\ngot\n\t%#v", expected, actual)
+
 	var objects []runtime.Object
 	if pp != nil {
 		objects = append(objects, pp)
 	}
 	proxyClient := operatorfake.NewSimpleClientset(objects...)
 	informerFactory := operatorinformers.NewSharedInformerFactory(proxyClient, 0)
 	proxyInformer := informerFactory.Proxyprovider().V1alpha1().ProxyProviders()
 	ctrl := NewController(ctx, fake.NewClientset(), proxyClient, authentikClient, proxyInformer)
 	informerFactory.Start(ctx.Done())
 	for informerType, synced := range informerFactory.WaitForCacheSync(ctx.Done()) {
 		if !synced {
 			t.Fatalf("informer %v failed to sync", informerType)
 		}
 	}
 	return ctrl, ctx, func() {}
 }
 func newAuthentikAPIClientForTest(t *testing.T, serverURL string) *authentikapi.APIClient {
 	t.Helper()
 	u, err := url.Parse(serverURL)
 	if err != nil {
 		t.Fatalf("parse server URL: %v", err)
 	}
 	cfg := authentikapi.NewConfiguration()
 	cfg.Scheme = u.Scheme
 	cfg.Host = u.Host
 	return authentikapi.NewAPIClient(cfg)
 }
 type authentikTestHandlers struct {
 	proxyCreate        http.HandlerFunc
 	proxyDestroy       http.HandlerFunc
 	proxyPartialUpdate http.HandlerFunc
 	allRetrieve        http.HandlerFunc
 }
 func newAuthentikTestServer(t *testing.T, handlers authentikTestHandlers) *httptest.Server {
 	t.Helper()
 	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		path := r.URL.Path
 		switch {
 		case path == "/api/v3/providers/proxy/" && r.Method == http.MethodPost:
 			if handlers.proxyCreate != nil {
 				handlers.proxyCreate(w, r)
 				return
 			}
 			http.NotFound(w, r)
-	if reflect.TypeOf(actual) != reflect.TypeOf(expected) {
+		case strings.HasPrefix(path, "/api/v3/providers/proxy/") && strings.HasSuffix(path, "/"):
-		t.Errorf("Action has wrong type. Expected: %t. Got: %t", expected, actual)
+			idPath := strings.TrimPrefix(path, "/api/v3/providers/proxy/")
 			if idPath == "" {
 				http.NotFound(w, r)
 				return
 			}
-
+			switch r.Method {
-	switch a := actual.(type) {
+			case http.MethodDelete:
-	case core.CreateActionImpl:
+				if handlers.proxyDestroy != nil {
-		e, _ := expected.(core.CreateActionImpl)
+					handlers.proxyDestroy(w, r)
-		expObject := e.GetObject()
+					return
 		object := a.GetObject()
 		if !reflect.DeepEqual(expObject, object) {
 			t.Errorf("Action %s %s has wrong object\nDiff:\n %s",
 				a.GetVerb(), a.GetResource().Resource, diff.ObjectGoPrintSideBySide(expObject, object))
 				}
-	case core.UpdateActionImpl:
+				http.NotFound(w, r)
-		e, _ := expected.(core.UpdateActionImpl)
+			case http.MethodPatch:
-		expObject := e.GetObject()
+				if handlers.proxyPartialUpdate != nil {
-		object := a.GetObject()
+					handlers.proxyPartialUpdate(w, r)
-
+					return
 		if !reflect.DeepEqual(expObject, object) {
 			t.Errorf("Action %s %s has wrong object\nDiff:\n %s",
 				a.GetVerb(), a.GetResource().Resource, diff.ObjectGoPrintSideBySide(expObject, object))
 		}
 	case core.PatchActionImpl:
 		e, _ := expected.(core.PatchActionImpl)
 		expPatch := e.GetPatch()
 		patch := a.GetPatch()
 		if !reflect.DeepEqual(expPatch, patch) {
 			t.Errorf("Action %s %s has wrong patch\nDiff:\n %s",
 				a.GetVerb(), a.GetResource().Resource, diff.ObjectGoPrintSideBySide(expPatch, patch))
 				}
 				http.NotFound(w, r)
 			default:
-		t.Errorf("Uncaptured Action %s %s, you should explicitly add a case to capture it",
+				http.Error(w, "unexpected method on proxy instance", http.StatusMethodNotAllowed)
-			actual.GetVerb(), actual.GetResource().Resource)
+			}
 		case strings.HasPrefix(path, "/api/v3/providers/all/") && strings.HasSuffix(path, "/"):
 			if r.Method == http.MethodGet && handlers.allRetrieve != nil {
 				handlers.allRetrieve(w, r)
 				return
 			}
 			http.NotFound(w, r)
 		default:
 			http.NotFound(w, r)
 		}
 	})
 	return httptest.NewServer(handler)
 }
 func writeJSON(t *testing.T, w http.ResponseWriter, status int, body any) {
 	t.Helper()
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(status)
 	if err := json.NewEncoder(w).Encode(body); err != nil {
 		t.Fatalf("write JSON response: %v", err)
 	}
 }
-// filterInformerActions filters list and watch actions for testing resources.
+func getProxyProvider(t *testing.T, ctrl *Controller, namespace, name string) *v1alpha1.ProxyProvider {
-// Since list and watch don't change resource state we can filter it to lower
+	t.Helper()
-// nose level in our tests.
+
-func filterInformerActions(actions []core.Action) []core.Action {
+	got, err := ctrl.proxyProviderClientset.ProxyproviderV1alpha1().ProxyProviders(namespace).Get(
-	ret := []core.Action{}
+		context.Background(), name, metav1.GetOptions{},
-	for _, action := range actions {
+	)
-		if len(action.GetNamespace()) == 0 &&
+	if err != nil {
-			(action.Matches("list", "foos") ||
+		t.Fatalf("get ProxyProvider: %v", err)
 				action.Matches("watch", "foos") ||
 				action.Matches("list", "deployments") ||
 				action.Matches("watch", "deployments")) {
 			continue
 	}
-		ret = append(ret, action)
+	return got
 	}
 	return ret
 }
 func (f *fixture) expectCreateDeploymentAction(d *apps.Deployment) {
 	f.kubeactions = append(f.kubeactions, core.NewCreateAction(schema.GroupVersionResource{Resource: "deployments"}, d.Namespace, d))
 }
 func (f *fixture) expectUpdateDeploymentAction(d *apps.Deployment) {
 	f.kubeactions = append(f.kubeactions, core.NewUpdateAction(schema.GroupVersionResource{Resource: "deployments"}, d.Namespace, d))
 }
 func (f *fixture) expectUpdateFooStatusAction(foo *samplecontroller.Foo) {
 	action := core.NewUpdateSubresourceAction(schema.GroupVersionResource{Resource: "foos"}, "status", foo.Namespace, foo)
 	f.actions = append(f.actions, action)
 }
 func getRef(foo *samplecontroller.Foo, t *testing.T) cache.ObjectName {
 	ref := cache.MetaObjectToName(foo)
 	return ref
 }
 func TestCreatesDeployment(t *testing.T) {
 	f := newFixture(t)
 	foo := newFoo("test", ptr.To[int32](1))
 	_, ctx := ktesting.NewTestContext(t)
 	f.fooLister = append(f.fooLister, foo)
 	f.objects = append(f.objects, foo)
 	expDeployment := newDeployment(foo)
 	f.expectCreateDeploymentAction(expDeployment)
 	f.expectUpdateFooStatusAction(foo)
 	f.run(ctx, getRef(foo, t))
 }
 func TestDoNothing(t *testing.T) {
 	f := newFixture(t)
 	foo := newFoo("test", ptr.To[int32](1))
 	_, ctx := ktesting.NewTestContext(t)
 	d := newDeployment(foo)
 	f.fooLister = append(f.fooLister, foo)
 	f.objects = append(f.objects, foo)
 	f.deploymentLister = append(f.deploymentLister, d)
 	f.kubeobjects = append(f.kubeobjects, d)
 	f.expectUpdateFooStatusAction(foo)
 	f.run(ctx, getRef(foo, t))
 }
 func TestUpdateDeployment(t *testing.T) {
 	f := newFixture(t)
 	foo := newFoo("test", ptr.To[int32](1))
 	_, ctx := ktesting.NewTestContext(t)
 	d := newDeployment(foo)
 	// Update replicas
 	foo.Spec.Replicas = ptr.To[int32](2)
 	expDeployment := newDeployment(foo)
 	f.fooLister = append(f.fooLister, foo)
 	f.objects = append(f.objects, foo)
 	f.deploymentLister = append(f.deploymentLister, d)
 	f.kubeobjects = append(f.kubeobjects, d)
 	f.expectUpdateFooStatusAction(foo)
 	f.expectUpdateDeploymentAction(expDeployment)
 	f.run(ctx, getRef(foo, t))
 }
 func TestNotControlledByUs(t *testing.T) {
 	f := newFixture(t)
 	foo := newFoo("test", ptr.To[int32](1))
 	_, ctx := ktesting.NewTestContext(t)
 	d := newDeployment(foo)
 	d.ObjectMeta.OwnerReferences = []metav1.OwnerReference{}
 	f.fooLister = append(f.fooLister, foo)
 	f.objects = append(f.objects, foo)
 	f.deploymentLister = append(f.deploymentLister, d)
 	f.kubeobjects = append(f.kubeobjects, d)
 	f.runExpectError(ctx, getRef(foo, t))
 }
@@ -5,15 +5,14 @@ go 1.26.3
 godebug default=go1.26
 require (
 	goauthentik.io/api/v3 v3.2026020.16
 	golang.org/x/time v0.15.0
 	k8s.io/api v0.0.0-20260509204538-0dfb117cc6ec
-	k8s.io/apimachinery v0.0.0-20260509204146-64dfe1db2af5
+	k8s.io/apimachinery v0.0.0-20260513183604-f9371b815e42
 	k8s.io/client-go v0.0.0-20260509205101-ca52b81a2940
 	k8s.io/code-generator v0.0.0-20260509210052-5595d1310975
 	k8s.io/klog/v2 v2.140.0
-	k8s.io/kube-openapi v0.0.0-20260509150519-312035bf509b
+	k8s.io/kube-openapi v0.0.0-20260511211612-da4e56fe5676
-	k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2
+	sigs.k8s.io/structured-merge-diff/v6 v6.4.0
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.2
 )
 require (
@@ -37,6 +36,7 @@ require (
 	github.com/go-openapi/swag/yamlutils v0.25.4 // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/jandelgado/gcov2lcov v1.1.1 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
@@ -46,19 +46,20 @@ require (
 	github.com/x448/float16 v0.8.4 // indirect
 	go.yaml.in/yaml/v2 v2.4.4 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/mod v0.35.0 // indirect
 	golang.org/x/net v0.53.0 // indirect
 	golang.org/x/oauth2 v0.36.0 // indirect
 	golang.org/x/sync v0.20.0 // indirect
 	golang.org/x/sys v0.43.0 // indirect
 	golang.org/x/term v0.42.0 // indirect
 	golang.org/x/text v0.36.0 // indirect
 	golang.org/x/tools v0.44.0 // indirect
 	google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b // indirect
+	k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
 replace k8s.io/code-generator => ./code-generator
 tool github.com/jandelgado/gcov2lcov
@@ -49,6 +49,8 @@ github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/jandelgado/gcov2lcov v1.1.1 h1:CHUNoAglvb34DqmMoZchnzDbA3yjpzT8EoUvVqcAY+s=
 github.com/jandelgado/gcov2lcov v1.1.1/go.mod h1:tMVUlMVtS1po2SB8UkADWhOT5Y5Q13XOce2AYU69JuI=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@@ -71,9 +73,16 @@ github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7
 github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/objx v0.5.3 h1:jmXUvGomnU1o3W/V5h2VEradbpJDwGrzugQQvL0POH4=
 github.com/stretchr/objx v0.5.3/go.mod h1:rDQraq+vQZU7Fde9LOZLr8Tax6zZvy4kuNKF+QYS+U0=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
@@ -84,14 +93,12 @@ go.yaml.in/yaml/v2 v2.4.4 h1:tuyd0P+2Ont/d6e2rl3be67goVK4R6deVxCUX5vyPaQ=
 go.yaml.in/yaml/v2 v2.4.4/go.mod h1:gMZqIpDtDqOfM0uNfy0SkpRhvUryYH0Z6wdMYcacYXQ=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
+goauthentik.io/api/v3 v3.2026020.16 h1:sEqcVRXYSJTYaSdU5PzSEdFUWDqCONm5BeL62F5k+58=
-golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
+goauthentik.io/api/v3 v3.2026020.16/go.mod h1:82lqAz4jxzl6Cg0YDbhNtvvTG2rm6605ZhdJFnbbsl8=
 golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
 golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
 golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
@@ -100,12 +107,6 @@ golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
 golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
 golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
 golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
 golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
 golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM=
 golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af h1:+5/Sw3GsDNlEmu7TfklWKPdQ0Ykja5VEmq2i817+jbI=
 google.golang.org/protobuf v1.36.12-0.20260120151049-f2248ac996af/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -115,29 +116,26 @@ gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnf
 gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/api v0.0.0-20260509204538-0dfb117cc6ec h1:xf12Yh3ltN4fnNyP0CyyM0TwNVnZDfLJjV3+bf9fPFY=
 k8s.io/api v0.0.0-20260509204538-0dfb117cc6ec/go.mod h1:C+fcNlNQ9TcKHspN+DD7UybdfnjDAGyBjfCd6W7ogbY=
-k8s.io/apimachinery v0.0.0-20260509204146-64dfe1db2af5 h1:k2HBxRBq6w2QCj14oAhBosjMqqgNlj4dmLXFj8f1A+8=
+k8s.io/apimachinery v0.0.0-20260513183604-f9371b815e42 h1:rWdGOTor3z0WSyZcRl9ms4dn9Cw9CqmNBqXuf2z0k1k=
-k8s.io/apimachinery v0.0.0-20260509204146-64dfe1db2af5/go.mod h1:37ALVDWo0LgW74Y9rAdewmZo20SVCGGH34806wUMrko=
+k8s.io/apimachinery v0.0.0-20260513183604-f9371b815e42/go.mod h1:hiubQ6UTHIdr0bS8ExXOJEywFVOoudnldm/l/NiNVlA=
 k8s.io/client-go v0.0.0-20260509205101-ca52b81a2940 h1:n5t5Jx3VpLdiAGxIvIHsZDmsExtZVwghUPLM3wFi6Go=
 k8s.io/client-go v0.0.0-20260509205101-ca52b81a2940/go.mod h1:0e7OLwg7kdXISVFwn7ishFdvxfVgi7wsqHqsQPHl61w=
 k8s.io/code-generator v0.0.0-20260509210052-5595d1310975 h1:hDrusFgTzvqcDJ7p13A9Eid4i8Y9uNSs/67lniaYHwM=
 k8s.io/code-generator v0.0.0-20260509210052-5595d1310975/go.mod h1:mQXg0n0EeF4oU8aTwm9mzwoyAKqVRmUb9wLhjHnRq3I=
 k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b h1:gMplByicHV/TJBizHd9aVEsTYoJBnnUAT5MHlTkbjhQ=
 k8s.io/gengo/v2 v2.0.0-20250922181213-ec3ebc5fd46b/go.mod h1:CgujABENc3KuTrcsdpGmrrASjtQsWCT7R99mEV4U/fM=
 k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc=
 k8s.io/klog/v2 v2.140.0/go.mod h1:o+/RWfJ6PwpnFn7OyAG3QnO47BFsymfEfrz6XyYSSp0=
-k8s.io/kube-openapi v0.0.0-20260509150519-312035bf509b h1:WrpNVPKkCaOO9h77E1P2HLnhWDQxrxzpf2jfsM8WevY=
+k8s.io/kube-openapi v0.0.0-20260511211612-da4e56fe5676 h1:ahjrVu/DBcaAhw/GcblfaOvvQ2wi8kqXWvn62nud3UU=
-k8s.io/kube-openapi v0.0.0-20260509150519-312035bf509b/go.mod h1:V/QaCUYDa+0QpcHhVVc5l99Uz56wEMEXBSj9oCDkNDY=
+k8s.io/kube-openapi v0.0.0-20260511211612-da4e56fe5676/go.mod h1:V/QaCUYDa+0QpcHhVVc5l99Uz56wEMEXBSj9oCDkNDY=
 k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 h1:AZYQSJemyQB5eRxqcPky+/7EdBj0xi3g0ZcxxJ7vbWU=
 k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
-sigs.k8s.io/structured-merge-diff/v6 v6.3.2 h1:kwVWMx5yS1CrnFWA/2QHyRVJ8jM6dBA80uLmm0wJkk8=
+sigs.k8s.io/structured-merge-diff/v6 v6.4.0 h1:qmp2e3ZfFi1/jJbDGpD4mt3wyp6PE1NfKHCYLqgNQJo=
-sigs.k8s.io/structured-merge-diff/v6 v6.3.2/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
+sigs.k8s.io/structured-merge-diff/v6 v6.4.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
 sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
 sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
@@ -0,0 +1,18 @@
 API rule violation: names_match,gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1,ProxyProviderSpec,AuthorizationFlow
 API rule violation: names_match,gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1,ProxyProviderSpec,ExternalHost
 API rule violation: names_match,gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1,ProxyProviderSpec,InvalidationFlow
 API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,Quantity,Format
 API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,Quantity,d
 API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,Quantity,i
 API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,Quantity,s
 API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,int64Amount,scale
 API rule violation: names_match,k8s.io/apimachinery/pkg/api/resource,int64Amount,value
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,APIResourceList,APIResources
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,Duration,Duration
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,InternalEvent,Object
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,InternalEvent,Type
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,MicroTime,Time
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,StatusCause,Type
 API rule violation: names_match,k8s.io/apimachinery/pkg/apis/meta/v1,Time,Time
 API rule violation: names_match,k8s.io/apimachinery/pkg/runtime,Unknown,ContentEncoding
 API rule violation: names_match,k8s.io/apimachinery/pkg/runtime,Unknown,ContentType
@@ -1,16 +0,0 @@
 /*
 Copyright The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
@@ -1,22 +0,0 @@
 //go:build tools
 /*
 Copyright 2019 The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 // This package imports things required by build scripts, to force `go mod` to see them as dependencies
 package tools
 import _ "k8s.io/code-generator"
@@ -1,59 +0,0 @@
 #!/usr/bin/env bash
 # Copyright 2017 The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 set -o errexit
 set -o nounset
 set -o pipefail
 SCRIPT_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
 CODEGEN_PKG=${CODEGEN_PKG:-$(cd "${SCRIPT_ROOT}"; ls -d -1 ./vendor/k8s.io/code-generator 2>/dev/null || echo ../code-generator)}
 source "${CODEGEN_PKG}/kube_codegen.sh"
 THIS_PKG="gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator"
 kube::codegen::gen_helpers \
    --boilerplate "${SCRIPT_ROOT}/hack/boilerplate.go.txt" \
    "${SCRIPT_ROOT}/pkg/apis"
 if [[ -n "${API_KNOWN_VIOLATIONS_DIR:-}" ]]; then
    report_filename="${API_KNOWN_VIOLATIONS_DIR}/sample_controller_violation_exceptions.list"
    if [[ "${UPDATE_API_KNOWN_VIOLATIONS:-}" == "true" ]]; then
        update_report="--update-report"
    fi
 fi
 kube::codegen::gen_openapi \
    --output-dir "${SCRIPT_ROOT}/pkg/generated/openapi" \
    --output-pkg "k8s.io/${THIS_PKG}/pkg/generated/openapi" \
    --report-filename "${report_filename:-"/dev/null"}" \
    --output-model-name-file "zz_generated.model_name.go" \
    ${update_report:+"${update_report}"} \
    --boilerplate "${SCRIPT_ROOT}/hack/boilerplate.go.txt" \
    "${SCRIPT_ROOT}/pkg/apis"
 kube::codegen::gen_client \
    --with-watch \
    --with-applyconfig \
    --applyconfig-openapi-schema <(go run gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/openapi/cmd/models-schema) \
    --output-dir "${SCRIPT_ROOT}/pkg/generated" \
    --output-pkg "${THIS_PKG}/pkg/generated" \
    --boilerplate "${SCRIPT_ROOT}/hack/boilerplate.go.txt" \
    "${SCRIPT_ROOT}/pkg/apis"
 kube::codegen::gen_register \
    --boilerplate "${SCRIPT_ROOT}/hack/boilerplate.go.txt" \
    "${SCRIPT_ROOT}/pkg/apis"
@@ -1,57 +0,0 @@
 #!/usr/bin/env bash
 # Copyright 2017 The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 set -o errexit
 set -o nounset
 set -o pipefail
 SCRIPT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd -P)"
 DIFFROOT="${SCRIPT_ROOT}/pkg"
 TMP_DIFFROOT="$(mktemp -d -t "$(basename "$0").XXXXXX")/pkg"
 cleanup() {
  rm -rf "${TMP_DIFFROOT}"
 }
 trap "cleanup" EXIT SIGINT
 cleanup
 # Ensure model-schema generator matches the version from
 # k8s.io/kubernetes/pkg/generated/openapi/cmd/models-schema/main.go
 echo "Ensuring models-schema is up-to-date"
 K8S_MODELS_SCHEMA="${SCRIPT_ROOT}/../../../../pkg/generated/openapi/cmd/models-schema/main.go"
 SAMPLE_CONTROLLER_MODELS_SCHEMA="${SCRIPT_ROOT}/pkg/generated/openapi/cmd/models-schema/main.go"
 # these two files will only differ in the imported lines for generated openapi
 if ! diff -I "k8s.io/kubernetes/pkg/generated/openapi" \
  -I "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/openapi" \
  "${K8S_MODELS_SCHEMA}" "${SAMPLE_CONTROLLER_MODELS_SCHEMA}"; then
  echo "${SAMPLE_CONTROLLER_MODELS_SCHEMA} is out of date. Compare changes with ${K8S_MODELS_SCHEMA}"
  exit 1
 fi
 mkdir -p "${TMP_DIFFROOT}"
 cp -a "${DIFFROOT}"/* "${TMP_DIFFROOT}"
 "${SCRIPT_ROOT}/hack/update-codegen.sh"
 echo "diffing ${DIFFROOT} against freshly generated codegen"
 ret=0
 diff -Naupr "${DIFFROOT}" "${TMP_DIFFROOT}" || ret=$?
 if [[ $ret -eq 0 ]]; then
  echo "${DIFFROOT} up to date."
 else
  echo "${DIFFROOT} is out of date. Please run hack/update-codegen.sh"
 fi
 exit $ret
@@ -17,11 +17,14 @@ limitations under the License.
 package main
 import (
 	"errors"
 	"flag"
 	"net/url"
 	"os"
 	"time"
 	"gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/signals"
-	kubeinformers "k8s.io/client-go/informers"
+	authentikapi "goauthentik.io/api/v3"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/klog/v2"
@@ -58,23 +61,27 @@ func main() {
 		klog.FlushAndExit(klog.ExitFlushTimeout, 1)
 	}
-	exampleClient, err := clientset.NewForConfig(cfg)
+	proxyProviderClient, err := clientset.NewForConfig(cfg)
 	if err != nil {
-		logger.Error(err, "Error building kubernetes clientset")
+		logger.Error(err, "Error building proxy provider clientset")
 		klog.FlushAndExit(klog.ExitFlushTimeout, 1)
 	}
-	kubeInformerFactory := kubeinformers.NewSharedInformerFactory(kubeClient, time.Second*30)
+	authentikClient, err := newAuthentikAPIClient(os.Getenv("AUTENTIK_HOST"), os.Getenv("AUTENTIK_TOKEN"))
-	exampleInformerFactory := informers.NewSharedInformerFactory(exampleClient, time.Second*30)
+	if err != nil {
 		logger.Error(err, "Error building Authentik API client")
 		klog.FlushAndExit(klog.ExitFlushTimeout, 1)
 	}
-	controller := NewController(ctx, kubeClient, exampleClient,
+	proxyProviderInformerFactory := informers.NewSharedInformerFactory(proxyProviderClient, time.Second*30)
-		kubeInformerFactory.Apps().V1().Deployments(),
+
-		exampleInformerFactory.Samplecontroller().V1alpha1().Foos())
+	controller := NewController(ctx, kubeClient, proxyProviderClient, authentikClient,
 		proxyProviderInformerFactory.Proxyprovider().V1alpha1().ProxyProviders(),
 	)
 	// notice that there is no need to run Start methods in a separate goroutine. (i.e. go kubeInformerFactory.Start(ctx.done())
 	// Start method is non-blocking and runs all registered informers in a dedicated goroutine.
-	kubeInformerFactory.Start(ctx.Done())
+	proxyProviderInformerFactory.Start(ctx.Done())
 	exampleInformerFactory.Start(ctx.Done())
 	if err = controller.Run(ctx, 2); err != nil {
 		logger.Error(err, "Error running controller")
@@ -86,3 +93,27 @@ func init() {
 	flag.StringVar(&kubeconfig, "kubeconfig", "", "Path to a kubeconfig. Only required if out-of-cluster.")
 	flag.StringVar(&masterURL, "master", "", "The address of the Kubernetes API server. Overrides any value in kubeconfig. Only required if out-of-cluster.")
 }
 // newAuthentikAPIClient builds the OpenAPI-generated goauthentik client when AUTENTIK_HOST is set.
 func newAuthentikAPIClient(host, token string) (*authentikapi.APIClient, error) {
 	if host == "" {
 		return nil, errors.New("authentik host is not set")
 	}
 	cfg := authentikapi.NewConfiguration()
 	if u, err := url.Parse(host); err == nil && u.Host != "" {
 		cfg.Scheme = u.Scheme
 		if cfg.Scheme == "" {
 			cfg.Scheme = "https"
 		}
 		cfg.Host = u.Host
 	} else {
 		cfg.Scheme = "https"
 		cfg.Host = host
 	}
 	if token == "" {
 		return nil, errors.New("authentik token is not set")
 	}
 	cfg.AddDefaultHeader("Authorization", "Bearer "+token)
 	return authentikapi.NewAPIClient(cfg), nil
 }
@@ -16,7 +16,7 @@ limitations under the License.
 // +k8s:deepcopy-gen=package
 // +k8s:openapi-gen=true
-// +groupName=samplecontroller.k8s.io
+// +groupName=proxyprovider.t000-n.de
-// Package v1alpha1 is the v1alpha1 version of the API.
+// Package v1 is the v1 version of the API.
 package v1alpha1
@@ -21,34 +21,33 @@ import (
 )
 // +genclient
 // +kubebuilder:subresource:status
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// Foo is a specification for a Foo resource
+type ProxyProvider struct {
 type Foo struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec   FooSpec   `json:"spec"`
+	Spec   ProxyProviderSpec   `json:"spec"`
-	Status FooStatus `json:"status"`
+	Status ProxyProviderStatus `json:"status"`
 }
-// FooSpec is the spec for a Foo resource
+type ProxyProviderSpec struct {
-type FooSpec struct {
+	Name              string `json:"name"`
-	DeploymentName string `json:"deploymentName"`
+	AuthorizationFlow string `json:"authorization_flow"`
-	Replicas       *int32 `json:"replicas"`
+	InvalidationFlow  string `json:"invalidation_flow"`
 	ExternalHost      string `json:"external_host"`
 }
-// FooStatus is the status for a Foo resource
+type ProxyProviderStatus struct {
-type FooStatus struct {
+	PK string `json:"pk"`
 	AvailableReplicas int32 `json:"availableReplicas"`
 }
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// FooList is a list of Foo resources
+type ProxyProviderList struct {
 type FooList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
-	Items []Foo `json:"items"`
+	Items []ProxyProvider `json:"items"`
 }
@@ -26,27 +26,27 @@ import (
 )
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Foo) DeepCopyInto(out *Foo) {
+func (in *ProxyProvider) DeepCopyInto(out *ProxyProvider) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	in.Spec.DeepCopyInto(&out.Spec)
+	out.Spec = in.Spec
 	out.Status = in.Status
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Foo.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyProvider.
-func (in *Foo) DeepCopy() *Foo {
+func (in *ProxyProvider) DeepCopy() *ProxyProvider {
 	if in == nil {
 		return nil
 	}
-	out := new(Foo)
+	out := new(ProxyProvider)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *Foo) DeepCopyObject() runtime.Object {
+func (in *ProxyProvider) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@@ -54,13 +54,13 @@ func (in *Foo) DeepCopyObject() runtime.Object {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FooList) DeepCopyInto(out *FooList) {
+func (in *ProxyProviderList) DeepCopyInto(out *ProxyProviderList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
-		*out = make([]Foo, len(*in))
+		*out = make([]ProxyProvider, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -68,18 +68,18 @@ func (in *FooList) DeepCopyInto(out *FooList) {
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FooList.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyProviderList.
-func (in *FooList) DeepCopy() *FooList {
+func (in *ProxyProviderList) DeepCopy() *ProxyProviderList {
 	if in == nil {
 		return nil
 	}
-	out := new(FooList)
+	out := new(ProxyProviderList)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *FooList) DeepCopyObject() runtime.Object {
+func (in *ProxyProviderList) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@@ -87,38 +87,33 @@ func (in *FooList) DeepCopyObject() runtime.Object {
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FooSpec) DeepCopyInto(out *FooSpec) {
+func (in *ProxyProviderSpec) DeepCopyInto(out *ProxyProviderSpec) {
 	*out = *in
 	if in.Replicas != nil {
 		in, out := &in.Replicas, &out.Replicas
 		*out = new(int32)
 		**out = **in
 	}
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FooSpec.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyProviderSpec.
-func (in *FooSpec) DeepCopy() *FooSpec {
+func (in *ProxyProviderSpec) DeepCopy() *ProxyProviderSpec {
 	if in == nil {
 		return nil
 	}
-	out := new(FooSpec)
+	out := new(ProxyProviderSpec)
 	in.DeepCopyInto(out)
 	return out
 }
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FooStatus) DeepCopyInto(out *FooStatus) {
+func (in *ProxyProviderStatus) DeepCopyInto(out *ProxyProviderStatus) {
 	*out = *in
 	return
 }
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FooStatus.
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyProviderStatus.
-func (in *FooStatus) DeepCopy() *FooStatus {
+func (in *ProxyProviderStatus) DeepCopy() *ProxyProviderStatus {
 	if in == nil {
 		return nil
 	}
-	out := new(FooStatus)
+	out := new(ProxyProviderStatus)
 	in.DeepCopyInto(out)
 	return out
 }
@@ -28,7 +28,7 @@ import (
 )
 // GroupName specifies the group name used to register the objects.
-const GroupName = "samplecontroller.k8s.io"
+const GroupName = "proxyprovider.t000-n.de"
 // GroupVersion specifies the group and the version used to register the objects.
 var GroupVersion = v1.GroupVersion{Group: GroupName, Version: "v1alpha1"}
@@ -62,8 +62,8 @@ func init() {
 // Adds the list of known types to Scheme.
 func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
-		&Foo{},
+		&ProxyProvider{},
-		&FooList{},
+		&ProxyProviderList{},
 	)
 	// AddToGroupVersion allows the serialization of client types like ListOptions.
 	v1.AddToGroupVersion(scheme, SchemeGroupVersion)
@@ -39,16 +39,6 @@ func Parser() *typed.Parser {
 var parserOnce sync.Once
 var parser *typed.Parser
 var schemaYAML = typed.YAMLObject(`types:
 - name: io.k8s.sample-controller.pkg.apis.samplecontroller.v1alpha1.Foo
  scalar: untyped
  list:
    elementType:
      namedType: __untyped_atomic_
    elementRelationship: atomic
  map:
    elementType:
      namedType: __untyped_deduced_
    elementRelationship: separable
 - name: __untyped_atomic_
  scalar: untyped
  list:
@@ -19,83 +19,37 @@ limitations under the License.
 package v1alpha1
 import (
 	samplecontrollerv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/samplecontroller/v1alpha1"
 	internal "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/applyconfiguration/internal"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
 	managedfields "k8s.io/apimachinery/pkg/util/managedfields"
 	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
 )
-// FooApplyConfiguration represents a declarative configuration of the Foo type for use
+// ProxyProviderApplyConfiguration represents a declarative configuration of the ProxyProvider type for use
 // with apply.
-//
+type ProxyProviderApplyConfiguration struct {
-// Foo is a specification for a Foo resource
+	v1.TypeMetaApplyConfiguration    `json:""`
 type FooApplyConfiguration struct {
 	v1.TypeMetaApplyConfiguration    `json:",inline"`
 	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
-	Spec                             *FooSpecApplyConfiguration   `json:"spec,omitempty"`
+	Spec                             *ProxyProviderSpecApplyConfiguration   `json:"spec,omitempty"`
-	Status                           *FooStatusApplyConfiguration `json:"status,omitempty"`
+	Status                           *ProxyProviderStatusApplyConfiguration `json:"status,omitempty"`
 }
-// Foo constructs a declarative configuration of the Foo type for use with
+// ProxyProvider constructs a declarative configuration of the ProxyProvider type for use with
 // apply.
-func Foo(name, namespace string) *FooApplyConfiguration {
+func ProxyProvider(name, namespace string) *ProxyProviderApplyConfiguration {
-	b := &FooApplyConfiguration{}
+	b := &ProxyProviderApplyConfiguration{}
 	b.WithName(name)
 	b.WithNamespace(namespace)
-	b.WithKind("Foo")
+	b.WithKind("ProxyProvider")
-	b.WithAPIVersion("samplecontroller.k8s.io/v1alpha1")
+	b.WithAPIVersion("proxyprovider.t000-n.de/v1alpha1")
 	return b
 }
-// ExtractFooFrom extracts the applied configuration owned by fieldManager from
+func (b ProxyProviderApplyConfiguration) IsApplyConfiguration() {}
 // foo for the specified subresource. Pass an empty string for subresource to extract
 // the main resource. Common subresources include "status", "scale", etc.
 // foo must be a unmodified Foo API object that was retrieved from the Kubernetes API.
 // ExtractFooFrom provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
 func ExtractFooFrom(foo *samplecontrollerv1alpha1.Foo, fieldManager string, subresource string) (*FooApplyConfiguration, error) {
 	b := &FooApplyConfiguration{}
 	err := managedfields.ExtractInto(foo, internal.Parser().Type("io.k8s.sample-controller.pkg.apis.samplecontroller.v1alpha1.Foo"), fieldManager, b, subresource)
 	if err != nil {
 		return nil, err
 	}
 	b.WithName(foo.Name)
 	b.WithNamespace(foo.Namespace)
 	b.WithKind("Foo")
 	b.WithAPIVersion("samplecontroller.k8s.io/v1alpha1")
 	return b, nil
 }
 // ExtractFoo extracts the applied configuration owned by fieldManager from
 // foo. If no managedFields are found in foo for fieldManager, a
 // FooApplyConfiguration is returned with only the Name, Namespace (if applicable),
 // APIVersion and Kind populated. It is possible that no managed fields were found for because other
 // field managers have taken ownership of all the fields previously owned by fieldManager, or because
 // the fieldManager never owned fields any fields.
 // foo must be a unmodified Foo API object that was retrieved from the Kubernetes API.
 // ExtractFoo provides a way to perform a extract/modify-in-place/apply workflow.
 // Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
 // applied if another fieldManager has updated or force applied any of the previously applied fields.
 func ExtractFoo(foo *samplecontrollerv1alpha1.Foo, fieldManager string) (*FooApplyConfiguration, error) {
 	return ExtractFooFrom(foo, fieldManager, "")
 }
 // ExtractFooStatus extracts the applied configuration owned by fieldManager from
 // foo for the status subresource.
 func ExtractFooStatus(foo *samplecontrollerv1alpha1.Foo, fieldManager string) (*FooApplyConfiguration, error) {
 	return ExtractFooFrom(foo, fieldManager, "status")
 }
 func (b FooApplyConfiguration) IsApplyConfiguration() {}
 // WithKind sets the Kind field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Kind field is set to the value of the last call.
-func (b *FooApplyConfiguration) WithKind(value string) *FooApplyConfiguration {
+func (b *ProxyProviderApplyConfiguration) WithKind(value string) *ProxyProviderApplyConfiguration {
 	b.TypeMetaApplyConfiguration.Kind = &value
 	return b
 }
@@ -103,7 +57,7 @@ func (b *FooApplyConfiguration) WithKind(value string) *FooApplyConfiguration {
 // WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the APIVersion field is set to the value of the last call.
-func (b *FooApplyConfiguration) WithAPIVersion(value string) *FooApplyConfiguration {
+func (b *ProxyProviderApplyConfiguration) WithAPIVersion(value string) *ProxyProviderApplyConfiguration {
 	b.TypeMetaApplyConfiguration.APIVersion = &value
 	return b
 }
@@ -111,7 +65,7 @@ func (b *FooApplyConfiguration) WithAPIVersion(value string) *FooApplyConfigurat
 // WithName sets the Name field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Name field is set to the value of the last call.
-func (b *FooApplyConfiguration) WithName(value string) *FooApplyConfiguration {
+func (b *ProxyProviderApplyConfiguration) WithName(value string) *ProxyProviderApplyConfiguration {
 	b.ensureObjectMetaApplyConfigurationExists()
 	b.ObjectMetaApplyConfiguration.Name = &value
 	return b
@@ -120,7 +74,7 @@ func (b *FooApplyConfiguration) WithName(value string) *FooApplyConfiguration {
 // WithGenerateName sets the GenerateName field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the GenerateName field is set to the value of the last call.
-func (b *FooApplyConfiguration) WithGenerateName(value string) *FooApplyConfiguration {
+func (b *ProxyProviderApplyConfiguration) WithGenerateName(value string) *ProxyProviderApplyConfiguration {
 	b.ensureObjectMetaApplyConfigurationExists()
 	b.ObjectMetaApplyConfiguration.GenerateName = &value
 	return b
@@ -129,7 +83,7 @@ func (b *FooApplyConfiguration) WithGenerateName(value string) *FooApplyConfigur
 // WithNamespace sets the Namespace field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Namespace field is set to the value of the last call.
-func (b *FooApplyConfiguration) WithNamespace(value string) *FooApplyConfiguration {
+func (b *ProxyProviderApplyConfiguration) WithNamespace(value string) *ProxyProviderApplyConfiguration {
 	b.ensureObjectMetaApplyConfigurationExists()
 	b.ObjectMetaApplyConfiguration.Namespace = &value
 	return b
@@ -138,7 +92,7 @@ func (b *FooApplyConfiguration) WithNamespace(value string) *FooApplyConfigurati
 // WithUID sets the UID field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the UID field is set to the value of the last call.
-func (b *FooApplyConfiguration) WithUID(value types.UID) *FooApplyConfiguration {
+func (b *ProxyProviderApplyConfiguration) WithUID(value types.UID) *ProxyProviderApplyConfiguration {
 	b.ensureObjectMetaApplyConfigurationExists()
 	b.ObjectMetaApplyConfiguration.UID = &value
 	return b
@@ -147,7 +101,7 @@ func (b *FooApplyConfiguration) WithUID(value types.UID) *FooApplyConfiguration
 // WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the ResourceVersion field is set to the value of the last call.
-func (b *FooApplyConfiguration) WithResourceVersion(value string) *FooApplyConfiguration {
+func (b *ProxyProviderApplyConfiguration) WithResourceVersion(value string) *ProxyProviderApplyConfiguration {
 	b.ensureObjectMetaApplyConfigurationExists()
 	b.ObjectMetaApplyConfiguration.ResourceVersion = &value
 	return b
@@ -156,7 +110,7 @@ func (b *FooApplyConfiguration) WithResourceVersion(value string) *FooApplyConfi
 // WithGeneration sets the Generation field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Generation field is set to the value of the last call.
-func (b *FooApplyConfiguration) WithGeneration(value int64) *FooApplyConfiguration {
+func (b *ProxyProviderApplyConfiguration) WithGeneration(value int64) *ProxyProviderApplyConfiguration {
 	b.ensureObjectMetaApplyConfigurationExists()
 	b.ObjectMetaApplyConfiguration.Generation = &value
 	return b
@@ -165,7 +119,7 @@ func (b *FooApplyConfiguration) WithGeneration(value int64) *FooApplyConfigurati
 // WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the CreationTimestamp field is set to the value of the last call.
-func (b *FooApplyConfiguration) WithCreationTimestamp(value metav1.Time) *FooApplyConfiguration {
+func (b *ProxyProviderApplyConfiguration) WithCreationTimestamp(value metav1.Time) *ProxyProviderApplyConfiguration {
 	b.ensureObjectMetaApplyConfigurationExists()
 	b.ObjectMetaApplyConfiguration.CreationTimestamp = &value
 	return b
@@ -174,7 +128,7 @@ func (b *FooApplyConfiguration) WithCreationTimestamp(value metav1.Time) *FooApp
 // WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the DeletionTimestamp field is set to the value of the last call.
-func (b *FooApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *FooApplyConfiguration {
+func (b *ProxyProviderApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *ProxyProviderApplyConfiguration {
 	b.ensureObjectMetaApplyConfigurationExists()
 	b.ObjectMetaApplyConfiguration.DeletionTimestamp = &value
 	return b
@@ -183,7 +137,7 @@ func (b *FooApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *FooApp
 // WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
-func (b *FooApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *FooApplyConfiguration {
+func (b *ProxyProviderApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *ProxyProviderApplyConfiguration {
 	b.ensureObjectMetaApplyConfigurationExists()
 	b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &value
 	return b
@@ -193,7 +147,7 @@ func (b *FooApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *Foo
 // and returns the receiver, so that objects can be build by chaining "With" function invocations.
 // If called multiple times, the entries provided by each call will be put on the Labels field,
 // overwriting an existing map entries in Labels field with the same key.
-func (b *FooApplyConfiguration) WithLabels(entries map[string]string) *FooApplyConfiguration {
+func (b *ProxyProviderApplyConfiguration) WithLabels(entries map[string]string) *ProxyProviderApplyConfiguration {
 	b.ensureObjectMetaApplyConfigurationExists()
 	if b.ObjectMetaApplyConfiguration.Labels == nil && len(entries) > 0 {
 		b.ObjectMetaApplyConfiguration.Labels = make(map[string]string, len(entries))
@@ -208,7 +162,7 @@ func (b *FooApplyConfiguration) WithLabels(entries map[string]string) *FooApplyC
 // and returns the receiver, so that objects can be build by chaining "With" function invocations.
 // If called multiple times, the entries provided by each call will be put on the Annotations field,
 // overwriting an existing map entries in Annotations field with the same key.
-func (b *FooApplyConfiguration) WithAnnotations(entries map[string]string) *FooApplyConfiguration {
+func (b *ProxyProviderApplyConfiguration) WithAnnotations(entries map[string]string) *ProxyProviderApplyConfiguration {
 	b.ensureObjectMetaApplyConfigurationExists()
 	if b.ObjectMetaApplyConfiguration.Annotations == nil && len(entries) > 0 {
 		b.ObjectMetaApplyConfiguration.Annotations = make(map[string]string, len(entries))
@@ -222,7 +176,7 @@ func (b *FooApplyConfiguration) WithAnnotations(entries map[string]string) *FooA
 // WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
 // and returns the receiver, so that objects can be build by chaining "With" function invocations.
 // If called multiple times, values provided by each call will be appended to the OwnerReferences field.
-func (b *FooApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *FooApplyConfiguration {
+func (b *ProxyProviderApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *ProxyProviderApplyConfiguration {
 	b.ensureObjectMetaApplyConfigurationExists()
 	for i := range values {
 		if values[i] == nil {
@@ -236,7 +190,7 @@ func (b *FooApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReference
 // WithFinalizers adds the given value to the Finalizers field in the declarative configuration
 // and returns the receiver, so that objects can be build by chaining "With" function invocations.
 // If called multiple times, values provided by each call will be appended to the Finalizers field.
-func (b *FooApplyConfiguration) WithFinalizers(values ...string) *FooApplyConfiguration {
+func (b *ProxyProviderApplyConfiguration) WithFinalizers(values ...string) *ProxyProviderApplyConfiguration {
 	b.ensureObjectMetaApplyConfigurationExists()
 	for i := range values {
 		b.ObjectMetaApplyConfiguration.Finalizers = append(b.ObjectMetaApplyConfiguration.Finalizers, values[i])
@@ -244,7 +198,7 @@ func (b *FooApplyConfiguration) WithFinalizers(values ...string) *FooApplyConfig
 	return b
 }
-func (b *FooApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+func (b *ProxyProviderApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
 	if b.ObjectMetaApplyConfiguration == nil {
 		b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
 	}
@@ -253,7 +207,7 @@ func (b *FooApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
 // WithSpec sets the Spec field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Spec field is set to the value of the last call.
-func (b *FooApplyConfiguration) WithSpec(value *FooSpecApplyConfiguration) *FooApplyConfiguration {
+func (b *ProxyProviderApplyConfiguration) WithSpec(value *ProxyProviderSpecApplyConfiguration) *ProxyProviderApplyConfiguration {
 	b.Spec = value
 	return b
 }
@@ -261,29 +215,29 @@ func (b *FooApplyConfiguration) WithSpec(value *FooSpecApplyConfiguration) *FooA
 // WithStatus sets the Status field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Status field is set to the value of the last call.
-func (b *FooApplyConfiguration) WithStatus(value *FooStatusApplyConfiguration) *FooApplyConfiguration {
+func (b *ProxyProviderApplyConfiguration) WithStatus(value *ProxyProviderStatusApplyConfiguration) *ProxyProviderApplyConfiguration {
 	b.Status = value
 	return b
 }
 // GetKind retrieves the value of the Kind field in the declarative configuration.
-func (b *FooApplyConfiguration) GetKind() *string {
+func (b *ProxyProviderApplyConfiguration) GetKind() *string {
 	return b.TypeMetaApplyConfiguration.Kind
 }
 // GetAPIVersion retrieves the value of the APIVersion field in the declarative configuration.
-func (b *FooApplyConfiguration) GetAPIVersion() *string {
+func (b *ProxyProviderApplyConfiguration) GetAPIVersion() *string {
 	return b.TypeMetaApplyConfiguration.APIVersion
 }
 // GetName retrieves the value of the Name field in the declarative configuration.
-func (b *FooApplyConfiguration) GetName() *string {
+func (b *ProxyProviderApplyConfiguration) GetName() *string {
 	b.ensureObjectMetaApplyConfigurationExists()
 	return b.ObjectMetaApplyConfiguration.Name
 }
 // GetNamespace retrieves the value of the Namespace field in the declarative configuration.
-func (b *FooApplyConfiguration) GetNamespace() *string {
+func (b *ProxyProviderApplyConfiguration) GetNamespace() *string {
 	b.ensureObjectMetaApplyConfigurationExists()
 	return b.ObjectMetaApplyConfiguration.Namespace
 }
@@ -0,0 +1,66 @@
 /*
 Copyright The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 // Code generated by applyconfiguration-gen. DO NOT EDIT.
 package v1alpha1
 // ProxyProviderSpecApplyConfiguration represents a declarative configuration of the ProxyProviderSpec type for use
 // with apply.
 type ProxyProviderSpecApplyConfiguration struct {
 	Name              *string `json:"name,omitempty"`
 	AuthorizationFlow *string `json:"authorization_flow,omitempty"`
 	InvalidationFlow  *string `json:"invalidation_flow,omitempty"`
 	ExternalHost      *string `json:"external_host,omitempty"`
 }
 // ProxyProviderSpecApplyConfiguration constructs a declarative configuration of the ProxyProviderSpec type for use with
 // apply.
 func ProxyProviderSpec() *ProxyProviderSpecApplyConfiguration {
 	return &ProxyProviderSpecApplyConfiguration{}
 }
 // WithName sets the Name field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Name field is set to the value of the last call.
 func (b *ProxyProviderSpecApplyConfiguration) WithName(value string) *ProxyProviderSpecApplyConfiguration {
 	b.Name = &value
 	return b
 }
 // WithAuthorizationFlow sets the AuthorizationFlow field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the AuthorizationFlow field is set to the value of the last call.
 func (b *ProxyProviderSpecApplyConfiguration) WithAuthorizationFlow(value string) *ProxyProviderSpecApplyConfiguration {
 	b.AuthorizationFlow = &value
 	return b
 }
 // WithInvalidationFlow sets the InvalidationFlow field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the InvalidationFlow field is set to the value of the last call.
 func (b *ProxyProviderSpecApplyConfiguration) WithInvalidationFlow(value string) *ProxyProviderSpecApplyConfiguration {
 	b.InvalidationFlow = &value
 	return b
 }
 // WithExternalHost sets the ExternalHost field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the ExternalHost field is set to the value of the last call.
 func (b *ProxyProviderSpecApplyConfiguration) WithExternalHost(value string) *ProxyProviderSpecApplyConfiguration {
 	b.ExternalHost = &value
 	return b
 }
@@ -18,24 +18,22 @@ limitations under the License.
 package v1alpha1
-// FooStatusApplyConfiguration represents a declarative configuration of the FooStatus type for use
+// ProxyProviderStatusApplyConfiguration represents a declarative configuration of the ProxyProviderStatus type for use
 // with apply.
-//
+type ProxyProviderStatusApplyConfiguration struct {
-// FooStatus is the status for a Foo resource
+	PK *string `json:"pk,omitempty"`
 type FooStatusApplyConfiguration struct {
 	AvailableReplicas *int32 `json:"availableReplicas,omitempty"`
 }
-// FooStatusApplyConfiguration constructs a declarative configuration of the FooStatus type for use with
+// ProxyProviderStatusApplyConfiguration constructs a declarative configuration of the ProxyProviderStatus type for use with
 // apply.
-func FooStatus() *FooStatusApplyConfiguration {
+func ProxyProviderStatus() *ProxyProviderStatusApplyConfiguration {
-	return &FooStatusApplyConfiguration{}
+	return &ProxyProviderStatusApplyConfiguration{}
 }
-// WithAvailableReplicas sets the AvailableReplicas field in the declarative configuration to the given value
+// WithPK sets the PK field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
-// If called multiple times, the AvailableReplicas field is set to the value of the last call.
+// If called multiple times, the PK field is set to the value of the last call.
-func (b *FooStatusApplyConfiguration) WithAvailableReplicas(value int32) *FooStatusApplyConfiguration {
+func (b *ProxyProviderStatusApplyConfiguration) WithPK(value string) *ProxyProviderStatusApplyConfiguration {
-	b.AvailableReplicas = &value
+	b.PK = &value
 	return b
 }
@@ -1,50 +0,0 @@
 /*
 Copyright The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 // Code generated by applyconfiguration-gen. DO NOT EDIT.
 package v1alpha1
 // FooSpecApplyConfiguration represents a declarative configuration of the FooSpec type for use
 // with apply.
 //
 // FooSpec is the spec for a Foo resource
 type FooSpecApplyConfiguration struct {
 	DeploymentName *string `json:"deploymentName,omitempty"`
 	Replicas       *int32  `json:"replicas,omitempty"`
 }
 // FooSpecApplyConfiguration constructs a declarative configuration of the FooSpec type for use with
 // apply.
 func FooSpec() *FooSpecApplyConfiguration {
 	return &FooSpecApplyConfiguration{}
 }
 // WithDeploymentName sets the DeploymentName field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the DeploymentName field is set to the value of the last call.
 func (b *FooSpecApplyConfiguration) WithDeploymentName(value string) *FooSpecApplyConfiguration {
 	b.DeploymentName = &value
 	return b
 }
 // WithReplicas sets the Replicas field in the declarative configuration to the given value
 // and returns the receiver, so that objects can be built by chaining "With" function invocations.
 // If called multiple times, the Replicas field is set to the value of the last call.
 func (b *FooSpecApplyConfiguration) WithReplicas(value int32) *FooSpecApplyConfiguration {
 	b.Replicas = &value
 	return b
 }
@@ -19,9 +19,9 @@ limitations under the License.
 package applyconfiguration
 import (
-	v1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/samplecontroller/v1alpha1"
+	v1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1"
 	internal "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/applyconfiguration/internal"
-	samplecontrollerv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/applyconfiguration/samplecontroller/v1alpha1"
+	proxyproviderv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/applyconfiguration/proxyprovider/v1alpha1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	managedfields "k8s.io/apimachinery/pkg/util/managedfields"
@@ -31,13 +31,13 @@ import (
 // apply configuration type exists for the given GroupVersionKind.
 func ForKind(kind schema.GroupVersionKind) interface{} {
 	switch kind {
-	// Group=samplecontroller.k8s.io, Version=v1alpha1
+	// Group=proxyprovider.t000-n.de, Version=v1alpha1
-	case v1alpha1.SchemeGroupVersion.WithKind("Foo"):
+	case v1alpha1.SchemeGroupVersion.WithKind("ProxyProvider"):
-		return &samplecontrollerv1alpha1.FooApplyConfiguration{}
+		return &proxyproviderv1alpha1.ProxyProviderApplyConfiguration{}
-	case v1alpha1.SchemeGroupVersion.WithKind("FooSpec"):
+	case v1alpha1.SchemeGroupVersion.WithKind("ProxyProviderSpec"):
-		return &samplecontrollerv1alpha1.FooSpecApplyConfiguration{}
+		return &proxyproviderv1alpha1.ProxyProviderSpecApplyConfiguration{}
-	case v1alpha1.SchemeGroupVersion.WithKind("FooStatus"):
+	case v1alpha1.SchemeGroupVersion.WithKind("ProxyProviderStatus"):
-		return &samplecontrollerv1alpha1.FooStatusApplyConfiguration{}
+		return &proxyproviderv1alpha1.ProxyProviderStatusApplyConfiguration{}
 	}
 	return nil
@@ -22,7 +22,7 @@ import (
 	fmt "fmt"
 	http "net/http"
-	samplecontrollerv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned/typed/samplecontroller/v1alpha1"
+	proxyproviderv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned/typed/proxyprovider/v1alpha1"
 	discovery "k8s.io/client-go/discovery"
 	rest "k8s.io/client-go/rest"
 	flowcontrol "k8s.io/client-go/util/flowcontrol"
@@ -30,18 +30,18 @@ import (
 type Interface interface {
 	Discovery() discovery.DiscoveryInterface
-	SamplecontrollerV1alpha1() samplecontrollerv1alpha1.SamplecontrollerV1alpha1Interface
+	ProxyproviderV1alpha1() proxyproviderv1alpha1.ProxyproviderV1alpha1Interface
 }
 // Clientset contains the clients for groups.
 type Clientset struct {
 	*discovery.DiscoveryClient
-	samplecontrollerV1alpha1 *samplecontrollerv1alpha1.SamplecontrollerV1alpha1Client
+	proxyproviderV1alpha1 *proxyproviderv1alpha1.ProxyproviderV1alpha1Client
 }
-// SamplecontrollerV1alpha1 retrieves the SamplecontrollerV1alpha1Client
+// ProxyproviderV1alpha1 retrieves the ProxyproviderV1alpha1Client
-func (c *Clientset) SamplecontrollerV1alpha1() samplecontrollerv1alpha1.SamplecontrollerV1alpha1Interface {
+func (c *Clientset) ProxyproviderV1alpha1() proxyproviderv1alpha1.ProxyproviderV1alpha1Interface {
-	return c.samplecontrollerV1alpha1
+	return c.proxyproviderV1alpha1
 }
 // Discovery retrieves the DiscoveryClient
@@ -88,7 +88,7 @@ func NewForConfigAndClient(c *rest.Config, httpClient *http.Client) (*Clientset,
 	var cs Clientset
 	var err error
-	cs.samplecontrollerV1alpha1, err = samplecontrollerv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient)
+	cs.proxyproviderV1alpha1, err = proxyproviderv1alpha1.NewForConfigAndClient(&configShallowCopy, httpClient)
 	if err != nil {
 		return nil, err
 	}
@@ -113,7 +113,7 @@ func NewForConfigOrDie(c *rest.Config) *Clientset {
 // New creates a new Clientset for the given RESTClient.
 func New(c rest.Interface) *Clientset {
 	var cs Clientset
-	cs.samplecontrollerV1alpha1 = samplecontrollerv1alpha1.New(c)
+	cs.proxyproviderV1alpha1 = proxyproviderv1alpha1.New(c)
 	cs.DiscoveryClient = discovery.NewDiscoveryClient(c)
 	return &cs
@@ -21,8 +21,8 @@ package fake
 import (
 	applyconfiguration "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/applyconfiguration"
 	clientset "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned"
-	samplecontrollerv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned/typed/samplecontroller/v1alpha1"
+	proxyproviderv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned/typed/proxyprovider/v1alpha1"
-	fakesamplecontrollerv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned/typed/samplecontroller/v1alpha1/fake"
+	fakeproxyproviderv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned/typed/proxyprovider/v1alpha1/fake"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/watch"
@@ -136,7 +136,7 @@ var (
 	_ testing.FakeClient  = &Clientset{}
 )
-// SamplecontrollerV1alpha1 retrieves the SamplecontrollerV1alpha1Client
+// ProxyproviderV1alpha1 retrieves the ProxyproviderV1alpha1Client
-func (c *Clientset) SamplecontrollerV1alpha1() samplecontrollerv1alpha1.SamplecontrollerV1alpha1Interface {
+func (c *Clientset) ProxyproviderV1alpha1() proxyproviderv1alpha1.ProxyproviderV1alpha1Interface {
-	return &fakesamplecontrollerv1alpha1.FakeSamplecontrollerV1alpha1{Fake: &c.Fake}
+	return &fakeproxyproviderv1alpha1.FakeProxyproviderV1alpha1{Fake: &c.Fake}
 }
@@ -19,7 +19,7 @@ limitations under the License.
 package fake
 import (
-	samplecontrollerv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/samplecontroller/v1alpha1"
+	proxyproviderv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -31,7 +31,7 @@ var scheme = runtime.NewScheme()
 var codecs = serializer.NewCodecFactory(scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
-	samplecontrollerv1alpha1.AddToScheme,
+	proxyproviderv1alpha1.AddToScheme,
 }
 // AddToScheme adds all types of this clientset into the given scheme. This allows composition
@@ -19,7 +19,7 @@ limitations under the License.
 package scheme
 import (
-	samplecontrollerv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/samplecontroller/v1alpha1"
+	proxyproviderv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -31,7 +31,7 @@ var Scheme = runtime.NewScheme()
 var Codecs = serializer.NewCodecFactory(Scheme)
 var ParameterCodec = runtime.NewParameterCodec(Scheme)
 var localSchemeBuilder = runtime.SchemeBuilder{
-	samplecontrollerv1alpha1.AddToScheme,
+	proxyproviderv1alpha1.AddToScheme,
 }
 // AddToScheme adds all types of this clientset into the given scheme. This allows composition
@@ -0,0 +1,53 @@
 /*
 Copyright The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 // Code generated by client-gen. DO NOT EDIT.
 package fake
 import (
 	v1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1"
 	proxyproviderv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/applyconfiguration/proxyprovider/v1alpha1"
 	typedproxyproviderv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned/typed/proxyprovider/v1alpha1"
 	gentype "k8s.io/client-go/gentype"
 )
 // fakeProxyProviders implements ProxyProviderInterface
 type fakeProxyProviders struct {
 	*gentype.FakeClientWithListAndApply[*v1alpha1.ProxyProvider, *v1alpha1.ProxyProviderList, *proxyproviderv1alpha1.ProxyProviderApplyConfiguration]
 	Fake *FakeProxyproviderV1alpha1
 }
 func newFakeProxyProviders(fake *FakeProxyproviderV1alpha1, namespace string) typedproxyproviderv1alpha1.ProxyProviderInterface {
 	return &fakeProxyProviders{
 		gentype.NewFakeClientWithListAndApply[*v1alpha1.ProxyProvider, *v1alpha1.ProxyProviderList, *proxyproviderv1alpha1.ProxyProviderApplyConfiguration](
 			fake.Fake,
 			namespace,
 			v1alpha1.SchemeGroupVersion.WithResource("proxyproviders"),
 			v1alpha1.SchemeGroupVersion.WithKind("ProxyProvider"),
 			func() *v1alpha1.ProxyProvider { return &v1alpha1.ProxyProvider{} },
 			func() *v1alpha1.ProxyProviderList { return &v1alpha1.ProxyProviderList{} },
 			func(dst, src *v1alpha1.ProxyProviderList) { dst.ListMeta = src.ListMeta },
 			func(list *v1alpha1.ProxyProviderList) []*v1alpha1.ProxyProvider {
 				return gentype.ToPointerSlice(list.Items)
 			},
 			func(list *v1alpha1.ProxyProviderList, items []*v1alpha1.ProxyProvider) {
 				list.Items = gentype.FromPointerSlice(items)
 			},
 		),
 		fake,
 	}
 }
@@ -19,22 +19,22 @@ limitations under the License.
 package fake
 import (
-	v1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned/typed/samplecontroller/v1alpha1"
+	v1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned/typed/proxyprovider/v1alpha1"
 	rest "k8s.io/client-go/rest"
 	testing "k8s.io/client-go/testing"
 )
-type FakeSamplecontrollerV1alpha1 struct {
+type FakeProxyproviderV1alpha1 struct {
 	*testing.Fake
 }
-func (c *FakeSamplecontrollerV1alpha1) Foos(namespace string) v1alpha1.FooInterface {
+func (c *FakeProxyproviderV1alpha1) ProxyProviders(namespace string) v1alpha1.ProxyProviderInterface {
-	return newFakeFoos(c, namespace)
+	return newFakeProxyProviders(c, namespace)
 }
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
-func (c *FakeSamplecontrollerV1alpha1) RESTClient() rest.Interface {
+func (c *FakeProxyproviderV1alpha1) RESTClient() rest.Interface {
 	var ret *rest.RESTClient
 	return ret
 }
@@ -18,4 +18,4 @@ limitations under the License.
 package v1alpha1
-type FooExpansion interface{}
+type ProxyProviderExpansion interface{}
@@ -0,0 +1,74 @@
 /*
 Copyright The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 // Code generated by client-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	context "context"
 	proxyproviderv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1"
 	applyconfigurationproxyproviderv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/applyconfiguration/proxyprovider/v1alpha1"
 	scheme "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	gentype "k8s.io/client-go/gentype"
 )
 // ProxyProvidersGetter has a method to return a ProxyProviderInterface.
 // A group's client should implement this interface.
 type ProxyProvidersGetter interface {
 	ProxyProviders(namespace string) ProxyProviderInterface
 }
 // ProxyProviderInterface has methods to work with ProxyProvider resources.
 type ProxyProviderInterface interface {
 	Create(ctx context.Context, proxyProvider *proxyproviderv1alpha1.ProxyProvider, opts v1.CreateOptions) (*proxyproviderv1alpha1.ProxyProvider, error)
 	Update(ctx context.Context, proxyProvider *proxyproviderv1alpha1.ProxyProvider, opts v1.UpdateOptions) (*proxyproviderv1alpha1.ProxyProvider, error)
 	// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 	UpdateStatus(ctx context.Context, proxyProvider *proxyproviderv1alpha1.ProxyProvider, opts v1.UpdateOptions) (*proxyproviderv1alpha1.ProxyProvider, error)
 	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
 	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
 	Get(ctx context.Context, name string, opts v1.GetOptions) (*proxyproviderv1alpha1.ProxyProvider, error)
 	List(ctx context.Context, opts v1.ListOptions) (*proxyproviderv1alpha1.ProxyProviderList, error)
 	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
 	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *proxyproviderv1alpha1.ProxyProvider, err error)
 	Apply(ctx context.Context, proxyProvider *applyconfigurationproxyproviderv1alpha1.ProxyProviderApplyConfiguration, opts v1.ApplyOptions) (result *proxyproviderv1alpha1.ProxyProvider, err error)
 	// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
 	ApplyStatus(ctx context.Context, proxyProvider *applyconfigurationproxyproviderv1alpha1.ProxyProviderApplyConfiguration, opts v1.ApplyOptions) (result *proxyproviderv1alpha1.ProxyProvider, err error)
 	ProxyProviderExpansion
 }
 // proxyProviders implements ProxyProviderInterface
 type proxyProviders struct {
 	*gentype.ClientWithListAndApply[*proxyproviderv1alpha1.ProxyProvider, *proxyproviderv1alpha1.ProxyProviderList, *applyconfigurationproxyproviderv1alpha1.ProxyProviderApplyConfiguration]
 }
 // newProxyProviders returns a ProxyProviders
 func newProxyProviders(c *ProxyproviderV1alpha1Client, namespace string) *proxyProviders {
 	return &proxyProviders{
 		gentype.NewClientWithListAndApply[*proxyproviderv1alpha1.ProxyProvider, *proxyproviderv1alpha1.ProxyProviderList, *applyconfigurationproxyproviderv1alpha1.ProxyProviderApplyConfiguration](
 			"proxyproviders",
 			c.RESTClient(),
 			scheme.ParameterCodec,
 			namespace,
 			func() *proxyproviderv1alpha1.ProxyProvider { return &proxyproviderv1alpha1.ProxyProvider{} },
 			func() *proxyproviderv1alpha1.ProxyProviderList { return &proxyproviderv1alpha1.ProxyProviderList{} },
 		),
 	}
 }
@@ -21,29 +21,29 @@ package v1alpha1
 import (
 	http "net/http"
-	samplecontrollerv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/samplecontroller/v1alpha1"
+	proxyproviderv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1"
 	scheme "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned/scheme"
 	rest "k8s.io/client-go/rest"
 )
-type SamplecontrollerV1alpha1Interface interface {
+type ProxyproviderV1alpha1Interface interface {
 	RESTClient() rest.Interface
-	FoosGetter
+	ProxyProvidersGetter
 }
-// SamplecontrollerV1alpha1Client is used to interact with features provided by the samplecontroller.k8s.io group.
+// ProxyproviderV1alpha1Client is used to interact with features provided by the proxyprovider.t000-n.de group.
-type SamplecontrollerV1alpha1Client struct {
+type ProxyproviderV1alpha1Client struct {
 	restClient rest.Interface
 }
-func (c *SamplecontrollerV1alpha1Client) Foos(namespace string) FooInterface {
+func (c *ProxyproviderV1alpha1Client) ProxyProviders(namespace string) ProxyProviderInterface {
-	return newFoos(c, namespace)
+	return newProxyProviders(c, namespace)
 }
-// NewForConfig creates a new SamplecontrollerV1alpha1Client for the given config.
+// NewForConfig creates a new ProxyproviderV1alpha1Client for the given config.
 // NewForConfig is equivalent to NewForConfigAndClient(c, httpClient),
 // where httpClient was generated with rest.HTTPClientFor(c).
-func NewForConfig(c *rest.Config) (*SamplecontrollerV1alpha1Client, error) {
+func NewForConfig(c *rest.Config) (*ProxyproviderV1alpha1Client, error) {
 	config := *c
 	setConfigDefaults(&config)
 	httpClient, err := rest.HTTPClientFor(&config)
@@ -53,21 +53,21 @@ func NewForConfig(c *rest.Config) (*SamplecontrollerV1alpha1Client, error) {
 	return NewForConfigAndClient(&config, httpClient)
 }
-// NewForConfigAndClient creates a new SamplecontrollerV1alpha1Client for the given config and http client.
+// NewForConfigAndClient creates a new ProxyproviderV1alpha1Client for the given config and http client.
 // Note the http client provided takes precedence over the configured transport values.
-func NewForConfigAndClient(c *rest.Config, h *http.Client) (*SamplecontrollerV1alpha1Client, error) {
+func NewForConfigAndClient(c *rest.Config, h *http.Client) (*ProxyproviderV1alpha1Client, error) {
 	config := *c
 	setConfigDefaults(&config)
 	client, err := rest.RESTClientForConfigAndClient(&config, h)
 	if err != nil {
 		return nil, err
 	}
-	return &SamplecontrollerV1alpha1Client{client}, nil
+	return &ProxyproviderV1alpha1Client{client}, nil
 }
-// NewForConfigOrDie creates a new SamplecontrollerV1alpha1Client for the given config and
+// NewForConfigOrDie creates a new ProxyproviderV1alpha1Client for the given config and
 // panics if there is an error in the config.
-func NewForConfigOrDie(c *rest.Config) *SamplecontrollerV1alpha1Client {
+func NewForConfigOrDie(c *rest.Config) *ProxyproviderV1alpha1Client {
 	client, err := NewForConfig(c)
 	if err != nil {
 		panic(err)
@@ -75,13 +75,13 @@ func NewForConfigOrDie(c *rest.Config) *SamplecontrollerV1alpha1Client {
 	return client
 }
-// New creates a new SamplecontrollerV1alpha1Client for the given RESTClient.
+// New creates a new ProxyproviderV1alpha1Client for the given RESTClient.
-func New(c rest.Interface) *SamplecontrollerV1alpha1Client {
+func New(c rest.Interface) *ProxyproviderV1alpha1Client {
-	return &SamplecontrollerV1alpha1Client{c}
+	return &ProxyproviderV1alpha1Client{c}
 }
 func setConfigDefaults(config *rest.Config) {
-	gv := samplecontrollerv1alpha1.SchemeGroupVersion
+	gv := proxyproviderv1alpha1.SchemeGroupVersion
 	config.GroupVersion = &gv
 	config.APIPath = "/apis"
 	config.NegotiatedSerializer = rest.CodecFactoryForGeneratedClient(scheme.Scheme, scheme.Codecs).WithoutConversion()
@@ -93,7 +93,7 @@ func setConfigDefaults(config *rest.Config) {
 // RESTClient returns a RESTClient that is used to communicate
 // with API server by this client implementation.
-func (c *SamplecontrollerV1alpha1Client) RESTClient() rest.Interface {
+func (c *ProxyproviderV1alpha1Client) RESTClient() rest.Interface {
 	if c == nil {
 		return nil
 	}
@@ -1,49 +0,0 @@
 /*
 Copyright The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 // Code generated by client-gen. DO NOT EDIT.
 package fake
 import (
 	v1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/samplecontroller/v1alpha1"
 	samplecontrollerv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/applyconfiguration/samplecontroller/v1alpha1"
 	typedsamplecontrollerv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned/typed/samplecontroller/v1alpha1"
 	gentype "k8s.io/client-go/gentype"
 )
 // fakeFoos implements FooInterface
 type fakeFoos struct {
 	*gentype.FakeClientWithListAndApply[*v1alpha1.Foo, *v1alpha1.FooList, *samplecontrollerv1alpha1.FooApplyConfiguration]
 	Fake *FakeSamplecontrollerV1alpha1
 }
 func newFakeFoos(fake *FakeSamplecontrollerV1alpha1, namespace string) typedsamplecontrollerv1alpha1.FooInterface {
 	return &fakeFoos{
 		gentype.NewFakeClientWithListAndApply[*v1alpha1.Foo, *v1alpha1.FooList, *samplecontrollerv1alpha1.FooApplyConfiguration](
 			fake.Fake,
 			namespace,
 			v1alpha1.SchemeGroupVersion.WithResource("foos"),
 			v1alpha1.SchemeGroupVersion.WithKind("Foo"),
 			func() *v1alpha1.Foo { return &v1alpha1.Foo{} },
 			func() *v1alpha1.FooList { return &v1alpha1.FooList{} },
 			func(dst, src *v1alpha1.FooList) { dst.ListMeta = src.ListMeta },
 			func(list *v1alpha1.FooList) []*v1alpha1.Foo { return gentype.ToPointerSlice(list.Items) },
 			func(list *v1alpha1.FooList, items []*v1alpha1.Foo) { list.Items = gentype.FromPointerSlice(items) },
 		),
 		fake,
 	}
 }
@@ -1,74 +0,0 @@
 /*
 Copyright The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 // Code generated by client-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	context "context"
 	samplecontrollerv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/samplecontroller/v1alpha1"
 	applyconfigurationsamplecontrollerv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/applyconfiguration/samplecontroller/v1alpha1"
 	scheme "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned/scheme"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	types "k8s.io/apimachinery/pkg/types"
 	watch "k8s.io/apimachinery/pkg/watch"
 	gentype "k8s.io/client-go/gentype"
 )
 // FoosGetter has a method to return a FooInterface.
 // A group's client should implement this interface.
 type FoosGetter interface {
 	Foos(namespace string) FooInterface
 }
 // FooInterface has methods to work with Foo resources.
 type FooInterface interface {
 	Create(ctx context.Context, foo *samplecontrollerv1alpha1.Foo, opts v1.CreateOptions) (*samplecontrollerv1alpha1.Foo, error)
 	Update(ctx context.Context, foo *samplecontrollerv1alpha1.Foo, opts v1.UpdateOptions) (*samplecontrollerv1alpha1.Foo, error)
 	// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
 	UpdateStatus(ctx context.Context, foo *samplecontrollerv1alpha1.Foo, opts v1.UpdateOptions) (*samplecontrollerv1alpha1.Foo, error)
 	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
 	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
 	Get(ctx context.Context, name string, opts v1.GetOptions) (*samplecontrollerv1alpha1.Foo, error)
 	List(ctx context.Context, opts v1.ListOptions) (*samplecontrollerv1alpha1.FooList, error)
 	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
 	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *samplecontrollerv1alpha1.Foo, err error)
 	Apply(ctx context.Context, foo *applyconfigurationsamplecontrollerv1alpha1.FooApplyConfiguration, opts v1.ApplyOptions) (result *samplecontrollerv1alpha1.Foo, err error)
 	// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
 	ApplyStatus(ctx context.Context, foo *applyconfigurationsamplecontrollerv1alpha1.FooApplyConfiguration, opts v1.ApplyOptions) (result *samplecontrollerv1alpha1.Foo, err error)
 	FooExpansion
 }
 // foos implements FooInterface
 type foos struct {
 	*gentype.ClientWithListAndApply[*samplecontrollerv1alpha1.Foo, *samplecontrollerv1alpha1.FooList, *applyconfigurationsamplecontrollerv1alpha1.FooApplyConfiguration]
 }
 // newFoos returns a Foos
 func newFoos(c *SamplecontrollerV1alpha1Client, namespace string) *foos {
 	return &foos{
 		gentype.NewClientWithListAndApply[*samplecontrollerv1alpha1.Foo, *samplecontrollerv1alpha1.FooList, *applyconfigurationsamplecontrollerv1alpha1.FooApplyConfiguration](
 			"foos",
 			c.RESTClient(),
 			scheme.ParameterCodec,
 			namespace,
 			func() *samplecontrollerv1alpha1.Foo { return &samplecontrollerv1alpha1.Foo{} },
 			func() *samplecontrollerv1alpha1.FooList { return &samplecontrollerv1alpha1.FooList{} },
 		),
 	}
 }
@@ -26,7 +26,7 @@ import (
 	versioned "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned"
 	internalinterfaces "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/informers/externalversions/internalinterfaces"
-	samplecontroller "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/informers/externalversions/samplecontroller"
+	proxyprovider "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/informers/externalversions/proxyprovider"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
@@ -325,9 +325,9 @@ type SharedInformerFactory interface {
 	// client.
 	InformerFor(obj runtime.Object, newFunc internalinterfaces.NewInformerFunc) cache.SharedIndexInformer
-	Samplecontroller() samplecontroller.Interface
+	Proxyprovider() proxyprovider.Interface
 }
-func (f *sharedInformerFactory) Samplecontroller() samplecontroller.Interface {
+func (f *sharedInformerFactory) Proxyprovider() proxyprovider.Interface {
-	return samplecontroller.New(f, f.namespace, f.tweakListOptions)
+	return proxyprovider.New(f, f.namespace, f.tweakListOptions)
 }
@@ -21,7 +21,7 @@ package externalversions
 import (
 	fmt "fmt"
-	v1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/samplecontroller/v1alpha1"
+	v1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	cache "k8s.io/client-go/tools/cache"
 )
@@ -52,9 +52,9 @@ func (f *genericInformer) Lister() cache.GenericLister {
 // TODO extend this to unknown resources with a client pool
 func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) {
 	switch resource {
-	// Group=samplecontroller.k8s.io, Version=v1alpha1
+	// Group=proxyprovider.t000-n.de, Version=v1alpha1
-	case v1alpha1.SchemeGroupVersion.WithResource("foos"):
+	case v1alpha1.SchemeGroupVersion.WithResource("proxyproviders"):
-		return &genericInformer{resource: resource.GroupResource(), informer: f.Samplecontroller().V1alpha1().Foos().Informer()}, nil
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Proxyprovider().V1alpha1().ProxyProviders().Informer()}, nil
 	}
@@ -16,11 +16,11 @@ limitations under the License.
 // Code generated by informer-gen. DO NOT EDIT.
-package samplecontroller
+package proxyprovider
 import (
 	internalinterfaces "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/informers/externalversions/internalinterfaces"
-	v1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/informers/externalversions/samplecontroller/v1alpha1"
+	v1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/informers/externalversions/proxyprovider/v1alpha1"
 )
 // Interface provides access to each of this group's versions.
@@ -24,8 +24,8 @@ import (
 // Interface provides access to all the informers in this group version.
 type Interface interface {
-	// Foos returns a FooInformer.
+	// ProxyProviders returns a ProxyProviderInformer.
-	Foos() FooInformer
+	ProxyProviders() ProxyProviderInformer
 }
 type version struct {
@@ -39,7 +39,7 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
-// Foos returns a FooInformer.
+// ProxyProviders returns a ProxyProviderInformer.
-func (v *version) Foos() FooInformer {
+func (v *version) ProxyProviders() ProxyProviderInformer {
-	return &fooInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+	return &proxyProviderInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }
@@ -0,0 +1,116 @@
 /*
 Copyright The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 // Code generated by informer-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	context "context"
 	time "time"
 	apisproxyproviderv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1"
 	versioned "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned"
 	internalinterfaces "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/informers/externalversions/internalinterfaces"
 	proxyproviderv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/listers/proxyprovider/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	watch "k8s.io/apimachinery/pkg/watch"
 	cache "k8s.io/client-go/tools/cache"
 )
 // ProxyProviderInformer provides access to a shared informer and lister for
 // ProxyProviders.
 type ProxyProviderInformer interface {
 	Informer() cache.SharedIndexInformer
 	Lister() proxyproviderv1alpha1.ProxyProviderLister
 }
 type proxyProviderInformer struct {
 	factory          internalinterfaces.SharedInformerFactory
 	tweakListOptions internalinterfaces.TweakListOptionsFunc
 	namespace        string
 }
 // NewProxyProviderInformer constructs a new informer for ProxyProvider type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewProxyProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
 	return NewProxyProviderInformerWithOptions(client, namespace, internalinterfaces.InformerOptions{ResyncPeriod: resyncPeriod, Indexers: indexers})
 }
 // NewFilteredProxyProviderInformer constructs a new informer for ProxyProvider type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredProxyProviderInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return NewProxyProviderInformerWithOptions(client, namespace, internalinterfaces.InformerOptions{ResyncPeriod: resyncPeriod, Indexers: indexers, TweakListOptions: tweakListOptions})
 }
 // NewProxyProviderInformerWithOptions constructs a new informer for ProxyProvider type with additional options.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewProxyProviderInformerWithOptions(client versioned.Interface, namespace string, options internalinterfaces.InformerOptions) cache.SharedIndexInformer {
 	gvr := schema.GroupVersionResource{Group: "proxyprovider.t000-n.de", Version: "v1alpha1", Resource: "proxyproviders"}
 	identifier := options.InformerName.WithResource(gvr)
 	tweakListOptions := options.TweakListOptions
 	return cache.NewSharedIndexInformerWithOptions(
 		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(opts v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&opts)
 				}
 				return client.ProxyproviderV1alpha1().ProxyProviders(namespace).List(context.Background(), opts)
 			},
 			WatchFunc: func(opts v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&opts)
 				}
 				return client.ProxyproviderV1alpha1().ProxyProviders(namespace).Watch(context.Background(), opts)
 			},
 			ListWithContextFunc: func(ctx context.Context, opts v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&opts)
 				}
 				return client.ProxyproviderV1alpha1().ProxyProviders(namespace).List(ctx, opts)
 			},
 			WatchFuncWithContext: func(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&opts)
 				}
 				return client.ProxyproviderV1alpha1().ProxyProviders(namespace).Watch(ctx, opts)
 			},
 		}, client),
 		&apisproxyproviderv1alpha1.ProxyProvider{},
 		cache.SharedIndexInformerOptions{
 			ResyncPeriod: options.ResyncPeriod,
 			Indexers:     options.Indexers,
 			Identifier:   identifier,
 		},
 	)
 }
 func (f *proxyProviderInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
 	return NewProxyProviderInformerWithOptions(client, f.namespace, internalinterfaces.InformerOptions{ResyncPeriod: resyncPeriod, Indexers: cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, InformerName: f.factory.InformerName(), TweakListOptions: f.tweakListOptions})
 }
 func (f *proxyProviderInformer) Informer() cache.SharedIndexInformer {
 	return f.factory.InformerFor(&apisproxyproviderv1alpha1.ProxyProvider{}, f.defaultInformer)
 }
 func (f *proxyProviderInformer) Lister() proxyproviderv1alpha1.ProxyProviderLister {
 	return proxyproviderv1alpha1.NewProxyProviderLister(f.Informer().GetIndexer())
 }
@@ -1,116 +0,0 @@
 /*
 Copyright The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 // Code generated by informer-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	context "context"
 	time "time"
 	apissamplecontrollerv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/samplecontroller/v1alpha1"
 	versioned "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/clientset/versioned"
 	internalinterfaces "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/informers/externalversions/internalinterfaces"
 	samplecontrollerv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/listers/samplecontroller/v1alpha1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	schema "k8s.io/apimachinery/pkg/runtime/schema"
 	watch "k8s.io/apimachinery/pkg/watch"
 	cache "k8s.io/client-go/tools/cache"
 )
 // FooInformer provides access to a shared informer and lister for
 // Foos.
 type FooInformer interface {
 	Informer() cache.SharedIndexInformer
 	Lister() samplecontrollerv1alpha1.FooLister
 }
 type fooInformer struct {
 	factory          internalinterfaces.SharedInformerFactory
 	tweakListOptions internalinterfaces.TweakListOptionsFunc
 	namespace        string
 }
 // NewFooInformer constructs a new informer for Foo type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewFooInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
 	return NewFooInformerWithOptions(client, namespace, internalinterfaces.InformerOptions{ResyncPeriod: resyncPeriod, Indexers: indexers})
 }
 // NewFilteredFooInformer constructs a new informer for Foo type.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewFilteredFooInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
 	return NewFooInformerWithOptions(client, namespace, internalinterfaces.InformerOptions{ResyncPeriod: resyncPeriod, Indexers: indexers, TweakListOptions: tweakListOptions})
 }
 // NewFooInformerWithOptions constructs a new informer for Foo type with additional options.
 // Always prefer using an informer factory to get a shared informer instead of getting an independent
 // one. This reduces memory footprint and number of connections to the server.
 func NewFooInformerWithOptions(client versioned.Interface, namespace string, options internalinterfaces.InformerOptions) cache.SharedIndexInformer {
 	gvr := schema.GroupVersionResource{Group: "samplecontroller.k8s.io", Version: "v1alpha1", Resource: "foos"}
 	identifier := options.InformerName.WithResource(gvr)
 	tweakListOptions := options.TweakListOptions
 	return cache.NewSharedIndexInformerWithOptions(
 		cache.ToListWatcherWithWatchListSemantics(&cache.ListWatch{
 			ListFunc: func(opts v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&opts)
 				}
 				return client.SamplecontrollerV1alpha1().Foos(namespace).List(context.Background(), opts)
 			},
 			WatchFunc: func(opts v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&opts)
 				}
 				return client.SamplecontrollerV1alpha1().Foos(namespace).Watch(context.Background(), opts)
 			},
 			ListWithContextFunc: func(ctx context.Context, opts v1.ListOptions) (runtime.Object, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&opts)
 				}
 				return client.SamplecontrollerV1alpha1().Foos(namespace).List(ctx, opts)
 			},
 			WatchFuncWithContext: func(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
 				if tweakListOptions != nil {
 					tweakListOptions(&opts)
 				}
 				return client.SamplecontrollerV1alpha1().Foos(namespace).Watch(ctx, opts)
 			},
 		}, client),
 		&apissamplecontrollerv1alpha1.Foo{},
 		cache.SharedIndexInformerOptions{
 			ResyncPeriod: options.ResyncPeriod,
 			Indexers:     options.Indexers,
 			Identifier:   identifier,
 		},
 	)
 }
 func (f *fooInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
 	return NewFooInformerWithOptions(client, f.namespace, internalinterfaces.InformerOptions{ResyncPeriod: resyncPeriod, Indexers: cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, InformerName: f.factory.InformerName(), TweakListOptions: f.tweakListOptions})
 }
 func (f *fooInformer) Informer() cache.SharedIndexInformer {
 	return f.factory.InformerFor(&apissamplecontrollerv1alpha1.Foo{}, f.defaultInformer)
 }
 func (f *fooInformer) Lister() samplecontrollerv1alpha1.FooLister {
 	return samplecontrollerv1alpha1.NewFooLister(f.Informer().GetIndexer())
 }
@@ -18,10 +18,10 @@ limitations under the License.
 package v1alpha1
-// FooListerExpansion allows custom methods to be added to
+// ProxyProviderListerExpansion allows custom methods to be added to
-// FooLister.
+// ProxyProviderLister.
-type FooListerExpansion interface{}
+type ProxyProviderListerExpansion interface{}
-// FooNamespaceListerExpansion allows custom methods to be added to
+// ProxyProviderNamespaceListerExpansion allows custom methods to be added to
-// FooNamespaceLister.
+// ProxyProviderNamespaceLister.
-type FooNamespaceListerExpansion interface{}
+type ProxyProviderNamespaceListerExpansion interface{}
@@ -0,0 +1,70 @@
 /*
 Copyright The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 // Code generated by lister-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	proxyproviderv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	listers "k8s.io/client-go/listers"
 	cache "k8s.io/client-go/tools/cache"
 )
 // ProxyProviderLister helps list ProxyProviders.
 // All objects returned here must be treated as read-only.
 type ProxyProviderLister interface {
 	// List lists all ProxyProviders in the indexer.
 	// Objects returned here must be treated as read-only.
 	List(selector labels.Selector) (ret []*proxyproviderv1alpha1.ProxyProvider, err error)
 	// ProxyProviders returns an object that can list and get ProxyProviders.
 	ProxyProviders(namespace string) ProxyProviderNamespaceLister
 	ProxyProviderListerExpansion
 }
 // proxyProviderLister implements the ProxyProviderLister interface.
 type proxyProviderLister struct {
 	listers.ResourceIndexer[*proxyproviderv1alpha1.ProxyProvider]
 }
 // NewProxyProviderLister returns a new ProxyProviderLister.
 func NewProxyProviderLister(indexer cache.Indexer) ProxyProviderLister {
 	return &proxyProviderLister{listers.New[*proxyproviderv1alpha1.ProxyProvider](indexer, proxyproviderv1alpha1.Resource("proxyprovider"))}
 }
 // ProxyProviders returns an object that can list and get ProxyProviders.
 func (s *proxyProviderLister) ProxyProviders(namespace string) ProxyProviderNamespaceLister {
 	return proxyProviderNamespaceLister{listers.NewNamespaced[*proxyproviderv1alpha1.ProxyProvider](s.ResourceIndexer, namespace)}
 }
 // ProxyProviderNamespaceLister helps list and get ProxyProviders.
 // All objects returned here must be treated as read-only.
 type ProxyProviderNamespaceLister interface {
 	// List lists all ProxyProviders in the indexer for a given namespace.
 	// Objects returned here must be treated as read-only.
 	List(selector labels.Selector) (ret []*proxyproviderv1alpha1.ProxyProvider, err error)
 	// Get retrieves the ProxyProvider from the indexer for a given namespace and name.
 	// Objects returned here must be treated as read-only.
 	Get(name string) (*proxyproviderv1alpha1.ProxyProvider, error)
 	ProxyProviderNamespaceListerExpansion
 }
 // proxyProviderNamespaceLister implements the ProxyProviderNamespaceLister
 // interface.
 type proxyProviderNamespaceLister struct {
 	listers.ResourceIndexer[*proxyproviderv1alpha1.ProxyProvider]
 }
@@ -1,70 +0,0 @@
 /*
 Copyright The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 // Code generated by lister-gen. DO NOT EDIT.
 package v1alpha1
 import (
 	samplecontrollerv1alpha1 "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/samplecontroller/v1alpha1"
 	labels "k8s.io/apimachinery/pkg/labels"
 	listers "k8s.io/client-go/listers"
 	cache "k8s.io/client-go/tools/cache"
 )
 // FooLister helps list Foos.
 // All objects returned here must be treated as read-only.
 type FooLister interface {
 	// List lists all Foos in the indexer.
 	// Objects returned here must be treated as read-only.
 	List(selector labels.Selector) (ret []*samplecontrollerv1alpha1.Foo, err error)
 	// Foos returns an object that can list and get Foos.
 	Foos(namespace string) FooNamespaceLister
 	FooListerExpansion
 }
 // fooLister implements the FooLister interface.
 type fooLister struct {
 	listers.ResourceIndexer[*samplecontrollerv1alpha1.Foo]
 }
 // NewFooLister returns a new FooLister.
 func NewFooLister(indexer cache.Indexer) FooLister {
 	return &fooLister{listers.New[*samplecontrollerv1alpha1.Foo](indexer, samplecontrollerv1alpha1.Resource("foo"))}
 }
 // Foos returns an object that can list and get Foos.
 func (s *fooLister) Foos(namespace string) FooNamespaceLister {
 	return fooNamespaceLister{listers.NewNamespaced[*samplecontrollerv1alpha1.Foo](s.ResourceIndexer, namespace)}
 }
 // FooNamespaceLister helps list and get Foos.
 // All objects returned here must be treated as read-only.
 type FooNamespaceLister interface {
 	// List lists all Foos in the indexer for a given namespace.
 	// Objects returned here must be treated as read-only.
 	List(selector labels.Selector) (ret []*samplecontrollerv1alpha1.Foo, err error)
 	// Get retrieves the Foo from the indexer for a given namespace and name.
 	// Objects returned here must be treated as read-only.
 	Get(name string) (*samplecontrollerv1alpha1.Foo, error)
 	FooNamespaceListerExpansion
 }
 // fooNamespaceLister implements the FooNamespaceLister
 // interface.
 type fooNamespaceLister struct {
 	listers.ResourceIndexer[*samplecontrollerv1alpha1.Foo]
 }
@@ -1,76 +0,0 @@
 /*
 Copyright 2021 The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package main
 import (
 	"encoding/json"
 	"fmt"
 	"os"
 	"gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/generated/openapi"
 	"k8s.io/kube-openapi/pkg/common"
 	"k8s.io/kube-openapi/pkg/validation/spec"
 )
 // Outputs openAPI schema JSON containing the schema definitions in zz_generated.openapi.go.
 func main() {
 	err := output()
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "Failed: %v", err) // nolint:errcheck
 		os.Exit(1)
 	}
 }
 func output() error {
 	refFunc := func(name string) spec.Ref {
 		return spec.MustCreateRef(fmt.Sprintf("#/definitions/%s", name))
 	}
 	defs := openapi.GetOpenAPIDefinitions(refFunc)
 	schemaDefs := make(map[string]spec.Schema, len(defs))
 	for k, v := range defs {
 		// Replace top-level schema with v2 if a v2 schema is embedded
 		// so that the output of this program is always in OpenAPI v2.
 		// This is done by looking up an extension that marks the embedded v2
 		// schema, and, if the v2 schema is found, make it the resulting schema for
 		// the type.
 		if schema, ok := v.Schema.Extensions[common.ExtensionV2Schema]; ok {
 			if v2Schema, isOpenAPISchema := schema.(spec.Schema); isOpenAPISchema {
 				schemaDefs[k] = v2Schema
 				continue
 			}
 		}
 		schemaDefs[k] = v.Schema
 	}
 	data, err := json.Marshal(&spec.Swagger{
 		SwaggerProps: spec.SwaggerProps{
 			Definitions: schemaDefs,
 			Info: &spec.Info{
 				InfoProps: spec.InfoProps{
 					Title:   "Kubernetes",
 					Version: "unversioned",
 				},
 			},
 			Swagger: "2.0",
 		},
 	})
 	if err != nil {
 		return fmt.Errorf("error serializing api definitions: %w", err)
 	}
 	os.Stdout.Write(data) // nolint:errcheck
 	return nil
 }
@@ -32,6 +32,10 @@ import (
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
 		"gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1.ProxyProvider":       schema_pkg_apis_proxyprovider_v1alpha1_ProxyProvider(ref),
 		"gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1.ProxyProviderList":   schema_pkg_apis_proxyprovider_v1alpha1_ProxyProviderList(ref),
 		"gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1.ProxyProviderSpec":   schema_pkg_apis_proxyprovider_v1alpha1_ProxyProviderSpec(ref),
 		"gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1.ProxyProviderStatus": schema_pkg_apis_proxyprovider_v1alpha1_ProxyProviderStatus(ref),
 		resource.Quantity{}.OpenAPIModelName():            schema_apimachinery_pkg_api_resource_Quantity(ref),
 		v1.APIGroup{}.OpenAPIModelName():                  schema_pkg_apis_meta_v1_APIGroup(ref),
 		v1.APIGroupList{}.OpenAPIModelName():              schema_pkg_apis_meta_v1_APIGroupList(ref),
@@ -87,10 +91,161 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 		runtime.TypeMeta{}.OpenAPIModelName():             schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref),
 		runtime.Unknown{}.OpenAPIModelName():              schema_k8sio_apimachinery_pkg_runtime_Unknown(ref),
 		version.Info{}.OpenAPIModelName():                 schema_k8sio_apimachinery_pkg_version_Info(ref),
-		"gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/samplecontroller/v1alpha1.Foo":       schema_pkg_apis_samplecontroller_v1alpha1_Foo(ref),
+	}
-		"gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/samplecontroller/v1alpha1.FooList":   schema_pkg_apis_samplecontroller_v1alpha1_FooList(ref),
+}
-		"gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/samplecontroller/v1alpha1.FooSpec":   schema_pkg_apis_samplecontroller_v1alpha1_FooSpec(ref),
+
-		"gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/samplecontroller/v1alpha1.FooStatus": schema_pkg_apis_samplecontroller_v1alpha1_FooStatus(ref),
+func schema_pkg_apis_proxyprovider_v1alpha1_ProxyProvider(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
 				Type: []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 					"apiVersion": {
 						SchemaProps: spec.SchemaProps{
 							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
 							Ref:     ref(v1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
 							Ref:     ref("gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1.ProxyProviderSpec"),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
 							Ref:     ref("gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1.ProxyProviderStatus"),
 						},
 					},
 				},
 				Required: []string{"spec", "status"},
 			},
 		},
 		Dependencies: []string{
 			"gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1.ProxyProviderSpec", "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1.ProxyProviderStatus", v1.ObjectMeta{}.OpenAPIModelName()},
 	}
 }
 func schema_pkg_apis_proxyprovider_v1alpha1_ProxyProviderList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
 				Type: []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 					"apiVersion": {
 						SchemaProps: spec.SchemaProps{
 							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
 							Ref:     ref(v1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
 						SchemaProps: spec.SchemaProps{
 							Type: []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Ref: ref("gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1.ProxyProvider"),
 									},
 								},
 							},
 						},
 					},
 				},
 				Required: []string{"items"},
 			},
 		},
 		Dependencies: []string{
 			"gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/proxyprovider/v1alpha1.ProxyProvider", v1.ListMeta{}.OpenAPIModelName()},
 	}
 }
 func schema_pkg_apis_proxyprovider_v1alpha1_ProxyProviderSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
 				Type: []string{"object"},
 				Properties: map[string]spec.Schema{
 					"name": {
 						SchemaProps: spec.SchemaProps{
 							Default: "",
 							Type:    []string{"string"},
 							Format:  "",
 						},
 					},
 					"authorization_flow": {
 						SchemaProps: spec.SchemaProps{
 							Default: "",
 							Type:    []string{"string"},
 							Format:  "",
 						},
 					},
 					"invalidation_flow": {
 						SchemaProps: spec.SchemaProps{
 							Default: "",
 							Type:    []string{"string"},
 							Format:  "",
 						},
 					},
 					"external_host": {
 						SchemaProps: spec.SchemaProps{
 							Default: "",
 							Type:    []string{"string"},
 							Format:  "",
 						},
 					},
 				},
 				Required: []string{"name", "authorization_flow", "invalidation_flow", "external_host"},
 			},
 		},
 	}
 }
 func schema_pkg_apis_proxyprovider_v1alpha1_ProxyProviderStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
 				Type: []string{"object"},
 				Properties: map[string]spec.Schema{
 					"pk": {
 						SchemaProps: spec.SchemaProps{
 							Default: "",
 							Type:    []string{"string"},
 							Format:  "",
 						},
 					},
 				},
 				Required: []string{"pk"},
 			},
 		},
 	}
 }
@@ -183,7 +338,6 @@ func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenA
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
 										Ref: ref(v1.GroupVersionForDiscovery{}.OpenAPIModelName()),
 									},
 								},
@@ -209,7 +363,6 @@ func schema_pkg_apis_meta_v1_APIGroup(ref common.ReferenceCallback) common.OpenA
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
 										Ref: ref(v1.ServerAddressByClientCIDR{}.OpenAPIModelName()),
 									},
 								},
@@ -258,7 +411,6 @@ func schema_pkg_apis_meta_v1_APIGroupList(ref common.ReferenceCallback) common.O
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
 										Ref: ref(v1.APIGroup{}.OpenAPIModelName()),
 									},
 								},
@@ -334,7 +486,6 @@ func schema_pkg_apis_meta_v1_APIResource(ref common.ReferenceCallback) common.Op
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: "",
 										Type:   []string{"string"},
 										Format: "",
 									},
@@ -354,7 +505,6 @@ func schema_pkg_apis_meta_v1_APIResource(ref common.ReferenceCallback) common.Op
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: "",
 										Type:   []string{"string"},
 										Format: "",
 									},
@@ -374,7 +524,6 @@ func schema_pkg_apis_meta_v1_APIResource(ref common.ReferenceCallback) common.Op
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: "",
 										Type:   []string{"string"},
 										Format: "",
 									},
@@ -437,7 +586,6 @@ func schema_pkg_apis_meta_v1_APIResourceList(ref common.ReferenceCallback) commo
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
 										Ref: ref(v1.APIResource{}.OpenAPIModelName()),
 									},
 								},
@@ -486,7 +634,6 @@ func schema_pkg_apis_meta_v1_APIVersions(ref common.ReferenceCallback) common.Op
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: "",
 										Type:   []string{"string"},
 										Format: "",
 									},
@@ -506,7 +653,6 @@ func schema_pkg_apis_meta_v1_APIVersions(ref common.ReferenceCallback) common.Op
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
 										Ref: ref(v1.ServerAddressByClientCIDR{}.OpenAPIModelName()),
 									},
 								},
@@ -555,7 +701,6 @@ func schema_pkg_apis_meta_v1_ApplyOptions(ref common.ReferenceCallback) common.O
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: "",
 										Type:   []string{"string"},
 										Format: "",
 									},
@@ -680,7 +825,6 @@ func schema_pkg_apis_meta_v1_CreateOptions(ref common.ReferenceCallback) common.
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: "",
 										Type:   []string{"string"},
 										Format: "",
 									},
@@ -768,7 +912,6 @@ func schema_pkg_apis_meta_v1_DeleteOptions(ref common.ReferenceCallback) common.
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: "",
 										Type:   []string{"string"},
 										Format: "",
 									},
@@ -838,7 +981,6 @@ func schema_pkg_apis_meta_v1_FieldSelectorRequirement(ref common.ReferenceCallba
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: "",
 										Type:   []string{"string"},
 										Format: "",
 									},
@@ -1123,7 +1265,6 @@ func schema_pkg_apis_meta_v1_LabelSelector(ref common.ReferenceCallback) common.
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: "",
 										Type:   []string{"string"},
 										Format: "",
 									},
@@ -1143,7 +1284,6 @@ func schema_pkg_apis_meta_v1_LabelSelector(ref common.ReferenceCallback) common.
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
 										Ref: ref(v1.LabelSelectorRequirement{}.OpenAPIModelName()),
 									},
 								},
@@ -1198,7 +1338,6 @@ func schema_pkg_apis_meta_v1_LabelSelectorRequirement(ref common.ReferenceCallba
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: "",
 										Type:   []string{"string"},
 										Format: "",
 									},
@@ -1573,7 +1712,6 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: "",
 										Type:   []string{"string"},
 										Format: "",
 									},
@@ -1589,7 +1727,6 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 								Allows: true,
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: "",
 										Type:   []string{"string"},
 										Format: "",
 									},
@@ -1614,7 +1751,6 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
 										Ref: ref(v1.OwnerReference{}.OpenAPIModelName()),
 									},
 								},
@@ -1634,7 +1770,6 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: "",
 										Type:   []string{"string"},
 										Format: "",
 									},
@@ -1654,7 +1789,6 @@ func schema_pkg_apis_meta_v1_ObjectMeta(ref common.ReferenceCallback) common.Ope
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
 										Ref: ref(v1.ManagedFieldsEntry{}.OpenAPIModelName()),
 									},
 								},
@@ -1805,7 +1939,6 @@ func schema_pkg_apis_meta_v1_PartialObjectMetadataList(ref common.ReferenceCallb
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
 										Ref: ref(v1.PartialObjectMetadata{}.OpenAPIModelName()),
 									},
 								},
@@ -1865,7 +1998,6 @@ func schema_pkg_apis_meta_v1_PatchOptions(ref common.ReferenceCallback) common.O
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: "",
 										Type:   []string{"string"},
 										Format: "",
 									},
@@ -1946,7 +2078,6 @@ func schema_pkg_apis_meta_v1_RootPaths(ref common.ReferenceCallback) common.Open
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: "",
 										Type:   []string{"string"},
 										Format: "",
 									},
@@ -2164,7 +2295,6 @@ func schema_pkg_apis_meta_v1_StatusDetails(ref common.ReferenceCallback) common.
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
 										Ref: ref(v1.StatusCause{}.OpenAPIModelName()),
 									},
 								},
@@ -2226,7 +2356,6 @@ func schema_pkg_apis_meta_v1_Table(ref common.ReferenceCallback) common.OpenAPID
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
 										Ref: ref(v1.TableColumnDefinition{}.OpenAPIModelName()),
 									},
 								},
@@ -2245,7 +2374,6 @@ func schema_pkg_apis_meta_v1_Table(ref common.ReferenceCallback) common.OpenAPID
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
 										Ref: ref(v1.TableRow{}.OpenAPIModelName()),
 									},
 								},
@@ -2387,7 +2515,6 @@ func schema_pkg_apis_meta_v1_TableRow(ref common.ReferenceCallback) common.OpenA
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
 										Ref: ref(v1.TableRowCondition{}.OpenAPIModelName()),
 									},
 								},
@@ -2555,7 +2682,6 @@ func schema_pkg_apis_meta_v1_UpdateOptions(ref common.ReferenceCallback) common.
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: "",
 										Type:   []string{"string"},
 										Format: "",
 									},
@@ -2616,7 +2742,7 @@ func schema_k8sio_apimachinery_pkg_runtime_RawExtension(ref common.ReferenceCall
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\",inline\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)",
+				Description: "RawExtension is used to hold extensions in external versions.\n\nTo use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.\n\n// Internal package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\"\"`\n\t\tMyPlugin runtime.Object `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// External package:\n\n\ttype MyAPIObject struct {\n\t\truntime.TypeMeta `json:\"\"`\n\t\tMyPlugin runtime.RawExtension `json:\"myPlugin\"`\n\t}\n\n\ttype PluginA struct {\n\t\tAOption string `json:\"aOption\"`\n\t}\n\n// On the wire, the JSON will look something like this:\n\n\t{\n\t\t\"kind\":\"MyAPIObject\",\n\t\t\"apiVersion\":\"v1\",\n\t\t\"myPlugin\": {\n\t\t\t\"kind\":\"PluginA\",\n\t\t\t\"aOption\":\"foo\",\n\t\t},\n\t}\n\nSo what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)",
 				Type:        []string{"object"},
 			},
 		},
@@ -2627,7 +2753,7 @@ func schema_k8sio_apimachinery_pkg_runtime_TypeMeta(ref common.ReferenceCallback
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
-				Description: "TypeMeta is shared by all top level objects. The proper way to use it is to inline it in your type, like this:\n\n\ttype MyAwesomeAPIObject struct {\n\t     runtime.TypeMeta    `json:\",inline\"`\n\t     ... // other fields\n\t}\n\nfunc (obj *MyAwesomeAPIObject) SetGroupVersionKind(gvk *metav1.GroupVersionKind) { metav1.UpdateTypeMeta(obj,gvk) }; GroupVersionKind() *GroupVersionKind\n\nTypeMeta is provided here for convenience. You may use it directly from this package or define your own with the same fields.",
+				Description: "TypeMeta is shared by all top level objects. The proper way to use it is to inline it in your type, like this:\n\n\ttype MyAwesomeAPIObject struct {\n\t     runtime.TypeMeta    `json:\"\"`\n\t     ... // other fields\n\t}\n\nfunc (obj *MyAwesomeAPIObject) SetGroupVersionKind(gvk *metav1.GroupVersionKind) { metav1.UpdateTypeMeta(obj,gvk) }; GroupVersionKind() *GroupVersionKind\n\nTypeMeta is provided here for convenience. You may use it directly from this package or define your own with the same fields.",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"apiVersion": {
@@ -2796,148 +2922,3 @@ func schema_k8sio_apimachinery_pkg_version_Info(ref common.ReferenceCallback) co
 		},
 	}
 }
 func schema_pkg_apis_samplecontroller_v1alpha1_Foo(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
 				Description: "Foo is a specification for a Foo resource",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 					"apiVersion": {
 						SchemaProps: spec.SchemaProps{
 							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
 							Ref:     ref(v1.ObjectMeta{}.OpenAPIModelName()),
 						},
 					},
 					"spec": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
 							Ref:     ref("gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/samplecontroller/v1alpha1.FooSpec"),
 						},
 					},
 					"status": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
 							Ref:     ref("gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/samplecontroller/v1alpha1.FooStatus"),
 						},
 					},
 				},
 				Required: []string{"spec", "status"},
 			},
 		},
 		Dependencies: []string{
 			v1.ObjectMeta{}.OpenAPIModelName(), "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/samplecontroller/v1alpha1.FooSpec", "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/samplecontroller/v1alpha1.FooStatus"},
 	}
 }
 func schema_pkg_apis_samplecontroller_v1alpha1_FooList(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
 				Description: "FooList is a list of Foo resources",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"kind": {
 						SchemaProps: spec.SchemaProps{
 							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 					"apiVersion": {
 						SchemaProps: spec.SchemaProps{
 							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
 							Type:        []string{"string"},
 							Format:      "",
 						},
 					},
 					"metadata": {
 						SchemaProps: spec.SchemaProps{
 							Default: map[string]interface{}{},
 							Ref:     ref(v1.ListMeta{}.OpenAPIModelName()),
 						},
 					},
 					"items": {
 						SchemaProps: spec.SchemaProps{
 							Type: []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
 									SchemaProps: spec.SchemaProps{
 										Default: map[string]interface{}{},
 										Ref:     ref("gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/samplecontroller/v1alpha1.Foo"),
 									},
 								},
 							},
 						},
 					},
 				},
 				Required: []string{"items"},
 			},
 		},
 		Dependencies: []string{
 			v1.ListMeta{}.OpenAPIModelName(), "gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator/pkg/apis/samplecontroller/v1alpha1.Foo"},
 	}
 }
 func schema_pkg_apis_samplecontroller_v1alpha1_FooSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
 				Description: "FooSpec is the spec for a Foo resource",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"deploymentName": {
 						SchemaProps: spec.SchemaProps{
 							Default: "",
 							Type:    []string{"string"},
 							Format:  "",
 						},
 					},
 					"replicas": {
 						SchemaProps: spec.SchemaProps{
 							Type:   []string{"integer"},
 							Format: "int32",
 						},
 					},
 				},
 				Required: []string{"deploymentName", "replicas"},
 			},
 		},
 	}
 }
 func schema_pkg_apis_samplecontroller_v1alpha1_FooStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
 			SchemaProps: spec.SchemaProps{
 				Description: "FooStatus is the status for a Foo resource",
 				Type:        []string{"object"},
 				Properties: map[string]spec.Schema{
 					"availableReplicas": {
 						SchemaProps: spec.SchemaProps{
 							Default: 0,
 							Type:    []string{"integer"},
 							Format:  "int32",
 						},
 					},
 				},
 				Required: []string{"availableReplicas"},
 			},
 		},
 	}
 }
@@ -1,23 +0,0 @@
 /*
 Copyright 2017 The Kubernetes Authors.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
    http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
 package signals
 import (
 	"os"
 )
 var shutdownSignals = []os.Signal{os.Interrupt}
@@ -0,0 +1,50 @@
 #!/usr/bin/env bash
 # Run Kubernetes code generators for pkg/apis using vendored kube_codegen.sh.
 set -euo pipefail
 # kube_codegen runs nested `go install` from the code-generator submodule. For this
 # repo we force:
 #   -buildvcs=false — avoid git stamping failures (submodules, safe.directory)
 #   -mod=mod        — do not use the repo root vendor/ (often stale vs go.mod
 #                     or unrelated to generator tools); fetch modules instead.
 export GOFLAGS="-buildvcs=false -mod=mod"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
 REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd -P)"
 MODULE="gitea.t000-n.de/t.behrendt/authentik-kubernetes-operator"
 KUBE_CODEGEN="${REPO_ROOT}/code-generator/kube_codegen.sh"
 BOILERPLATE="${REPO_ROOT}/code-generator/examples/hack/boilerplate.go.txt"
 API_ROOT="${REPO_ROOT}/pkg/apis"
 GEN_ROOT="${REPO_ROOT}/pkg/generated"
 source "${KUBE_CODEGEN}"
 kube::codegen::gen_helpers --boilerplate "${BOILERPLATE}" "${API_ROOT}"
 kube::codegen::gen_register --boilerplate "${BOILERPLATE}" "${API_ROOT}"
 # OpenAPI rule diff: keep a checked-in baseline (see k8s.io/code-generator examples/hack/update-codegen.sh).
 API_VIOLATIONS_DIR="${REPO_ROOT}/hack/api-violations"
 VIOLATIONS_LIST="${API_VIOLATIONS_DIR}/codegen_violation_exceptions.list"
 mkdir -p "${API_VIOLATIONS_DIR}"
 openapi_report_args=(--report-filename "${VIOLATIONS_LIST}")
 if [[ ! -s "${VIOLATIONS_LIST}" ]] || [[ "${UPDATE_API_KNOWN_VIOLATIONS:-}" == "true" ]]; then
 	openapi_report_args+=(--update-report)
 fi
 kube::codegen::gen_openapi \
 	--output-dir "${GEN_ROOT}/openapi" \
 	--output-pkg "${MODULE}/pkg/generated/openapi" \
 	--output-model-name-file zz_generated.model_name.go \
 	--boilerplate "${BOILERPLATE}" \
 	"${openapi_report_args[@]}" \
 	"${API_ROOT}"
 kube::codegen::gen_client \
 	--with-watch \
 	--with-applyconfig \
 	--output-dir "${GEN_ROOT}" \
 	--output-pkg "${MODULE}/pkg/generated" \
 	--boilerplate "${BOILERPLATE}" \
 	"${API_ROOT}"
Author	SHA1	Message	Date
t.behrendt	20f81f90eb	ci: fix ref to local workflows CI / install-dependencies (pull_request) Successful in 21s Details CI / image check (pull_request) Failing after 5s Details CI / check format (pull_request) Successful in 23s Details CI / check lint (pull_request) Successful in 32s Details CI / test (pull_request) Successful in 22s Details CI / build check (pull_request) Successful in 17m4s Details	2026-05-17 10:46:10 +02:00
t.behrendt	6a9cefbaf3	update docs CI / install dependencies (pull_request) Failing after 8s Details CI / build check (pull_request) Has been skipped Details CI / check format (pull_request) Has been skipped Details CI / check lint (pull_request) Has been skipped Details CI / test (pull_request) Has been skipped Details CI / image check (pull_request) Has been skipped Details	2026-05-16 20:12:43 +02:00
t.behrendt	cc32a01246	ci: add base	2026-05-16 20:07:04 +02:00
t.behrendt	9b0d6a3279	change v1 to v1alpha1	2026-05-16 19:49:27 +02:00
t.behrendt	4f6910c809	docs	2026-05-16 19:28:24 +02:00
t.behrendt	d926b3b4b1	chore: add delve debugging artifacts to gitignore	2026-05-15 19:01:18 +02:00
t.behrendt	dff5b5c9a1	refactor: switch to reconsiliation pattern	2026-05-15 19:00:47 +02:00
t.behrendt	2753647d01	remove unused deployment listener	2026-05-15 16:08:56 +02:00
t.behrendt	90d21f1dd8	mvp working creation of proxy provider	2026-05-15 11:09:20 +02:00
t.behrendt	93fd4e89d5	minimum runnable	2026-05-14 18:55:57 +02:00
`@@ -18,4 +18,4 @@ limitations under the License.`

	`package v1alpha1`	`package v1alpha1`

	`type FooExpansion interface{}`	`type ProxyProviderExpansion interface{}`