From 21d91e9f50c4ebfd9a2f797b061516955783a631 Mon Sep 17 00:00:00 2001
From: Mangirdas Judeikis <mangirdas@judeikis.lt>
Date: Thu, 23 Oct 2025 19:38:21 +0300
Subject: [PATCH 1/2] Add helm deployment & fixup generator

---
 .gitignore                                    |   2 +-
 Makefile                                      |  16 +
 .../clusterbinding_controller.go              |  10 +-
 backend/controllers/rbac.go                   |  29 +
 .../serviceexport/serviceexport_controller.go |  10 +-
 .../serviceexportrequest_controller.go        |  12 +-
 .../servicenamespace_controller.go            |  10 +-
 backend/http/handler.go                       |   2 +-
 backend/template/resources.gohtml             |  24 +-
 .../kubectl/bind-apiservice/plugin/bind.go    |  33 +
 cli/pkg/kubectl/bind/plugin/bind.go           |   2 +
 deploy/charts/backend/.helmignore             |  23 +
 deploy/charts/backend/Chart.yaml              |  24 +
 .../crds/kube-bind.io_apiservicebindings.yaml | 421 +++++++++++
 ...kube-bind.io_apiserviceexportrequests.yaml | 458 ++++++++++++
 .../crds/kube-bind.io_apiserviceexports.yaml  | 691 ++++++++++++++++++
 ...ube-bind.io_apiserviceexporttemplates.yaml | 272 +++++++
 .../kube-bind.io_apiservicenamespaces.yaml    | 124 ++++
 .../crds/kube-bind.io_boundschemas.yaml       | 466 ++++++++++++
 .../crds/kube-bind.io_clusterbindings.yaml    | 330 +++++++++
 .../crds/kube-bind.io_collections.yaml        | 132 ++++
 .../examples/values-local-development.yaml    |  57 ++
 deploy/charts/backend/templates/_helpers.tpl  |  62 ++
 .../backend/templates/clusterrolebinding.yaml |  16 +
 .../charts/backend/templates/deployment.yaml  | 130 ++++
 deploy/charts/backend/templates/hpa.yaml      |  32 +
 deploy/charts/backend/templates/role.yaml     | 107 +++
 deploy/charts/backend/templates/service.yaml  |  22 +
 .../backend/templates/serviceaccount.yaml     |  13 +
 .../templates/tests/test-connection.yaml      |  15 +
 deploy/charts/backend/values.yaml             | 136 ++++
 .../insecure/example-backend.yaml             | 137 ----
 .../example-backend/letsencrypt/.gitignore    |   2 -
 .../letsencrypt/cluster-issuer.yaml.tmpl      |  15 -
 .../letsencrypt/dex-config-secret.yaml.tmpl   |  34 -
 .../letsencrypt/example-backend.yaml          | 235 ------
 .../letsencrypt/oidc-secret.yaml.tmpl         |   9 -
 docs/content/setup/helm.md                    | 237 +++++-
 hack/update-codegen.sh                        |  14 +
 39 files changed, 3896 insertions(+), 468 deletions(-)
 create mode 100644 backend/controllers/rbac.go
 create mode 100644 deploy/charts/backend/.helmignore
 create mode 100644 deploy/charts/backend/Chart.yaml
 create mode 100644 deploy/charts/backend/crds/kube-bind.io_apiservicebindings.yaml
 create mode 100644 deploy/charts/backend/crds/kube-bind.io_apiserviceexportrequests.yaml
 create mode 100644 deploy/charts/backend/crds/kube-bind.io_apiserviceexports.yaml
 create mode 100644 deploy/charts/backend/crds/kube-bind.io_apiserviceexporttemplates.yaml
 create mode 100644 deploy/charts/backend/crds/kube-bind.io_apiservicenamespaces.yaml
 create mode 100644 deploy/charts/backend/crds/kube-bind.io_boundschemas.yaml
 create mode 100644 deploy/charts/backend/crds/kube-bind.io_clusterbindings.yaml
 create mode 100644 deploy/charts/backend/crds/kube-bind.io_collections.yaml
 create mode 100644 deploy/charts/backend/examples/values-local-development.yaml
 create mode 100644 deploy/charts/backend/templates/_helpers.tpl
 create mode 100644 deploy/charts/backend/templates/clusterrolebinding.yaml
 create mode 100644 deploy/charts/backend/templates/deployment.yaml
 create mode 100644 deploy/charts/backend/templates/hpa.yaml
 create mode 100644 deploy/charts/backend/templates/role.yaml
 create mode 100644 deploy/charts/backend/templates/service.yaml
 create mode 100644 deploy/charts/backend/templates/serviceaccount.yaml
 create mode 100644 deploy/charts/backend/templates/tests/test-connection.yaml
 create mode 100644 deploy/charts/backend/values.yaml
 delete mode 100644 deploy/manifests/example-backend/insecure/example-backend.yaml
 delete mode 100644 deploy/manifests/example-backend/letsencrypt/.gitignore
 delete mode 100644 deploy/manifests/example-backend/letsencrypt/cluster-issuer.yaml.tmpl
 delete mode 100644 deploy/manifests/example-backend/letsencrypt/dex-config-secret.yaml.tmpl
 delete mode 100644 deploy/manifests/example-backend/letsencrypt/example-backend.yaml
 delete mode 100644 deploy/manifests/example-backend/letsencrypt/oidc-secret.yaml.tmpl

diff --git a/.gitignore b/.gitignore
index f0d1aa73d..cde76d088 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,5 +14,5 @@ coverage.*
 /dex
 /bin
 docs/generators/cli-doc/cli-doc
-dex/
 apiserviceexport.yaml
+*.prod
\ No newline at end of file
diff --git a/Makefile b/Makefile
index e30a4f474..899da2cf8 100644
--- a/Makefile
+++ b/Makefile
@@ -290,10 +290,26 @@ CONTRIBS_E2E := $(patsubst %,test-e2e-contrib-%,$(CONTRIBS))
 
 .PHONY: test-e2e-contribs $(CONTRIBS_E2E)
 test-e2e-contribs: $(CONTRIBS_E2E) ## Run e2e tests for external integrations
+
+.PHONY: test-e2e-contrib-kcp
 test-e2e-contrib-kcp: $(DEX) $(KCP)
 $(CONTRIBS_E2E):
 	cd contrib/$(patsubst test-e2e-contrib-%,%,$@) && $(GO_TEST) -race -count $(COUNT) $(E2E_PARALLELISM_FLAG) ./test/e2e/...
 
+DESTROY_KIND_CLUSTER ?= true
+REUSE_KIND_CLUSTER_SUFFIX ?= ""
+KIND_CLUSTER_NAME ?= kube-bind
+
+.PHONY: test-e2e-kind
+test-e2e-kind: build image-local
+	echo "Running kube-bind e2e tests"
+	KUBE_BIND_BACKEND_IMAGE=$(KO_DOCKER_REPO)/backend:$(REV) \
+	KUBE_BIND_KONNECTOR_IMAGE=$(KO_DOCKER_REPO)/konnector:$(REV) \
+	$(GO_TEST) -v ./test/e2e-kind/... \
+		-destroy-kind-cluster=$(DESTROY_KIND_CLUSTER) \
+		-collect-logs=true 
+	echo "Kube-bind e2e tests completed"
+
 .PHONY: test
 ifdef USE_GOTESTSUM
 test: $(GOTESTSUM)
diff --git a/backend/controllers/clusterbinding/clusterbinding_controller.go b/backend/controllers/clusterbinding/clusterbinding_controller.go
index d524d8c54..abd1c7853 100644
--- a/backend/controllers/clusterbinding/clusterbinding_controller.go
+++ b/backend/controllers/clusterbinding/clusterbinding_controller.go
@@ -147,10 +147,12 @@ func NewClusterBindingReconciler(
 	return r, nil
 }
 
-//+kubebuilder:rbac:groups=kubebind.k8s.io,resources=clusterbindings,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=kubebind.k8s.io,resources=clusterbindings/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=kubebind.k8s.io,resources=clusterbindings/finalizers,verbs=update
-//+kubebuilder:rbac:groups=kubebind.k8s.io,resources=apiserviceexports,verbs=get;list;watch
+//+kubebuilder:rbac:groups=kube-bind.io,resources=clusterbindings,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=kube-bind.io,resources=clusterbindings/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=kube-bind.io,resources=clusterbindings/finalizers,verbs=update
+//+kubebuilder:rbac:groups=kube-bind.io,resources=apiserviceexports,verbs=get;list;watch
+//+kubebuilder:rbac:groups=kube-bind.io,resources=collections,verbs=get;list;watch
+//+kubebuilder:rbac:groups=kube-bind.io,resources=apiserviceexporttemplates,verbs=get;list;watch
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterroles,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=clusterrolebindings,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;watch;create;update;patch;delete
diff --git a/backend/controllers/rbac.go b/backend/controllers/rbac.go
new file mode 100644
index 000000000..7bd75c5ac
--- /dev/null
+++ b/backend/controllers/rbac.go
@@ -0,0 +1,29 @@
+/*
+Copyright 2022 The Kube Bind Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controllers
+
+// This is Core access needed for backend controllers.
+//+kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="",resources=serviceaccounts,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch;create;update;patch;delete
+
+// Additional RBAC permissions for export functionality
+// These permissions allow the backend to grant RBAC permissions for exported resources
+//+kubebuilder:rbac:groups="",resources=configmaps,verbs=*
+//+kubebuilder:rbac:groups="",resources=secrets,verbs=*
diff --git a/backend/controllers/serviceexport/serviceexport_controller.go b/backend/controllers/serviceexport/serviceexport_controller.go
index 21166e4ff..ab6124882 100644
--- a/backend/controllers/serviceexport/serviceexport_controller.go
+++ b/backend/controllers/serviceexport/serviceexport_controller.go
@@ -82,11 +82,11 @@ func NewAPIServiceExportReconciler(
 	return r, nil
 }
 
-//+kubebuilder:rbac:groups=kubebind.k8s.io,resources=apiserviceexports,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=kubebind.k8s.io,resources=apiserviceexports/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=kubebind.k8s.io,resources=apiserviceexports/finalizers,verbs=update
-//+kubebuilder:rbac:groups=kubebind.k8s.io,resources=boundschemas,verbs=get;list;watch
-//+kubebuilder:rbac:groups=kubebind.k8s.io,resources=boundschemas/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=kube-bind.io,resources=apiserviceexports,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=kube-bind.io,resources=apiserviceexports/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=kube-bind.io,resources=apiserviceexports/finalizers,verbs=update
+//+kubebuilder:rbac:groups=kube-bind.io,resources=boundschemas,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=kube-bind.io,resources=boundschemas/status,verbs=get;update;patch;list
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
diff --git a/backend/controllers/serviceexportrequest/serviceexportrequest_controller.go b/backend/controllers/serviceexportrequest/serviceexportrequest_controller.go
index 4330a7f78..3788d011b 100644
--- a/backend/controllers/serviceexportrequest/serviceexportrequest_controller.go
+++ b/backend/controllers/serviceexportrequest/serviceexportrequest_controller.go
@@ -177,12 +177,12 @@ func getBoundSchemaMapper(clusterName string, cl cluster.Cluster) handler.TypedE
 	})
 }
 
-//+kubebuilder:rbac:groups=kubebind.k8s.io,resources=apiserviceexportrequests,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=kubebind.k8s.io,resources=apiserviceexportrequests/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=kubebind.k8s.io,resources=apiserviceexportrequests/finalizers,verbs=update
-//+kubebuilder:rbac:groups=kubebind.k8s.io,resources=apiserviceexports,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=kubebind.k8s.io,resources=apiresourceschemas,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=kubebind.k8s.io,resources=resources=apiservicenamespaces,verbs=get;list;watch;create
+//+kubebuilder:rbac:groups=kube-bind.io,resources=apiserviceexportrequests,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=kube-bind.io,resources=apiserviceexportrequests/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=kube-bind.io,resources=apiserviceexportrequests/finalizers,verbs=update
+//+kubebuilder:rbac:groups=kube-bind.io,resources=apiserviceexports,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=kube-bind.io,resources=apiresourceschemas,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=kube-bind.io,resources=apiservicenamespaces,verbs=get;list;watch;create
 
 // Reconcile is part of the main kubernetes reconciliation loop which aims to
 // move the current state of the cluster closer to the desired state.
diff --git a/backend/controllers/servicenamespace/servicenamespace_controller.go b/backend/controllers/servicenamespace/servicenamespace_controller.go
index e9f4e52b0..0b28901b9 100644
--- a/backend/controllers/servicenamespace/servicenamespace_controller.go
+++ b/backend/controllers/servicenamespace/servicenamespace_controller.go
@@ -206,11 +206,11 @@ func getServiceExportMapper(clusterName string, cl cluster.Cluster) handler.Type
 	})
 }
 
-//+kubebuilder:rbac:groups=kubebind.k8s.io,resources=apiservicenamespaces,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=kubebind.k8s.io,resources=apiservicenamespaces/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=kubebind.k8s.io,resources=apiservicenamespaces/finalizers,verbs=update
-//+kubebuilder:rbac:groups=kubebind.k8s.io,resources=clusterbindings,verbs=get;list;watch
-//+kubebuilder:rbac:groups=kubebind.k8s.io,resources=apiserviceexports,verbs=get;list;watch
+//+kubebuilder:rbac:groups=kube-bind.io,resources=apiservicenamespaces,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=kube-bind.io,resources=apiservicenamespaces/status,verbs=get;update;patch
+//+kubebuilder:rbac:groups=kube-bind.io,resources=apiservicenamespaces/finalizers,verbs=update
+//+kubebuilder:rbac:groups=kube-bind.io,resources=clusterbindings,verbs=get;list;watch
+//+kubebuilder:rbac:groups=kube-bind.io,resources=apiserviceexports,verbs=get;list;watch
 //+kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=rolebindings,verbs=get;list;watch;create;update;patch;delete
 
diff --git a/backend/http/handler.go b/backend/http/handler.go
index b4a0b1e3a..5fbd16fbf 100644
--- a/backend/http/handler.go
+++ b/backend/http/handler.go
@@ -205,7 +205,7 @@ func (h *handler) handleAuthorize(w http.ResponseWriter, r *http.Request) {
 		ProviderClusterID: providerCluster, // used in multicluster-runtime providers
 	}
 	if callbackPort != "" && code.RedirectURL == "" {
-		code.RedirectURL = fmt.Sprintf("http://localhost:%s/callback", callbackPort)
+		code.RedirectURL = fmt.Sprintf("http://127.0.0.1:%s/callback", callbackPort)
 	}
 
 	if code.RedirectURL == "" || code.SessionID == "" || code.ClusterID == "" {
diff --git a/backend/template/resources.gohtml b/backend/template/resources.gohtml
index 1f653295c..67db1f76a 100644
--- a/backend/template/resources.gohtml
+++ b/backend/template/resources.gohtml
@@ -10,7 +10,7 @@
     <!-- Bootstrap Icons -->
     <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap-icons@1.7.2/font/bootstrap-icons.css">
 
-    <title>Modules - Kube Bind</title>
+    <title>Services - Kube Bind</title>
     <style>
       body {
         background: #f8f9fa;
@@ -36,7 +36,7 @@
         margin: 0;
       }
       
-      .module-card {
+      .service-card {
         border: 1px solid #dee2e6;
         border-radius: 6px;
         background: white;
@@ -44,17 +44,17 @@
         margin-bottom: 1rem;
       }
       
-      .module-card:hover {
+      .service-card:hover {
         border-color: #007bff;
       }
       
-      .module-card .card-header {
+      .service-card .card-header {
         background: #f8f9fa;
         border-bottom: 1px solid #dee2e6;
         padding: 0.75rem 1rem;
       }
       
-      .module-card .card-header h5 {
+      .service-card .card-header h5 {
         margin: 0;
         font-size: 1.1rem;
         font-weight: 500;
@@ -135,14 +135,14 @@
   <body>
     <div class="container">
       <div class="page-header">
-        <h2>Available Modules</h2>
-        <p>Select a module to bind its resources and permissions</p>
+        <h2>Available Services</h2>
+        <p>Select a service to bind its resources and permissions</p>
       </div>
       
       <div class="row">
-        {{range $moduleIdx, $schema := .Schemas}}
+        {{range $serviceIdx, $schema := .Schemas}}
         <div class="col-lg-6 col-md-12 mb-3">
-          <div class="card module-card">
+          <div class="card service-card">
             <div class="card-header">
               <h5>{{$schema.Name}}</h5>
               {{if $schema.Description}}<small class="text-muted">{{$schema.Description}}</small>{{end}}
@@ -171,10 +171,10 @@
                   </span>
                   {{if or $claim.Selector.NamedResources $claim.Selector.LabelSelector}}
                   <br>
-                  <a class="btn details-btn mt-1" data-toggle="collapse" href="#claim-{{$moduleIdx}}-{{$i}}" role="button" aria-expanded="false">
+                  <a class="btn details-btn mt-1" data-toggle="collapse" href="#claim-{{$serviceIdx}}-{{$i}}" role="button" aria-expanded="false">
                     Details
                   </a>
-                  <div class="collapse mt-2" id="claim-{{$moduleIdx}}-{{$i}}">
+                  <div class="collapse mt-2" id="claim-{{$serviceIdx}}-{{$i}}">
                     {{if $claim.Selector.NamedResources}}
                     <div class="detail-card p-2 mb-2">
                       <strong>Named:</strong>
@@ -217,7 +217,7 @@
             </ul>
             <div class="card-body">
               <a href="{{if $.Cluster}}/clusters/{{$.Cluster}}{{end}}/bind?s={{$schema.SessionID}}&template={{$schema.Name}}" class="btn bind-btn {{$schema.Name}}">
-                Bind Module
+                Bind Service
               </a>
             </div>
           </div>
diff --git a/cli/pkg/kubectl/bind-apiservice/plugin/bind.go b/cli/pkg/kubectl/bind-apiservice/plugin/bind.go
index 691430e71..240a271e0 100644
--- a/cli/pkg/kubectl/bind-apiservice/plugin/bind.go
+++ b/cli/pkg/kubectl/bind-apiservice/plugin/bind.go
@@ -143,39 +143,72 @@ func (b *BindAPIServiceOptions) Validate() error {
 
 // Run starts the binding process.
 func (b *BindAPIServiceOptions) Run(ctx context.Context) error {
+	fmt.Fprintf(b.Options.ErrOut, "🔧 Starting binding process...\n")
+
+	fmt.Fprintf(b.Options.ErrOut, "📋 Step 1: Getting client config...\n")
 	config, err := b.Options.ClientConfig.ClientConfig()
 	if err != nil {
+		fmt.Fprintf(b.Options.ErrOut, "❌ Failed to get client config: %v\n", err)
 		return err
 	}
+	fmt.Fprintf(b.Options.ErrOut, "✅ Client config obtained successfully\n")
 
+	fmt.Fprintf(b.Options.ErrOut, "📋 Step 2: Getting remote kubeconfig...\n")
 	remoteKubeconfig, remoteNamespace, remoteConfig, err := b.getRemoteKubeconfig(ctx, config)
 	if err != nil {
+		fmt.Fprintf(b.Options.ErrOut, "❌ Failed to get remote kubeconfig: %v\n", err)
 		return err
 	}
+	fmt.Fprintf(b.Options.ErrOut, "✅ Remote kubeconfig obtained, namespace: %s\n", remoteNamespace)
+
+	fmt.Fprintf(b.Options.ErrOut, "📋 Step 3: Getting request manifest...\n")
 	bs, err := b.getRequestManifest()
 	if err != nil {
+		fmt.Fprintf(b.Options.ErrOut, "❌ Failed to get request manifest: %v\n", err)
 		return err
 	}
+	fmt.Fprintf(b.Options.ErrOut, "✅ Request manifest obtained (%d bytes)\n", len(bs))
+
+	fmt.Fprintf(b.Options.ErrOut, "📋 Step 4: Unmarshaling manifest...\n")
 	request, err := b.unmarshalManifest(bs)
 	if err != nil {
+		fmt.Fprintf(b.Options.ErrOut, "❌ Failed to unmarshal manifest: %v\n", err)
 		return err
 	}
+	fmt.Fprintf(b.Options.ErrOut, "✅ Manifest unmarshaled successfully\n")
+
+	fmt.Fprintf(b.Options.ErrOut, "📋 Step 5: Creating service export request...\n")
 	result, err := b.createServiceExportRequest(ctx, remoteConfig, remoteNamespace, request)
 	if err != nil {
+		fmt.Fprintf(b.Options.ErrOut, "❌ Failed to create service export request: %v\n", err)
 		return err
 	}
+	fmt.Fprintf(b.Options.ErrOut, "✅ Service export request created successfully\n")
+
+	fmt.Fprintf(b.Options.ErrOut, "📋 Step 6: Deploying konnector...\n")
 	if err := b.deployKonnector(ctx, config); err != nil {
+		fmt.Fprintf(b.Options.ErrOut, "❌ Failed to deploy konnector: %v\n", err)
 		return err
 	}
+	fmt.Fprintf(b.Options.ErrOut, "✅ Konnector deployed successfully\n")
+
+	fmt.Fprintf(b.Options.ErrOut, "📋 Step 7: Creating kubeconfig secret...\n")
 	secretName, err := b.createKubeconfigSecret(ctx, config, remoteConfig.Host, remoteNamespace, remoteKubeconfig)
 	if err != nil {
+		fmt.Fprintf(b.Options.ErrOut, "❌ Failed to create kubeconfig secret: %v\n", err)
 		return err
 	}
+	fmt.Fprintf(b.Options.ErrOut, "✅ Kubeconfig secret created: %s\n", secretName)
+
+	fmt.Fprintf(b.Options.ErrOut, "📋 Step 8: Creating API service bindings...\n")
 	bindings, err := b.createAPIServiceBindings(ctx, config, result, secretName)
 	if err != nil {
+		fmt.Fprintf(b.Options.ErrOut, "❌ Failed to create API service bindings: %v\n", err)
 		return err
 	}
+	fmt.Fprintf(b.Options.ErrOut, "✅ API service bindings created (%d bindings)\n", len(bindings))
 
+	fmt.Fprintf(b.Options.ErrOut, "📋 Step 9: Printing results table...\n")
 	fmt.Fprintln(b.Options.ErrOut)
 	return b.printTable(ctx, config, bindings)
 }
diff --git a/cli/pkg/kubectl/bind/plugin/bind.go b/cli/pkg/kubectl/bind/plugin/bind.go
index 3b7eacf7d..1e62d0055 100644
--- a/cli/pkg/kubectl/bind/plugin/bind.go
+++ b/cli/pkg/kubectl/bind/plugin/bind.go
@@ -292,8 +292,10 @@ func (b *BindOptions) Run(ctx context.Context, urlCh chan<- string) error {
 
 		// TODO: support passing through the base options
 
+		fmt.Fprintf(b.Options.ErrOut, "\n")
 		fmt.Fprintf(b.Options.ErrOut, "🚀 Executing: %s %s\n", "kubectl bind", strings.Join(args, " "))
 		fmt.Fprintf(b.Options.ErrOut, "✨ Use \"-o yaml\" and \"--dry-run\" to get the APIServiceExportRequest.\n   and pass it to \"kubectl bind apiservice\" directly. Great for automation.\n")
+
 		command := exec.CommandContext(ctx, executable, append(args, "--no-banner")...)
 		command.Stdin = bytes.NewReader(bs)
 		command.Stdout = b.Options.Out
diff --git a/deploy/charts/backend/.helmignore b/deploy/charts/backend/.helmignore
new file mode 100644
index 000000000..0e8a0eb36
--- /dev/null
+++ b/deploy/charts/backend/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/deploy/charts/backend/Chart.yaml b/deploy/charts/backend/Chart.yaml
new file mode 100644
index 000000000..f75ec9108
--- /dev/null
+++ b/deploy/charts/backend/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: kube-bind backend
+description: A Helm chart for Kube-bind backend deployment
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "v0.5.1"
\ No newline at end of file
diff --git a/deploy/charts/backend/crds/kube-bind.io_apiservicebindings.yaml b/deploy/charts/backend/crds/kube-bind.io_apiservicebindings.yaml
new file mode 100644
index 000000000..44a60fe21
--- /dev/null
+++ b/deploy/charts/backend/crds/kube-bind.io_apiservicebindings.yaml
@@ -0,0 +1,421 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.17.3
+  name: apiservicebindings.kube-bind.io
+spec:
+  group: kube-bind.io
+  names:
+    categories:
+    - kube-bindings
+    kind: APIServiceBinding
+    listKind: APIServiceBindingList
+    plural: apiservicebindings
+    shortNames:
+    - sb
+    singular: apiservicebinding
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .status.providerPrettyName
+      name: Provider
+      type: string
+    - jsonPath: .metadata.annotations.kube-bind\.io/resources
+      name: Resources
+      priority: 1
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Message
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          APIServiceBinding binds an API service represented by a APIServiceExport
+          in a service provider cluster into a consumer cluster. This object lives in
+          the consumer cluster.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: |-
+              spec specifies how an API service from a service provider should be bound in the
+              local consumer cluster.
+            properties:
+              kubeconfigSecretRef:
+                description: kubeconfigSecretName is the secret ref that contains
+                  the kubeconfig of the service cluster.
+                properties:
+                  key:
+                    description: The key of the secret to select from.  Must be "kubeconfig".
+                    enum:
+                    - kubeconfig
+                    type: string
+                  name:
+                    description: Name of the referent.
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: Namespace of the referent.
+                    minLength: 1
+                    type: string
+                required:
+                - key
+                - name
+                - namespace
+                type: object
+                x-kubernetes-validations:
+                - message: kubeconfigSecretRef is immutable
+                  rule: self == oldSelf
+            required:
+            - kubeconfigSecretRef
+            type: object
+          status:
+            description: status contains reconciliation information for a service
+              binding.
+            properties:
+              conditions:
+                description: conditions is a list of conditions that apply to the
+                  APIServiceBinding.
+                items:
+                  description: Condition defines an observation of a object operational
+                    state.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        Last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed. If that is not known, then using the time when
+                        the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        A human readable message indicating details about the transition.
+                        This field may be empty.
+                      type: string
+                    reason:
+                      description: |-
+                        The reason for the condition's last transition in CamelCase.
+                        The specific API may choose whether or not this field is considered a guaranteed API.
+                        This field may not be empty.
+                      type: string
+                    severity:
+                      description: |-
+                        Severity provides an explicit classification of Reason code, so the users or machines can immediately
+                        understand the current situation and act accordingly.
+                        The Severity field MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: |-
+                        Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
+                        can be useful (see .node.status.conditions), the ability to deconflict is important.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              providerPrettyName:
+                description: |-
+                  providerPrettyName is the pretty name of the service provider cluster. This
+                  can be shared among different APIServiceBindings.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.providerPrettyName
+      name: Provider
+      type: string
+    - jsonPath: .metadata.annotations.kube-bind\.io/resources
+      name: Resources
+      priority: 1
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].message
+      name: Message
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: |-
+          APIServiceBinding binds an API service represented by a APIServiceExport
+          in a service provider cluster into a consumer cluster. This object lives in
+          the consumer cluster.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: |-
+              spec specifies how an API service from a service provider should be bound in the
+              local consumer cluster.
+            properties:
+              kubeconfigSecretRef:
+                description: kubeconfigSecretName is the secret ref that contains
+                  the kubeconfig of the service cluster.
+                properties:
+                  key:
+                    description: The key of the secret to select from.  Must be "kubeconfig".
+                    enum:
+                    - kubeconfig
+                    type: string
+                  name:
+                    description: Name of the referent.
+                    minLength: 1
+                    type: string
+                  namespace:
+                    description: Namespace of the referent.
+                    minLength: 1
+                    type: string
+                required:
+                - key
+                - name
+                - namespace
+                type: object
+                x-kubernetes-validations:
+                - message: kubeconfigSecretRef is immutable
+                  rule: self == oldSelf
+            required:
+            - kubeconfigSecretRef
+            type: object
+          status:
+            description: status contains reconciliation information for a service
+              binding.
+            properties:
+              boundSchemas:
+                description: |-
+                  BoundSchemas contains references to all BoundAPIResourceSchema objects
+                  associated with this APIServiceBinding, tracking consumer usage status.
+                items:
+                  description: BoundSchemaReference contains a reference to a BoundAPIResourceSchema
+                    with status information.
+                  properties:
+                    group:
+                      default: ""
+                      description: |-
+                        group is the name of an API group.
+                        For core groups this is the empty string '""'.
+                      pattern: ^(|[a-z0-9]([-a-z0-9]*[a-z0-9](\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)?)$
+                      type: string
+                    resource:
+                      description: |-
+                        resource is the name of the resource.
+                        Note: it is worth noting that you can not ask for permissions for resource provided by a CRD
+                        not provided by an service binding export.
+                      pattern: ^[a-z][-a-z0-9]*[a-z0-9]$
+                      type: string
+                  required:
+                  - resource
+                  type: object
+                minItems: 1
+                type: array
+              conditions:
+                description: conditions is a list of conditions that apply to the
+                  APIServiceBinding.
+                items:
+                  description: Condition defines an observation of a object operational
+                    state.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        Last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed. If that is not known, then using the time when
+                        the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        A human readable message indicating details about the transition.
+                        This field may be empty.
+                      type: string
+                    reason:
+                      description: |-
+                        The reason for the condition's last transition in CamelCase.
+                        The specific API may choose whether or not this field is considered a guaranteed API.
+                        This field may not be empty.
+                      type: string
+                    severity:
+                      description: |-
+                        Severity provides an explicit classification of Reason code, so the users or machines can immediately
+                        understand the current situation and act accordingly.
+                        The Severity field MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: |-
+                        Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
+                        can be useful (see .node.status.conditions), the ability to deconflict is important.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              permissionClaims:
+                description: |-
+                  PermissionClaims records decisions about permission claims requested by the service provider.
+                  Access is granted per GroupResource.
+                items:
+                  description: |-
+                    PermissionClaim selects objects of a GVR that a service provider may
+                    request and that a consumer may accept and allow the service provider access to.
+                  properties:
+                    group:
+                      default: ""
+                      description: |-
+                        group is the name of an API group.
+                        For core groups this is the empty string '""'.
+                      pattern: ^(|[a-z0-9]([-a-z0-9]*[a-z0-9](\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)?)$
+                      type: string
+                    resource:
+                      description: |-
+                        resource is the name of the resource.
+                        Note: it is worth noting that you can not ask for permissions for resource provided by a CRD
+                        not provided by an service binding export.
+                      pattern: ^[a-z][-a-z0-9]*[a-z0-9]$
+                      type: string
+                    selector:
+                      description: Selector is a resource selector that selects objects
+                        of a GVR.
+                      properties:
+                        labelSelector:
+                          description: LabelSelector is a label selector that selects
+                            objects of a GVR.
+                          properties:
+                            matchExpressions:
+                              description: matchExpressions is a list of label selector
+                                requirements. The requirements are ANDed.
+                              items:
+                                description: |-
+                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                  relates the key and values.
+                                properties:
+                                  key:
+                                    description: key is the label key that the selector
+                                      applies to.
+                                    type: string
+                                  operator:
+                                    description: |-
+                                      operator represents a key's relationship to a set of values.
+                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                    type: string
+                                  values:
+                                    description: |-
+                                      values is an array of string values. If the operator is In or NotIn,
+                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                      the values array must be empty. This array is replaced during a strategic
+                                      merge patch.
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                required:
+                                - key
+                                - operator
+                                type: object
+                              type: array
+                              x-kubernetes-list-type: atomic
+                            matchLabels:
+                              additionalProperties:
+                                type: string
+                              description: |-
+                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                              type: object
+                          type: object
+                          x-kubernetes-map-type: atomic
+                        namedResources:
+                          description: NamedResource is a shorthand for selecting
+                            a single resource by name and namespace.
+                          items:
+                            description: NamedResource selects a specific resource
+                              by name and namespace.
+                            properties:
+                              name:
+                                description: |-
+                                  Name is the name of the resource.
+                                  Name matches the metadata.name field of the underlying object.
+                                type: string
+                              namespace:
+                                description: |-
+                                  Namespace represents namespace where an object of the given group/resource may be managed.
+                                  Namespaces matches against the metadata.namespace field. If not provided, the object is assumed to be cluster-scoped.
+                                  Namespaces field is ignored for namespaced isolation mode.
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          type: array
+                      type: object
+                  required:
+                  - resource
+                  - selector
+                  type: object
+                type: array
+              providerPrettyName:
+                description: |-
+                  providerPrettyName is the pretty name of the service provider cluster. This
+                  can be shared among different APIServiceBindings.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/deploy/charts/backend/crds/kube-bind.io_apiserviceexportrequests.yaml b/deploy/charts/backend/crds/kube-bind.io_apiserviceexportrequests.yaml
new file mode 100644
index 000000000..660268ec0
--- /dev/null
+++ b/deploy/charts/backend/crds/kube-bind.io_apiserviceexportrequests.yaml
@@ -0,0 +1,458 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.17.3
+  name: apiserviceexportrequests.kube-bind.io
+spec:
+  group: kube-bind.io
+  names:
+    categories:
+    - kube-bindings
+    kind: APIServiceExportRequest
+    listKind: APIServiceExportRequestList
+    plural: apiserviceexportrequests
+    singular: apiserviceexportrequest
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          APIServiceExportRequest is represents a request session of kubectl-bind-apiservice.
+
+          The service provider can prune these objects after some time.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: |-
+              spec specifies how an API service from a service provider should be bound in the
+              local consumer cluster.
+            properties:
+              parameters:
+                description: |-
+                  parameters holds service provider specific parameters for this binding
+                  request.
+                type: object
+                x-kubernetes-preserve-unknown-fields: true
+                x-kubernetes-validations:
+                - message: parameters are immutable
+                  rule: self == oldSelf
+              resources:
+                description: resources is a list of resources that should be exported.
+                items:
+                  properties:
+                    group:
+                      default: ""
+                      description: |-
+                        group is the name of an API group.
+                        For core groups this is the empty string '""'.
+                      pattern: ^(|[a-z0-9]([-a-z0-9]*[a-z0-9](\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)?)$
+                      type: string
+                    resource:
+                      description: |-
+                        resource is the name of the resource.
+                        Note: it is worth noting that you can not ask for permissions for resource provided by a CRD
+                        not provided by an service binding export.
+                      pattern: ^[a-z][-a-z0-9]*[a-z0-9]$
+                      type: string
+                    versions:
+                      description: |-
+                        versions is a list of versions that should be exported. If this is empty
+                        a sensible default is chosen by the service provider.
+                      items:
+                        type: string
+                      type: array
+                  required:
+                  - resource
+                  type: object
+                minItems: 1
+                type: array
+                x-kubernetes-validations:
+                - message: resources are immutable
+                  rule: self == oldSelf
+            required:
+            - resources
+            type: object
+          status:
+            default: {}
+            description: status contains reconciliation information for a service
+              binding.
+            properties:
+              conditions:
+                description: |-
+                  conditions is a list of conditions that apply to the ClusterBinding. It is
+                  updated by the konnector and the service provider.
+                items:
+                  description: Condition defines an observation of a object operational
+                    state.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        Last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed. If that is not known, then using the time when
+                        the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        A human readable message indicating details about the transition.
+                        This field may be empty.
+                      type: string
+                    reason:
+                      description: |-
+                        The reason for the condition's last transition in CamelCase.
+                        The specific API may choose whether or not this field is considered a guaranteed API.
+                        This field may not be empty.
+                      type: string
+                    severity:
+                      description: |-
+                        Severity provides an explicit classification of Reason code, so the users or machines can immediately
+                        understand the current situation and act accordingly.
+                        The Severity field MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: |-
+                        Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
+                        can be useful (see .node.status.conditions), the ability to deconflict is important.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              phase:
+                default: Pending
+                description: |-
+                  phase is the current phase of the binding request. It starts in Pending
+                  and transitions to Succeeded or Failed. See the condition for detailed
+                  information.
+                enum:
+                - Pending
+                - Failed
+                - Succeeded
+                type: string
+              terminalMessage:
+                description: |-
+                  terminalMessage is a human readable message that describes the reason
+                  for the current phase.
+                type: string
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: |-
+          APIServiceExportRequest is represents a request session of kubectl-bind-apiservice.
+
+          The service provider can prune these objects after some time.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: |-
+              spec specifies how an API service from a service provider should be bound in the
+              local consumer cluster.
+            properties:
+              namespaces:
+                description: |-
+                  namespaces specifies the namespaces to bootstrap as part of this request.
+                  When objects originate from provider side, the consumer does not always know the necessary details.
+                  This field allows provider to pre-heat the necessary namespaces on provider side by creating
+                  APIServiceNamespace objects attached to the APIServiceExport. More namespaces can be created later by the consumer.
+                items:
+                  properties:
+                    name:
+                      description: name is the name of the namespace to create on
+                        provider side.
+                      type: string
+                  required:
+                  - name
+                  type: object
+                type: array
+                x-kubernetes-validations:
+                - message: namespaces are immutable
+                  rule: self == oldSelf
+              parameters:
+                description: |-
+                  parameters holds service provider specific parameters for this binding
+                  request.
+                type: object
+                x-kubernetes-preserve-unknown-fields: true
+                x-kubernetes-validations:
+                - message: parameters are immutable
+                  rule: self == oldSelf
+              permissionClaims:
+                description: |-
+                  PermissionClaims records decisions about permission claims requested by the service provider.
+                  Access is granted per GroupResource.
+                items:
+                  description: |-
+                    PermissionClaim selects objects of a GVR that a service provider may
+                    request and that a consumer may accept and allow the service provider access to.
+                  properties:
+                    group:
+                      default: ""
+                      description: |-
+                        group is the name of an API group.
+                        For core groups this is the empty string '""'.
+                      pattern: ^(|[a-z0-9]([-a-z0-9]*[a-z0-9](\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)?)$
+                      type: string
+                    resource:
+                      description: |-
+                        resource is the name of the resource.
+                        Note: it is worth noting that you can not ask for permissions for resource provided by a CRD
+                        not provided by an service binding export.
+                      pattern: ^[a-z][-a-z0-9]*[a-z0-9]$
+                      type: string
+                    selector:
+                      description: Selector is a resource selector that selects objects
+                        of a GVR.
+                      properties:
+                        labelSelector:
+                          description: LabelSelector is a label selector that selects
+                            objects of a GVR.
+                          properties:
+                            matchExpressions:
+                              description: matchExpressions is a list of label selector
+                                requirements. The requirements are ANDed.
+                              items:
+                                description: |-
+                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                  relates the key and values.
+                                properties:
+                                  key:
+                                    description: key is the label key that the selector
+                                      applies to.
+                                    type: string
+                                  operator:
+                                    description: |-
+                                      operator represents a key's relationship to a set of values.
+                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                    type: string
+                                  values:
+                                    description: |-
+                                      values is an array of string values. If the operator is In or NotIn,
+                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                      the values array must be empty. This array is replaced during a strategic
+                                      merge patch.
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                required:
+                                - key
+                                - operator
+                                type: object
+                              type: array
+                              x-kubernetes-list-type: atomic
+                            matchLabels:
+                              additionalProperties:
+                                type: string
+                              description: |-
+                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                              type: object
+                          type: object
+                          x-kubernetes-map-type: atomic
+                        namedResources:
+                          description: NamedResource is a shorthand for selecting
+                            a single resource by name and namespace.
+                          items:
+                            description: NamedResource selects a specific resource
+                              by name and namespace.
+                            properties:
+                              name:
+                                description: |-
+                                  Name is the name of the resource.
+                                  Name matches the metadata.name field of the underlying object.
+                                type: string
+                              namespace:
+                                description: |-
+                                  Namespace represents namespace where an object of the given group/resource may be managed.
+                                  Namespaces matches against the metadata.namespace field. If not provided, the object is assumed to be cluster-scoped.
+                                  Namespaces field is ignored for namespaced isolation mode.
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          type: array
+                      type: object
+                  required:
+                  - resource
+                  - selector
+                  type: object
+                type: array
+                x-kubernetes-validations:
+                - message: permissionClaims are immutable
+                  rule: self == oldSelf
+              resources:
+                description: resources is a list of resources that should be exported.
+                items:
+                  properties:
+                    group:
+                      default: ""
+                      description: |-
+                        group is the name of an API group.
+                        For core groups this is the empty string '""'.
+                      pattern: ^(|[a-z0-9]([-a-z0-9]*[a-z0-9](\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)?)$
+                      type: string
+                    resource:
+                      description: |-
+                        resource is the name of the resource.
+                        Note: it is worth noting that you can not ask for permissions for resource provided by a CRD
+                        not provided by an service binding export.
+                      pattern: ^[a-z][-a-z0-9]*[a-z0-9]$
+                      type: string
+                    versions:
+                      description: |-
+                        versions is a list of versions that should be exported. If this is empty
+                        a sensible default is chosen by the service provider.
+                      items:
+                        type: string
+                      type: array
+                  required:
+                  - resource
+                  type: object
+                minItems: 1
+                type: array
+                x-kubernetes-validations:
+                - message: resources are immutable
+                  rule: self == oldSelf
+            required:
+            - resources
+            type: object
+          status:
+            default: {}
+            description: status contains reconciliation information for a service
+              binding.
+            properties:
+              conditions:
+                description: |-
+                  conditions is a list of conditions that apply to the ClusterBinding. It is
+                  updated by the konnector and the service provider.
+                items:
+                  description: Condition defines an observation of a object operational
+                    state.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        Last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed. If that is not known, then using the time when
+                        the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        A human readable message indicating details about the transition.
+                        This field may be empty.
+                      type: string
+                    reason:
+                      description: |-
+                        The reason for the condition's last transition in CamelCase.
+                        The specific API may choose whether or not this field is considered a guaranteed API.
+                        This field may not be empty.
+                      type: string
+                    severity:
+                      description: |-
+                        Severity provides an explicit classification of Reason code, so the users or machines can immediately
+                        understand the current situation and act accordingly.
+                        The Severity field MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: |-
+                        Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
+                        can be useful (see .node.status.conditions), the ability to deconflict is important.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              phase:
+                default: Pending
+                description: |-
+                  phase is the current phase of the binding request. It starts in Pending
+                  and transitions to Succeeded or Failed. See the condition for detailed
+                  information.
+                enum:
+                - Pending
+                - Failed
+                - Succeeded
+                type: string
+              terminalMessage:
+                description: |-
+                  terminalMessage is a human readable message that describes the reason
+                  for the current phase.
+                type: string
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/deploy/charts/backend/crds/kube-bind.io_apiserviceexports.yaml b/deploy/charts/backend/crds/kube-bind.io_apiserviceexports.yaml
new file mode 100644
index 000000000..c947b88bf
--- /dev/null
+++ b/deploy/charts/backend/crds/kube-bind.io_apiserviceexports.yaml
@@ -0,0 +1,691 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.17.3
+  name: apiserviceexports.kube-bind.io
+spec:
+  group: kube-bind.io
+  names:
+    categories:
+    - kube-bindings
+    kind: APIServiceExport
+    listKind: APIServiceExportList
+    plural: apiserviceexports
+    singular: apiserviceexport
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .status.conditions[?(@.type=="Established")].status
+      name: Established
+      priority: 5
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          APIServiceExport specifies the resource to be exported. It is mostly a CRD:
+          - the spec is a CRD spec, but without webhooks
+          - the status reflects that on the consumer cluster
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: spec specifies the resource.
+            properties:
+              clusterScopedIsolation:
+                description: |-
+                  ClusterScopedIsolation specifies how cluster scoped service objects are isolated between multiple consumers on the provider side.
+                  It can be "Prefixed", "Namespaced", or "None".
+                enum:
+                - Prefixed
+                - Namespaced
+                - None
+                type: string
+              group:
+                description: "group is the API group of the defined custom resource.
+                  Empty string means the\ncore API group. \tThe resources are served
+                  under `/apis/<group>/...` or `/api` for the core group."
+                type: string
+              informerScope:
+                description: |-
+                  informerScope is the scope of the APIServiceExport. It can be either Cluster or Namespace.
+
+                  Cluster:    The konnector has permission to watch all namespaces at once and cluster-scoped resources.
+                              This is more efficient than watching each namespace individually.
+                  Namespaced: The konnector has permission to watch only single namespaces.
+                              This is more resource intensive. And it means cluster-scoped resources cannot be exported.
+                enum:
+                - Cluster
+                - Namespaced
+                type: string
+                x-kubernetes-validations:
+                - message: informerScope is immutable
+                  rule: self == oldSelf
+              names:
+                description: names specify the resource and kind names for the custom
+                  resource.
+                properties:
+                  categories:
+                    description: |-
+                      categories is a list of grouped resources this custom resource belongs to (e.g. 'all').
+                      This is published in API discovery documents, and used by clients to support invocations like
+                      `kubectl get all`.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  kind:
+                    description: |-
+                      kind is the serialized kind of the resource. It is normally CamelCase and singular.
+                      Custom resource instances will use this value as the `kind` attribute in API calls.
+                    type: string
+                  listKind:
+                    description: listKind is the serialized kind of the list for this
+                      resource. Defaults to "`kind`List".
+                    type: string
+                  plural:
+                    description: |-
+                      plural is the plural name of the resource to serve.
+                      The custom resources are served under `/apis/<group>/<version>/.../<plural>`.
+                      Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`).
+                      Must be all lowercase.
+                    type: string
+                  shortNames:
+                    description: |-
+                      shortNames are short names for the resource, exposed in API discovery documents,
+                      and used by clients to support invocations like `kubectl get <shortname>`.
+                      It must be all lowercase.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  singular:
+                    description: singular is the singular name of the resource. It
+                      must be all lowercase. Defaults to lowercased `kind`.
+                    type: string
+                required:
+                - kind
+                - plural
+                type: object
+              scope:
+                description: |-
+                  scope indicates whether the defined custom resource is cluster- or namespace-scoped.
+                  Allowed values are `Cluster` and `Namespaced`.
+                enum:
+                - Cluster
+                - Namespaced
+                type: string
+              versions:
+                description: |-
+                  versions is the API version of the defined custom resource.
+
+                  Note: the OpenAPI v3 schemas must be equal for all versions until CEL
+                        version migration is supported.
+                items:
+                  description: APIServiceExportVersion describes one API version of
+                    a resource.
+                  properties:
+                    additionalPrinterColumns:
+                      description: |-
+                        additionalPrinterColumns specifies additional columns returned in Table output.
+                        See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details.
+                        If no columns are specified, a single column displaying the age of the custom resource is used.
+                      items:
+                        description: CustomResourceColumnDefinition specifies a column
+                          for server side printing.
+                        properties:
+                          description:
+                            description: description is a human readable description
+                              of this column.
+                            type: string
+                          format:
+                            description: |-
+                              format is an optional OpenAPI type definition for this column. The 'name' format is applied
+                              to the primary identifier column to assist in clients identifying column is the resource name.
+                              See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.
+                            type: string
+                          jsonPath:
+                            description: |-
+                              jsonPath is a simple JSON path (i.e. with array notation) which is evaluated against
+                              each custom resource to produce the value for this column.
+                            type: string
+                          name:
+                            description: name is a human readable name for the column.
+                            type: string
+                          priority:
+                            description: |-
+                              priority is an integer defining the relative importance of this column compared to others. Lower
+                              numbers are considered higher priority. Columns that may be omitted in limited space scenarios
+                              should be given a priority greater than 0.
+                            format: int32
+                            type: integer
+                          type:
+                            description: |-
+                              type is an OpenAPI type definition for this column.
+                              See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.
+                            type: string
+                        required:
+                        - jsonPath
+                        - name
+                        - type
+                        type: object
+                      type: array
+                      x-kubernetes-list-map-keys:
+                      - name
+                      x-kubernetes-list-type: map
+                    deprecated:
+                      description: |-
+                        deprecated indicates this version of the custom resource API is deprecated.
+                        When set to true, API requests to this version receive a warning header in the server response.
+                        Defaults to false.
+                      type: boolean
+                    deprecationWarning:
+                      description: |-
+                        deprecationWarning overrides the default warning returned to API clients.
+                        May only be set when `deprecated` is true.
+                        The default warning indicates this version is deprecated and recommends use
+                        of the newest served version of equal or greater stability, if one exists.
+                      type: string
+                    name:
+                      description: |-
+                        name is the version name, e.g. “v1”, “v2beta1”, etc.
+                        The custom resources are served under this version at `/apis/<group>/<version>/...` if `served` is true.
+                      minLength: 1
+                      pattern: ^v[1-9][0-9]*([a-z]+[1-9][0-9]*)?$
+                      type: string
+                    schema:
+                      description: |-
+                        schema describes the structural schema used for validation, pruning, and defaulting
+                        of this version of the custom resource.
+                      properties:
+                        openAPIV3Schema:
+                          description: openAPIV3Schema is the OpenAPI v3 schema to
+                            use for validation and pruning.
+                          type: object
+                          x-kubernetes-map-type: atomic
+                          x-kubernetes-preserve-unknown-fields: true
+                      required:
+                      - openAPIV3Schema
+                      type: object
+                    served:
+                      default: true
+                      description: served is a flag enabling/disabling this version
+                        from being served via REST APIs
+                      type: boolean
+                    storage:
+                      description: |-
+                        storage indicates this version should be used when persisting custom resources to storage.
+                        There must be exactly one version with storage=true.
+                      type: boolean
+                    subresources:
+                      description: subresources specify what subresources this version
+                        of the defined custom resource have.
+                      properties:
+                        scale:
+                          description: scale indicates the custom resource should
+                            serve a `/scale` subresource that returns an `autoscaling/v1`
+                            Scale object.
+                          properties:
+                            labelSelectorPath:
+                              description: |-
+                                labelSelectorPath defines the JSON path inside of a custom resource that corresponds to Scale `status.selector`.
+                                Only JSON paths without the array notation are allowed.
+                                Must be a JSON Path under `.status` or `.spec`.
+                                Must be set to work with HorizontalPodAutoscaler.
+                                The field pointed by this JSON path must be a string field (not a complex selector struct)
+                                which contains a serialized label selector in string form.
+                                More info: https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions#scale-subresource
+                                If there is no value under the given path in the custom resource, the `status.selector` value in the `/scale`
+                                subresource will default to the empty string.
+                              type: string
+                            specReplicasPath:
+                              description: |-
+                                specReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `spec.replicas`.
+                                Only JSON paths without the array notation are allowed.
+                                Must be a JSON Path under `.spec`.
+                                If there is no value under the given path in the custom resource, the `/scale` subresource will return an error on GET.
+                              type: string
+                            statusReplicasPath:
+                              description: |-
+                                statusReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `status.replicas`.
+                                Only JSON paths without the array notation are allowed.
+                                Must be a JSON Path under `.status`.
+                                If there is no value under the given path in the custom resource, the `status.replicas` value in the `/scale` subresource
+                                will default to 0.
+                              type: string
+                          required:
+                          - specReplicasPath
+                          - statusReplicasPath
+                          type: object
+                        status:
+                          description: |-
+                            status indicates the custom resource should serve a `/status` subresource.
+                            When enabled:
+                            1. requests to the custom resource primary endpoint ignore changes to the `status` stanza of the object.
+                            2. requests to the custom resource `/status` subresource ignore changes to anything other than the `status` stanza of the object.
+                          type: object
+                      type: object
+                  required:
+                  - name
+                  - schema
+                  - served
+                  - storage
+                  type: object
+                minItems: 1
+                type: array
+                x-kubernetes-list-map-keys:
+                - name
+                x-kubernetes-list-type: map
+            required:
+            - group
+            - informerScope
+            - names
+            - scope
+            - versions
+            type: object
+            x-kubernetes-validations:
+            - message: informerScope must be Cluster for cluster-scoped resources
+              rule: self.scope == "Namespaced" || self.informerScope == "Cluster"
+            - message: clusterScopedIsolation must be defined for cluster-scoped resources
+              rule: self.scope == "Namespaced" || has(self.clusterScopedIsolation)
+            - message: clusterScopedIsolation is not relevant for namespaced resources
+              rule: self.scope == "Cluster" || !has(self.clusterScopedIsolation)
+          status:
+            description: status contains reconciliation information for the resource.
+            properties:
+              acceptedNames:
+                description: |-
+                  acceptedNames are the names that are actually being used to serve discovery.
+                  They may be different than the names in spec.
+                properties:
+                  categories:
+                    description: |-
+                      categories is a list of grouped resources this custom resource belongs to (e.g. 'all').
+                      This is published in API discovery documents, and used by clients to support invocations like
+                      `kubectl get all`.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  kind:
+                    description: |-
+                      kind is the serialized kind of the resource. It is normally CamelCase and singular.
+                      Custom resource instances will use this value as the `kind` attribute in API calls.
+                    type: string
+                  listKind:
+                    description: listKind is the serialized kind of the list for this
+                      resource. Defaults to "`kind`List".
+                    type: string
+                  plural:
+                    description: |-
+                      plural is the plural name of the resource to serve.
+                      The custom resources are served under `/apis/<group>/<version>/.../<plural>`.
+                      Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`).
+                      Must be all lowercase.
+                    type: string
+                  shortNames:
+                    description: |-
+                      shortNames are short names for the resource, exposed in API discovery documents,
+                      and used by clients to support invocations like `kubectl get <shortname>`.
+                      It must be all lowercase.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  singular:
+                    description: singular is the singular name of the resource. It
+                      must be all lowercase. Defaults to lowercased `kind`.
+                    type: string
+                required:
+                - kind
+                - plural
+                type: object
+              conditions:
+                description: |-
+                  conditions is a list of conditions that apply to the APIServiceExport. It is
+                  updated by the konnector on the consumer cluster.
+                items:
+                  description: Condition defines an observation of a object operational
+                    state.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        Last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed. If that is not known, then using the time when
+                        the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        A human readable message indicating details about the transition.
+                        This field may be empty.
+                      type: string
+                    reason:
+                      description: |-
+                        The reason for the condition's last transition in CamelCase.
+                        The specific API may choose whether or not this field is considered a guaranteed API.
+                        This field may not be empty.
+                      type: string
+                    severity:
+                      description: |-
+                        Severity provides an explicit classification of Reason code, so the users or machines can immediately
+                        understand the current situation and act accordingly.
+                        The Severity field MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: |-
+                        Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
+                        can be useful (see .node.status.conditions), the ability to deconflict is important.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              storedVersions:
+                description: |-
+                  storedVersions lists all versions of CustomResources that were ever persisted. Tracking these
+                  versions allows a migration path for stored versions in etcd. The field is mutable
+                  so a migration controller can finish a migration to another version (ensuring
+                  no old objects are left in storage), and then remove the rest of the
+                  versions from this list.
+                  Versions may not be removed from `spec.versions` while they exist in this list.
+                items:
+                  type: string
+                type: array
+            type: object
+        required:
+        - spec
+        type: object
+        x-kubernetes-validations:
+        - message: informerScope is immutable
+          rule: self.metadata.name == self.spec.names.plural+"."+self.spec.group
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.conditions[?(@.type=="Established")].status
+      name: Established
+      priority: 5
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: |-
+          APIServiceExport specifies the resource to be exported. It is mostly a CRD:
+          - the spec is a CRD spec, but without webhooks
+          - the status reflects that on the consumer cluster
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: spec specifies the resource.
+            properties:
+              clusterScopedIsolation:
+                description: |-
+                  ClusterScopedIsolation specifies how cluster scoped service objects are isolated between multiple consumers on the provider side.
+                  It can be "Prefixed", "Namespaced", or "None".
+                enum:
+                - Prefixed
+                - Namespaced
+                - None
+                type: string
+              informerScope:
+                description: |-
+                  informerScope is the scope of the APIServiceExport. It can be either Cluster or Namespace.
+
+                  Cluster:    The konnector has permission to watch all namespaces at once and cluster-scoped resources.
+                              This is more efficient than watching each namespace individually.
+                  Namespaced: The konnector has permission to watch only single namespaces.
+                              This is more resource intensive. And it means cluster-scoped resources cannot be exported.
+                enum:
+                - Cluster
+                - Namespaced
+                type: string
+                x-kubernetes-validations:
+                - message: informerScope is immutable
+                  rule: self == oldSelf
+              permissionClaims:
+                description: |-
+                  PermissionClaims records decisions about permission claims requested by the service provider.
+                  Access is granted per GroupResource.
+                items:
+                  description: |-
+                    PermissionClaim selects objects of a GVR that a service provider may
+                    request and that a consumer may accept and allow the service provider access to.
+                  properties:
+                    group:
+                      default: ""
+                      description: |-
+                        group is the name of an API group.
+                        For core groups this is the empty string '""'.
+                      pattern: ^(|[a-z0-9]([-a-z0-9]*[a-z0-9](\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)?)$
+                      type: string
+                    resource:
+                      description: |-
+                        resource is the name of the resource.
+                        Note: it is worth noting that you can not ask for permissions for resource provided by a CRD
+                        not provided by an service binding export.
+                      pattern: ^[a-z][-a-z0-9]*[a-z0-9]$
+                      type: string
+                    selector:
+                      description: Selector is a resource selector that selects objects
+                        of a GVR.
+                      properties:
+                        labelSelector:
+                          description: LabelSelector is a label selector that selects
+                            objects of a GVR.
+                          properties:
+                            matchExpressions:
+                              description: matchExpressions is a list of label selector
+                                requirements. The requirements are ANDed.
+                              items:
+                                description: |-
+                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                  relates the key and values.
+                                properties:
+                                  key:
+                                    description: key is the label key that the selector
+                                      applies to.
+                                    type: string
+                                  operator:
+                                    description: |-
+                                      operator represents a key's relationship to a set of values.
+                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                    type: string
+                                  values:
+                                    description: |-
+                                      values is an array of string values. If the operator is In or NotIn,
+                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                      the values array must be empty. This array is replaced during a strategic
+                                      merge patch.
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                required:
+                                - key
+                                - operator
+                                type: object
+                              type: array
+                              x-kubernetes-list-type: atomic
+                            matchLabels:
+                              additionalProperties:
+                                type: string
+                              description: |-
+                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                              type: object
+                          type: object
+                          x-kubernetes-map-type: atomic
+                        namedResources:
+                          description: NamedResource is a shorthand for selecting
+                            a single resource by name and namespace.
+                          items:
+                            description: NamedResource selects a specific resource
+                              by name and namespace.
+                            properties:
+                              name:
+                                description: |-
+                                  Name is the name of the resource.
+                                  Name matches the metadata.name field of the underlying object.
+                                type: string
+                              namespace:
+                                description: |-
+                                  Namespace represents namespace where an object of the given group/resource may be managed.
+                                  Namespaces matches against the metadata.namespace field. If not provided, the object is assumed to be cluster-scoped.
+                                  Namespaces field is ignored for namespaced isolation mode.
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          type: array
+                      type: object
+                  required:
+                  - resource
+                  - selector
+                  type: object
+                type: array
+                x-kubernetes-validations:
+                - message: permissionClaims are immutable
+                  rule: self == oldSelf
+              resources:
+                description: resources is a list of resources that should be exported.
+                items:
+                  properties:
+                    group:
+                      default: ""
+                      description: |-
+                        group is the name of an API group.
+                        For core groups this is the empty string '""'.
+                      pattern: ^(|[a-z0-9]([-a-z0-9]*[a-z0-9](\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)?)$
+                      type: string
+                    resource:
+                      description: |-
+                        resource is the name of the resource.
+                        Note: it is worth noting that you can not ask for permissions for resource provided by a CRD
+                        not provided by an service binding export.
+                      pattern: ^[a-z][-a-z0-9]*[a-z0-9]$
+                      type: string
+                    versions:
+                      description: |-
+                        versions is a list of versions that should be exported. If this is empty
+                        a sensible default is chosen by the service provider.
+                      items:
+                        type: string
+                      type: array
+                  required:
+                  - resource
+                  type: object
+                minItems: 1
+                type: array
+                x-kubernetes-validations:
+                - message: resources are immutable
+                  rule: self == oldSelf
+            required:
+            - informerScope
+            - resources
+            type: object
+          status:
+            description: status contains reconciliation information for the resource.
+            properties:
+              conditions:
+                description: |-
+                  conditions is a list of conditions that apply to the APIServiceExport. It is
+                  updated by the konnector on the consumer cluster.
+                items:
+                  description: Condition defines an observation of a object operational
+                    state.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        Last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed. If that is not known, then using the time when
+                        the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        A human readable message indicating details about the transition.
+                        This field may be empty.
+                      type: string
+                    reason:
+                      description: |-
+                        The reason for the condition's last transition in CamelCase.
+                        The specific API may choose whether or not this field is considered a guaranteed API.
+                        This field may not be empty.
+                      type: string
+                    severity:
+                      description: |-
+                        Severity provides an explicit classification of Reason code, so the users or machines can immediately
+                        understand the current situation and act accordingly.
+                        The Severity field MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: |-
+                        Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
+                        can be useful (see .node.status.conditions), the ability to deconflict is important.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/deploy/charts/backend/crds/kube-bind.io_apiserviceexporttemplates.yaml b/deploy/charts/backend/crds/kube-bind.io_apiserviceexporttemplates.yaml
new file mode 100644
index 000000000..5ac00f14d
--- /dev/null
+++ b/deploy/charts/backend/crds/kube-bind.io_apiserviceexporttemplates.yaml
@@ -0,0 +1,272 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.17.3
+  name: apiserviceexporttemplates.kube-bind.io
+spec:
+  group: kube-bind.io
+  names:
+    categories:
+    - kube-bind
+    kind: APIServiceExportTemplate
+    listKind: APIServiceExportTemplateList
+    plural: apiserviceexporttemplates
+    singular: apiserviceexporttemplate
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.resources[*].group
+      name: Resources
+      type: string
+    - jsonPath: .spec.permissionClaims[*].resource
+      name: PermissionClaims
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: APIServiceExportTemplate groups multiple CRDs with related resources
+          (permissionClaims) as a Service definition.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: spec specifies the template.
+            properties:
+              namespaces:
+                description: |-
+                  namespaces specifies the namespaces that should be bootstrapped as part of this template.
+                  When objects originate from provider side, consumer does not always know the necessary details
+                  This field allows provider to pre-heat the necessary namespaces on provider side by creating
+                  APIServiceNamespace objects attached to the APIServiceExport. More namespaces can be created later by the consumer.
+                items:
+                  properties:
+                    name:
+                      description: name is the name of the namespace to create on
+                        provider side.
+                      type: string
+                  required:
+                  - name
+                  type: object
+                type: array
+              permissionClaims:
+                description: permissionClaims defines the permission claims required
+                  by this template.
+                items:
+                  description: |-
+                    PermissionClaim selects objects of a GVR that a service provider may
+                    request and that a consumer may accept and allow the service provider access to.
+                  properties:
+                    group:
+                      default: ""
+                      description: |-
+                        group is the name of an API group.
+                        For core groups this is the empty string '""'.
+                      pattern: ^(|[a-z0-9]([-a-z0-9]*[a-z0-9](\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)?)$
+                      type: string
+                    resource:
+                      description: |-
+                        resource is the name of the resource.
+                        Note: it is worth noting that you can not ask for permissions for resource provided by a CRD
+                        not provided by an service binding export.
+                      pattern: ^[a-z][-a-z0-9]*[a-z0-9]$
+                      type: string
+                    selector:
+                      description: Selector is a resource selector that selects objects
+                        of a GVR.
+                      properties:
+                        labelSelector:
+                          description: LabelSelector is a label selector that selects
+                            objects of a GVR.
+                          properties:
+                            matchExpressions:
+                              description: matchExpressions is a list of label selector
+                                requirements. The requirements are ANDed.
+                              items:
+                                description: |-
+                                  A label selector requirement is a selector that contains values, a key, and an operator that
+                                  relates the key and values.
+                                properties:
+                                  key:
+                                    description: key is the label key that the selector
+                                      applies to.
+                                    type: string
+                                  operator:
+                                    description: |-
+                                      operator represents a key's relationship to a set of values.
+                                      Valid operators are In, NotIn, Exists and DoesNotExist.
+                                    type: string
+                                  values:
+                                    description: |-
+                                      values is an array of string values. If the operator is In or NotIn,
+                                      the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                                      the values array must be empty. This array is replaced during a strategic
+                                      merge patch.
+                                    items:
+                                      type: string
+                                    type: array
+                                    x-kubernetes-list-type: atomic
+                                required:
+                                - key
+                                - operator
+                                type: object
+                              type: array
+                              x-kubernetes-list-type: atomic
+                            matchLabels:
+                              additionalProperties:
+                                type: string
+                              description: |-
+                                matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                                map is equivalent to an element of matchExpressions, whose key field is "key", the
+                                operator is "In", and the values array contains only "value". The requirements are ANDed.
+                              type: object
+                          type: object
+                          x-kubernetes-map-type: atomic
+                        namedResources:
+                          description: NamedResource is a shorthand for selecting
+                            a single resource by name and namespace.
+                          items:
+                            description: NamedResource selects a specific resource
+                              by name and namespace.
+                            properties:
+                              name:
+                                description: |-
+                                  Name is the name of the resource.
+                                  Name matches the metadata.name field of the underlying object.
+                                type: string
+                              namespace:
+                                description: |-
+                                  Namespace represents namespace where an object of the given group/resource may be managed.
+                                  Namespaces matches against the metadata.namespace field. If not provided, the object is assumed to be cluster-scoped.
+                                  Namespaces field is ignored for namespaced isolation mode.
+                                type: string
+                            required:
+                            - name
+                            type: object
+                          type: array
+                      type: object
+                  required:
+                  - resource
+                  - selector
+                  type: object
+                type: array
+              resources:
+                description: resources defines the CRDs that are part of this template.
+                items:
+                  properties:
+                    group:
+                      default: ""
+                      description: |-
+                        group is the name of an API group.
+                        For core groups this is the empty string '""'.
+                      pattern: ^(|[a-z0-9]([-a-z0-9]*[a-z0-9](\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*)?)$
+                      type: string
+                    resource:
+                      description: |-
+                        resource is the name of the resource.
+                        Note: it is worth noting that you can not ask for permissions for resource provided by a CRD
+                        not provided by an service binding export.
+                      pattern: ^[a-z][-a-z0-9]*[a-z0-9]$
+                      type: string
+                    versions:
+                      description: |-
+                        versions is a list of versions that should be exported. If this is empty
+                        a sensible default is chosen by the service provider.
+                      items:
+                        type: string
+                      type: array
+                  required:
+                  - resource
+                  type: object
+                minItems: 1
+                type: array
+              scope:
+                allOf:
+                - enum:
+                  - Cluster
+                  - Namespaced
+                - enum:
+                  - Namespaced
+                  - Cluster
+                description: scope defines the scope of the resources in this template.
+                type: string
+            required:
+            - resources
+            - scope
+            type: object
+          status:
+            description: status contains reconciliation information for the template.
+            properties:
+              conditions:
+                description: conditions is a list of conditions that apply to the
+                  APIServiceExportTemplate.
+                items:
+                  description: Condition defines an observation of a object operational
+                    state.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        Last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed. If that is not known, then using the time when
+                        the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        A human readable message indicating details about the transition.
+                        This field may be empty.
+                      type: string
+                    reason:
+                      description: |-
+                        The reason for the condition's last transition in CamelCase.
+                        The specific API may choose whether or not this field is considered a guaranteed API.
+                        This field may not be empty.
+                      type: string
+                    severity:
+                      description: |-
+                        Severity provides an explicit classification of Reason code, so the users or machines can immediately
+                        understand the current situation and act accordingly.
+                        The Severity field MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: |-
+                        Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
+                        can be useful (see .node.status.conditions), the ability to deconflict is important.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/deploy/charts/backend/crds/kube-bind.io_apiservicenamespaces.yaml b/deploy/charts/backend/crds/kube-bind.io_apiservicenamespaces.yaml
new file mode 100644
index 000000000..1f84ff597
--- /dev/null
+++ b/deploy/charts/backend/crds/kube-bind.io_apiservicenamespaces.yaml
@@ -0,0 +1,124 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.17.3
+  name: apiservicenamespaces.kube-bind.io
+spec:
+  group: kube-bind.io
+  names:
+    categories:
+    - kube-bindings
+    kind: APIServiceNamespace
+    listKind: APIServiceNamespaceList
+    plural: apiservicenamespaces
+    singular: apiservicenamespace
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .status.namespace
+      name: Namespace
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          APIServiceNamespace defines how consumer namespaces map to service namespaces.
+          These objects are created by the konnector, and a service namespace is then
+          created by the service provider.
+
+          The name of the APIServiceNamespace equals the namespace name in the consumer
+          cluster.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: spec specifies a service namespace.
+            type: object
+          status:
+            description: status contains reconciliation information for a service
+              namespace
+            properties:
+              namespace:
+                description: |-
+                  namespace is the service provider namespace name that will be bound to the
+                  consumer namespace named like this object.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.namespace
+      name: Namespace
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: |-
+          APIServiceNamespace defines how consumer namespaces map to service namespaces.
+          These objects are created by the konnector, and a service namespace is then
+          created by the service provider.
+
+          The name of the APIServiceNamespace equals the namespace name in the consumer
+          cluster.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: spec specifies a service namespace.
+            type: object
+          status:
+            description: status contains reconciliation information for a service
+              namespace
+            properties:
+              namespace:
+                description: |-
+                  namespace is the service provider namespace name that will be bound to the
+                  consumer namespace named like this object.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/deploy/charts/backend/crds/kube-bind.io_boundschemas.yaml b/deploy/charts/backend/crds/kube-bind.io_boundschemas.yaml
new file mode 100644
index 000000000..fe67f2837
--- /dev/null
+++ b/deploy/charts/backend/crds/kube-bind.io_boundschemas.yaml
@@ -0,0 +1,466 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.17.3
+  name: boundschemas.kube-bind.io
+spec:
+  group: kube-bind.io
+  names:
+    categories:
+    - kube-bindings
+    kind: BoundSchema
+    listKind: BoundSchemaList
+    plural: boundschemas
+    shortNames:
+    - bs
+    singular: boundschema
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: BoundSchema
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: BoundSchemaSpec defines the desired state of the BoundSchema.
+            properties:
+              conversion:
+                description: conversion defines conversion settings for the defined
+                  custom resource.
+                properties:
+                  strategy:
+                    description: |-
+                      strategy specifies how custom resources are converted between versions. Allowed values are:
+                      - `"None"`: The converter only change the apiVersion and would not touch any other field in the custom resource.
+                      - `"Webhook"`: API Server will call to an external webhook to do the conversion. Additional information
+                        is needed for this option. This requires spec.preserveUnknownFields to be false, and spec.conversion.webhook to be set.
+                    enum:
+                    - None
+                    - Webhook
+                    type: string
+                  webhook:
+                    description: webhook describes how to call the conversion webhook.
+                      Required when `strategy` is set to `"Webhook"`.
+                    properties:
+                      clientConfig:
+                        description: clientConfig is the instructions for how to call
+                          the webhook if strategy is `Webhook`.
+                        properties:
+                          caBundle:
+                            description: |-
+                              caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
+                              If unspecified, system trust roots on the apiserver are used.
+                            format: byte
+                            type: string
+                          url:
+                            description: |-
+                              url gives the location of the webhook, in standard URL form
+                              (`scheme://host:port/path`).
+
+                              Please note that using `localhost` or `127.0.0.1` as a `host` is
+                              risky unless you take great care to run this webhook on all hosts
+                              which run an apiserver which might need to make calls to this
+                              webhook. Such installs are likely to be non-portable, i.e., not easy
+                              to turn up in a new cluster.
+
+                              The scheme must be "https"; the URL must begin with "https://".
+
+                              A path is optional, and if present may be any string permissible in
+                              a URL. You may use the path to pass an arbitrary string to the
+                              webhook, for example, a cluster identifier.
+
+                              Attempting to use a user or basic auth e.g. "user:password@" is not
+                              allowed. Fragments ("#...") and query parameters ("?...") are not
+                              allowed, either.
+                            format: uri
+                            type: string
+                        type: object
+                      conversionReviewVersions:
+                        description: |-
+                          conversionReviewVersions is an ordered list of preferred `ConversionReview`
+                          versions the Webhook expects. The API server will use the first version in
+                          the list which it supports. If none of the versions specified in this list
+                          are supported by API server, conversion will fail for the custom resource.
+                          If a persisted Webhook configuration specifies allowed versions and does not
+                          include any versions known to the API Server, calls to the webhook will fail.
+                        items:
+                          type: string
+                        type: array
+                        x-kubernetes-list-type: atomic
+                    type: object
+                type: object
+                x-kubernetes-validations:
+                - message: Webhook must be specified if strategy=Webhook
+                  rule: (self.strategy == 'None' && !has(self.webhook))  || (self.strategy
+                    == 'Webhook' && has(self.webhook))
+              group:
+                description: "group is the API group of the defined custom resource.
+                  Empty string means the\ncore API group. \tThe resources are served
+                  under `/apis/<group>/...` or `/api` for the core group."
+                type: string
+              informerScope:
+                allOf:
+                - enum:
+                  - Cluster
+                  - Namespaced
+                - enum:
+                  - Cluster
+                  - Namespaced
+                description: |-
+                  InformerScope indicates whether the informer for defined custom resource is cluster- or namespace-scoped.
+                  Allowed values are `Cluster` and `Namespaced`.
+                type: string
+              names:
+                description: names specify the resource and kind names for the custom
+                  resource.
+                properties:
+                  categories:
+                    description: |-
+                      categories is a list of grouped resources this custom resource belongs to (e.g. 'all').
+                      This is published in API discovery documents, and used by clients to support invocations like
+                      `kubectl get all`.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  kind:
+                    description: |-
+                      kind is the serialized kind of the resource. It is normally CamelCase and singular.
+                      Custom resource instances will use this value as the `kind` attribute in API calls.
+                    type: string
+                  listKind:
+                    description: listKind is the serialized kind of the list for this
+                      resource. Defaults to "`kind`List".
+                    type: string
+                  plural:
+                    description: |-
+                      plural is the plural name of the resource to serve.
+                      The custom resources are served under `/apis/<group>/<version>/.../<plural>`.
+                      Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`).
+                      Must be all lowercase.
+                    type: string
+                  shortNames:
+                    description: |-
+                      shortNames are short names for the resource, exposed in API discovery documents,
+                      and used by clients to support invocations like `kubectl get <shortname>`.
+                      It must be all lowercase.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  singular:
+                    description: singular is the singular name of the resource. It
+                      must be all lowercase. Defaults to lowercased `kind`.
+                    type: string
+                required:
+                - kind
+                - plural
+                type: object
+              scope:
+                description: |-
+                  scope indicates whether the defined custom resource is cluster- or namespace-scoped.
+                  Allowed values are `Cluster` and `Namespaced`.
+                enum:
+                - Cluster
+                - Namespaced
+                type: string
+              versions:
+                description: |-
+                  versions is the API version of the defined custom resource.
+
+                  Note: the OpenAPI v3 schemas must be equal for all versions until CEL
+                        version migration is supported.
+                items:
+                  description: APIResourceVersion describes one API version of a resource.
+                  properties:
+                    additionalPrinterColumns:
+                      description: |-
+                        additionalPrinterColumns specifies additional columns returned in Table output.
+                        See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details.
+                        If no columns are specified, a single column displaying the age of the custom resource is used.
+                      items:
+                        description: CustomResourceColumnDefinition specifies a column
+                          for server side printing.
+                        properties:
+                          description:
+                            description: description is a human readable description
+                              of this column.
+                            type: string
+                          format:
+                            description: |-
+                              format is an optional OpenAPI type definition for this column. The 'name' format is applied
+                              to the primary identifier column to assist in clients identifying column is the resource name.
+                              See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.
+                            type: string
+                          jsonPath:
+                            description: |-
+                              jsonPath is a simple JSON path (i.e. with array notation) which is evaluated against
+                              each custom resource to produce the value for this column.
+                            type: string
+                          name:
+                            description: name is a human readable name for the column.
+                            type: string
+                          priority:
+                            description: |-
+                              priority is an integer defining the relative importance of this column compared to others. Lower
+                              numbers are considered higher priority. Columns that may be omitted in limited space scenarios
+                              should be given a priority greater than 0.
+                            format: int32
+                            type: integer
+                          type:
+                            description: |-
+                              type is an OpenAPI type definition for this column.
+                              See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.
+                            type: string
+                        required:
+                        - jsonPath
+                        - name
+                        - type
+                        type: object
+                      type: array
+                      x-kubernetes-list-map-keys:
+                      - name
+                      x-kubernetes-list-type: map
+                    deprecated:
+                      description: |-
+                        deprecated indicates this version of the custom resource API is deprecated.
+                        When set to true, API requests to this version receive a warning header in the server response.
+                        Defaults to false.
+                      type: boolean
+                    deprecationWarning:
+                      description: |-
+                        deprecationWarning overrides the default warning returned to API clients.
+                        May only be set when `deprecated` is true.
+                        The default warning indicates this version is deprecated and recommends use
+                        of the newest served version of equal or greater stability, if one exists.
+                      type: string
+                    name:
+                      description: |-
+                        name is the version name, e.g. “v1”, “v2beta1”, etc.
+                        The custom resources are served under this version at `/apis/<group>/<version>/...` if `served` is true.
+                      minLength: 1
+                      pattern: ^v[1-9][0-9]*([a-z]+[1-9][0-9]*)?$
+                      type: string
+                    schema:
+                      description: |-
+                        schema describes the structural schema used for validation, pruning, and defaulting
+                        of this version of the custom resource.
+                      type: object
+                      x-kubernetes-map-type: atomic
+                      x-kubernetes-preserve-unknown-fields: true
+                    served:
+                      default: true
+                      description: served is a flag enabling/disabling this version
+                        from being served via REST APIs
+                      type: boolean
+                    storage:
+                      description: |-
+                        storage indicates this version should be used when persisting custom resources to storage.
+                        There must be exactly one version with storage=true.
+                      type: boolean
+                    subresources:
+                      description: subresources specify what subresources this version
+                        of the defined custom resource have.
+                      properties:
+                        scale:
+                          description: scale indicates the custom resource should
+                            serve a `/scale` subresource that returns an `autoscaling/v1`
+                            Scale object.
+                          properties:
+                            labelSelectorPath:
+                              description: |-
+                                labelSelectorPath defines the JSON path inside of a custom resource that corresponds to Scale `status.selector`.
+                                Only JSON paths without the array notation are allowed.
+                                Must be a JSON Path under `.status` or `.spec`.
+                                Must be set to work with HorizontalPodAutoscaler.
+                                The field pointed by this JSON path must be a string field (not a complex selector struct)
+                                which contains a serialized label selector in string form.
+                                More info: https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions#scale-subresource
+                                If there is no value under the given path in the custom resource, the `status.selector` value in the `/scale`
+                                subresource will default to the empty string.
+                              type: string
+                            specReplicasPath:
+                              description: |-
+                                specReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `spec.replicas`.
+                                Only JSON paths without the array notation are allowed.
+                                Must be a JSON Path under `.spec`.
+                                If there is no value under the given path in the custom resource, the `/scale` subresource will return an error on GET.
+                              type: string
+                            statusReplicasPath:
+                              description: |-
+                                statusReplicasPath defines the JSON path inside of a custom resource that corresponds to Scale `status.replicas`.
+                                Only JSON paths without the array notation are allowed.
+                                Must be a JSON Path under `.status`.
+                                If there is no value under the given path in the custom resource, the `status.replicas` value in the `/scale` subresource
+                                will default to 0.
+                              type: string
+                          required:
+                          - specReplicasPath
+                          - statusReplicasPath
+                          type: object
+                        status:
+                          description: |-
+                            status indicates the custom resource should serve a `/status` subresource.
+                            When enabled:
+                            1. requests to the custom resource primary endpoint ignore changes to the `status` stanza of the object.
+                            2. requests to the custom resource `/status` subresource ignore changes to anything other than the `status` stanza of the object.
+                          type: object
+                      type: object
+                  required:
+                  - name
+                  - schema
+                  - served
+                  - storage
+                  type: object
+                minItems: 1
+                type: array
+                x-kubernetes-list-map-keys:
+                - name
+                x-kubernetes-list-type: map
+            required:
+            - group
+            - informerScope
+            - names
+            - scope
+            - versions
+            type: object
+          status:
+            description: BoundSchemaStatus defines the observed state of the BoundSchema.
+            properties:
+              acceptedNames:
+                description: |-
+                  acceptedNames are the names that are actually being used to serve discovery.
+                  They may be different than the names in spec.
+                properties:
+                  categories:
+                    description: |-
+                      categories is a list of grouped resources this custom resource belongs to (e.g. 'all').
+                      This is published in API discovery documents, and used by clients to support invocations like
+                      `kubectl get all`.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  kind:
+                    description: |-
+                      kind is the serialized kind of the resource. It is normally CamelCase and singular.
+                      Custom resource instances will use this value as the `kind` attribute in API calls.
+                    type: string
+                  listKind:
+                    description: listKind is the serialized kind of the list for this
+                      resource. Defaults to "`kind`List".
+                    type: string
+                  plural:
+                    description: |-
+                      plural is the plural name of the resource to serve.
+                      The custom resources are served under `/apis/<group>/<version>/.../<plural>`.
+                      Must match the name of the CustomResourceDefinition (in the form `<names.plural>.<group>`).
+                      Must be all lowercase.
+                    type: string
+                  shortNames:
+                    description: |-
+                      shortNames are short names for the resource, exposed in API discovery documents,
+                      and used by clients to support invocations like `kubectl get <shortname>`.
+                      It must be all lowercase.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  singular:
+                    description: singular is the singular name of the resource. It
+                      must be all lowercase. Defaults to lowercased `kind`.
+                    type: string
+                required:
+                - kind
+                - plural
+                type: object
+              conditions:
+                description: Conditions represent the latest available observations
+                  of the object's state.
+                items:
+                  description: Condition defines an observation of a object operational
+                    state.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        Last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed. If that is not known, then using the time when
+                        the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        A human readable message indicating details about the transition.
+                        This field may be empty.
+                      type: string
+                    reason:
+                      description: |-
+                        The reason for the condition's last transition in CamelCase.
+                        The specific API may choose whether or not this field is considered a guaranteed API.
+                        This field may not be empty.
+                      type: string
+                    severity:
+                      description: |-
+                        Severity provides an explicit classification of Reason code, so the users or machines can immediately
+                        understand the current situation and act accordingly.
+                        The Severity field MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: |-
+                        Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
+                        can be useful (see .node.status.conditions), the ability to deconflict is important.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              instantiations:
+                description: Instantiations tracks the number of instances of the
+                  resource on the consumer side.
+                type: integer
+              storedVersions:
+                description: |-
+                  storedVersions lists all versions of CustomResources that were ever persisted. Tracking these
+                  versions allows a migration path for stored versions in etcd. The field is mutable
+                  so a migration controller can finish a migration to another version (ensuring
+                  no old objects are left in storage), and then remove the rest of the
+                  versions from this list.
+                  Versions may not be removed from `spec.versions` while they exist in this list.
+                items:
+                  type: string
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/deploy/charts/backend/crds/kube-bind.io_clusterbindings.yaml b/deploy/charts/backend/crds/kube-bind.io_clusterbindings.yaml
new file mode 100644
index 000000000..366a382e6
--- /dev/null
+++ b/deploy/charts/backend/crds/kube-bind.io_clusterbindings.yaml
@@ -0,0 +1,330 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.17.3
+  name: clusterbindings.kube-bind.io
+spec:
+  group: kube-bind.io
+  names:
+    categories:
+    - kube-bindings
+    kind: ClusterBinding
+    listKind: ClusterBindingList
+    plural: clusterbindings
+    singular: clusterbinding
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .status.konnectorVersion
+      name: Konnector Version
+      type: string
+    - jsonPath: .status.lastHeartbeatTime
+      name: Last Heartbeat
+      type: date
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          ClusterBinding represents a bound consumer cluster. It lives in a service provider cluster
+          and is a singleton named "cluster".
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: spec represents the data in the newly created ClusterBinding.
+            properties:
+              kubeconfigSecretRef:
+                description: kubeconfigSecretName is the secret ref that contains
+                  the kubeconfig of the service cluster.
+                properties:
+                  key:
+                    description: The key of the secret to select from.  Must be "kubeconfig".
+                    enum:
+                    - kubeconfig
+                    type: string
+                  name:
+                    description: Name of the referent.
+                    minLength: 1
+                    type: string
+                required:
+                - key
+                - name
+                type: object
+                x-kubernetes-validations:
+                - message: kubeconfigSecretRef is immutable
+                  rule: self == oldSelf
+              providerPrettyName:
+                description: |-
+                  providerPrettyName is the pretty name of the service provider cluster. This
+                  can be shared among different ServiceBindings.
+                minLength: 1
+                type: string
+              serviceProviderSpec:
+                description: |-
+                  serviceProviderSpec contains all the data and information about the service which has been bound to the service
+                  binding request. The service providers decide what they need and what to configure based on what then include in
+                  this field, such as service region, type, tiers, etc...
+                type: object
+                x-kubernetes-preserve-unknown-fields: true
+            required:
+            - kubeconfigSecretRef
+            - providerPrettyName
+            type: object
+          status:
+            description: status contains reconciliation information for the service
+              binding.
+            properties:
+              conditions:
+                description: |-
+                  conditions is a list of conditions that apply to the ClusterBinding. It is
+                  updated by the konnector and the service provider.
+                items:
+                  description: Condition defines an observation of a object operational
+                    state.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        Last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed. If that is not known, then using the time when
+                        the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        A human readable message indicating details about the transition.
+                        This field may be empty.
+                      type: string
+                    reason:
+                      description: |-
+                        The reason for the condition's last transition in CamelCase.
+                        The specific API may choose whether or not this field is considered a guaranteed API.
+                        This field may not be empty.
+                      type: string
+                    severity:
+                      description: |-
+                        Severity provides an explicit classification of Reason code, so the users or machines can immediately
+                        understand the current situation and act accordingly.
+                        The Severity field MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: |-
+                        Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
+                        can be useful (see .node.status.conditions), the ability to deconflict is important.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              heartbeatInterval:
+                description: |-
+                  heartbeatInterval is the maximal interval between heartbeats that the
+                  konnector promises to send. The service provider can assume that the
+                  konnector is not unhealthy if it does not receive a heartbeat within
+                  this time.
+                type: string
+              konnectorVersion:
+                description: |-
+                  konnectorVersion is the version of the konnector that is running on the
+                  consumer cluster.
+                type: string
+              lastHeartbeatTime:
+                description: lastHeartbeatTime is the last time the konnector updated
+                  the status.
+                format: date-time
+                type: string
+            type: object
+        required:
+        - spec
+        type: object
+        x-kubernetes-validations:
+        - message: cluster binding name should be cluster
+          rule: self.metadata.name == "cluster"
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .status.konnectorVersion
+      name: Konnector Version
+      type: string
+    - jsonPath: .status.lastHeartbeatTime
+      name: Last Heartbeat
+      type: date
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: |-
+          ClusterBinding represents a bound consumer cluster. It lives in a service
+          provider cluster and is a singleton named "cluster" per namespace.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: spec represents the data in the newly created ClusterBinding.
+            properties:
+              kubeconfigSecretRef:
+                description: kubeconfigSecretName is the secret ref that contains
+                  the kubeconfig of the service cluster.
+                properties:
+                  key:
+                    description: The key of the secret to select from.  Must be "kubeconfig".
+                    enum:
+                    - kubeconfig
+                    type: string
+                  name:
+                    description: Name of the referent.
+                    minLength: 1
+                    type: string
+                required:
+                - key
+                - name
+                type: object
+                x-kubernetes-validations:
+                - message: kubeconfigSecretRef is immutable
+                  rule: self == oldSelf
+              providerPrettyName:
+                description: |-
+                  providerPrettyName is the pretty name of the service provider cluster. This
+                  can be shared among different ServiceBindings.
+                minLength: 1
+                type: string
+              serviceProviderSpec:
+                description: |-
+                  serviceProviderSpec contains all the data and information about the service which has been bound to the service
+                  binding request. The service providers decide what they need and what to configure based on what then include in
+                  this field, such as service region, type, tiers, etc...
+                type: object
+                x-kubernetes-preserve-unknown-fields: true
+            required:
+            - kubeconfigSecretRef
+            - providerPrettyName
+            type: object
+          status:
+            description: status contains reconciliation information for the service
+              binding.
+            properties:
+              conditions:
+                description: |-
+                  conditions is a list of conditions that apply to the ClusterBinding. It is
+                  updated by the konnector and the service provider.
+                items:
+                  description: Condition defines an observation of a object operational
+                    state.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        Last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed. If that is not known, then using the time when
+                        the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        A human readable message indicating details about the transition.
+                        This field may be empty.
+                      type: string
+                    reason:
+                      description: |-
+                        The reason for the condition's last transition in CamelCase.
+                        The specific API may choose whether or not this field is considered a guaranteed API.
+                        This field may not be empty.
+                      type: string
+                    severity:
+                      description: |-
+                        Severity provides an explicit classification of Reason code, so the users or machines can immediately
+                        understand the current situation and act accordingly.
+                        The Severity field MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: |-
+                        Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
+                        can be useful (see .node.status.conditions), the ability to deconflict is important.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+              heartbeatInterval:
+                description: |-
+                  heartbeatInterval is the maximal interval between heartbeats that the
+                  konnector promises to send. The service provider can assume that the
+                  konnector is not unhealthy if it does not receive a heartbeat within
+                  this time.
+                type: string
+              konnectorVersion:
+                description: |-
+                  konnectorVersion is the version of the konnector that is running on the
+                  consumer cluster.
+                type: string
+              lastHeartbeatTime:
+                description: lastHeartbeatTime is the last time the konnector updated
+                  the status.
+                format: date-time
+                type: string
+            type: object
+        required:
+        - spec
+        type: object
+        x-kubernetes-validations:
+        - message: cluster binding name should be cluster
+          rule: self.metadata.name == "cluster"
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/deploy/charts/backend/crds/kube-bind.io_collections.yaml b/deploy/charts/backend/crds/kube-bind.io_collections.yaml
new file mode 100644
index 000000000..b95bc0f89
--- /dev/null
+++ b/deploy/charts/backend/crds/kube-bind.io_collections.yaml
@@ -0,0 +1,132 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.17.3
+  name: collections.kube-bind.io
+spec:
+  group: kube-bind.io
+  names:
+    categories:
+    - kube-bind
+    kind: Collection
+    listKind: CollectionList
+    plural: collections
+    singular: collection
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.description
+      name: Description
+      type: string
+    - jsonPath: .spec.templates[*].name
+      name: Templates
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha2
+    schema:
+      openAPIV3Schema:
+        description: Collection groups multiple APIServiceExportTemplates into a logical
+          group. This functions as a folder in the UI.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: spec specifies the collection.
+            properties:
+              description:
+                description: description is a human readable description of this collection.
+                type: string
+              templates:
+                description: templates is a list of template references that are part
+                  of this collection.
+                items:
+                  description: APIServiceExportTemplateReference references an APIServiceExportTemplate
+                    by name.
+                  properties:
+                    name:
+                      description: name is the name of the template.
+                      type: string
+                  required:
+                  - name
+                  type: object
+                minItems: 1
+                type: array
+            required:
+            - templates
+            type: object
+          status:
+            description: status contains reconciliation information for the collection.
+            properties:
+              conditions:
+                description: conditions is a list of conditions that apply to the
+                  Collection.
+                items:
+                  description: Condition defines an observation of a object operational
+                    state.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        Last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed. If that is not known, then using the time when
+                        the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        A human readable message indicating details about the transition.
+                        This field may be empty.
+                      type: string
+                    reason:
+                      description: |-
+                        The reason for the condition's last transition in CamelCase.
+                        The specific API may choose whether or not this field is considered a guaranteed API.
+                        This field may not be empty.
+                      type: string
+                    severity:
+                      description: |-
+                        Severity provides an explicit classification of Reason code, so the users or machines can immediately
+                        understand the current situation and act accordingly.
+                        The Severity field MUST be set only when Status=False.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: |-
+                        Type of condition in CamelCase or in foo.example.com/CamelCase.
+                        Many .condition.type values are consistent across resources like Available, but because arbitrary conditions
+                        can be useful (see .node.status.conditions), the ability to deconflict is important.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        required:
+        - spec
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/deploy/charts/backend/examples/values-local-development.yaml b/deploy/charts/backend/examples/values-local-development.yaml
new file mode 100644
index 000000000..be7fde680
--- /dev/null
+++ b/deploy/charts/backend/examples/values-local-development.yaml
@@ -0,0 +1,57 @@
+# Local development values for kube-bind backend
+# This is a YAML-formatted file with common configuration for local development
+
+# Image configuration
+image:
+  pullPolicy: IfNotPresent
+
+# Backend configuration
+backend:
+  listenAddress: "0.0.0.0:8443"
+  # OIDC configuration
+  oidc:
+    issuerUrl: "https://auth.genericcontrolplane.io"
+    clientId: "kube-bind"
+    clientSecret: "### REPLACE_ME ###"
+    callbackUrl: "https://kube-bind.genericcontrolplane.io/callback"
+  
+  # Cookie encryption keys (generate your own for production!)
+  # example: openssl rand -base64 32
+  cookieSigningKey: "### REPLACE_ME ###"
+  cookieEncryptionKey: "### REPLACE_ME ###"
+
+  tls:
+    enabled: true
+    certSecretName: backend-tls-cert
+    tlsCertFile: /etc/kube-bind/tls/tls.crt
+    tlsKeyFile: /etc/kube-bind/tls/tls.key
+
+# Cert-manager configuration
+certManager:
+  enabled: true
+  clusterIssuer: letsencrypt-prod
+
+# RBAC configuration
+rbac:
+  create: true
+
+# Service account configuration
+serviceAccount:
+  create: true
+  automount: true
+
+service:
+  type: LoadBalancer
+  port: 8080
+  httpsPort: 443
+
+livenessProbe:
+  httpGet:
+    path: /healthz
+    port: https
+    scheme: HTTPS
+readinessProbe:
+  httpGet:
+    path: /healthz
+    port: https
+    scheme: HTTPS
\ No newline at end of file
diff --git a/deploy/charts/backend/templates/_helpers.tpl b/deploy/charts/backend/templates/_helpers.tpl
new file mode 100644
index 000000000..dcd9bc945
--- /dev/null
+++ b/deploy/charts/backend/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kube-bind.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "kube-bind.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "kube-bind.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "kube-bind.labels" -}}
+helm.sh/chart: {{ include "kube-bind.chart" . }}
+{{ include "kube-bind.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "kube-bind.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "kube-bind.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "kube-bind.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "kube-bind.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/deploy/charts/backend/templates/clusterrolebinding.yaml b/deploy/charts/backend/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000..11d3e5b26
--- /dev/null
+++ b/deploy/charts/backend/templates/clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "kube-bind.fullname" . }}-manager
+  labels:
+    {{- include "kube-bind.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kube-bind-role
+subjects:
+- kind: ServiceAccount
+  name: {{ include "kube-bind.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
\ No newline at end of file
diff --git a/deploy/charts/backend/templates/deployment.yaml b/deploy/charts/backend/templates/deployment.yaml
new file mode 100644
index 000000000..8e98f46e8
--- /dev/null
+++ b/deploy/charts/backend/templates/deployment.yaml
@@ -0,0 +1,130 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "kube-bind.fullname" . }}
+  labels:
+    {{- include "kube-bind.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "kube-bind.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "kube-bind.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "kube-bind.serviceAccountName" . }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}
+          {{- with .Values.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args:
+            - --listen-address={{ .Values.backend.listenAddress }}
+            {{- if .Values.backend.logLevel }}
+            - --log-level={{ .Values.backend.logLevel }}
+            {{- end }}
+            {{- if .Values.backend.oidc.issuerUrl }}
+            - --oidc-issuer-url={{ .Values.backend.oidc.issuerUrl }}
+            {{- end }}
+            {{- if .Values.backend.oidc.clientId }}
+            - --oidc-issuer-client-id={{ .Values.backend.oidc.clientId }}
+            {{- end }}
+            {{- if .Values.backend.oidc.clientSecret }}
+            - --oidc-issuer-client-secret={{ .Values.backend.oidc.clientSecret }}
+            {{- end }}
+            {{- if .Values.backend.oidc.callbackUrl }}
+            - --oidc-callback-url={{ .Values.backend.oidc.callbackUrl }}
+            {{- end }}
+            {{- if .Values.backend.prettyName }}
+            - --pretty-name={{ .Values.backend.prettyName }}
+            {{- end }}
+            {{- if .Values.backend.namespacePrefix }}
+            - --namespace-prefix={{ .Values.backend.namespacePrefix }}
+            {{- end }}
+            {{- if .Values.backend.consumerScope }}
+            - --consumer-scope={{ .Values.backend.consumerScope }}
+            {{- end }}
+            {{- if .Values.backend.cookieSigningKey }}
+            - --cookie-signing-key={{ .Values.backend.cookieSigningKey }}
+            {{- end }}
+            {{- if .Values.backend.cookieEncryptionKey }}
+            - --cookie-encryption-key={{ .Values.backend.cookieEncryptionKey }}
+            {{- end }}
+            {{- if .Values.backend.tls.enabled }}
+            - --tls-cert-file={{ .Values.backend.tls.tlsCertFile }}
+            - --tls-key-file={{ .Values.backend.tls.tlsKeyFile }}
+            {{- end }}
+          ports:
+            {{- if .Values.backend.tls.enabled }}
+            - name: https
+              containerPort: 8443
+              protocol: TCP
+            {{- else }}
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+            {{- end }}
+          {{- with .Values.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            {{- if .Values.backend.tls.enabled }}
+            - name: tls-certs
+              mountPath: /etc/kube-bind/tls
+              readOnly: true
+            {{- end }}
+            {{- with .Values.volumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+      volumes:
+        {{- if .Values.backend.tls.enabled }}
+        - name: tls-certs
+          secret:
+            secretName: {{ .Values.backend.tls.certSecretName }}
+        {{- end }}
+        {{- with .Values.volumes }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
diff --git a/deploy/charts/backend/templates/hpa.yaml b/deploy/charts/backend/templates/hpa.yaml
new file mode 100644
index 000000000..9eb020211
--- /dev/null
+++ b/deploy/charts/backend/templates/hpa.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "kube-bind.fullname" . }}
+  labels:
+    {{- include "kube-bind.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "kube-bind.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}
diff --git a/deploy/charts/backend/templates/role.yaml b/deploy/charts/backend/templates/role.yaml
new file mode 100644
index 000000000..cb3604903
--- /dev/null
+++ b/deploy/charts/backend/templates/role.yaml
@@ -0,0 +1,107 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kube-bind-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - secrets
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  - serviceaccounts
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - kube-bind.io
+  resources:
+  - apiresourceschemas
+  - apiserviceexportrequests
+  - apiserviceexports
+  - apiservicenamespaces
+  - boundschemas
+  - clusterbindings
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - kube-bind.io
+  resources:
+  - apiserviceexportrequests/finalizers
+  - apiserviceexports/finalizers
+  - apiservicenamespaces/finalizers
+  - clusterbindings/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - kube-bind.io
+  resources:
+  - apiserviceexportrequests/status
+  - apiserviceexports/status
+  - apiservicenamespaces/status
+  - clusterbindings/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - kube-bind.io
+  resources:
+  - apiserviceexporttemplates
+  - collections
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - kube-bind.io
+  resources:
+  - boundschemas/status
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - clusterrolebindings
+  - clusterroles
+  - rolebindings
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
diff --git a/deploy/charts/backend/templates/service.yaml b/deploy/charts/backend/templates/service.yaml
new file mode 100644
index 000000000..f0824cdf3
--- /dev/null
+++ b/deploy/charts/backend/templates/service.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "kube-bind.fullname" . }}
+  labels:
+    {{- include "kube-bind.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    {{- if .Values.backend.tls.enabled }}
+    - port: {{ .Values.service.httpsPort | default 8443 }}
+      targetPort: https
+      protocol: TCP
+      name: https
+    {{- else }}
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+    {{- end }}
+  selector:
+    {{- include "kube-bind.selectorLabels" . | nindent 4 }}
diff --git a/deploy/charts/backend/templates/serviceaccount.yaml b/deploy/charts/backend/templates/serviceaccount.yaml
new file mode 100644
index 000000000..86e6fb813
--- /dev/null
+++ b/deploy/charts/backend/templates/serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "kube-bind.serviceAccountName" . }}
+  labels:
+    {{- include "kube-bind.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}
diff --git a/deploy/charts/backend/templates/tests/test-connection.yaml b/deploy/charts/backend/templates/tests/test-connection.yaml
new file mode 100644
index 000000000..ea7ec43de
--- /dev/null
+++ b/deploy/charts/backend/templates/tests/test-connection.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "kube-bind.fullname" . }}-test-connection"
+  labels:
+    {{- include "kube-bind.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ include "kube-bind.fullname" . }}:{{ .Values.service.port }}']
+  restartPolicy: Never
diff --git a/deploy/charts/backend/values.yaml b/deploy/charts/backend/values.yaml
new file mode 100644
index 000000000..f7a3a379e
--- /dev/null
+++ b/deploy/charts/backend/values.yaml
@@ -0,0 +1,136 @@
+# Default values for kube-bind.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# This will set the replicaset count more information can be found here: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
+replicaCount: 1
+
+# This sets the container image more information can be found here: https://kubernetes.io/docs/concepts/containers/images/
+image:
+    repository: ghcr.io/kube-bind/backend
+    # This sets the pull policy for images.
+    pullPolicy: IfNotPresent
+    # Overrides the image tag whose default is the chart appVersion.
+    tag: ""
+
+# This is for the secrets for pulling an image from a private repository more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+imagePullSecrets: []
+# This is to override the chart name.
+nameOverride: ""
+fullnameOverride: ""
+
+# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Automatically mount a ServiceAccount's API credentials?
+  automount: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+# RBAC configuration
+rbac:
+  # Specifies whether RBAC resources should be created
+  create: true
+
+# This is for setting Kubernetes Annotations to a Pod.
+# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+podAnnotations: {}
+# This is for setting Kubernetes Labels to a Pod.
+# For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+podLabels: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+# This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/
+service:
+  # This sets the service type more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
+  type: ClusterIP
+  # This sets the ports more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/#field-spec-ports
+  port: 8080
+  httpsPort: 8443
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+# This is to setup the liveness and readiness probes more information can be found here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
+livenessProbe:
+  httpGet:
+    path: /healthz
+    port: http
+readinessProbe:
+  httpGet:
+    path: /healthz
+    port: http
+
+# This section is for setting up autoscaling more information can be found here: https://kubernetes.io/docs/concepts/workloads/autoscaling/
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 100
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+
+# Additional volumes on the output Deployment definition.
+volumes: []
+# - name: foo
+#   secret:
+#     secretName: mysecret
+#     optional: false
+
+# Additional volumeMounts on the output Deployment definition.
+volumeMounts: []
+# - name: foo
+#   mountPath: "/etc/foo"
+#   readOnly: true
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+# Backend configuration
+backend:
+  listenAddress: "0.0.0.0:8080"
+  # OIDC configuration
+  oidc:
+    issuerUrl: ""
+    clientId: ""
+    clientSecret: ""
+    callbackUrl: ""
+  
+  # General backend configuration
+  prettyName: ""
+  namespacePrefix: "kube-bind-"
+  consumerScope: "cluster"
+  
+  # Cookie configuration - these should be base64 encoded keys
+  cookieSigningKey: ""
+  cookieEncryptionKey: ""
+
+# Cert-manager configuration
+certManager:
+  enabled: false
+  clusterIssuer: ""
diff --git a/deploy/manifests/example-backend/insecure/example-backend.yaml b/deploy/manifests/example-backend/insecure/example-backend.yaml
deleted file mode 100644
index d5f521f35..000000000
--- a/deploy/manifests/example-backend/insecure/example-backend.yaml
+++ /dev/null
@@ -1,137 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: example-backend
-  labels:
-    app: example-backend
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: example-backend
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      labels:
-        app: example-backend
-    spec:
-      serviceAccountName: example-backend
-      containers:
-        - name: example-backend
-          image: ghcr.io/kube-bind/example-backend:latest
-          command:
-            - /example-backend
-          args:
-            - --namespace-prefix=cluster
-            - --pretty-name=MangoDB
-            - --consumer-scope=Namespaced
-            - --oidc-issuer-client-id=$(OIDC-ISSUER-CLIENT-ID)
-            - --oidc-issuer-client-secret=$(OIDC-ISSUER-CLIENT-SECRET)
-            - --oidc-issuer-url=$(OIDC-ISSUER-URL)
-            - --oidc-callback-url=$(OIDC-CALLBACK-URL)
-            - --listen-address=0.0.0.0:443
-            - --cookie-signing-key=$(COOKIE-SIGNING-KEY)
-          env:
-            - name: OIDC-ISSUER-CLIENT-ID
-              valueFrom:
-                secretKeyRef:
-                  name: oidc-config
-                  key: oidc-issuer-client-id
-            - name: OIDC-ISSUER-CLIENT-SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: oidc-config
-                  key: oidc-issuer-client-secret
-            - name: OIDC-ISSUER-URL
-              valueFrom:
-                secretKeyRef:
-                  name: oidc-config
-                  key: oidc-issuer-url
-            - name: OIDC-CALLBACK-URL
-              valueFrom:
-                secretKeyRef:
-                  name: oidc-config
-                  key: oidc-callback-url
-            - name: COOKIE-SIGNING-KEY
-              valueFrom:
-                secretKeyRef:
-                  name: cookie-config
-                  key: signing-key
-          resources:
-            limits:
-              cpu: '2'
-              memory: 2Gi
-            requests:
-              cpu: '100m'
-              memory: 256Mi
-      volumes:
-        - name: oidc-config
-          secret:
-            secretName: oidc-config
-        - name: cookie-config
-          secret:
-            secretName: cookie-config
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: oidc-config
-type: Opaque
-stringData:
-    oidc-issuer-client-id: 'mangodb'
-    oidc-issuer-client-secret: 'mangodb-93f3e8d86fd1fc4c9c50c74643b87d1cfce8dd5ef25f8722187fe002'
-    oidc-issuer-url: 'https://mangodb.de'
-    oidc-callback-url: 'https://mangodb.de/callback'
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: example-backend
-spec:
-  type: ClusterIP
-  ports:
-    - protocol: TCP
-      name: example-backend
-      port: 443
-      targetPort: 443
-  selector:
-    app: example-backend
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: example-backend
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: example-backend
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-- kind: ServiceAccount
-  name: example-backend
-  namespace: default
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: example-backend
-  annotations:
-    kubernetes.io/ingress.class: nginx
-spec:
-  rules:
-  - host: "mangodb.de"
-    http:
-      paths:
-      - pathType: Prefix
-        path: "/"
-        backend:
-          service:
-            name: example-backend
-            port:
-              number: 443
diff --git a/deploy/manifests/example-backend/letsencrypt/.gitignore b/deploy/manifests/example-backend/letsencrypt/.gitignore
deleted file mode 100644
index c6d77ca2c..000000000
--- a/deploy/manifests/example-backend/letsencrypt/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-*-secret.yaml
-cluster-issuer.yaml
diff --git a/deploy/manifests/example-backend/letsencrypt/cluster-issuer.yaml.tmpl b/deploy/manifests/example-backend/letsencrypt/cluster-issuer.yaml.tmpl
deleted file mode 100644
index 870b12182..000000000
--- a/deploy/manifests/example-backend/letsencrypt/cluster-issuer.yaml.tmpl
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-prod
-spec:
-  acme:
-    email: <redacted>
-    server: https://acme-v02.api.letsencrypt.org/directory
-    privateKeySecretRef:
-      name: letsencrypt-prod-private-key
-    solvers:
-    - http01:
-        ingress:
-          class: nginx
\ No newline at end of file
diff --git a/deploy/manifests/example-backend/letsencrypt/dex-config-secret.yaml.tmpl b/deploy/manifests/example-backend/letsencrypt/dex-config-secret.yaml.tmpl
deleted file mode 100644
index cff14717c..000000000
--- a/deploy/manifests/example-backend/letsencrypt/dex-config-secret.yaml.tmpl
+++ /dev/null
@@ -1,34 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: dex-config
-type: Opaque
-stringData:
-  config.yaml: |
-    issuer: https://mangodb.de/dex
-    storage:
-      type: memory
-      config:
-        file: examples/dex.db
-    web:
-      http: 0.0.0.0:5556
-    oauth2:
-       skipApprovalScreen: true
-    staticClients:
-    - id: kube-bind
-      redirectURIs:
-      - 'https://mangodb.de/callback'
-      name: 'Kube Bind'
-      secret: <redacted>
-    connectors:
-    - type: github
-      id: github
-      name: GitHub
-      config:
-        clientID: <redacted>
-        clientSecret: <redacted>
-        redirectURI: https://mangodb.de/dex/callback
-        teamNameField: slug
-        orgs:
-        - name: kube-bind
diff --git a/deploy/manifests/example-backend/letsencrypt/example-backend.yaml b/deploy/manifests/example-backend/letsencrypt/example-backend.yaml
deleted file mode 100644
index 8e0e950a5..000000000
--- a/deploy/manifests/example-backend/letsencrypt/example-backend.yaml
+++ /dev/null
@@ -1,235 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: example-backend
-  labels:
-    app: example-backend
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: example-backend
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      labels:
-        app: example-backend
-    spec:
-      serviceAccountName: example-backend
-      containers:
-        - name: example-backend
-          image: ghcr.io/kube-bind/example-backend:latest
-          imagePullPolicy: Always
-          args:
-            - --namespace-prefix=cluster
-            - --pretty-name=MangoDB
-            - --consumer-scope=Namespaced
-            - --oidc-issuer-client-id=$(OIDC-ISSUER-CLIENT-ID)
-            - --oidc-issuer-client-secret=$(OIDC-ISSUER-CLIENT-SECRET)
-            - --oidc-issuer-url=$(OIDC-ISSUER-URL)
-            - --oidc-authorize-url=$(OIDC-AUTHORIZE-URL)
-            - --oidc-callback-url=$(OIDC-CALLBACK-URL)
-            - --listen-address=0.0.0.0:8080
-            - --external-address=https://api.mangodb.de
-            - --external-ca-file=/etc/tls/ca.crt
-            - --external-server-name=78615b03-d644-4fb7-8395-8a60efd388f2.k8s.ondigitalocean.com
-            - --cookie-signing-key=$(COOKIE-SIGNING-KEY)
-          env:
-            - name: OIDC-ISSUER-CLIENT-ID
-              valueFrom:
-                configMapKeyRef:
-                  name: oidc-config
-                  key: oidc-issuer-client-id
-            - name: OIDC-ISSUER-CLIENT-SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: oidc-secret
-                  key: oidc-issuer-client-secret
-            - name: OIDC-ISSUER-URL
-              valueFrom:
-                configMapKeyRef:
-                  name: oidc-config
-                  key: oidc-issuer-url
-            - name: OIDC-AUTHORIZE-URL
-              valueFrom:
-                configMapKeyRef:
-                  name: oidc-config
-                  key: oidc-authorize-url
-            - name: OIDC-CALLBACK-URL
-              valueFrom:
-                configMapKeyRef:
-                  name: oidc-config
-                  key: oidc-callback-url
-            - name: COOKIE-SIGNING-KEY
-              valueFrom:
-                secretKeyRef:
-                  name: oidc-secret
-                  key: cookie-signing-key
-          resources:
-            limits:
-              cpu: '2'
-              memory: 2Gi
-            requests:
-              cpu: '100m'
-              memory: 256Mi
-          volumeMounts:
-          - name: kube-bind-ca
-            mountPath: /etc/tls
-            readOnly: true
-      volumes:
-        - name: oidc-config
-          configMap:
-            name: oidc-config
-        - name: oidc-secret
-          secret:
-            secretName: oidc-config
-        - name: kube-bind-ca
-          secret:
-            secretName: kube-bind-ca
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: oidc-config
-data:
-    oidc-issuer-client-id: 'kube-bind'
-    oidc-issuer-url: 'https://mangodb.de/dex'
-    oidc-authorize-url: 'https://mangodb.de/authorize'
-    oidc-callback-url: 'https://mangodb.de/callback'
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: kube-bind-ca
-type: Opaque
-data:
-  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKekNDQWcrZ0F3SUJBZ0lDQm5Vd0RRWUpLb1pJaHZjTkFRRUxCUUF3TXpFVk1CTUdBMVVFQ2hNTVJHbG4KYVhSaGJFOWpaV0Z1TVJvd0dBWURWUVFERXhGck9ITmhZWE1nUTJ4MWMzUmxjaUJEUVRBZUZ3MHlNakV3TWpFeApOVEV3TXpkYUZ3MDBNakV3TWpFeE5URXdNemRhTURNeEZUQVRCZ05WQkFvVERFUnBaMmwwWVd4UFkyVmhiakVhCk1CZ0dBMVVFQXhNUmF6aHpZV0Z6SUVOc2RYTjBaWElnUTBFd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUIKRHdBd2dnRUtBb0lCQVFEMUJsNWJVNHVvL3cwd0gxczkwcHMvcDhneW1MTmpVRU4xc2xyNmtpWXYrNkpzbXBqaApVdjE2UHpXOXY4dStRQWpMeUJHUmc3TG0vRVpvcmpZMGxDdTYrSVMrcitxUjZsN3ZETXBYVmdBUE5NWi8zMk12CmVTZ3hTa0FzZmhsb1p0NnA1S0NUcGRFM29XQk9Kc3BVUzRPZG10OWhyempsbEY4eGh2c1lQNXVWZDhBV29FTFUKMFlTbms1Z3JPaWZCMDQzTlVKanNhVk5Ta2V0ekUycWlpTjJuWmlYZnVMSFRDNk9HY0d4VVNSYTBzcUhPQ0pETwpja3BhQlI2Z2ZPR2xkcG4xQXNROEFJdWRxa3ZnTWhoaUkzMU84cXZOS0tFSVlJSGdrTzhYNzh0cmxnb01UWFFQCnFiSFlrUmZaWlRnN0hmWXRGTjRyWmRjV2VyakJOZzYrOGtxVkFnTUJBQUdqUlRCRE1BNEdBMVVkRHdFQi93UUUKQXdJQmhqQVNCZ05WSFJNQkFmOEVDREFHQVFIL0FnRUFNQjBHQTFVZERnUVdCQlJqbS9iOU5JMzcxbFd1U2crOAovZWdYNHAvaXR6QU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFmYTV6eHErREVnQUhUanBBSWFvWlE3QTUyTExoCkw5S3NCTzFQOHFZQldqQ2Z2OHV5NHhKaEVYMnlmU3VkR1pTZWNLaXRueERnbmhKanRSNGxuZjJXNVdIZldWNDIKdk5TYldYemc5bzVxVVFNMnl6a1ExV25NV3pxQ2VWMlpOUC9CczJLZWlUeDlMTk5ZZFFiSU01bjkyY0RYNzZGeQpHa09sbGo3djV6cWh5MC9MSWtjNmxnNW0waEd1U3FaUDliUFpvR3lRZWtrQXp3UEZWMWJYcmc4dXJUbFlXWjExCjJ3aGtzeWtCbk5qUHNjajNxWHA1OVpOaVVRUFNsSFBpK2lWb1RmMDJNYmlHb1lUd3FQL0ZUSlVxTHNxa3JoRkkKQjkrZ3lycVNVQTFERzNscUJzNVlzd0RwQ3FIMDEwQkg1YUtvUWFuY2hrQlNBc29ZWVJvS3QvTTdRdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: example-backend
-spec:
-  type: ClusterIP
-  ports:
-    - protocol: TCP
-      name: example-backend
-      port: 80
-      targetPort: 8080
-  selector:
-    app: example-backend
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: example-backend
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: example-backend
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-- kind: ServiceAccount
-  name: example-backend
-  namespace: default
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: example-backend
-  annotations:
-    kubernetes.io/ingress.class: nginx
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    nginx.ingress.kubernetes.io/proxy-buffers-number: "4 512k"
-    nginx.ingress.kubernetes.io/proxy-buffer-size: 256k
-spec:
-  tls:
-  - hosts:
-    - mangodb.de
-    secretName: mangodb-tls
-  rules:
-  - host: "mangodb.de"
-    http:
-      paths:
-      - pathType: Prefix
-        path: "/"
-        backend:
-          service:
-            name: example-backend
-            port:
-              number: 80
-      - pathType: Prefix
-        path: "/dex"
-        backend:
-          service:
-            name: dex
-            port:
-              number: 80
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: dex
-  labels:
-    app: dex
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: dex
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      labels:
-        app: dex
-    spec:
-      containers:
-      - name: dex
-        image: ghcr.io/dexidp/dex:latest-distroless
-        args:
-        - dex
-        - serve
-        - /etc/dex/config.yaml
-        resources:
-          limits:
-            cpu: '2'
-            memory: 2Gi
-          requests:
-            cpu: '100m'
-            memory: 256Mi
-        volumeMounts:
-        - name: dex-config
-          mountPath: /etc/dex
-          readOnly: true
-        - name: mangodb-tls
-          mountPath: /etc/tls
-          readOnly: true
-      volumes:
-      - name: dex-config
-        secret:
-          secretName: dex-config
-      - name: mangodb-tls
-        secret:
-          secretName: mangodb-tls
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: dex
-spec:
-  type: ClusterIP
-  ports:
-  - protocol: TCP
-    name: dex
-    port: 80
-    targetPort: 5556
-  selector:
-    app: dex
diff --git a/deploy/manifests/example-backend/letsencrypt/oidc-secret.yaml.tmpl b/deploy/manifests/example-backend/letsencrypt/oidc-secret.yaml.tmpl
deleted file mode 100644
index 9f099db1d..000000000
--- a/deploy/manifests/example-backend/letsencrypt/oidc-secret.yaml.tmpl
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: oidc-secret
-type: Opaque
-stringData:
-  oidc-issuer-client-secret: <redacted>
-  cookie-signing-key: <redacted>
\ No newline at end of file
diff --git a/docs/content/setup/helm.md b/docs/content/setup/helm.md
index 329c19008..f23bc61f8 100644
--- a/docs/content/setup/helm.md
+++ b/docs/content/setup/helm.md
@@ -1,9 +1,242 @@
----
+<---
 description: >
   Install kube-bind on an existing Kubernetes cluster via the official Helm chart.
 ---
 
 # Installation with Helm
 
+Kube-bind can be installed on an existing Kubernetes cluster using the official Helm chart.
+There are 2 helm charts available: `kube-bind/backend` for service providers and `kube-bind/konnectors` for service consumers.
+
+## Quick Start
+
+**Important**: Current version of kube-bind uses application level redirect (HTTP 302) to CLI. Your ingress controller must support this behavior.
+
+## Prerequisites & Setup Guides
+
+The following prerequisites are required. Click the links below for detailed setup instructions:
+
+- **[Kubernetes cluster](#kubernetes-cluster)** - A running Kubernetes cluster
+- **[Helm 3.x](#helm)** - Package manager for Kubernetes
+- **[cert-manager](#cert-manager-setup)** - For TLS certificate management
+- **[OIDC provider](#oidc-provider-setup)** - For authentication (Dex, Keycloak, etc.)
+
+### Install Kube-Bind Backend
+
+1. **Add the Helm repository:**
+```bash
+helm repo add kube-bind https://kube-bind.github.io/helm-charts
+helm repo update
+```
+
+2. **Configure your values:**
+Edit `deploy/charts/backend/examples/values-local-development.yaml` and replace the placeholder values:
+- `### REPLACE ME ###` with your actual OIDC credentials
+- Update hostnames to match your setup
+
+3. **Install the backend:**
+```bash
+helm upgrade --install \
+    --namespace kube-bind \
+    --create-namespace \
+    --values ./deploy/charts/backend/examples/values-local-development.yaml \
+    kube-bind kube-bind/backend
+```
+
+4. **Seed with example resources (optional):**
+```bash
+kubectl apply -f deploy/examples/crd-foo.yaml
+kubectl apply -f deploy/examples/crd-mangodb.yaml
+kubectl apply -f deploy/examples/template-foo.yaml
+kubectl apply -f deploy/examples/template-mangodb.yaml
+kubectl apply -f deploy/examples/collection.yaml
+```
+
+That's it! Your kube-bind backend is now ready to use.
+
+---
+
+### Kubernetes Cluster
+You need a running Kubernetes cluster with `kubectl` configured. For testing, you can create a local cluster:
+
+```bash
+kind create cluster --name kube-bind-test
+```
+
+### Helm
+Install Helm 3.x from [https://helm.sh/docs/intro/install/](https://helm.sh/docs/intro/install/)
+
+### cert-manager Setup
+
+Install cert-manager for automatic TLS certificate management:
+
+```bash
+helm repo add jetstack https://charts.jetstack.io
+helm repo update
+
+helm upgrade \
+  --install \
+  --namespace cert-manager \
+  --create-namespace \
+  --version v1.18.2 \
+  --set crds.enabled=true \
+  --atomic \
+  cert-manager jetstack/cert-manager
+```
+
+#### Configure Let's Encrypt (Optional)
+
+Create a ClusterIssuer for automatic certificate provisioning:
+
+```bash
+kubectl apply -f - <<EOF
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    # Replace with your email address
+    email: admin@example.com
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: le-issuer-account-key
+    solvers:
+    - dns01:
+        cloudflare:
+          email: admin@example.com
+          apiKeySecretRef:
+            name: cloudflare-api-key-secret
+            key: api-key
+EOF
+```
+
+Create the Cloudflare API key secret:
+
+```bash
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-api-key-secret
+  namespace: cert-manager
+type: Opaque
+data:
+  # Replace with your base64 encoded Cloudflare Global API Key
+  # Get your API key from: https://dash.cloudflare.com/profile/api-tokens
+  # Then encode it: echo -n "your-api-key" | base64
+  api-key: #### REPLACE ME WITH BASE64 ENCODED VALUE ####
+EOF
+```
+
+### OIDC Provider Setup
+
+Kube-bind requires an OIDC provider for authentication. Here's how to set up Dex as an example:
+
+#### Install Dex OIDC Provider
+
+```bash
+kubectl create namespace oidc
+
+# Request TLS certificate for Dex
+kubectl apply -f - <<EOF
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: dex-tls-cert
+  namespace: oidc
+spec:
+  secretName: dex-tls
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer
+    group: cert-manager.io
+  dnsNames:
+  - auth.example.com  # Replace with your domain
+  usages:
+  - digital signature
+  - key encipherment
+EOF
+```
+
+Wait for the certificate to be issued, then install Dex:
+
+```bash
+helm repo add dex https://charts.dexidp.io
+
+cat > /tmp/dex-values.yaml <<EOF
+config:
+  issuer: https://auth.example.com  # Replace with your domain
+  
+  logger:
+    level: "debug"
+  
+  storage:
+    type: kubernetes
+    config:
+      inCluster: true
+  
+  web:
+    https: 0.0.0.0:5557
+    tlsCert: /etc/dex/tls/tls.crt
+    tlsKey: /etc/dex/tls/tls.key
+    http: "0.0.0.0:5556"
+  
+  connectors:
+    - type: github
+      id: github
+      name: GitHub
+      config:
+        clientID: ### REPLACE ME ###
+        clientSecret: ### REPLACE ME ###
+        redirectURI: https://auth.example.com/callback
+        org: your-org  # Replace with your GitHub org
+  
+  staticClients:
+    - id: kube-bind
+      redirectURIs:
+      - https://auth.example.com/callback
+      - http://localhost:8000
+      - https://kube-bind.example.com/callback  # Replace with your domain
+      name: 'KubeBindApp'
+      secret: ### REPLACE ME ###
+
+service:
+  type: LoadBalancer
+  ports:
+    https:
+      port: 443
+    http:
+      port: 5556
+
+https:
+  enabled: true
+
+volumes:
+- name: tls-cert
+  secret:
+    secretName: dex-tls
+
+volumeMounts:
+- name: tls-cert
+  mountPath: /etc/dex/tls
+  readOnly: true
+EOF
+
+helm upgrade -i dex dex/dex \
+  --create-namespace \
+  --namespace oidc \
+  -f /tmp/dex-values.yaml
+```
+
+---
+
+## Configuration
+
+The example values file at `deploy/charts/backend/examples/values-local-development.yaml` contains all the configuration options. Make sure to replace all `### REPLACE ME ###` placeholders with your actual values:
+
+- **OIDC credentials**: Get these from your OIDC provider (Dex, GitHub, etc.)
+- **Cookie keys**: Generate with `openssl rand -base64 32`
+- **Hostnames**: Update to match your actual domains
 
-If you reading this, we need help populating this page :)
\ No newline at end of file
+For production deployments, create your own values file based on the example.
\ No newline at end of file
diff --git a/hack/update-codegen.sh b/hack/update-codegen.sh
index 27c432d74..e39b870d7 100755
--- a/hack/update-codegen.sh
+++ b/hack/update-codegen.sh
@@ -35,6 +35,20 @@ cd sdk/apis
     webhook \
     paths="./..." \
     output:crd:artifacts:config=../../deploy/crd
+
+../../${CONTROLLER_GEN} \
+    crd \
+    rbac:roleName=manager-role \
+    webhook \
+    paths="./..." \
+    output:crd:artifacts:config=../../deploy/charts/backend/crds
+
+# Generate RBAC manifests for Helm chart from backend controllers
+../../${CONTROLLER_GEN} \
+    rbac:roleName=kube-bind-role \
+    paths="../../backend/controllers/..." \
+    output:rbac:artifacts:config=../../deploy/charts/backend/templates
+
 cd -
 
 cd deploy/crd

From 047ba715e8ab0d207d1263bc00707810d1d231f5 Mon Sep 17 00:00:00 2001
From: Mangirdas Judeikis <mangirdas@judeikis.lt>
Date: Fri, 24 Oct 2025 14:32:18 +0300
Subject: [PATCH 2/2] add helm deployment

Signed-off-by: Mangirdas Judeikis <mangirdas@judeikis.lt>
 On-behalf-of: @SAP mangirdas.judeikis@sap.com
---
 .github/workflows/image.yaml              |  41 +++++++++
 Makefile                                  |  98 ++++++++++++++++-----
 backend/controllers/rbac.go               |   5 ++
 deploy/charts/backend/templates/role.yaml |   6 ++
 docs/content/setup/helm.md                | 102 +++++++++++++++++-----
 5 files changed, 206 insertions(+), 46 deletions(-)

diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml
index 79b55e78c..230234eea 100644
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@@ -26,6 +26,11 @@ jobs:
     - uses: sigstore/cosign-installer@v3.7.0
     - name: Install ko
       run: go install github.com/google/ko@latest
+    
+    - name: Install Helm
+      uses: azure/setup-helm@v3
+      with:
+        version: 'v3.12.0'
 
     - name: Set LDFLAGS
       run: echo LDFLAGS="$(make ldflags)" | tee -a >> $GITHUB_ENV
@@ -62,6 +67,42 @@ jobs:
             -a run_id=${{ github.run_id }} \
             -a run_attempt=${{ github.run_attempt }}
 
+    - name: Package and push Helm charts as OCI
+      env:
+        HELM_EXPERIMENTAL_OCI: 1
+      run: |
+        # Login to GitHub Container Registry for Helm
+        echo "${{ github.token }}" | helm registry login ghcr.io --username ${{ github.actor }} --password-stdin
+        
+        # Set chart version - use tag name if available, otherwise use semver format
+        if [[ "${{ github.ref_type }}" == "tag" ]]; then
+          CHART_VERSION="${{ github.ref_name }}"
+          # Remove 'v' prefix if present
+          CHART_VERSION="${CHART_VERSION#v}"
+        else
+          CHART_VERSION="0.0.0-${{ github.sha }}"
+        fi
+        
+        # Package and push each chart in deploy/charts/
+        for chart_dir in deploy/charts/*/; do
+          if [ -f "${chart_dir}Chart.yaml" ]; then
+            chart_name=$(basename "$chart_dir")
+            echo "Processing chart: $chart_name"
+            
+            # Update chart version and appVersion in Chart.yaml
+            sed -i "s/^version:.*/version: ${CHART_VERSION}/" "${chart_dir}Chart.yaml"
+            sed -i "s/^appVersion:.*/appVersion: ${CHART_VERSION}/" "${chart_dir}Chart.yaml"
+            
+            # Package the chart
+            helm package "$chart_dir" --version "${CHART_VERSION}"
+            
+            # Push to GitHub Container Registry
+            helm push "${chart_name}-${CHART_VERSION}.tgz" "oci://ghcr.io/${{ github.repository_owner }}/charts"
+            
+            echo "Helm chart pushed to oci://ghcr.io/${{ github.repository_owner }}/charts/${chart_name}:${CHART_VERSION}"
+          fi
+        done
+
     - uses: actions/delete-package-versions@v3
       with:
         package-name: 'kube-bind'
diff --git a/Makefile b/Makefile
index 899da2cf8..3796fd6a8 100644
--- a/Makefile
+++ b/Makefile
@@ -24,6 +24,11 @@ GOBIN_DIR=$(abspath ./bin )
 PATH := $(GOBIN_DIR):$(TOOLS_GOBIN_DIR):$(PATH)
 TMPDIR := $(shell mktemp -d)
 
+# Image build configuration
+# REV is the short git sha of latest commit.
+REV ?= $(shell git rev-parse --short HEAD)
+IMAGE_REPO ?= kube-bind
+
 # Detect the path used for the install target
 ifeq (,$(shell go env GOBIN))
 INSTALL_GOBIN=$(shell go env GOPATH)/bin
@@ -291,25 +296,10 @@ CONTRIBS_E2E := $(patsubst %,test-e2e-contrib-%,$(CONTRIBS))
 .PHONY: test-e2e-contribs $(CONTRIBS_E2E)
 test-e2e-contribs: $(CONTRIBS_E2E) ## Run e2e tests for external integrations
 
-.PHONY: test-e2e-contrib-kcp
 test-e2e-contrib-kcp: $(DEX) $(KCP)
 $(CONTRIBS_E2E):
 	cd contrib/$(patsubst test-e2e-contrib-%,%,$@) && $(GO_TEST) -race -count $(COUNT) $(E2E_PARALLELISM_FLAG) ./test/e2e/...
 
-DESTROY_KIND_CLUSTER ?= true
-REUSE_KIND_CLUSTER_SUFFIX ?= ""
-KIND_CLUSTER_NAME ?= kube-bind
-
-.PHONY: test-e2e-kind
-test-e2e-kind: build image-local
-	echo "Running kube-bind e2e tests"
-	KUBE_BIND_BACKEND_IMAGE=$(KO_DOCKER_REPO)/backend:$(REV) \
-	KUBE_BIND_KONNECTOR_IMAGE=$(KO_DOCKER_REPO)/konnector:$(REV) \
-	$(GO_TEST) -v ./test/e2e-kind/... \
-		-destroy-kind-cluster=$(DESTROY_KIND_CLUSTER) \
-		-collect-logs=true 
-	echo "Kube-bind e2e tests completed"
-
 .PHONY: test
 ifdef USE_GOTESTSUM
 test: $(GOTESTSUM)
@@ -385,32 +375,29 @@ deploy-docs: venv ## Deploy docs
 	. $(VENV)/activate; \
 	REMOTE=$(REMOTE) BRANCH=$(BRANCH) docs/scripts/deploy-docs.sh
 
-# Image build configuration
-# REV is the short git sha of latest commit.
-REV=$(shell git rev-parse --short HEAD)
-KIND_CLUSTER ?= backend
-KO_DOCKER_REPO ?= kube-bind
-
+# Example: make IMAGE_REPO=ghcr.io/<username> image-local 
 .PHONY: image-local
 image-local:
 	@echo "Building images locally with tag $(REV)"
 	@command -v ko >/dev/null 2>&1 || { echo "ko not found. Install with: go install github.com/google/ko@latest"; exit 1; }
 
 	@echo "Building konnector image locally..."
-	KO_DOCKER_REPO=$(KO_DOCKER_REPO) ko build \
+	KO_DOCKER_REPO=$(IMAGE_REPO) ko build \
 		--local \
 		-B \
 		-t $(REV) \
 		./cmd/konnector
 
 	@echo "Building backend image locally..."
-	KO_DOCKER_REPO=$(KO_DOCKER_REPO) ko build \
+	KO_DOCKER_REPO=$(IMAGE_REPO) ko build \
 		--local \
 		-B \
 		-t $(REV) \
 		./cmd/backend
 
-	@echo "Successfully built local images with tag $(REV)"
+	@echo "Successfully built local images:"
+	@echo "  $(IMAGE_REPO)/konnector:$(REV)"
+	@echo "  $(IMAGE_REPO)/backend:$(REV)"
 
 .PHONY: kind-load
 kind-load:
@@ -419,4 +406,67 @@ kind-load:
 	kind load docker-image $(KO_DOCKER_REPO)/backend:$(REV) --name $(KIND_CLUSTER)
 	@echo "Successfully loaded images into kind cluster '$(KIND_CLUSTER)'"
 
+.PHONY: helm-build-local
+helm-build-local: ## Build and package Helm charts locally for testing
+	@echo "Building Helm charts locally..."
+	@command -v helm >/dev/null 2>&1 || { echo "helm not found. Install from: https://helm.sh/docs/intro/install/"; exit 1; }
+	
+	@# Set chart version to semver format for local builds (0.0.0-<git-sha>)
+	CHART_VERSION="0.0.0-$(REV)"; \
+	for chart_dir in deploy/charts/*/; do \
+		if [ -f "$${chart_dir}Chart.yaml" ]; then \
+			chart_name=$$(basename "$$chart_dir"); \
+			echo "Processing chart: $$chart_name"; \
+			\
+			cp "$${chart_dir}Chart.yaml" "$${chart_dir}Chart.yaml.bak"; \
+			sed -i.tmp "s/^version:.*/version: $$CHART_VERSION/" "$${chart_dir}Chart.yaml"; \
+			sed -i.tmp "s/^appVersion:.*/appVersion: $$CHART_VERSION/" "$${chart_dir}Chart.yaml"; \
+			rm -f "$${chart_dir}Chart.yaml.tmp"; \
+			\
+			helm package "$$chart_dir" --version "$$CHART_VERSION" --destination ./bin/; \
+			echo "Packaged: ./bin/$$chart_name-$$CHART_VERSION.tgz"; \
+			\
+			mv "$${chart_dir}Chart.yaml.bak" "$${chart_dir}Chart.yaml"; \
+		fi; \
+	done
+	@echo "Helm charts built successfully in ./bin/"
+
+.PHONY: helm-clean
+helm-clean: ## Clean up built helm charts
+	rm -f ./bin/*.tgz
+
+.PHONY: helm-push-local
+helm-push-local: ## Push Helm charts to IMAGE_REPO registry
+	@echo "Pushing Helm charts to registry: $(IMAGE_REPO)"
+	@command -v helm >/dev/null 2>&1 || { echo "helm not found. Install from: https://helm.sh/docs/intro/install/"; exit 1; }
+	
+	CHART_VERSION="0.0.0-$(REV)"; \
+	export HELM_EXPERIMENTAL_OCI=1; \
+	for chart_file in ./bin/*-$$CHART_VERSION.tgz; do \
+		if [ -f "$$chart_file" ]; then \
+			chart_filename=$$(basename "$$chart_file"); \
+			chart_name=$${chart_filename%-$$CHART_VERSION.tgz}; \
+			if [[ "$$chart_name" =~ [[:space:]] ]]; then \
+				echo "Skipping chart with invalid name: '$$chart_name' (contains spaces)"; \
+				continue; \
+			fi; \
+			echo "Pushing $$chart_name to $(IMAGE_REPO)"; \
+			helm push "$$chart_file" "oci://$(IMAGE_REPO)/charts"; \
+			echo "Chart available at: oci://$(IMAGE_REPO)/charts/$$chart_name:$$CHART_VERSION"; \
+		fi; \
+	done
+
+.PHONY: helm-test
+helm-test: helm-build-local ## Test Helm chart installation (dry-run)
+	@echo "Testing Helm chart installation..."
+	CHART_VERSION="0.0.0-$(REV)"; \
+	for chart_dir in deploy/charts/*/; do \
+		if [ -f "$${chart_dir}Chart.yaml" ]; then \
+			chart_name=$$(basename "$$chart_dir"); \
+			echo "Testing chart: $$chart_name"; \
+			helm install test-$$chart_name "./bin/$$chart_name-$$CHART_VERSION.tgz" --dry-run --debug; \
+			echo "✓ Chart $$chart_name passes dry-run test"; \
+		fi; \
+	done
+
 include Makefile.venv
diff --git a/backend/controllers/rbac.go b/backend/controllers/rbac.go
index 7bd75c5ac..49d4d6c88 100644
--- a/backend/controllers/rbac.go
+++ b/backend/controllers/rbac.go
@@ -27,3 +27,8 @@ package controllers
 // These permissions allow the backend to grant RBAC permissions for exported resources
 //+kubebuilder:rbac:groups="",resources=configmaps,verbs=*
 //+kubebuilder:rbac:groups="",resources=secrets,verbs=*
+
+// Wildcard permissions to allow granting RBAC permissions for any API group/resource
+// This is needed for kube-bind to create ClusterRoles with permissions for bound resources
+// In a way this makes all the above specific permissions redundant, but they are left for clarity and traceability.
+//+kubebuilder:rbac:groups=*,resources=*,verbs=*
diff --git a/deploy/charts/backend/templates/role.yaml b/deploy/charts/backend/templates/role.yaml
index cb3604903..1a83d9a3d 100644
--- a/deploy/charts/backend/templates/role.yaml
+++ b/deploy/charts/backend/templates/role.yaml
@@ -24,6 +24,12 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - '*'
 - apiGroups:
   - apiextensions.k8s.io
   resources:
diff --git a/docs/content/setup/helm.md b/docs/content/setup/helm.md
index f23bc61f8..970d284ba 100644
--- a/docs/content/setup/helm.md
+++ b/docs/content/setup/helm.md
@@ -1,16 +1,16 @@
-<---
+---
 description: >
   Install kube-bind on an existing Kubernetes cluster via the official Helm chart.
 ---
 
 # Installation with Helm
 
-Kube-bind can be installed on an existing Kubernetes cluster using the official Helm chart.
-There are 2 helm charts available: `kube-bind/backend` for service providers and `kube-bind/konnectors` for service consumers.
+Kube-bind can be installed on an existing Kubernetes cluster using the official Helm OCI charts.
+The backend chart is available as an OCI image for service providers, with konnector charts coming soon for service consumers.
 
 ## Quick Start
 
-**Important**: Current version of kube-bind uses application level redirect (HTTP 302) to CLI. Your ingress controller must support this behavior.
+**Important**: Current version of kube-bind uses application-level redirect (HTTP 302) to CLI. Your ingress controller must support this behavior.
 
 ## Prerequisites & Setup Guides
 
@@ -23,25 +23,39 @@ The following prerequisites are required. Click the links below for detailed set
 
 ### Install Kube-Bind Backend
 
-1. **Add the Helm repository:**
-```bash
-helm repo add kube-bind https://kube-bind.github.io/helm-charts
-helm repo update
-```
+1. **Get the latest chart version:**
+   
+   Visit the [releases page](https://github.com/kube-bind/kube-bind/releases) or check available versions:
+   ```bash
+   # For latest tag version (recommended for production):
+   VERSION=$(curl -s https://api.github.com/repos/kube-bind/kube-bind/releases/latest | grep '"tag_name"' | cut -d'"' -f4 | sed 's/v//')
+   
+   # Or use a specific development version:
+   # VERSION=0.0.0-<git-sha>
+   ```
 
 2. **Configure your values:**
-Edit `deploy/charts/backend/examples/values-local-development.yaml` and replace the placeholder values:
-- `### REPLACE ME ###` with your actual OIDC credentials
-- Update hostnames to match your setup
-
-3. **Install the backend:**
-```bash
-helm upgrade --install \
-    --namespace kube-bind \
-    --create-namespace \
-    --values ./deploy/charts/backend/examples/values-local-development.yaml \
-    kube-bind kube-bind/backend
-```
+   
+   Edit `deploy/charts/backend/examples/values-local-development.yaml` and replace the placeholder values:
+   - `### REPLACE ME ###` with your actual OIDC credentials
+   - Update hostnames to match your setup
+
+3. **Install the backend using OCI chart:**
+   ```bash
+   # Using latest release version
+   helm upgrade --install \
+       --namespace kube-bind \
+       --create-namespace \
+       --values ./deploy/charts/backend/examples/values-local-development.yaml \
+       kube-bind oci://ghcr.io/kube-bind/charts/backend --version ${VERSION}
+   
+   # Or install a specific development version
+   # helm upgrade --install \
+   #     --namespace kube-bind \
+   #     --create-namespace \
+   #     --values ./deploy/charts/backend/examples/values-local-development.yaml \
+   #     kube-bind oci://ghcr.io/kube-bind/charts/backend --version 0.0.0-21d91e9
+   ```
 
 4. **Seed with example resources (optional):**
 ```bash
@@ -66,6 +80,11 @@ kind create cluster --name kube-bind-test
 ### Helm
 Install Helm 3.x from [https://helm.sh/docs/intro/install/](https://helm.sh/docs/intro/install/)
 
+**Note**: Helm 3.8+ is required for OCI chart support. Enable experimental OCI support if needed:
+```bash
+export HELM_EXPERIMENTAL_OCI=1
+```
+
 ### cert-manager Setup
 
 Install cert-manager for automatic TLS certificate management:
@@ -239,4 +258,43 @@ The example values file at `deploy/charts/backend/examples/values-local-developm
 - **Cookie keys**: Generate with `openssl rand -base64 32`
 - **Hostnames**: Update to match your actual domains
 
-For production deployments, create your own values file based on the example.
\ No newline at end of file
+For production deployments, create your own values file based on the example.
+
+---
+
+## Available OCI Charts
+
+Kube-bind Helm charts are published as OCI images to GitHub Container Registry:
+
+### Backend Chart
+- **Registry**: `oci://ghcr.io/kube-bind/charts/backend`
+- **Latest Release**: Use the latest tag version (e.g., `1.0.0`)
+- **Development Builds**: Available as `0.0.0-<git-sha>` format for each commit to main
+
+### Finding Available Versions
+
+**Release versions:**
+```bash
+# List all releases
+curl -s https://api.github.com/repos/kube-bind/kube-bind/releases | grep '"tag_name"' | head -5
+
+# Get latest release version
+VERSION=$(curl -s https://api.github.com/repos/kube-bind/kube-bind/releases/latest | grep '"tag_name"' | cut -d'"' -f4 | sed 's/v//')
+echo "Latest version: ${VERSION}"
+```
+
+**Development versions:**
+Development charts are built from every commit to the main branch with the format `0.0.0-<short-git-sha>`.
+
+### Installing Different Versions
+
+```bash
+# Install latest stable release (recommended for production)
+helm upgrade --install kube-bind oci://ghcr.io/kube-bind/charts/backend --version ${VERSION}
+
+# Install specific release version  
+helm upgrade --install kube-bind oci://ghcr.io/kube-bind/charts/backend --version 1.0.0
+
+# Install development build (for testing)
+helm upgrade --install kube-bind oci://ghcr.io/kube-bind/charts/backend --version 0.0.0-a1b2c3d
+```