From 723b1e3627f0c63832a6f08acfb4d49a5fe05a36 Mon Sep 17 00:00:00 2001
From: Ivo Gosemann <ivo.gosemann@sap.com>
Date: Wed, 9 Oct 2024 18:24:05 +0200
Subject: [PATCH 1/2] refactor(headscale): removal of headscale

Currently headscale is not used beeing deployed & used with Greenhouse.
To avoid unnecessary refactorings and time spend to validate Dependabot PRs
we decided to not touch the code for now.
This PR removes all usage of Headscale, so that we can revert when we have
a concrete usage for this in the future.
---
 .github/labeler.yml                           |    7 -
 .github/licenserc.yaml                        |    2 -
 .github/workflows/docker-build.yaml           |   12 -
 .github/workflows/pr-docker-build.yaml        |    6 -
 Dockerfile.headscalectl                       |   26 -
 Dockerfile.tailscale                          |   30 -
 Dockerfile.tcp-proxy                          |   27 -
 charts/greenhouse/Chart.lock                  |   10 +-
 charts/greenhouse/Chart.yaml                  |   10 +-
 charts/greenhouse/ci/test-values.yaml         |    6 -
 charts/headscale/.helmignore                  |   23 -
 charts/headscale/Chart.yaml                   |    9 -
 charts/headscale/ci/test-values.yaml          |   23 -
 charts/headscale/templates/_helpers.tpl       |   84 --
 charts/headscale/templates/deployment.yaml    |  122 --
 .../headscale/templates/etc/_acl_policy.yaml  |   45 -
 charts/headscale/templates/etc/_config.yaml   |  129 --
 charts/headscale/templates/etc/_derp.yaml     |    8 -
 charts/headscale/templates/etc/configmap.yaml |   23 -
 charts/headscale/templates/ingress-grpc.yaml  |   35 -
 charts/headscale/templates/ingress.yaml       |   46 -
 .../headscale/templates/postgres-service.yaml |   18 -
 .../templates/postgres-statefulset.yaml       |   58 -
 charts/headscale/templates/pvc.yaml           |   18 -
 charts/headscale/templates/rbac.yaml          |   34 -
 charts/headscale/templates/secret.yaml        |   16 -
 charts/headscale/templates/service.yaml       |   26 -
 .../headscale/templates/serviceaccount.yaml   |   11 -
 charts/headscale/values.yaml                  |   98 --
 .../manager/crds/greenhouse.sap_clusters.yaml |   48 -
 charts/manager/templates/deployment.yaml      |   11 -
 charts/manager/values.yaml                    |    7 -
 charts/tailscale-proxy/.helmignore            |   23 -
 charts/tailscale-proxy/Chart.yaml             |   27 -
 charts/tailscale-proxy/templates/_helpers.tpl |   62 -
 .../tailscale-proxy/templates/deployment.yaml |  156 ---
 charts/tailscale-proxy/templates/service.yaml |   22 -
 .../templates/serviceaccount.yaml             |   17 -
 charts/tailscale-proxy/values.yaml            |   84 --
 cmd/greenhouse/controllers.go                 |   32 +-
 cmd/greenhouse/main.go                        |   12 -
 cmd/headscalectl/main.go                      |   12 -
 cmd/tailscale-starter/main.go                 |   10 -
 cmd/tcp-proxy/main.go                         |  114 --
 docs/contribute/local-dev.md                  |    2 -
 docs/reference/api/index.html                 |  215 ----
 docs/reference/api/openapi.yaml               | 1062 ++++++++---------
 docs/user-guides/cluster/onboarding.md        |    4 +-
 go.mod                                        |   31 +-
 go.sum                                        |   70 --
 pkg/apis/greenhouse/v1alpha1/cluster_types.go |   35 +-
 .../greenhouse/v1alpha1/conditions_test.go    |   24 +-
 .../v1alpha1/zz_generated.deepcopy.go         |   54 -
 pkg/apis/well_known.go                        |    8 +-
 pkg/clientutil/client.go                      |   15 -
 pkg/clientutil/headscale.go                   |   92 --
 pkg/cmd/cluster_bootstrap.go                  |  377 +-----
 .../cluster/bootstrap_controller.go           |    9 -
 .../cluster/bootstrap_controller_test.go      |    2 +-
 .../cluster/cluster_exports_test.go           |   17 +-
 .../cluster/headscale_access_controller.go    |  505 --------
 .../headscale_access_controller_test.go       |  193 ---
 pkg/controllers/cluster/status_controller.go  |   11 +-
 pkg/controllers/cluster/suite_test.go         |  222 +---
 pkg/controllers/cluster/util.go               |  101 --
 pkg/controllers/fixtures/cluster.yaml         |   48 -
 pkg/controllers/fixtures/cluster_update.yaml  |   48 -
 pkg/headscalectl/apikey.go                    |  256 ----
 pkg/headscalectl/preauthkey.go                |  261 ----
 pkg/headscalectl/root.go                      |   52 -
 pkg/headscalectl/user.go                      |  254 ----
 pkg/headscalectl/util.go                      |  132 --
 pkg/tailscale-starter/root.go                 |   90 --
 pkg/tailscale-starter/util.go                 |  105 --
 pkg/tcp-proxy/metrics/metrics.go              |  118 --
 pkg/tcp-proxy/proxy/proxy.go                  |  167 ---
 pkg/test/headscale.go                         |  236 ----
 test/e2e/controllers.go                       |    1 -
 types/typescript/schema.d.ts                  |  955 ++++++++-------
 79 files changed, 1012 insertions(+), 6359 deletions(-)
 delete mode 100644 Dockerfile.headscalectl
 delete mode 100644 Dockerfile.tailscale
 delete mode 100644 Dockerfile.tcp-proxy
 delete mode 100644 charts/headscale/.helmignore
 delete mode 100644 charts/headscale/Chart.yaml
 delete mode 100644 charts/headscale/ci/test-values.yaml
 delete mode 100644 charts/headscale/templates/_helpers.tpl
 delete mode 100644 charts/headscale/templates/deployment.yaml
 delete mode 100644 charts/headscale/templates/etc/_acl_policy.yaml
 delete mode 100644 charts/headscale/templates/etc/_config.yaml
 delete mode 100644 charts/headscale/templates/etc/_derp.yaml
 delete mode 100644 charts/headscale/templates/etc/configmap.yaml
 delete mode 100644 charts/headscale/templates/ingress-grpc.yaml
 delete mode 100644 charts/headscale/templates/ingress.yaml
 delete mode 100644 charts/headscale/templates/postgres-service.yaml
 delete mode 100644 charts/headscale/templates/postgres-statefulset.yaml
 delete mode 100644 charts/headscale/templates/pvc.yaml
 delete mode 100644 charts/headscale/templates/rbac.yaml
 delete mode 100644 charts/headscale/templates/secret.yaml
 delete mode 100644 charts/headscale/templates/service.yaml
 delete mode 100644 charts/headscale/templates/serviceaccount.yaml
 delete mode 100644 charts/headscale/values.yaml
 delete mode 100644 charts/tailscale-proxy/.helmignore
 delete mode 100644 charts/tailscale-proxy/Chart.yaml
 delete mode 100644 charts/tailscale-proxy/templates/_helpers.tpl
 delete mode 100644 charts/tailscale-proxy/templates/deployment.yaml
 delete mode 100644 charts/tailscale-proxy/templates/service.yaml
 delete mode 100644 charts/tailscale-proxy/templates/serviceaccount.yaml
 delete mode 100644 charts/tailscale-proxy/values.yaml
 delete mode 100644 cmd/headscalectl/main.go
 delete mode 100644 cmd/tailscale-starter/main.go
 delete mode 100644 cmd/tcp-proxy/main.go
 delete mode 100644 pkg/clientutil/headscale.go
 delete mode 100644 pkg/controllers/cluster/headscale_access_controller.go
 delete mode 100644 pkg/controllers/cluster/headscale_access_controller_test.go
 delete mode 100644 pkg/headscalectl/apikey.go
 delete mode 100644 pkg/headscalectl/preauthkey.go
 delete mode 100644 pkg/headscalectl/root.go
 delete mode 100644 pkg/headscalectl/user.go
 delete mode 100644 pkg/headscalectl/util.go
 delete mode 100644 pkg/tailscale-starter/root.go
 delete mode 100644 pkg/tailscale-starter/util.go
 delete mode 100644 pkg/tcp-proxy/metrics/metrics.go
 delete mode 100644 pkg/tcp-proxy/proxy/proxy.go
 delete mode 100644 pkg/test/headscale.go

diff --git a/.github/labeler.yml b/.github/labeler.yml
index 74a77dd4f..2e070c99b 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -15,13 +15,6 @@ documentation:
     - README.md
     - docs/**
 
-headscale:
-- changed-files:
-  - any-glob-to-any-file:
-    - charts/headscale/**
-    - pkg/headscale/**
-    - pkg/headscalectl/**
-
 idproxy:
 - changed-files:
   - any-glob-to-any-file:
diff --git a/.github/licenserc.yaml b/.github/licenserc.yaml
index 63ec964bc..cf5906d08 100644
--- a/.github/licenserc.yaml
+++ b/.github/licenserc.yaml
@@ -37,8 +37,6 @@ header:
     - 'Makefile'
     - 'pkg/idproxy/web/**'
     - 'pkg/apis/scheme_builder.go' # Belongs to the Kubernetes authors
-    - 'cmd/tcp-proxy/main.go' # MIT License
-    - 'pkg/tcp-proxy/proxy/*.go' # MIT License
     - '**/zz_generated.deepcopy.go' # Generated by Kubebuilder
     - 'charts/**/templates/*.yaml' # license headers on helm templates are causing issues 
     
diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml
index cc0f5465f..cf01bbf7a 100644
--- a/.github/workflows/docker-build.yaml
+++ b/.github/workflows/docker-build.yaml
@@ -33,12 +33,6 @@ jobs:
             Imagename: greenhouse
           - Dockerfiles: Dockerfile.dev-env
             Imagename: greenhouse-dev-env
-          - Dockerfiles: Dockerfile.headscalectl
-            Imagename: greenhouse-headscalectl
-          - Dockerfiles: Dockerfile.tailscale
-            Imagename: greenhouse-tailscale
-          - Dockerfiles: Dockerfile.tcp-proxy
-            Imagename: greenhouse-tcp-proxy
           # - Dockerfiles: Dockerfile.dev-ui
           #   Imagename: greenhouse-dev-ui
 
@@ -151,12 +145,6 @@ jobs:
             Imagename: greenhouse
           - Dockerfiles: Dockerfile.dev-env
             Imagename: greenhouse-dev-env
-          - Dockerfiles: Dockerfile.headscalectl
-            Imagename: greenhouse-headscalectl
-          - Dockerfiles: Dockerfile.tailscale
-            Imagename: greenhouse-tailscale
-          - Dockerfiles: Dockerfile.tcp-proxy
-            Imagename: greenhouse-tcp-proxy
           # - Dockerfiles: Dockerfile.dev-ui
           #   Imagename: greenhouse-dev-ui
 
diff --git a/.github/workflows/pr-docker-build.yaml b/.github/workflows/pr-docker-build.yaml
index 5e8ce6878..deace2165 100644
--- a/.github/workflows/pr-docker-build.yaml
+++ b/.github/workflows/pr-docker-build.yaml
@@ -25,12 +25,6 @@ jobs:
             Imagename: greenhouse
           - Dockerfiles: Dockerfile.dev-env
             Imagename: greenhouse-dev-env
-          - Dockerfiles: Dockerfile.headscalectl
-            Imagename: greenhouse-headscalectl
-          - Dockerfiles: Dockerfile.tailscale
-            Imagename: greenhouse-tailscale
-          - Dockerfiles: Dockerfile.tcp-proxy
-            Imagename: greenhouse-tcp-proxy
 
     permissions:
       contents: read
diff --git a/Dockerfile.headscalectl b/Dockerfile.headscalectl
deleted file mode 100644
index 472ad8b92..000000000
--- a/Dockerfile.headscalectl
+++ /dev/null
@@ -1,26 +0,0 @@
-# Build the manager binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.23 AS builder
-
-ARG TARGETOS
-ARG TARGETARCH
-ENV CGO_ENABLED=0
-
-WORKDIR /workspace
-
-COPY Makefile .
-COPY . .
-
-# Build greenhouse operator and tooling.
-RUN --mount=type=cache,target=/go/pkg/mod \
-	--mount=type=cache,target=/root/.cache/go-build \
-	make build-headscalectl CGO_ENABLED=${CGO_ENABLED} GOOS=${TARGETOS} GOARCH=${TARGETARCH}
-
-# Use distroless as minimal base image to package the manager binary
-# Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM --platform=${BUILDPLATFORM:-linux/amd64} gcr.io/distroless/static:latest
-LABEL source_repository="https://github.com/cloudoperators/greenhouse"
-WORKDIR /
-COPY --from=builder /workspace/bin/* .
-
-RUN ["/headscalectl", "--version"]
-ENTRYPOINT ["/headscalectl"]
diff --git a/Dockerfile.tailscale b/Dockerfile.tailscale
deleted file mode 100644
index ac4246118..000000000
--- a/Dockerfile.tailscale
+++ /dev/null
@@ -1,30 +0,0 @@
-# Build the manager binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.23 AS builder
-
-ARG TARGETOS
-ARG TARGETARCH
-ENV CGO_ENABLED=0
-
-WORKDIR /workspace
-
-COPY Makefile .
-COPY . .
-
-# Build greenhouse operator and tooling.
-RUN --mount=type=cache,target=/go/pkg/mod \
-	--mount=type=cache,target=/root/.cache/go-build \
-	make build-tailscale-starter CGO_ENABLED=${CGO_ENABLED} GOOS=${TARGETOS} GOARCH=${TARGETARCH}
-
-FROM --platform=${BUILDPLATFORM:-linux/amd64} ghcr.io/tailscale/tailscale:v1.74.1
-LABEL source_repository="https://github.com/cloudoperators/greenhouse"
-
-# upgrade all installed packages to fix potential CVEs in advance
-RUN apk upgrade --no-cache --no-progress \
-  && apk del --no-cache --no-progress apk-tools alpine-keys
-
-COPY --from=builder /workspace/bin/* .
-
-RUN mkdir /tailscale && ln -s /usr/local/bin/containerboot /tailscale/run.sh
-
-RUN ["/tailscale-starter", "--version"]
-ENTRYPOINT ["/tailscale-starter"]
diff --git a/Dockerfile.tcp-proxy b/Dockerfile.tcp-proxy
deleted file mode 100644
index 00f92f4c4..000000000
--- a/Dockerfile.tcp-proxy
+++ /dev/null
@@ -1,27 +0,0 @@
-# Build the manager binary
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.23 AS builder
-
-ARG TARGETOS
-ARG TARGETARCH
-ENV CGO_ENABLED=0
-
-WORKDIR /workspace
-
-COPY Makefile .
-COPY . .
-
-# Build greenhouse operator and tooling.
-RUN --mount=type=cache,target=/go/pkg/mod \
-	--mount=type=cache,target=/root/.cache/go-build \
-	make build-tcp-proxy CGO_ENABLED=${CGO_ENABLED} GOOS=${TARGETOS} GOARCH=${TARGETARCH}
-
-# Use distroless as minimal base image to package the manager binary
-# Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM --platform=${BUILDPLATFORM:-linux/amd64} gcr.io/distroless/static:nonroot
-LABEL source_repository="https://github.com/cloudoperators/greenhouse"
-WORKDIR /
-COPY --from=builder /workspace/bin/* .
-USER 65532:65532
-
-RUN ["/tcp-proxy", "--version"]
-ENTRYPOINT ["/tcp-proxy"]
diff --git a/charts/greenhouse/Chart.lock b/charts/greenhouse/Chart.lock
index c4cb66860..f2515598e 100644
--- a/charts/greenhouse/Chart.lock
+++ b/charts/greenhouse/Chart.lock
@@ -5,12 +5,6 @@ dependencies:
 - name: cors-proxy
   repository: file://../cors-proxy
   version: 0.2.0
-- name: headscale
-  repository: file://../headscale
-  version: 0.1.3
-- name: tailscale-proxy
-  repository: file://../tailscale-proxy
-  version: 0.1.0
 - name: manager
   repository: file://../manager
   version: 0.1.6
@@ -20,5 +14,5 @@ dependencies:
 - name: demo
   repository: file://../demo
   version: 0.1.1
-digest: sha256:a9f3691f99496f2a587ab98e599c7b0cc00c0c5a6e712b75c2fc070aedd1615b
-generated: "2024-09-06T14:19:08.271429486+02:00"
+digest: sha256:fd38eac090116758caa914c00b9fb1065f08ccda7685f858007a3939ff6efbb4
+generated: "2024-10-09T11:57:04.231793+02:00"
diff --git a/charts/greenhouse/Chart.yaml b/charts/greenhouse/Chart.yaml
index 946344f87..b3ee28a38 100644
--- a/charts/greenhouse/Chart.yaml
+++ b/charts/greenhouse/Chart.yaml
@@ -5,7 +5,7 @@ apiVersion: v2
 name: greenhouse
 description: A Helm chart for deploying greenhouse
 type: application
-version: 0.2.8
+version: 0.3.0
 appVersion: "0.1.0"
 
 dependencies:
@@ -17,14 +17,6 @@ dependencies:
     name: cors-proxy
     repository: "file://../cors-proxy"
     version: 0.2.0
-  - condition: headscale.enabled
-    name: headscale
-    version: 0.1.3
-    repository: "file://../headscale"
-  - condition: tailscale-proxy.enabled
-    name: tailscale-proxy
-    version: 0.1.0
-    repository: "file://../tailscale-proxy"
   - name: manager
     version: 0.1.6
     repository: "file://../manager"
diff --git a/charts/greenhouse/ci/test-values.yaml b/charts/greenhouse/ci/test-values.yaml
index a738a2762..a949d3054 100644
--- a/charts/greenhouse/ci/test-values.yaml
+++ b/charts/greenhouse/ci/test-values.yaml
@@ -39,12 +39,6 @@ alerts:
     host: topSecret!
   endpoint: topSecret!
 
-headscale:
-  ingress:
-    host: "foo.bar"
-  postgres:
-    password: topSecret!
-
 tailscale-proxy:
   preauthkeyProvosioner:
     userName: topSecret!
diff --git a/charts/headscale/.helmignore b/charts/headscale/.helmignore
deleted file mode 100644
index 0e8a0eb36..000000000
--- a/charts/headscale/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/charts/headscale/Chart.yaml b/charts/headscale/Chart.yaml
deleted file mode 100644
index 3ae8ba184..000000000
--- a/charts/headscale/Chart.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-# SPDX-License-Identifier: Apache-2.0
-
-apiVersion: v2
-name: headscale
-description: Headscale
-type: application
-version: 0.1.3
-appVersion: 0.22.3
diff --git a/charts/headscale/ci/test-values.yaml b/charts/headscale/ci/test-values.yaml
deleted file mode 100644
index fe370158a..000000000
--- a/charts/headscale/ci/test-values.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-# SPDX-License-Identifier: Apache-2.0
-
-ingress:
-  enabled: true
-  host: headscale.example.com
-
-grpc:
-  insecure: true
-  ingress:
-    enabled: true
-    host: headscale-grpc.example.com
-
-postgres:
-  password: topSecret!
-
-oidc:
-  enabled: true
-  issuer: https://auth.greenhouse.com
-  clientID: topSecret!
-  clientSecret: topSecret!
-  allowedGroups:
-    - role:greenhouse:admin
diff --git a/charts/headscale/templates/_helpers.tpl b/charts/headscale/templates/_helpers.tpl
deleted file mode 100644
index d623670aa..000000000
--- a/charts/headscale/templates/_helpers.tpl
+++ /dev/null
@@ -1,84 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "headscale.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "headscale.fullname" -}}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "headscale.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "common.labels" -}}
-helm.sh/chart: {{ include "headscale.chart" . }}
-{{ include "common.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Headscale labels
-*/}}
-{{- define "headscale.labels" -}}
-{{- include "common.labels" .}}
-app.kubernetes.io/component: headscale
-{{- end -}}
-
-{{/*
-Common selector labels
-*/}}
-{{- define "common.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "headscale.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Headscale selector labels
-*/}}
-{{- define "headscale.selectorLabels" -}}
-{{- include "common.selectorLabels" .}}
-app.kubernetes.io/component: headscale
-{{- end -}}
-
-{{/*
-Postgres labels
-*/}}
-{{- define "postgres.labels"}}
-{{- include "common.labels" . }}
-app.kubernetes.io/component: postgres
-{{- end }}
-
-{{- define "postgres.fullname" -}}
-{{- include "headscale.fullname" . }}-postgres
-{{- end }}
-
-{{/*
-Postgres selector labels
-*/}}
-{{- define "postgres.selectorLabels" -}}
-{{- include "common.selectorLabels" . }}
-app.kubernetes.io/component: postgres
-{{- end }}
diff --git a/charts/headscale/templates/deployment.yaml b/charts/headscale/templates/deployment.yaml
deleted file mode 100644
index 1d2485d95..000000000
--- a/charts/headscale/templates/deployment.yaml
+++ /dev/null
@@ -1,122 +0,0 @@
-{{/* 
-SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-SPDX-License-Identifier: Apache-2.0
-*/}}
-
-{{- $fullName := include "headscale.fullname" . -}}
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "headscale.fullname" . }}
-  labels:
-    {{- include "headscale.labels" . | nindent 4 }}
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      {{- include "headscale.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      annotations:
-        checksum/configmap: {{ include (print $.Template.BasePath "/etc/configmap.yaml") . | sha256sum }}
-        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
-      labels:
-        {{- include "headscale.labels" . | nindent 8 }}
-    spec:
-      serviceAccountName: {{ include "headscale.fullname" . }}
-      initContainers:
-        - name: wait-for-postgres
-          image: "{{ required ".Values.postgres.image.repository missing" .Values.postgres.image.repository }}:{{ required ".Values.postgres.image.tag missing" .Values.postgres.image.tag }}"
-          command:
-          - sh
-          - -c
-          - "until pg_isready; do echo waiting for database; sleep 2; done;"
-          env:
-            - name: PGHOST
-              value: "{{ include "postgres.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local"
-            - name: PGPORT
-              value: {{ required ".Values.postgres.service.port missing" .Values.postgres.service.port | quote }}
-            - name: PGDATABASE
-              value: headscale
-            - name: PGUSER
-              value: {{ required ".Values.postgres.username missing" .Values.postgres.username }}
-            - name: PGPASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "headscale.fullname" . }}
-                  key: POSTGRES_PASSWORD
-      containers:
-        - name: headscale
-          image: "{{ required ".Values.server.image.repository missing" .Values.server.image.repository }}:{{ .Chart.AppVersion }}"
-          imagePullPolicy: {{ required ".Values.server.image.pullPolicy missing" .Values.server.image.pullPolicy }}
-          command: ["headscale", "serve"]
-          env:
-            - name: DB_PASS
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "headscale.fullname" . }}
-                  key: POSTGRES_PASSWORD
-          ports:
-            {{- range $name, $v := .Values.server.service }}
-            - name: {{ $name }}
-              protocol: TCP
-              containerPort: {{ $v.port }}
-            {{- end }}
-          livenessProbe:
-            tcpSocket:
-              port: http
-            initialDelaySeconds: 30
-            timeoutSeconds: 5
-            periodSeconds: 15
-          volumeMounts:
-            - name: config
-              mountPath: /vol/config
-            - name: secret
-              mountPath: /vol/secret
-            - name: config
-              mountPath: /etc/headscale
-            - name: data
-              mountPath: /var/lib/headscale
-            - name: socket
-              mountPath: /var/run/headscale
-        - name: headscale-ui
-          image: "{{ required ".Values.ui.image.repository missing" .Values.ui.image.repository }}:{{ required ".Values.ui.image.tag missing" .Values.ui.image.tag }}"
-          imagePullPolicy: {{ required ".Values.ui.image.pullPolicy missing" .Values.ui.image.pullPolicy }}
-          ports:
-            - name: http
-              protocol: TCP
-              containerPort: {{ required ".Values.ui.service.port missing" .Values.ui.service.port }}
-        - name: headscalectl
-          image: "{{ required ".Values.headscalectl.image.repository missing" .Values.headscalectl.image.repository }}:{{ required ".Values.headscalectl.image.tag missing" .Values.headscalectl.image.tag }}"
-          imagePullPolicy: {{ required ".Values.headscalectl.image.pullPolicy missing" .Values.headscalectl.image.pullPolicy }}
-          args:
-          - apikey
-          - create
-          - --output
-          - secret
-          - --secret-name
-          - {{ required ".Values.headscalectl.secret.name missing" .Values.headscalectl.secret.name }}
-          - --secret-namespace
-          - {{ .Release.Namespace }}
-          - --socket
-          - --socket-path
-          - /tmp/headscale.sock
-          volumeMounts:
-            - name: socket
-              mountPath: /tmp/
-      volumes:
-        - name: config
-          configMap:
-            name: {{ include "headscale.fullname" . }}-config
-        - name: secret
-          secret:
-            secretName: {{ include "headscale.fullname" . }}
-        - name: data
-          persistentVolumeClaim:
-            claimName: {{ include "headscale.fullname" . }}
-        - name: socket
-          emptyDir:
-            medium: Memory
-            sizeLimit: 10Mi
diff --git a/charts/headscale/templates/etc/_acl_policy.yaml b/charts/headscale/templates/etc/_acl_policy.yaml
deleted file mode 100644
index 41b0847eb..000000000
--- a/charts/headscale/templates/etc/_acl_policy.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-{{/* 
-SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-SPDX-License-Identifier: Apache-2.0
-*/}}
-
-{
-  "Groups":{
-    "group:admin":[
-      "manager"
-    ]
-  },
-  "TagOwners":{
-    "tag:greenhouse":[
-      "group:admin"
-    ],
-    "tag:client":[
-      "group:admin"
-    ]
-  },
-  "Hosts":{
-    "client-subnet":{{ required ".Values.clientSubnet missing" .Values.clientSubnet | quote }}
-  },
-  "ACLs":[
-    {
-      "action":"accept",
-      "src":[
-        "group:admin"
-      ],
-      "dst":[
-        "*:{{ required ".Values.server.service.http.port missing" .Values.server.service.http.port }}",
-        "*:53",
-        "*:443"
-      ]
-    },
-    {
-      "action":"accept",
-      "src":[
-        "*"
-      ],
-      "dst":[
-        "*:53",
-      ]
-    }
-  ]
-}
diff --git a/charts/headscale/templates/etc/_config.yaml b/charts/headscale/templates/etc/_config.yaml
deleted file mode 100644
index 2d216f3aa..000000000
--- a/charts/headscale/templates/etc/_config.yaml
+++ /dev/null
@@ -1,129 +0,0 @@
-{{/* 
-SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-SPDX-License-Identifier: Apache-2.0
-*/}}
-
-server_url: http://{{ required ".Values.ingress.host missing" .Values.ingress.host }}
-listen_addr: "0.0.0.0:{{ required ".Values.server.service.http.port missing" .Values.server.service.http.port }}"
-metrics_listen_addr: "127.0.0.1:{{ required ".Values.server.service.metrics.port missing" .Values.server.service.metrics.port }}"
-ephemeral_node_inactivity_timeout: "30m"
-acl_policy_path: /etc/headscale/acl.policy
-private_key_path: /var/lib/headscale/private.key
-noise:
-  private_key_path: /var/lib/headscale/noise_private.key
-
-grpc_listen_addr: "0.0.0.0:{{ required ".Values.server.service.grpc.port missing" .Values.server.service.grpc.port }}"
-grpc_allow_insecure: {{ .Values.grpc.insecure }}
-
-dns_config:
-  base_domain: {{ required ".Values.ingress.host missing" .Values.ingress.host }}
-  magic_dns: false
-  override_local_dns: true
-  {{- if and .Values.dnsConfig .Values.dnsConfig.nameservers }}
-  nameservers:
-  {{- toYaml .Values.dnsConfig.nameservers | nindent 4 }}
-  {{ end }}
-  {{- if and .Values.dnsConfig .Values.dnsConfig.restrictedNameservers }}
-  restricted_nameservers:
-  {{- toYaml .Values.dnsConfig.restrictedNameservers | nindent 4 }}
-  {{ end }}
-
-  # Search domains to inject.
-  domains: [sap,sap.corp,svc,svc.cluster.local,cluster.local]
-
-# headscale needs a list of DERP servers that can be presented
-# to the clients.
-derp:
-  server:
-    # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
-    # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
-    enabled: false
-
-    # Region ID to use for the embedded DERP server.
-    # The local DERP prevails if the region ID collides with other region ID coming from
-    # the regular DERP config.
-    region_id: 999
-
-    # Region code and name are displayed in the Tailscale UI to identify a DERP region
-    region_code: "headscale"
-    region_name: "Headscale Embedded DERP"
-
-    # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
-    # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
-    #
-    # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
-    stun_listen_addr: "0.0.0.0:3478"
-
-  # List of externally available DERP maps encoded in JSON
-  # urls:
-  #   - https://controlplane.tailscale.com/derpmap/default
-
-  # Locally available DERP map files encoded in YAML
-  #
-  # This option is mostly interesting for people hosting
-  # their own DERP servers:
-  # https://tailscale.com/kb/1118/custom-derp-servers/
-  #
-  # paths:
-  #   - /etc/headscale/derp-example.yaml
-  paths:
-    - /etc/headscale/derp.yaml
-
-  # If enabled, a worker will be set up to periodically
-  # refresh the given sources and update the derpmap
-  # will be set up.
-  auto_update_enabled: true
-
-  # How often should we check for DERP updates?
-  update_frequency: 24h
-
-# List of IP prefixes to allocate tailaddresses from.
-# Each prefix consists of either an IPv4 or IPv6 address,
-# and the associated prefix length, delimited by a slash.
-# It must be within IP ranges supported by the Tailscale
-# client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.
-# See below:
-# IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
-# IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
-# Any other range is NOT supported, and it will cause unexpected issues.
-ip_prefixes:
-  - {{ required ".Values.clientSubnet missing" .Values.clientSubnet | quote }}
-# Period to check for node updates within the tailnet. A value too low will severely affect
-# CPU consumption of Headscale. A value too high (over 60s) will cause problems
-# for the nodes, as they won't get updates or keep alive messages frequently enough.
-# In case of doubts, do not touch the default 10s.
-node_update_check_interval: 10s
-
-## Use already defined certificates:
-#tls_cert_path: /certs/tls.crt
-#tls_key_path: /certs/tls.key
-
-log:
-  # Output formatting for logs: text or json
-  format: text
-  level: info
-
-# Enabling this option makes devices prefer a random port for WireGuard traffic over the
-# default static port 41641. This option is intended as a workaround for some buggy
-# firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information.
-randomize_client_port: false
-
-# DB values.
-db_type: postgres
-db_name: headscale
-db_host: "{{ include "postgres.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local"
-db_port: {{ required ".Values.postgres.service.port missing" .Values.postgres.service.port }}
-db_user: {{ required ".Values.postgres.username missing" .Values.postgres.username }}
-# FIXME: This should be injected via DB_PASS environment variable.
-db_pass: {{ required ".Values.postgres.password missing" .Values.postgres.password }}
-
-{{ if .Values.oidc.enabled -}}
-oidc:
-  issuer: {{ required ".Values.oidc.issuer missing" .Values.oidc.issuer }}
-  client_id: {{ required ".Values.oidc.clientID missing" .Values.oidc.clientID }}
-  client_secret_path: /vol/secret/oidc_client_secret
-  {{ if .Values.oidc.allowedGroups -}}
-  allowed_groups:
-    {{- toYaml .Values.oidc.allowedGroups | nindent 4 -}}
-  {{ end }}
-{{ end }}
diff --git a/charts/headscale/templates/etc/_derp.yaml b/charts/headscale/templates/etc/_derp.yaml
deleted file mode 100644
index 6cc807d11..000000000
--- a/charts/headscale/templates/etc/_derp.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-{{/* 
-SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-SPDX-License-Identifier: Apache-2.0
-*/}}
-
-{{- if .Values.derp.enabled }}
-{{ toYaml .Values.derp}}
-{{ end }}
diff --git a/charts/headscale/templates/etc/configmap.yaml b/charts/headscale/templates/etc/configmap.yaml
deleted file mode 100644
index d7c2feb06..000000000
--- a/charts/headscale/templates/etc/configmap.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{/* 
-SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-SPDX-License-Identifier: Apache-2.0
-*/}}
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "headscale.fullname" . }}-config
-  labels:
-    {{- include "headscale.labels" . | nindent 4 }}
-
-data:
-  config.yaml: |
-    {{ include (print $.Template.BasePath "/etc/_config.yaml") . | nindent 4 }}
-
-  acl.policy: |
-    {{ include (print $.Template.BasePath "/etc/_acl_policy.yaml") . | nindent 4 }}
-
-{{- if .Values.derp.enabled }}
-  derp.yaml: |
-    {{ include (print $.Template.BasePath "/etc/_derp.yaml") . | nindent 4 }}
-{{ end }}
diff --git a/charts/headscale/templates/ingress-grpc.yaml b/charts/headscale/templates/ingress-grpc.yaml
deleted file mode 100644
index 87c5031cd..000000000
--- a/charts/headscale/templates/ingress-grpc.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-{{/* 
-SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-SPDX-License-Identifier: Apache-2.0
-*/}}
-
-{{ if .Values.grpc.ingress.enabled }}
-{{- $fullName := include "headscale.fullname" . -}}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: {{ $fullName }}-grpc
-  labels:
-    {{- include "headscale.labels" . | nindent 4 }}
-  {{- with .Values.grpc.ingress.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  ingressClassName: {{ required ".Values.grpc.ingress.className missing" .Values.grpc.ingress.className }}
-  tls:
-    - hosts:
-        - {{ .Values.grpc.ingress.host }}
-      secretName: "tls-{{ $fullName }}-grpc"
-  rules:
-    - host: {{ .Values.grpc.ingress.host }}
-      http:
-        paths:
-          - path: /
-            pathType: ImplementationSpecific
-            backend:
-              service:
-                name: {{ $fullName }}
-                port:
-                  name: grpc
-{{- end }}
diff --git a/charts/headscale/templates/ingress.yaml b/charts/headscale/templates/ingress.yaml
deleted file mode 100644
index 4b15c7082..000000000
--- a/charts/headscale/templates/ingress.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-{{/* 
-SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-SPDX-License-Identifier: Apache-2.0
-*/}}
-
-{{ if .Values.ingress.enabled }}
-{{- $fullName := include "headscale.fullname" . -}}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: {{ $fullName }}
-  labels:
-    {{- include "headscale.labels" . | nindent 4 }}
-  {{- with .Values.ingress.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-spec:
-  ingressClassName: {{ required ".Values.ingress.className missing" .Values.ingress.className }}
-  tls:
-    - hosts:
-        - {{ .Values.ingress.host }}
-      secretName: "tls-{{ $fullName }}"
-  rules:
-    - host: {{ .Values.ingress.host }}
-      http:
-        paths:
-          {{- range .Values.server.service }}
-          {{- if .path }}
-          - path: {{ .path }}
-            pathType: ImplementationSpecific
-            backend:
-              service:
-                name: {{ $fullName }}
-                port:
-                  number: {{ .port }}
-          {{- end }}
-          {{- end }}
-          - path: {{ .Values.ui.service.path }}
-            pathType: ImplementationSpecific
-            backend:
-              service:
-                name: {{ $fullName }}
-                port:
-                  number: {{ .Values.ui.service.port }}
-{{- end }}
diff --git a/charts/headscale/templates/postgres-service.yaml b/charts/headscale/templates/postgres-service.yaml
deleted file mode 100644
index f049839d3..000000000
--- a/charts/headscale/templates/postgres-service.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{/* 
-SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-SPDX-License-Identifier: Apache-2.0
-*/}}
-
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "postgres.fullname" . }}
-  labels:
-    {{- include "postgres.labels" . | nindent 4 }}
-spec:
-  selector:
-    {{- include "postgres.selectorLabels" . | nindent 4 }}
-  ports:
-    - name: postgres
-      targetPort: postgres
-      port: {{ required ".Values.postgres.service.port missing" .Values.postgres.service.port }}
diff --git a/charts/headscale/templates/postgres-statefulset.yaml b/charts/headscale/templates/postgres-statefulset.yaml
deleted file mode 100644
index c0d31b064..000000000
--- a/charts/headscale/templates/postgres-statefulset.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-{{/* 
-SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-SPDX-License-Identifier: Apache-2.0
-*/}}
-
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: {{ include "postgres.fullname" . }}
-  labels:
-    {{- include "postgres.labels" . | nindent 4 }}
-spec:
-  serviceName: {{ include "postgres.fullname" . }}
-  replicas: 1
-  selector:
-    matchLabels:
-      {{- include "postgres.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      labels:
-        {{- include "postgres.labels" . | nindent 8 }}
-    spec:
-      containers:
-        - name: postgres
-          image: "{{ required ".Values.postgres.image.repository missing" .Values.postgres.image.repository }}:{{ required ".Values.postgres.image.tag missing" .Values.postgres.image.tag }}"
-          imagePullPolicy: {{ required ".Values.postgres.image.pullPolicy missing" .Values.postgres.image.pullPolicy }}
-          env:
-            - name: PGDATA
-              value: /headscale/postgresql/data/pgdata
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ include "headscale.fullname" . }}
-                  key: POSTGRES_PASSWORD
-            - name: POSTGRES_USER
-              value: {{ required ".Values.postgres.username missing" .Values.postgres.username }}
-          ports:
-            - name: postgres
-              protocol: TCP
-              containerPort: 5432
-          livenessProbe:
-            tcpSocket:
-              port: 5432
-            initialDelaySeconds: 30
-            timeoutSeconds: 5
-            periodSeconds: 15
-          volumeMounts:
-            - name: {{ include "postgres.fullname" . }}
-              mountPath: /headscale/postgresql
-              subPath: data
-  volumeClaimTemplates:
-    - metadata:
-        name: {{ include "postgres.fullname" . }}
-      spec:
-        accessModes: ["ReadWriteOnce"]
-        resources:
-          requests:
-            storage: {{ required ".Values.postgres.pvc.storage missing" .Values.postgres.pvc.storage }}
diff --git a/charts/headscale/templates/pvc.yaml b/charts/headscale/templates/pvc.yaml
deleted file mode 100644
index 2978d497f..000000000
--- a/charts/headscale/templates/pvc.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-{{/* 
-SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-SPDX-License-Identifier: Apache-2.0
-*/}}
-
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: {{ include "headscale.fullname" . }}
-  labels:
-    {{- include "headscale.labels" . | nindent 4 }}
-spec:
-  storageClassName: default
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: {{ required ".Values.server.pvc.storage missing" .Values.server.pvc.storage }}
diff --git a/charts/headscale/templates/rbac.yaml b/charts/headscale/templates/rbac.yaml
deleted file mode 100644
index a3045ded0..000000000
--- a/charts/headscale/templates/rbac.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-{{/* 
-SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-SPDX-License-Identifier: Apache-2.0
-*/}}
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ include "headscale.fullname" . }}-role
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - patch
-  - create
-  - update
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ include "headscale.fullname" . }}-rbac
-  labels:
-  {{- include "headscale.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: '{{ include "headscale.fullname" . }}-role'
-subjects:
-- kind: ServiceAccount
-  name: {{ include "headscale.fullname" . }}
-  namespace: {{ .Release.Namespace }}
diff --git a/charts/headscale/templates/secret.yaml b/charts/headscale/templates/secret.yaml
deleted file mode 100644
index cfd0cdabb..000000000
--- a/charts/headscale/templates/secret.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-{{/* 
-SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-SPDX-License-Identifier: Apache-2.0
-*/}}
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "headscale.fullname" . }}
-  labels:
-    {{- include "headscale.labels" . | nindent 4 }}
-data:
-  POSTGRES_PASSWORD: {{ required ".Values.postgres.password missing" .Values.postgres.password | b64enc }}
-  {{ if .Values.oidc.enabled }}
-  oidc_client_secret: {{ required ".Values.oidc.clientSecret missing" .Values.oidc.clientSecret | b64enc }}
-  {{ end }}
diff --git a/charts/headscale/templates/service.yaml b/charts/headscale/templates/service.yaml
deleted file mode 100644
index 544ca7a10..000000000
--- a/charts/headscale/templates/service.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-{{/* 
-SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-SPDX-License-Identifier: Apache-2.0
-*/}}
-
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "headscale.fullname" . }}
-  labels:
-    {{- include "headscale.labels" . | nindent 4 }}
-spec:
-  type: ClusterIP
-  ports:
-    {{- range $name, $v := .Values.server.service }}
-    - name: {{ $name }}
-      port: {{ $v.port }}
-      targetPort: {{ $v.port }}
-      protocol: TCP
-    {{- end }}
-    - name: ui
-      port: {{ required ".Values.ui.service.port missing" .Values.ui.service.port }}
-      targetPort: {{ required ".Values.ui.service.port missing" .Values.ui.service.port }}
-      protocol: TCP
-  selector:
-    {{- include "headscale.selectorLabels" . | nindent 4 }}
diff --git a/charts/headscale/templates/serviceaccount.yaml b/charts/headscale/templates/serviceaccount.yaml
deleted file mode 100644
index aa93bd1c9..000000000
--- a/charts/headscale/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-{{/* 
-SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-SPDX-License-Identifier: Apache-2.0
-*/}}
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "headscale.fullname" . }}
-  labels:
-    {{- include "headscale.labels" . | nindent 4 }}
diff --git a/charts/headscale/values.yaml b/charts/headscale/values.yaml
deleted file mode 100644
index a9174f361..000000000
--- a/charts/headscale/values.yaml
+++ /dev/null
@@ -1,98 +0,0 @@
-# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-# SPDX-License-Identifier: Apache-2.0
-
-# Headscale coordination server.
-server:
-  image:
-    repository: juanfont/headscale
-    pullPolicy: IfNotPresent
-
-  # Services with a path will be included in the ingress routes.
-  service:
-    http:
-      port: 8080
-      path: /
-    grpc:
-      port: 50443
-    derp:
-      port: 3478
-    metrics:
-      port: 9090
-
-  pvc:
-    storage: 1Gi
-
-ui:
-  image:
-    repository: ghcr.io/gurucomputing/headscale-ui
-    tag: 2023.01.30-beta-1
-    pullPolicy: IfNotPresent
-  service:
-    port: 80
-    path: /web
-
-headscalectl:
-  image:
-    repository: ghcr.io/cloudoperators/greenhouse-headscalectl
-    tag: main
-    pullPolicy: Always
-  secret:
-    name: tailscale-auth
-
-ingress:
-  enabled: true
-  host:
-  className: nginx
-  annotations:
-    disco: "true"
-    kubernetes.io/tls-acme: "true"
-
-grpc:
-  insecure: false
-  ingress:
-    enabled: false
-    host:
-    className: nginx
-    annotations:
-      disco: "true"
-      kubernetes.io/tls-acme: "true"
-      nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
-      nginx.ingress.kubernetes.io/ssl-redirect: "true"
-
-postgres:
-  username: headscale
-  # Mandatory password to be supplied via secrets.
-  password:
-
-  service:
-    port: 5432
-
-  image:
-    repository: postgres
-    tag: 16.4
-    pullPolicy: IfNotPresent
-
-  pvc:
-    storage: 1Gi
-
-oidc:
-  enabled: false
-  issuer:
-  clientID:
-  clientSecret:
-  allowedGroups:
-    - role:greenhouse:admin
-
-derp:
-  enabled: false
-
-# IP prefixes to allocate tailaddresses from.
-clientSubnet: 1.2.3.4/5
-
-# Headscale DNS configuration.
-dnsConfig:
-  nameservers: []
-    # - 1.1.1.1
-  restrictedNameservers: {}
-    # nameserver1:
-    #  - 1.1.1.1
diff --git a/charts/manager/crds/greenhouse.sap_clusters.yaml b/charts/manager/crds/greenhouse.sap_clusters.yaml
index fb851295b..c25b8c50e 100644
--- a/charts/manager/crds/greenhouse.sap_clusters.yaml
+++ b/charts/manager/crds/greenhouse.sap_clusters.yaml
@@ -57,7 +57,6 @@ spec:
                   the Greenhouse operator.
                 enum:
                 - direct
-                - headscale
                 type: string
             required:
             - accessMode
@@ -70,53 +69,6 @@ spec:
                   timestamp of the bearer token used to access the cluster.
                 format: date-time
                 type: string
-              headScaleStatus:
-                description: HeadScaleStatus contains the current status of the headscale
-                  client.
-                properties:
-                  createdAt:
-                    format: date-time
-                    type: string
-                  expiry:
-                    format: date-time
-                    type: string
-                  forcedTags:
-                    items:
-                      type: string
-                    type: array
-                  id:
-                    format: int64
-                    type: integer
-                  ipAddresses:
-                    items:
-                      type: string
-                    type: array
-                  name:
-                    type: string
-                  online:
-                    type: boolean
-                  preAuthKey:
-                    description: PreAuthKey reflects the status of the pre-authentication
-                      key used by the Headscale machine.
-                    properties:
-                      createdAt:
-                        format: date-time
-                        type: string
-                      ephemeral:
-                        type: boolean
-                      expiration:
-                        format: date-time
-                        type: string
-                      id:
-                        type: string
-                      reusable:
-                        type: boolean
-                      used:
-                        type: boolean
-                      user:
-                        type: string
-                    type: object
-                type: object
               kubernetesVersion:
                 description: KubernetesVersion reflects the detected Kubernetes version
                   of the cluster.
diff --git a/charts/manager/templates/deployment.yaml b/charts/manager/templates/deployment.yaml
index cbf74b4eb..cec2d1274 100644
--- a/charts/manager/templates/deployment.yaml
+++ b/charts/manager/templates/deployment.yaml
@@ -52,17 +52,6 @@ spec:
               containerName: manager
               divisor: "0"
               resource: limits.cpu
-        {{- if .Values.headscale.enabled }}
-        - name: HEADSCALE_API_URL
-          value: {{ required ".Values.headscale.apiURL missing" .Values.headscale.apiURL }}
-        - name: HEADSCALE_API_KEY
-          valueFrom:
-            secretKeyRef:
-              name: {{ required ".Values.headscale.apiKeySecret missing" .Values.headscale.apiKeySecret }}
-              key: HEADSCALE_CLI_API_KEY
-        - name: TAILSCALE_PROXY
-          value: {{ required ".Values.headscale.proxyURL missing" .Values.headscale.proxyURL }}
-        {{ end }}
         image: {{ .Values.controllerManager.image.repository }}:{{ .Values.controllerManager.image.tag | default .Chart.AppVersion }}
         livenessProbe:
           httpGet:
diff --git a/charts/manager/values.yaml b/charts/manager/values.yaml
index 68e9a6e6c..c085f4ab4 100644
--- a/charts/manager/values.yaml
+++ b/charts/manager/values.yaml
@@ -6,13 +6,6 @@ nameOverride: greenhouse
 alerts:
   enabled: true
 
-# TODO: Move to globals to share with headscale chart
-headscale:
-  enabled: false
-  apiURL:
-  apiKeySecret: tailscale-auth
-  proxyURL: socks5://greenhouse-tailscale-proxy.greenhouse.svc.cluster.local:1055
-
 controllerManager:
   containerSecurityContext:
     allowPrivilegeEscalation: false
diff --git a/charts/tailscale-proxy/.helmignore b/charts/tailscale-proxy/.helmignore
deleted file mode 100644
index 0e8a0eb36..000000000
--- a/charts/tailscale-proxy/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/charts/tailscale-proxy/Chart.yaml b/charts/tailscale-proxy/Chart.yaml
deleted file mode 100644
index 92eafe72a..000000000
--- a/charts/tailscale-proxy/Chart.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-# SPDX-License-Identifier: Apache-2.0
-
-apiVersion: v2
-name: tailscale-proxy
-description: A Helm chart to deploy tailscale with userspace networking which exposes a socks5 and an http proxy
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
-appVersion: "1.50.1"
diff --git a/charts/tailscale-proxy/templates/_helpers.tpl b/charts/tailscale-proxy/templates/_helpers.tpl
deleted file mode 100644
index 52135ff15..000000000
--- a/charts/tailscale-proxy/templates/_helpers.tpl
+++ /dev/null
@@ -1,62 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "tailscale-proxy.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "tailscale-proxy.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "tailscale-proxy.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "tailscale-proxy.labels" -}}
-helm.sh/chart: {{ include "tailscale-proxy.chart" . }}
-{{ include "tailscale-proxy.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "tailscale-proxy.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "tailscale-proxy.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "tailscale-proxy.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "tailscale-proxy.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
diff --git a/charts/tailscale-proxy/templates/deployment.yaml b/charts/tailscale-proxy/templates/deployment.yaml
deleted file mode 100644
index 693ccd136..000000000
--- a/charts/tailscale-proxy/templates/deployment.yaml
+++ /dev/null
@@ -1,156 +0,0 @@
-{{/* 
-SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-SPDX-License-Identifier: Apache-2.0
-*/}}
-
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: {{ include "tailscale-proxy.fullname" . }}
-  labels:
-    {{- include "tailscale-proxy.labels" . | nindent 4 }}
-spec:
-  replicas: {{ .Values.replicaCount }}
-  selector:
-    matchLabels:
-      {{- include "tailscale-proxy.selectorLabels" . | nindent 6 }}
-  template:
-    metadata:
-      {{- with .Values.podAnnotations }}
-      annotations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      labels:
-        {{- include "tailscale-proxy.selectorLabels" . | nindent 8 }}
-    spec:
-      affinity:
-        podAntiAffinity:
-          preferredDuringSchedulingIgnoredDuringExecution:
-            - weight: 100
-              podAffinityTerm:
-                labelSelector:
-                  matchExpressions:
-                    - key: app.kubernetes.io/name
-                      operator: In
-                      values:
-                        - {{ include "tailscale-proxy.name" . }}
-                topologyKey: "kubernetes.io/hostname"
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      serviceAccountName: {{ include "tailscale-proxy.serviceAccountName" . }}
-      initContainers:
-        - name: preauthkey-provisioner
-          image: "{{ .Values.preauthkeyProvosioner.image.repository }}:{{ .Values.preauthkeyProvosioner.image.tag}}"
-          imagePullPolicy: {{ .Values.preauthkeyProvosioner.image.pullPolicy }}
-          args:
-            - "preauthkey"
-            - "create" 
-            {{- with .Values.preauthkeyProvosioner.ephemeral }}
-            - "--ephemeral"
-            {{- end }}
-            {{- with .Values.preauthkeyProvosioner.reusable }}
-            - "--reusable"
-            {{- end }}
-            {{- with .Values.preauthkeyProvosioner.force }}
-            - "--force"
-            {{- end }}
-            {{- with .Values.preauthkeyProvosioner.keyExpiration }}
-            - "--expiration"
-            - "{{ $.Values.preauthkeyProvosioner.keyExpiration }}"
-            {{- end }}
-            {{- with .Values.preauthkeyProvosioner.tags }}
-            - "--tags"
-            - "{{ $.Values.preauthkeyProvosioner.tags }}"
-            {{- end }}
-            - "-u"
-            - "{{ required ".Values.preauthkeyProvosioner.userName missing" .Values.preauthkeyProvosioner.userName }}" 
-            - "--file"
-            - "/preauthkey/key"
-          env:
-            - name: POD_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-            - name: HEADSCALE_CLI_ADDRESS
-              value: {{ .Values.preauthkeyProvosioner.uri }}
-            - name: HEADSCALE_CLI_API_KEY
-              valueFrom:
-                secretKeyRef:
-                  key: HEADSCALE_CLI_API_KEY
-                  name: {{ .Values.headscale.authkeySecret }}
-          volumeMounts:
-            - mountPath: /preauthkey
-              name: preauthkey
-              readOnly: false
-      containers:
-      - env:
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              apiVersion: v1
-              fieldPath: metadata.namespace
-        - name: TS_ACCEPT_DNS
-          value: "false"
-        # Store the state in memory instead of a secret            
-        - name: TS_KUBE_SECRET
-          value: ""
-        - name: TS_STATE_DIR
-          value: /preauthkey/state
-        - name: TS_USERSPACE
-          value: "true"
-        - name: TS_EXTRA_ARGS
-          value: --login-server {{ .Values.headscale.uri }}
-        - name: TS_TAILSCALED_EXTRA_ARGS
-          value: '--state=mem: --no-logs-no-support --debug=:8080'
-        - name: TS_SOCKS5_SERVER
-          value: :{{ .Values.service.socks5.port }}
-        - name: TS_OUTBOUND_HTTP_PROXY_LISTEN
-          value: :{{ .Values.service.httpproxy.port }}
-        args:
-        - --socket
-        - /tmp/tailscaled.sock
-        image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-        imagePullPolicy: {{ .Values.image.pullPolicy }}
-        name: {{ .Chart.Name }}
-        securityContext:
-          {{- toYaml .Values.securityContext | nindent 12 }}
-        ports:
-        {{- range $name, $v := .Values.service }}
-        - name: {{ $name }}
-          protocol: TCP
-          containerPort: {{ $v.port }}
-        {{- end }}
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: 8090
-          initialDelaySeconds: 10
-          periodSeconds: 5
-          timeoutSeconds: 5
-          failureThreshold: 5
-          successThreshold: 1
-        volumeMounts:
-          - mountPath: /preauthkey
-            name: preauthkey
-            readOnly: false
-        terminationMessagePath: /dev/termination-log
-        resources:
-          {{- toYaml .Values.resources | nindent 12 }}
-      dnsPolicy: ClusterFirst
-      securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      terminationGracePeriodSeconds: 10
-      volumes:
-        - name: preauthkey
-          emptyDir:
-            medium: Memory
-      {{- with .Values.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
\ No newline at end of file
diff --git a/charts/tailscale-proxy/templates/service.yaml b/charts/tailscale-proxy/templates/service.yaml
deleted file mode 100644
index 84005abac..000000000
--- a/charts/tailscale-proxy/templates/service.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-{{/* 
-SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-SPDX-License-Identifier: Apache-2.0
-*/}}
-
-apiVersion: v1
-kind: Service
-metadata:
-  name: {{ include "tailscale-proxy.fullname" . }}
-  labels:
-    {{- include "tailscale-proxy.labels" . | nindent 4 }}
-spec:
-  type: {{ .Values.serviceType }}
-  ports:
-    {{- range $name, $x := $.Values.service }}
-    - name: {{ $name }}
-      port: {{ $x.port }}
-      targetPort: {{ $x.port }}
-      protocol: TCP
-    {{- end }}
-  selector:
-    {{- include "tailscale-proxy.selectorLabels" . | nindent 4 }}
diff --git a/charts/tailscale-proxy/templates/serviceaccount.yaml b/charts/tailscale-proxy/templates/serviceaccount.yaml
deleted file mode 100644
index 0da7f218d..000000000
--- a/charts/tailscale-proxy/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-{{/* 
-SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-SPDX-License-Identifier: Apache-2.0
-*/}}
-
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "tailscale-proxy.serviceAccountName" . }}
-  labels:
-    {{- include "tailscale-proxy.labels" . | nindent 4 }}
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-{{- end }}
diff --git a/charts/tailscale-proxy/values.yaml b/charts/tailscale-proxy/values.yaml
deleted file mode 100644
index bc68781a7..000000000
--- a/charts/tailscale-proxy/values.yaml
+++ /dev/null
@@ -1,84 +0,0 @@
-# SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-# SPDX-License-Identifier: Apache-2.0
-
-# Default values for tailscale-proxy
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-replicaCount: 2
-
-image:
-  repository: ghcr.io/cloudoperators/greenhouse-tailscale
-  pullPolicy: IfNotPresent
-  tag: main
-
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-
-serviceAccount:
-  # Specifies whether a service account should be created
-  create: false
-  # Annotations to add to the service account
-  annotations: {}
-  # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
-  name: ""
-
-podAnnotations: {}
-
-podSecurityContext: {}
-  # fsGroup: 2000
-
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
-
-serviceType: ClusterIP
-
-service:
-  socks5:
-    port: 1055
-  httpproxy:
-    port: 1066
-  metrics:
-    port: 8080
-
-resources: {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
-
-nodeSelector: {}
-
-tolerations: []
-
-headscale:
-  # uri: headscale controller url with http:// or https://
-  uri:
-  authkeySecret: tailscale-auth
-
-preauthkeyProvosioner:
-  uri:
-  userName:
-  # tags: comma separated list of tags
-  tags:
-  # keyExpiration: 1h, 1d, ...
-  keyExpiration:
-  ephemeral: true
-  reusable: false
-  image:
-    repository: ghcr.io/cloudoperators/greenhouse-headscalectl
-    pullPolicy: IfNotPresent
-    tag: main
diff --git a/cmd/greenhouse/controllers.go b/cmd/greenhouse/controllers.go
index 81983b294..3dd606079 100644
--- a/cmd/greenhouse/controllers.go
+++ b/cmd/greenhouse/controllers.go
@@ -6,7 +6,6 @@ package main
 import (
 	"os"
 	"sort"
-	"time"
 
 	ctrl "sigs.k8s.io/controller-runtime"
 
@@ -54,8 +53,7 @@ var knownControllers = map[string]func(controllerName string, mgr ctrl.Manager)
 	"bootStrap":           (&clustercontrollers.BootstrapReconciler{}).SetupWithManager,
 	"clusterDirectAccess": startClusterDirectAccessReconciler,
 	// "clusterPropagation":     (&clustercontrollers.ClusterPropagationReconciler{}).SetupWithManager,
-	"clusterHeadscaleAccess": startClusterHeadscaleAccessReconciler,
-	"clusterStatus":          (&clustercontrollers.ClusterStatusReconciler{}).SetupWithManager,
+	"clusterStatus": (&clustercontrollers.ClusterStatusReconciler{}).SetupWithManager,
 }
 
 // knownControllers lists the name of known controllers.
@@ -99,31 +97,3 @@ func startClusterDirectAccessReconciler(name string, mgr ctrl.Manager) error {
 		RenewRemoteClusterBearerTokenAfter: renewRemoteClusterBearerTokenAfter,
 	}).SetupWithManager(name, mgr)
 }
-
-func startClusterHeadscaleAccessReconciler(name string, mgr ctrl.Manager) error {
-	if renewRemoteClusterBearerTokenAfter > remoteClusterBearerTokenValidity {
-		setupLog.Info("WARN: remoteClusterBearerTokenValidity is less than renewRemoteClusterBearerTokenAfter")
-		setupLog.Info("Setting renewRemoteClusterBearerTokenAfter to half of remoteClusterBearerTokenValidity")
-		renewRemoteClusterBearerTokenAfter = remoteClusterBearerTokenValidity / 2
-	}
-	if headscaleAPIKey == "" || headscaleAPIURL == "" {
-		setupLog.Info("WARN: headscaleApiKey or headscaleApiUrl is not set")
-		setupLog.Info("Skipping headscale access reconciler")
-		return nil
-	}
-
-	if tailscaleProxy == "" {
-		setupLog.Info("WARN: tailscaleProxy is not set")
-		setupLog.Info("Skipping headscale access reconciler")
-		return nil
-	}
-
-	return (&clustercontrollers.HeadscaleAccessReconciler{
-		HeadscaleAPIKey:                          headscaleAPIKey,
-		HeadscaleGRPCURL:                         headscaleAPIURL,
-		TailscaleProxy:                           tailscaleProxy,
-		HeadscalePreAuthenticationKeyMinValidity: 8 * time.Hour,
-		RemoteClusterBearerTokenValidity:         remoteClusterBearerTokenValidity,
-		RenewRemoteClusterBearerTokenAfter:       renewRemoteClusterBearerTokenAfter,
-	}).SetupWithManager(name, mgr)
-}
diff --git a/cmd/greenhouse/main.go b/cmd/greenhouse/main.go
index 0971ac086..4b0994e38 100644
--- a/cmd/greenhouse/main.go
+++ b/cmd/greenhouse/main.go
@@ -55,9 +55,6 @@ var (
 	setupLog = ctrl.Log.WithName("setup")
 
 	enabledControllers []string
-	headscaleAPIURL,
-	headscaleAPIKey,
-	tailscaleProxy string
 	remoteClusterBearerTokenValidity,
 	renewRemoteClusterBearerTokenAfter time.Duration
 	kubeClientOpts clientutil.RuntimeOptions
@@ -85,15 +82,6 @@ func main() {
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081",
 		"The address the probe endpoint binds to.")
 
-	flag.StringVar(&headscaleAPIURL, "headscale-api-url", clientutil.GetEnvOrDefault("HEADSCALE_API_URL", ""),
-		"Headscale API URL.(format https://<url>) Can be set via HEADSCALE_API_URL env var")
-
-	flag.StringVar(&headscaleAPIKey, "headscale-api-key", clientutil.GetEnvOrDefault("HEADSCALE_API_KEY", ""),
-		"Headscale API KEY. Can be set via HEADSCALE_API_KEY env var")
-
-	flag.StringVar(&tailscaleProxy, "tailscale-proxy", clientutil.GetEnvOrDefault("TAILSCALE_PROXY", ""),
-		"Tailscale proxy to be used by Greenhouse in case of type the communication is not direct. Can be set via TAILSCALE_PROXY env var")
-
 	flag.DurationVar(&remoteClusterBearerTokenValidity, "remote-cluster-bearer-token-validity", defaultRemoteClusterBearerTokenValidity,
 		"Validity of the bearer token we request to access the remote clusters")
 
diff --git a/cmd/headscalectl/main.go b/cmd/headscalectl/main.go
deleted file mode 100644
index 0de6adf24..000000000
--- a/cmd/headscalectl/main.go
+++ /dev/null
@@ -1,12 +0,0 @@
-// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-// SPDX-License-Identifier: Apache-2.0
-
-package main
-
-import (
-	"github.com/cloudoperators/greenhouse/pkg/headscalectl"
-)
-
-func main() {
-	headscalectl.Execute()
-}
diff --git a/cmd/tailscale-starter/main.go b/cmd/tailscale-starter/main.go
deleted file mode 100644
index fbdd99dc1..000000000
--- a/cmd/tailscale-starter/main.go
+++ /dev/null
@@ -1,10 +0,0 @@
-// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-// SPDX-License-Identifier: Apache-2.0
-
-package main
-
-import tailscalestarter "github.com/cloudoperators/greenhouse/pkg/tailscale-starter"
-
-func main() {
-	tailscalestarter.Execute()
-}
diff --git a/cmd/tcp-proxy/main.go b/cmd/tcp-proxy/main.go
deleted file mode 100644
index d3179c411..000000000
--- a/cmd/tcp-proxy/main.go
+++ /dev/null
@@ -1,114 +0,0 @@
-/*******************************************************************************
-* MIT License
-*
-* Copyright (c) 2020 dev@jpillora.com
-*
-* Permission is hereby granted, free of charge, to any person obtaining a copy
-* of this software and associated documentation files (the "Software"), to deal
-* in the Software without restriction, including without limitation the rights
-* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-* copies of the Software, and to permit persons to whom the Software is
-* furnished to do so, subject to the following conditions:
-*
-* The above copyright notice and this permission notice shall be included in all
-* copies or substantial portions of the Software.
-*
-* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-* SOFTWARE.
-*******************************************************************************/
-
-package main
-
-import (
-	goflag "flag"
-	"fmt"
-	"net"
-	"os"
-
-	"github.com/prometheus/client_golang/prometheus"
-	flag "github.com/spf13/pflag"
-	"k8s.io/klog/v2"
-
-	"github.com/cloudoperators/greenhouse/pkg/tcp-proxy/metrics"
-	"github.com/cloudoperators/greenhouse/pkg/tcp-proxy/proxy"
-	"github.com/cloudoperators/greenhouse/pkg/version"
-)
-
-var (
-	localAddr     = flag.String("l", ":443", "local address")
-	remoteAddr    = flag.String("r", fmt.Sprintf("%s:%s", "kubernetes.default.svc.cluster.local", os.Getenv("KUBERNETES_SERVICE_PORT_HTTPS")), "remote address")
-	metricAddress = flag.String("metrics", "127.0.0.1:3002", "IP address and port number to expose prometheus metrics on")
-	hex           = flag.Bool("h", false, "output hex")
-	unwrapTLS     = flag.Bool("unwrap-tls", false, "remote connection with TLS exposed unencrypted locally")
-)
-
-func init() {
-	prometheus.MustRegister(metrics.InboundConnCounter)
-	prometheus.MustRegister(metrics.OutboundConnCounter)
-	prometheus.MustRegister(metrics.InboundBytesCounter)
-	prometheus.MustRegister(metrics.OutboundBytesCounter)
-	prometheus.MustRegister(metrics.ActiveInboundConnGauge)
-	prometheus.MustRegister(metrics.ActiveOutboundConnGauge)
-}
-
-func main() {
-	goFlagSet := goflag.CommandLine
-	flag.CommandLine.AddGoFlagSet(goFlagSet)
-	flag.Parse()
-	version.ShowVersionAndExit("tcp-proxy")
-
-	klog.Infof("tcp-proxy proxing from %v to %v ", *localAddr, *remoteAddr)
-
-	laddr, err := net.ResolveTCPAddr("tcp", *localAddr)
-	if err != nil {
-		klog.Errorf("Failed to resolve local address: %s", err)
-		os.Exit(1)
-	}
-
-	_, err = net.LookupIP(*remoteAddr)
-	if err != nil {
-		klog.Errorf("Failed to resolve remote address: %s", err)
-		klog.Infof("Fallback to KUBERNETES_SERVICE_HOST env variable")
-		*remoteAddr = fmt.Sprintf("%s:%s", os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT_HTTPS"))
-	}
-
-	raddr, err := net.ResolveTCPAddr("tcp", *remoteAddr)
-	if err != nil {
-		klog.Errorf("Failed to resolve remote address: %s", err)
-		os.Exit(1)
-	}
-	listener, err := net.ListenTCP("tcp", laddr)
-	if err != nil {
-		klog.Errorf("Failed to open local port to listen: %s", err)
-		os.Exit(1)
-	}
-
-	prom := metrics.Helper{}
-	go prom.StartMetricsServer(*metricAddress)
-
-	for {
-		conn, err := listener.AcceptTCP()
-		if err != nil {
-			klog.Errorf("Failed to accept connection '%s'", err)
-			continue
-		}
-
-		var p *proxy.Proxy
-		if *unwrapTLS {
-			klog.Info("Unwrapping TLS")
-			p = proxy.NewTLSUnwrapped(conn, laddr, raddr, *remoteAddr)
-		} else {
-			p = proxy.New(conn, laddr, raddr)
-		}
-
-		p.OutputHex = *hex
-
-		metrics.IncrementActiveInboundGauge()
-		go p.Start()
-	}
-}
diff --git a/docs/contribute/local-dev.md b/docs/contribute/local-dev.md
index 6354cb948..26e84d101 100644
--- a/docs/contribute/local-dev.md
+++ b/docs/contribute/local-dev.md
@@ -110,8 +110,6 @@ docker run --network host -e KUBECONFIG=/envtest/kubeconfig -v ./envtest:/envtes
 
 See all available flags [here](https://github.com/cloudoperators/greenhouse/blob/main/cmd/greenhouse/main.go#L59-L87).
 
-Note that not setting `headscaleAPIURL`, `headscaleAPIKey` or `tailscaleProxy` will prevent running the [headscale access controller](https://github.com/cloudoperators/greenhouse/blob/main/pkg/controllers/cluster/headscale_access_controller.go).
-
 ## Greenhouse UI
 
 Build the latest `dev-ui` image by running:
diff --git a/docs/reference/api/index.html b/docs/reference/api/index.html
index d39182474..22c97391d 100644
--- a/docs/reference/api/index.html
+++ b/docs/reference/api/index.html
@@ -730,19 +730,6 @@ <h3 id="greenhouse.sap/v1alpha1.ClusterStatus">ClusterStatus
 </tr>
 <tr>
 <td>
-<code>headScaleStatus</code><br>
-<em>
-<a href="#greenhouse.sap/v1alpha1.HeadScaleMachineStatus">
-HeadScaleMachineStatus
-</a>
-</em>
-</td>
-<td>
-<p>HeadScaleStatus contains the current status of the headscale client.</p>
-</td>
-</tr>
-<tr>
-<td>
 <code>statusConditions</code><br>
 <em>
 <a href="#greenhouse.sap/v1alpha1.StatusConditions">
@@ -870,113 +857,6 @@ <h3 id="greenhouse.sap/v1alpha1.ConditionType">ConditionType
 <a href="#greenhouse.sap/v1alpha1.Condition">Condition</a>)
 </p>
 <p>ConditionType is a valid condition of a resource.</p>
-<h3 id="greenhouse.sap/v1alpha1.HeadScaleMachineStatus">HeadScaleMachineStatus
-</h3>
-<p>
-(<em>Appears on:</em>
-<a href="#greenhouse.sap/v1alpha1.ClusterStatus">ClusterStatus</a>)
-</p>
-<p>HeadScaleMachineStatus is the status of a Headscale machine.</p>
-<div class="md-typeset__scrollwrap">
-<div class="md-typeset__table">
-<table>
-<thead>
-<tr>
-<th>Field</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr>
-<td>
-<code>id</code><br>
-<em>
-uint64
-</em>
-</td>
-<td>
-</td>
-</tr>
-<tr>
-<td>
-<code>ipAddresses</code><br>
-<em>
-[]string
-</em>
-</td>
-<td>
-</td>
-</tr>
-<tr>
-<td>
-<code>name</code><br>
-<em>
-string
-</em>
-</td>
-<td>
-</td>
-</tr>
-<tr>
-<td>
-<code>expiry</code><br>
-<em>
-<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#time-v1-meta">
-Kubernetes meta/v1.Time
-</a>
-</em>
-</td>
-<td>
-</td>
-</tr>
-<tr>
-<td>
-<code>createdAt</code><br>
-<em>
-<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#time-v1-meta">
-Kubernetes meta/v1.Time
-</a>
-</em>
-</td>
-<td>
-</td>
-</tr>
-<tr>
-<td>
-<code>forcedTags</code><br>
-<em>
-[]string
-</em>
-</td>
-<td>
-</td>
-</tr>
-<tr>
-<td>
-<code>preAuthKey</code><br>
-<em>
-<a href="#greenhouse.sap/v1alpha1.PreAuthKey">
-PreAuthKey
-</a>
-</em>
-</td>
-<td>
-</td>
-</tr>
-<tr>
-<td>
-<code>online</code><br>
-<em>
-bool
-</em>
-</td>
-<td>
-</td>
-</tr>
-</tbody>
-</table>
-</div>
-</div>
 <h3 id="greenhouse.sap/v1alpha1.HelmChartReference">HelmChartReference
 </h3>
 <p>
@@ -2391,101 +2271,6 @@ <h3 id="greenhouse.sap/v1alpha1.PluginStatus">PluginStatus
 </table>
 </div>
 </div>
-<h3 id="greenhouse.sap/v1alpha1.PreAuthKey">PreAuthKey
-</h3>
-<p>
-(<em>Appears on:</em>
-<a href="#greenhouse.sap/v1alpha1.HeadScaleMachineStatus">HeadScaleMachineStatus</a>)
-</p>
-<p>PreAuthKey reflects the status of the pre-authentication key used by the Headscale machine.</p>
-<div class="md-typeset__scrollwrap">
-<div class="md-typeset__table">
-<table>
-<thead>
-<tr>
-<th>Field</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr>
-<td>
-<code>id</code><br>
-<em>
-string
-</em>
-</td>
-<td>
-</td>
-</tr>
-<tr>
-<td>
-<code>user</code><br>
-<em>
-string
-</em>
-</td>
-<td>
-</td>
-</tr>
-<tr>
-<td>
-<code>reusable</code><br>
-<em>
-bool
-</em>
-</td>
-<td>
-</td>
-</tr>
-<tr>
-<td>
-<code>ephemeral</code><br>
-<em>
-bool
-</em>
-</td>
-<td>
-</td>
-</tr>
-<tr>
-<td>
-<code>used</code><br>
-<em>
-bool
-</em>
-</td>
-<td>
-</td>
-</tr>
-<tr>
-<td>
-<code>createdAt</code><br>
-<em>
-<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#time-v1-meta">
-Kubernetes meta/v1.Time
-</a>
-</em>
-</td>
-<td>
-</td>
-</tr>
-<tr>
-<td>
-<code>expiration</code><br>
-<em>
-<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#time-v1-meta">
-Kubernetes meta/v1.Time
-</a>
-</em>
-</td>
-<td>
-</td>
-</tr>
-</tbody>
-</table>
-</div>
-</div>
 <h3 id="greenhouse.sap/v1alpha1.PropagationStatus">PropagationStatus
 </h3>
 <p>
diff --git a/docs/reference/api/openapi.yaml b/docs/reference/api/openapi.yaml
index dc5e3752e..43e51dabb 100755
--- a/docs/reference/api/openapi.yaml
+++ b/docs/reference/api/openapi.yaml
@@ -1,7 +1,7 @@
 openapi: 3.0.0
 info:
   title: Greenhouse
-  version: 2fe4054
+  version: b6c8a6d
   description: PlusOne operations platform
 paths:
   /Organization:
@@ -9,21 +9,21 @@ paths:
       responses:
         default:
           description: Organization
-  /Plugin:
+  /ClusterKubeconfig:
     post:
       responses:
         default:
-          description: Plugin
+          description: ClusterKubeconfig
   /Cluster:
     post:
       responses:
         default:
           description: Cluster
-  /ClusterKubeconfig:
+  /TeamRole:
     post:
       responses:
         default:
-          description: ClusterKubeconfig
+          description: TeamRole
   /TeamMembership:
     post:
       responses:
@@ -34,26 +34,26 @@ paths:
       responses:
         default:
           description: PluginPreset
-  /PluginDefinition:
+  /Team:
     post:
       responses:
         default:
-          description: PluginDefinition
-  /TeamRole:
+          description: Team
+  /TeamRoleBinding:
     post:
       responses:
         default:
-          description: TeamRole
-  /Team:
+          description: TeamRoleBinding
+  /Plugin:
     post:
       responses:
         default:
-          description: Team
-  /TeamRoleBinding:
+          description: Plugin
+  /PluginDefinition:
     post:
       responses:
         default:
-          description: TeamRoleBinding
+          description: PluginDefinition
 components:
   schemas:
     Organization:
@@ -177,12 +177,12 @@ components:
           description: OrganizationStatus defines the observed state of an Organization
           type: object
       type: object
-    Plugin:
+    ClusterKubeconfig:
       xml:
         name: greenhouse.sap
         namespace: v1alpha1
-      title: Plugin
-      description: Plugin is the Schema for the plugins API
+      title: ClusterKubeconfig
+      description: ClusterKubeconfig is the Schema for the clusterkubeconfigs API\nObjectMeta.OwnerReferences is used to link the ClusterKubeconfig to the Cluster\nObjectMeta.Generation is used to detect changes in the ClusterKubeconfig and sync local kubeconfig files\nObjectMeta.Name is designed to be the same with the Cluster name
       properties:
         apiVersion:
           description: 'APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
@@ -193,179 +193,92 @@ components:
         metadata:
           type: object
         spec:
-          description: PluginSpec defines the desired state of Plugin
+          description: ClusterKubeconfigSpec stores the kubeconfig data for the cluster\nThe idea is to use kubeconfig data locally with minimum effort (with local tools or plain kubectl):\nkubectl get cluster-kubeconfig $NAME -o yaml | yq -y .spec.kubeconfig
           properties:
-            clusterName:
-              description: ClusterName is the name of the cluster the plugin is deployed to. If not set, the plugin is deployed to the greenhouse cluster.
-              type: string
-            disabled:
-              description: Disabled indicates that the plugin is administratively disabled.
-              type: boolean
-            displayName:
-              description: DisplayName is an optional name for the Plugin to be displayed in the Greenhouse UI.\nThis is especially helpful to distinguish multiple instances of a PluginDefinition in the same context.\nDefaults to a normalized version of metadata.name.
-              type: string
-            optionValues:
-              description: Values are the values for a PluginDefinition instance.
-              items:
-                description: PluginOptionValue is the value for a PluginOption.
-                properties:
-                  name:
-                    description: Name of the values.
-                    type: string
-                  value:
-                    description: Value is the actual value in plain text.
-                    x-kubernetes-preserve-unknown-fields: true
-                  valueFrom:
-                    description: ValueFrom references a potentially confidential value in another source.
+            kubeconfig:
+              description: 'ClusterKubeconfigData stores the kubeconfig data ready to use kubectl or other local tooling\nIt is a simplified version of clientcmdapi.Config: https://pkg.go.dev/k8s.io/client-go/tools/clientcmd/api#Config'
+              properties:
+                apiVersion:
+                  type: string
+                clusters:
+                  items:
                     properties:
-                      secret:
-                        description: Secret references the secret containing the value.
+                      cluster:
                         properties:
-                          key:
-                            description: Key in the secret to select the value from.
+                          certificate-authority-data:
+                            format: byte
                             type: string
-                          name:
-                            description: Name of the secret in the same namespace.
+                          server:
+                            type: string
+                        type: object
+                      name:
+                        type: string
+                    required:
+                      - cluster
+                      - name
+                    type: object
+                  type: array
+                contexts:
+                  items:
+                    properties:
+                      context:
+                        properties:
+                          cluster:
+                            type: string
+                          namespace:
+                            type: string
+                          user:
                             type: string
                         required:
-                          - key
-                          - name
+                          - cluster
+                          - user
                         type: object
+                      name:
+                        type: string
+                    required:
+                      - name
                     type: object
-                required:
-                  - name
-                type: object
-              type: array
-            pluginDefinition:
-              description: PluginDefinition is the name of the PluginDefinition this instance is for.
-              type: string
-            releaseNamespace:
-              description: ReleaseNamespace is the namespace in the remote cluster to which the backend is deployed.\nDefaults to the Greenhouse managed namespace if not set.
-              type: string
-          required:
-            - disabled
-            - pluginDefinition
-          type: object
-        status:
-          description: PluginStatus defines the observed state of Plugin
-          properties:
-            description:
-              description: Description provides additional details of the plugin.
-              type: string
-            exposedServices:
-              additionalProperties:
-                description: Service references a Kubernetes service of a Plugin.
-                properties:
-                  name:
-                    description: Name is the name of the service in the target cluster.
-                    type: string
-                  namespace:
-                    description: Namespace is the namespace of the service in the target cluster.
-                    type: string
-                  port:
-                    description: Port is the port of the service.
-                    format: int32
-                    type: integer
-                  protocol:
-                    description: Protocol is the protocol of the service.
-                    type: string
-                required:
-                  - name
-                  - namespace
-                  - port
-                type: object
-              description: ExposedServices provides an overview of the Plugins services that are centrally exposed.\nIt maps the exposed URL to the service found in the manifest.
-              type: object
-            helmChart:
-              description: HelmChart contains a reference the helm chart used for the deployed pluginDefinition version.
-              properties:
-                name:
-                  description: Name of the HelmChart chart.
-                  type: string
-                repository:
-                  description: Repository of the HelmChart chart.
-                  type: string
-                version:
-                  description: Version of the HelmChart chart.
-                  type: string
-              required:
-                - name
-                - repository
-                - version
-              type: object
-            helmReleaseStatus:
-              description: HelmReleaseStatus reflects the status of the latest HelmChart release.\nThis is only configured if the pluginDefinition is backed by HelmChart.
-              properties:
-                firstDeployed:
-                  description: FirstDeployed is the timestamp of the first deployment of the release.
-                  format: date-time
-                  type: string
-                lastDeployed:
-                  description: LastDeployed is the timestamp of the last deployment of the release.
-                  format: date-time
+                  type: array
+                current-context:
                   type: string
-                status:
-                  description: Status is the status of a HelmChart release.
+                kind:
                   type: string
-              required:
-                - status
-              type: object
-            statusConditions:
-              description: StatusConditions contain the different conditions that constitute the status of the Plugin.
-              properties:
-                conditions:
+                preferences:
+                  type: object
+                users:
                   items:
-                    description: Condition contains additional information on the state of a resource.
                     properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the last time the condition transitioned from one status to another.
-                        format: date-time
-                        type: string
-                      message:
-                        description: Message is an optional human readable message indicating details about the last transition.
-                        type: string
-                      reason:
-                        description: Reason is a one-word, CamelCase reason for the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition.
-                        type: string
-                      type:
-                        description: Type of the condition.
+                      name:
                         type: string
+                      user:
+                        properties:
+                          auth-provider:
+                            description: AuthProviderConfig holds the configuration for a specified auth provider.
+                            properties:
+                              config:
+                                additionalProperties:
+                                  type: string
+                                type: object
+                              name:
+                                type: string
+                            required:
+                              - name
+                            type: object
+                          client-certificate-data:
+                            format: byte
+                            type: string
+                          client-key-data:
+                            format: byte
+                            type: string
+                        type: object
                     required:
-                      - lastTransitionTime
-                      - status
-                      - type
+                      - name
                     type: object
                   type: array
-                  x-kubernetes-list-map-keys:
-                    - type
-                  x-kubernetes-list-type: map
-              type: object
-            uiApplication:
-              description: UIApplication contains a reference to the frontend that is used for the deployed pluginDefinition version.
-              properties:
-                name:
-                  description: Name of the UI application.
-                  type: string
-                url:
-                  description: URL specifies the url to a built javascript asset.\nBy default, assets are loaded from the Juno asset server using the provided name and version.
-                  type: string
-                version:
-                  description: Version of the frontend application.
-                  type: string
               required:
-                - name
-                - version
+                - contexts
+                - users
               type: object
-            version:
-              description: Version contains the latest pluginDefinition version the config was last applied with successfully.
-              type: string
-            weight:
-              description: Weight configures the order in which Plugins are shown in the Greenhouse UI.
-              format: int32
-              type: integer
           type: object
       type: object
     Cluster:
@@ -390,7 +303,6 @@ components:
               description: AccessMode configures how the cluster is accessed from the Greenhouse operator.
               enum:
                 - direct
-                - headscale
               type: string
           required:
             - accessMode
@@ -402,51 +314,6 @@ components:
               description: BearerTokenExpirationTimestamp reflects the expiration timestamp of the bearer token used to access the cluster.
               format: date-time
               type: string
-            headScaleStatus:
-              description: HeadScaleStatus contains the current status of the headscale client.
-              properties:
-                createdAt:
-                  format: date-time
-                  type: string
-                expiry:
-                  format: date-time
-                  type: string
-                forcedTags:
-                  items:
-                    type: string
-                  type: array
-                id:
-                  format: int64
-                  type: integer
-                ipAddresses:
-                  items:
-                    type: string
-                  type: array
-                name:
-                  type: string
-                online:
-                  type: boolean
-                preAuthKey:
-                  description: PreAuthKey reflects the status of the pre-authentication key used by the Headscale machine.
-                  properties:
-                    createdAt:
-                      format: date-time
-                      type: string
-                    ephemeral:
-                      type: boolean
-                    expiration:
-                      format: date-time
-                      type: string
-                    id:
-                      type: string
-                    reusable:
-                      type: boolean
-                    used:
-                      type: boolean
-                    user:
-                      type: string
-                  type: object
-              type: object
             kubernetesVersion:
               description: KubernetesVersion reflects the detected Kubernetes version of the cluster.
               type: string
@@ -527,12 +394,12 @@ components:
               type: object
           type: object
       type: object
-    ClusterKubeconfig:
+    TeamRole:
       xml:
         name: greenhouse.sap
         namespace: v1alpha1
-      title: ClusterKubeconfig
-      description: ClusterKubeconfig is the Schema for the clusterkubeconfigs API\nObjectMeta.OwnerReferences is used to link the ClusterKubeconfig to the Cluster\nObjectMeta.Generation is used to detect changes in the ClusterKubeconfig and sync local kubeconfig files\nObjectMeta.Name is designed to be the same with the Cluster name
+      title: TeamRole
+      description: TeamRole is the Schema for the TeamRoles API
       properties:
         apiVersion:
           description: 'APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
@@ -543,92 +410,96 @@ components:
         metadata:
           type: object
         spec:
-          description: ClusterKubeconfigSpec stores the kubeconfig data for the cluster\nThe idea is to use kubeconfig data locally with minimum effort (with local tools or plain kubectl):\nkubectl get cluster-kubeconfig $NAME -o yaml | yq -y .spec.kubeconfig
+          description: TeamRoleSpec defines the desired state of a TeamRole
           properties:
-            kubeconfig:
-              description: 'ClusterKubeconfigData stores the kubeconfig data ready to use kubectl or other local tooling\nIt is a simplified version of clientcmdapi.Config: https://pkg.go.dev/k8s.io/client-go/tools/clientcmd/api#Config'
+            aggregationRule:
+              description: AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole on the remote cluster
               properties:
-                apiVersion:
-                  type: string
-                clusters:
-                  items:
-                    properties:
-                      cluster:
-                        properties:
-                          certificate-authority-data:
-                            format: byte
-                            type: string
-                          server:
-                            type: string
-                        type: object
-                      name:
-                        type: string
-                    required:
-                      - cluster
-                      - name
-                    type: object
-                  type: array
-                contexts:
-                  items:
-                    properties:
-                      context:
-                        properties:
-                          cluster:
-                            type: string
-                          namespace:
-                            type: string
-                          user:
-                            type: string
-                        required:
-                          - cluster
-                          - user
-                        type: object
-                      name:
-                        type: string
-                    required:
-                      - name
-                    type: object
-                  type: array
-                current-context:
-                  type: string
-                kind:
-                  type: string
-                preferences:
-                  type: object
-                users:
+                clusterRoleSelectors:
+                  description: ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.\nIf any of the selectors match, then the ClusterRole's permissions will be added
                   items:
+                    description: A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.
                     properties:
-                      name:
-                        type: string
-                      user:
-                        properties:
-                          auth-provider:
-                            description: AuthProviderConfig holds the configuration for a specified auth provider.
-                            properties:
-                              config:
-                                additionalProperties:
-                                  type: string
-                                type: object
-                              name:
+                      matchExpressions:
+                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                        items:
+                          description: A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.
+                          properties:
+                            key:
+                              description: key is the label key that the selector applies to.
+                              type: string
+                            operator:
+                              description: operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.
+                              type: string
+                            values:
+                              description: values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.
+                              items:
                                 type: string
-                            required:
-                              - name
-                            type: object
-                          client-certificate-data:
-                            format: byte
-                            type: string
-                          client-key-data:
-                            format: byte
-                            type: string
+                              type: array
+                              x-kubernetes-list-type: atomic
+                          required:
+                            - key
+                            - operator
+                          type: object
+                        type: array
+                        x-kubernetes-list-type: atomic
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is "key", the\noperator is "In", and the values array contains only "value". The requirements are ANDed.
                         type: object
-                    required:
-                      - name
                     type: object
+                    x-kubernetes-map-type: atomic
                   type: array
-              required:
-                - contexts
-                - users
+                  x-kubernetes-list-type: atomic
+              type: object
+            labels:
+              additionalProperties:
+                type: string
+              description: Labels are applied to the ClusterRole created on the remote cluster.\nThis allows using TeamRoles as part of AggregationRules by other TeamRoles
               type: object
+            rules:
+              description: Rules is a list of rbacv1.PolicyRules used on a managed RBAC (Cluster)Role
+              items:
+                description: PolicyRule holds information that describes a policy rule, but does not contain information\nabout who the rule applies to or which namespace the rule applies to.
+                properties:
+                  apiGroups:
+                    description: APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of\nthe enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  nonResourceURLs:
+                    description: NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path\nSince non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.\nRules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  resourceNames:
+                    description: ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  resources:
+                    description: Resources is a list of resources this rule applies to. '*' represents all resources.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  verbs:
+                    description: Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                required:
+                  - verbs
+                type: object
+              type: array
+          type: object
+        status:
+          description: TeamRoleStatus defines the observed state of a TeamRole
           type: object
       type: object
     TeamMembership:
@@ -910,12 +781,12 @@ components:
               type: object
           type: object
       type: object
-    PluginDefinition:
+    Team:
       xml:
         name: greenhouse.sap
         namespace: v1alpha1
-      title: PluginDefinition
-      description: PluginDefinition is the Schema for the PluginDefinitions API
+      title: Team
+      description: Team is the Schema for the teams API
       properties:
         apiVersion:
           description: 'APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
@@ -926,265 +797,42 @@ components:
         metadata:
           type: object
         spec:
-          description: PluginDefinitionSpec defines the desired state of PluginDefinitionSpec
+          description: TeamSpec defines the desired state of Team
           properties:
             description:
-              description: Description provides additional details of the pluginDefinition.
+              description: Description provides additional details of the team.
               type: string
-            displayName:
-              description: DisplayName provides a human-readable label for the pluginDefinition.
+            mappedIdPGroup:
+              description: IdP group id matching team.
               type: string
-            docMarkDownUrl:
-              description: DocMarkDownUrl specifies the URL to the markdown documentation file for this plugin.\nSource needs to allow all CORS origins.
+          type: object
+        status:
+          description: TeamStatus defines the observed state of Team
+          type: object
+      type: object
+    TeamRoleBinding:
+      xml:
+        name: greenhouse.sap
+        namespace: v1alpha1
+      title: TeamRoleBinding
+      description: TeamRoleBinding is the Schema for the rolebindings API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: TeamRoleBindingSpec defines the desired state of a TeamRoleBinding
+          properties:
+            clusterName:
+              description: ClusterName is the name of the cluster the rbacv1 resources are created on.
               type: string
-            helmChart:
-              description: HelmChart specifies where the Helm Chart for this pluginDefinition can be found.
-              properties:
-                name:
-                  description: Name of the HelmChart chart.
-                  type: string
-                repository:
-                  description: Repository of the HelmChart chart.
-                  type: string
-                version:
-                  description: Version of the HelmChart chart.
-                  type: string
-              required:
-                - name
-                - repository
-                - version
-              type: object
-            icon:
-              description: 'Icon specifies the icon to be used for this plugin in the Greenhouse UI.\nIcons can be either:\n- A string representing a juno icon in camel case from this list: https://github.com/sapcc/juno/blob/main/libs/juno-ui-components/src/components/Icon/Icon.component.js#L6-L52\n- A publicly accessible image reference to a .png file. Will be displayed 100x100px'
-              type: string
-            options:
-              description: RequiredValues is a list of values required to create an instance of this PluginDefinition.
-              items:
-                properties:
-                  default:
-                    description: Default provides a default value for the option
-                    x-kubernetes-preserve-unknown-fields: true
-                  description:
-                    description: Description provides a human-readable text for the value as shown in the UI.
-                    type: string
-                  displayName:
-                    description: DisplayName provides a human-readable label for the configuration option
-                    type: string
-                  name:
-                    description: Name/Key of the config option.
-                    type: string
-                  regex:
-                    description: Regex specifies a match rule for validating configuration options.
-                    type: string
-                  required:
-                    description: Required indicates that this config option is required
-                    type: boolean
-                  type:
-                    description: Type of this configuration option.
-                    enum:
-                      - string
-                      - secret
-                      - bool
-                      - int
-                      - list
-                      - map
-                    type: string
-                required:
-                  - name
-                  - required
-                  - type
-                type: object
-              type: array
-            uiApplication:
-              description: UIApplication specifies a reference to a UI application
-              properties:
-                name:
-                  description: Name of the UI application.
-                  type: string
-                url:
-                  description: URL specifies the url to a built javascript asset.\nBy default, assets are loaded from the Juno asset server using the provided name and version.
-                  type: string
-                version:
-                  description: Version of the frontend application.
-                  type: string
-              required:
-                - name
-                - version
-              type: object
-            version:
-              description: Version of this pluginDefinition
-              type: string
-            weight:
-              description: Weight configures the order in which Plugins are shown in the Greenhouse UI.\nDefaults to alphabetical sorting if not provided or on conflict.
-              format: int32
-              type: integer
-          required:
-            - version
-          type: object
-        status:
-          description: PluginDefinitionStatus defines the observed state of PluginDefinition
-          type: object
-      type: object
-    TeamRole:
-      xml:
-        name: greenhouse.sap
-        namespace: v1alpha1
-      title: TeamRole
-      description: TeamRole is the Schema for the TeamRoles API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: TeamRoleSpec defines the desired state of a TeamRole
-          properties:
-            aggregationRule:
-              description: AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole on the remote cluster
-              properties:
-                clusterRoleSelectors:
-                  description: ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.\nIf any of the selectors match, then the ClusterRole's permissions will be added
-                  items:
-                    description: A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.
-                    properties:
-                      matchExpressions:
-                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                        items:
-                          description: A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.
-                          properties:
-                            key:
-                              description: key is the label key that the selector applies to.
-                              type: string
-                            operator:
-                              description: operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.
-                              type: string
-                            values:
-                              description: values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.
-                              items:
-                                type: string
-                              type: array
-                              x-kubernetes-list-type: atomic
-                          required:
-                            - key
-                            - operator
-                          type: object
-                        type: array
-                        x-kubernetes-list-type: atomic
-                      matchLabels:
-                        additionalProperties:
-                          type: string
-                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is "key", the\noperator is "In", and the values array contains only "value". The requirements are ANDed.
-                        type: object
-                    type: object
-                    x-kubernetes-map-type: atomic
-                  type: array
-                  x-kubernetes-list-type: atomic
-              type: object
-            labels:
-              additionalProperties:
-                type: string
-              description: Labels are applied to the ClusterRole created on the remote cluster.\nThis allows using TeamRoles as part of AggregationRules by other TeamRoles
-              type: object
-            rules:
-              description: Rules is a list of rbacv1.PolicyRules used on a managed RBAC (Cluster)Role
-              items:
-                description: PolicyRule holds information that describes a policy rule, but does not contain information\nabout who the rule applies to or which namespace the rule applies to.
-                properties:
-                  apiGroups:
-                    description: APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of\nthe enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
-                    items:
-                      type: string
-                    type: array
-                    x-kubernetes-list-type: atomic
-                  nonResourceURLs:
-                    description: NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path\nSince non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.\nRules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
-                    items:
-                      type: string
-                    type: array
-                    x-kubernetes-list-type: atomic
-                  resourceNames:
-                    description: ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
-                    items:
-                      type: string
-                    type: array
-                    x-kubernetes-list-type: atomic
-                  resources:
-                    description: Resources is a list of resources this rule applies to. '*' represents all resources.
-                    items:
-                      type: string
-                    type: array
-                    x-kubernetes-list-type: atomic
-                  verbs:
-                    description: Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
-                    items:
-                      type: string
-                    type: array
-                    x-kubernetes-list-type: atomic
-                required:
-                  - verbs
-                type: object
-              type: array
-          type: object
-        status:
-          description: TeamRoleStatus defines the observed state of a TeamRole
-          type: object
-      type: object
-    Team:
-      xml:
-        name: greenhouse.sap
-        namespace: v1alpha1
-      title: Team
-      description: Team is the Schema for the teams API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: TeamSpec defines the desired state of Team
-          properties:
-            description:
-              description: Description provides additional details of the team.
-              type: string
-            mappedIdPGroup:
-              description: IdP group id matching team.
-              type: string
-          type: object
-        status:
-          description: TeamStatus defines the observed state of Team
-          type: object
-      type: object
-    TeamRoleBinding:
-      xml:
-        name: greenhouse.sap
-        namespace: v1alpha1
-      title: TeamRoleBinding
-      description: TeamRoleBinding is the Schema for the rolebindings API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: TeamRoleBindingSpec defines the desired state of a TeamRoleBinding
-          properties:
-            clusterName:
-              description: ClusterName is the name of the cluster the rbacv1 resources are created on.
-              type: string
-            clusterSelector:
-              description: ClusterSelector is a label selector to select the Clusters the TeamRoleBinding should be deployed to.
+            clusterSelector:
+              description: ClusterSelector is a label selector to select the Clusters the TeamRoleBinding should be deployed to.
               properties:
                 matchExpressions:
                   description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
@@ -1305,3 +953,309 @@ components:
               type: object
           type: object
       type: object
+    Plugin:
+      xml:
+        name: greenhouse.sap
+        namespace: v1alpha1
+      title: Plugin
+      description: Plugin is the Schema for the plugins API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: PluginSpec defines the desired state of Plugin
+          properties:
+            clusterName:
+              description: ClusterName is the name of the cluster the plugin is deployed to. If not set, the plugin is deployed to the greenhouse cluster.
+              type: string
+            disabled:
+              description: Disabled indicates that the plugin is administratively disabled.
+              type: boolean
+            displayName:
+              description: DisplayName is an optional name for the Plugin to be displayed in the Greenhouse UI.\nThis is especially helpful to distinguish multiple instances of a PluginDefinition in the same context.\nDefaults to a normalized version of metadata.name.
+              type: string
+            optionValues:
+              description: Values are the values for a PluginDefinition instance.
+              items:
+                description: PluginOptionValue is the value for a PluginOption.
+                properties:
+                  name:
+                    description: Name of the values.
+                    type: string
+                  value:
+                    description: Value is the actual value in plain text.
+                    x-kubernetes-preserve-unknown-fields: true
+                  valueFrom:
+                    description: ValueFrom references a potentially confidential value in another source.
+                    properties:
+                      secret:
+                        description: Secret references the secret containing the value.
+                        properties:
+                          key:
+                            description: Key in the secret to select the value from.
+                            type: string
+                          name:
+                            description: Name of the secret in the same namespace.
+                            type: string
+                        required:
+                          - key
+                          - name
+                        type: object
+                    type: object
+                required:
+                  - name
+                type: object
+              type: array
+            pluginDefinition:
+              description: PluginDefinition is the name of the PluginDefinition this instance is for.
+              type: string
+            releaseNamespace:
+              description: ReleaseNamespace is the namespace in the remote cluster to which the backend is deployed.\nDefaults to the Greenhouse managed namespace if not set.
+              type: string
+          required:
+            - disabled
+            - pluginDefinition
+          type: object
+        status:
+          description: PluginStatus defines the observed state of Plugin
+          properties:
+            description:
+              description: Description provides additional details of the plugin.
+              type: string
+            exposedServices:
+              additionalProperties:
+                description: Service references a Kubernetes service of a Plugin.
+                properties:
+                  name:
+                    description: Name is the name of the service in the target cluster.
+                    type: string
+                  namespace:
+                    description: Namespace is the namespace of the service in the target cluster.
+                    type: string
+                  port:
+                    description: Port is the port of the service.
+                    format: int32
+                    type: integer
+                  protocol:
+                    description: Protocol is the protocol of the service.
+                    type: string
+                required:
+                  - name
+                  - namespace
+                  - port
+                type: object
+              description: ExposedServices provides an overview of the Plugins services that are centrally exposed.\nIt maps the exposed URL to the service found in the manifest.
+              type: object
+            helmChart:
+              description: HelmChart contains a reference the helm chart used for the deployed pluginDefinition version.
+              properties:
+                name:
+                  description: Name of the HelmChart chart.
+                  type: string
+                repository:
+                  description: Repository of the HelmChart chart.
+                  type: string
+                version:
+                  description: Version of the HelmChart chart.
+                  type: string
+              required:
+                - name
+                - repository
+                - version
+              type: object
+            helmReleaseStatus:
+              description: HelmReleaseStatus reflects the status of the latest HelmChart release.\nThis is only configured if the pluginDefinition is backed by HelmChart.
+              properties:
+                firstDeployed:
+                  description: FirstDeployed is the timestamp of the first deployment of the release.
+                  format: date-time
+                  type: string
+                lastDeployed:
+                  description: LastDeployed is the timestamp of the last deployment of the release.
+                  format: date-time
+                  type: string
+                status:
+                  description: Status is the status of a HelmChart release.
+                  type: string
+              required:
+                - status
+              type: object
+            statusConditions:
+              description: StatusConditions contain the different conditions that constitute the status of the Plugin.
+              properties:
+                conditions:
+                  items:
+                    description: Condition contains additional information on the state of a resource.
+                    properties:
+                      lastTransitionTime:
+                        description: LastTransitionTime is the last time the condition transitioned from one status to another.
+                        format: date-time
+                        type: string
+                      message:
+                        description: Message is an optional human readable message indicating details about the last transition.
+                        type: string
+                      reason:
+                        description: Reason is a one-word, CamelCase reason for the condition's last transition.
+                        type: string
+                      status:
+                        description: Status of the condition.
+                        type: string
+                      type:
+                        description: Type of the condition.
+                        type: string
+                    required:
+                      - lastTransitionTime
+                      - status
+                      - type
+                    type: object
+                  type: array
+                  x-kubernetes-list-map-keys:
+                    - type
+                  x-kubernetes-list-type: map
+              type: object
+            uiApplication:
+              description: UIApplication contains a reference to the frontend that is used for the deployed pluginDefinition version.
+              properties:
+                name:
+                  description: Name of the UI application.
+                  type: string
+                url:
+                  description: URL specifies the url to a built javascript asset.\nBy default, assets are loaded from the Juno asset server using the provided name and version.
+                  type: string
+                version:
+                  description: Version of the frontend application.
+                  type: string
+              required:
+                - name
+                - version
+              type: object
+            version:
+              description: Version contains the latest pluginDefinition version the config was last applied with successfully.
+              type: string
+            weight:
+              description: Weight configures the order in which Plugins are shown in the Greenhouse UI.
+              format: int32
+              type: integer
+          type: object
+      type: object
+    PluginDefinition:
+      xml:
+        name: greenhouse.sap
+        namespace: v1alpha1
+      title: PluginDefinition
+      description: PluginDefinition is the Schema for the PluginDefinitions API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: PluginDefinitionSpec defines the desired state of PluginDefinitionSpec
+          properties:
+            description:
+              description: Description provides additional details of the pluginDefinition.
+              type: string
+            displayName:
+              description: DisplayName provides a human-readable label for the pluginDefinition.
+              type: string
+            docMarkDownUrl:
+              description: DocMarkDownUrl specifies the URL to the markdown documentation file for this plugin.\nSource needs to allow all CORS origins.
+              type: string
+            helmChart:
+              description: HelmChart specifies where the Helm Chart for this pluginDefinition can be found.
+              properties:
+                name:
+                  description: Name of the HelmChart chart.
+                  type: string
+                repository:
+                  description: Repository of the HelmChart chart.
+                  type: string
+                version:
+                  description: Version of the HelmChart chart.
+                  type: string
+              required:
+                - name
+                - repository
+                - version
+              type: object
+            icon:
+              description: 'Icon specifies the icon to be used for this plugin in the Greenhouse UI.\nIcons can be either:\n- A string representing a juno icon in camel case from this list: https://github.com/sapcc/juno/blob/main/libs/juno-ui-components/src/components/Icon/Icon.component.js#L6-L52\n- A publicly accessible image reference to a .png file. Will be displayed 100x100px'
+              type: string
+            options:
+              description: RequiredValues is a list of values required to create an instance of this PluginDefinition.
+              items:
+                properties:
+                  default:
+                    description: Default provides a default value for the option
+                    x-kubernetes-preserve-unknown-fields: true
+                  description:
+                    description: Description provides a human-readable text for the value as shown in the UI.
+                    type: string
+                  displayName:
+                    description: DisplayName provides a human-readable label for the configuration option
+                    type: string
+                  name:
+                    description: Name/Key of the config option.
+                    type: string
+                  regex:
+                    description: Regex specifies a match rule for validating configuration options.
+                    type: string
+                  required:
+                    description: Required indicates that this config option is required
+                    type: boolean
+                  type:
+                    description: Type of this configuration option.
+                    enum:
+                      - string
+                      - secret
+                      - bool
+                      - int
+                      - list
+                      - map
+                    type: string
+                required:
+                  - name
+                  - required
+                  - type
+                type: object
+              type: array
+            uiApplication:
+              description: UIApplication specifies a reference to a UI application
+              properties:
+                name:
+                  description: Name of the UI application.
+                  type: string
+                url:
+                  description: URL specifies the url to a built javascript asset.\nBy default, assets are loaded from the Juno asset server using the provided name and version.
+                  type: string
+                version:
+                  description: Version of the frontend application.
+                  type: string
+              required:
+                - name
+                - version
+              type: object
+            version:
+              description: Version of this pluginDefinition
+              type: string
+            weight:
+              description: Weight configures the order in which Plugins are shown in the Greenhouse UI.\nDefaults to alphabetical sorting if not provided or on conflict.
+              format: int32
+              type: integer
+          required:
+            - version
+          type: object
+        status:
+          description: PluginDefinitionStatus defines the observed state of PluginDefinition
+          type: object
+      type: object
diff --git a/docs/user-guides/cluster/onboarding.md b/docs/user-guides/cluster/onboarding.md
index c8ff44e6f..39b3c1967 100644
--- a/docs/user-guides/cluster/onboarding.md
+++ b/docs/user-guides/cluster/onboarding.md
@@ -36,6 +36,7 @@ greenhousectl cluster bootstrap --bootstrap-kubeconfig <path/to/cluster-kubeconf
 ```
 
 A typical output when you ran the command looks like
+
 ```commandline
 2024-02-01T09:34:55.522+0100	INFO	setup	Loaded kubeconfig	{"context": "default", "host": "https://api.greenhouse-qa.eu-nl-1.cloud.sap"}
 2024-02-01T09:34:55.523+0100	INFO	setup	Loaded client kubeconfig	{"host": "https://api.monitoring.greenhouse.shoot.canary.k8s-hana.ondemand.com"}
@@ -43,9 +44,6 @@ A typical output when you ran the command looks like
 2024-02-01T09:34:56.639+0100	INFO	setup	created namespace	{"name": "ccloud"}
 2024-02-01T09:34:56.696+0100	INFO	setup	created serviceAccount	{"name": "greenhouse"}
 2024-02-01T09:34:56.810+0100	INFO	setup	created clusterRoleBinding	{"name": "greenhouse"}
-2024-02-01T09:34:56.867+0100	INFO	setup	created serviceAccount	{"name": "tailscale"}
-2024-02-01T09:34:56.925+0100	INFO	setup	created role	{"name": "tailscale"}
-2024-02-01T09:34:56.982+0100	INFO	setup	created roleBinding	{"name": "tailscale"}
 2024-02-01T09:34:57.189+0100	INFO	setup	created clusterSecret	{"name": "monitoring"}
 2024-02-01T09:34:58.309+0100	INFO	setup	Bootstraping cluster finished	{"clusterName": "monitoring", "orgName": "ccloud"}
 ```
diff --git a/go.mod b/go.mod
index 8cea3937b..3277ff45c 100644
--- a/go.mod
+++ b/go.mod
@@ -22,7 +22,6 @@ require (
 	github.com/dexidp/dex v0.0.0-20240807174518-43956db7fd75
 	github.com/ghodss/yaml v1.0.0
 	github.com/jeremywohl/flatten/v2 v2.0.0-20211013061545-07e4a09fb8e4
-	github.com/juanfont/headscale v0.22.3
 	github.com/oklog/run v1.1.1-0.20240127200640-eee6e044b77c
 	github.com/onsi/ginkgo/v2 v2.20.2
 	github.com/onsi/gomega v1.34.2
@@ -48,49 +47,35 @@ require (
 	sigs.k8s.io/controller-runtime v0.19.0
 	sigs.k8s.io/e2e-framework v0.4.0
 	sigs.k8s.io/yaml v1.4.0
-	tailscale.com v1.74.1
 )
 
 require (
 	cloud.google.com/go/auth v0.9.2 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect
 	dario.cat/mergo v1.0.1 // indirect
-	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/Microsoft/hcsshim v0.12.6 // indirect
-	github.com/akutz/memconn v0.1.0 // indirect
-	github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/containerd/errdefs v0.1.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v0.2.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
-	github.com/dblohm7/wingoes v0.0.0-20240820181039-f2b84150679e // indirect
+	github.com/creack/pty v1.1.23 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
-	github.com/go-json-experiment/json v0.0.0-20240815175050-ebd3a8989ca1 // indirect
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
 	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 // indirect
-	github.com/hdevalence/ed25519consensus v0.2.0 // indirect
-	github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 // indirect
-	github.com/jsimonetti/rtnetlink v1.4.2 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
-	github.com/mdlayher/netlink v1.7.2 // indirect
-	github.com/mdlayher/socket v0.5.1 // indirect
-	github.com/mitchellh/go-ps v1.0.0 // indirect
+	github.com/miekg/dns v1.1.58 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
-	github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 // indirect
+	github.com/sergi/go-diff v1.3.1 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/tidwall/gjson v1.17.3 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/tidwall/sjson v1.2.5 // indirect
-	github.com/x448/float16 v0.8.4 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
-	go4.org/mem v0.0.0-20240501181205-ae6ca9944745 // indirect
-	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
-	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240827150818-7e3bb234dfed // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 )
@@ -151,7 +136,7 @@ require (
 	github.com/google/pprof v0.0.0-20240829160300-da1f7e9f2b25 // indirect
 	github.com/google/s2a-go v0.1.8 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/google/uuid v1.6.0
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.3 // indirect
 	github.com/googleapis/gax-go/v2 v2.13.0 // indirect
 	github.com/gorilla/handlers v1.5.2 // indirect
@@ -192,7 +177,7 @@ require (
 	github.com/otiai10/copy v1.14.0
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.59.1
+	github.com/prometheus/common v0.59.1 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rubenv/sql-migrate v1.7.0 // indirect
@@ -222,8 +207,8 @@ require (
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/api v0.195.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240827150818-7e3bb234dfed // indirect
-	google.golang.org/grpc v1.66.3
-	google.golang.org/protobuf v1.34.2
+	google.golang.org/grpc v1.66.3 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/apiserver v0.31.0 // indirect
diff --git a/go.sum b/go.sum
index da21fa20d..908a1442a 100644
--- a/go.sum
+++ b/go.sum
@@ -38,8 +38,6 @@ github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERo
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/Microsoft/hcsshim v0.12.6 h1:qEnZjoHXv+4/s0LmKZWE0/AiZmMWEIkFfWBSf1a0wlU=
 github.com/Microsoft/hcsshim v0.12.6/go.mod h1:ZABCLVcvLMjIkzr9rUGcQ1QA0p0P3Ps+d3N1g2DsFfk=
-github.com/akutz/memconn v0.1.0 h1:NawI0TORU4hcOMsMr11g7vwlCdkYeLKXBcxWu2W/P8A=
-github.com/akutz/memconn v0.1.0/go.mod h1:Jo8rI7m0NieZyLI5e2CDlRdRqRRB4S7Xp77ukDjH+Fw=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
@@ -55,8 +53,6 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/bits-and-blooms/bitset v1.13.0 h1:bAQ9OPNFYbGHV6Nez0tmNI0RiEu7/hxlYJRUA0wFAVE=
-github.com/bits-and-blooms/bitset v1.13.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/bshuster-repo/logrus-logstash-hook v1.0.0 h1:e+C0SB5R1pu//O4MQ3f9cFuPGoOVeF2fE4Og9otCc70=
@@ -68,8 +64,6 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chai2010/gettext-go v1.0.3 h1:9liNh8t+u26xl5ddmWLmsOsdNLwkdRTg5AG+JnTiM80=
 github.com/chai2010/gettext-go v1.0.3/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA=
-github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk=
-github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM=
@@ -85,11 +79,8 @@ github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A=
 github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
-github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 h1:8h5+bWd7R6AYUslN6c6iuZWTKsKxUFDlpnmilO6R2n0=
-github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/coreos/go-oidc/v3 v3.11.0 h1:Ia3MxdwpSw702YW0xgfmP1GVCMA9aEFWu12XUZ3/OtI=
 github.com/coreos/go-oidc/v3 v3.11.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
-github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4=
@@ -103,8 +94,6 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dblohm7/wingoes v0.0.0-20240820181039-f2b84150679e h1:L+XrFvD0vBIBm+Wf9sFN6aU395t7JROoai0qXZraA4U=
-github.com/dblohm7/wingoes v0.0.0-20240820181039-f2b84150679e/go.mod h1:SUxUaAK/0UG5lYyZR1L1nC4AaYYvSSYTWQSH3FPcxKU=
 github.com/dexidp/dex v0.0.0-20240807174518-43956db7fd75 h1:rhJGxE3OIwZQmReo7UO/u+Qd/DsH4pZUBaUr2wrSxp0=
 github.com/dexidp/dex v0.0.0-20240807174518-43956db7fd75/go.mod h1:r4AnI+KSlse0g9cmP+swnmsJscyXlMwDOugBOt5yWcA=
 github.com/dexidp/dex/api/v2 v2.2.0 h1:lMehnAw5NwMorWcCf5ncwzqe0uJ/g/PtK7DR4K8uM5E=
@@ -155,10 +144,6 @@ github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHk
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
-github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
-github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
-github.com/gaissmai/bart v0.11.1 h1:5Uv5XwsaFBRo4E5VBcb9TzY8B7zxFf+U7isDxqOrRfc=
-github.com/gaissmai/bart v0.11.1/go.mod h1:KHeYECXQiBjTzQz/om2tqn3sZF1J7hw9m6z41ftj3fg=
 github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
@@ -170,8 +155,6 @@ github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs
 github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw=
 github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
 github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
-github.com/go-json-experiment/json v0.0.0-20240815175050-ebd3a8989ca1 h1:xcuWappghOVI8iNWoF2OKahVejd1LSVi/v4JED44Amo=
-github.com/go-json-experiment/json v0.0.0-20240815175050-ebd3a8989ca1/go.mod h1:BWmvoE1Xia34f3l/ibJweyhrT+aROb/FQ6d+37F0e2s=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-ldap/ldap/v3 v3.4.8 h1:loKJyspcRezt2Q3ZRMq2p/0v8iOurlmeXDPw6fikSvQ=
 github.com/go-ldap/ldap/v3 v3.4.8/go.mod h1:qS3Sjlu76eHfHGpUdWkAXQTw4beih+cHsco2jXlIXrk=
@@ -184,8 +167,6 @@ github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
 github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
-github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
-github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
 github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ=
@@ -199,8 +180,6 @@ github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1v
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
-github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 h1:sQspH8M4niEijh3PFscJRLDnkL547IeP7kpPe3uUhEg=
-github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466/go.mod h1:ZiQxhyQ+bbbfxUKVvjfO498oPYvtYhZzycal3G/NHmU=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
@@ -237,8 +216,6 @@ github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/nftables v0.2.1-0.20240414091927-5e242ec57806 h1:wG8RYIyctLhdFk6Vl1yPGtSRtwGpVkWyZww1OCil2MI=
-github.com/google/nftables v0.2.1-0.20240414091927-5e242ec57806/go.mod h1:Beg6V6zZ3oEn0JuiUQ4wqwuyqqzasOltcoXPtgLbFp4=
 github.com/google/pprof v0.0.0-20240829160300-da1f7e9f2b25 h1:sEDPKUw6iPjczdu33njxFjO6tYa9bfc0z/QyB/zSsBw=
 github.com/google/pprof v0.0.0-20240829160300-da1f7e9f2b25/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
 github.com/google/s2a-go v0.1.8 h1:zZDs9gcbt9ZPLV0ndSyQk6Kacx2g/X+SKYovpnz3SMM=
@@ -279,18 +256,12 @@ github.com/hashicorp/golang-lru/arc/v2 v2.0.5 h1:l2zaLDubNhW4XO3LnliVj0GXO3+/CGN
 github.com/hashicorp/golang-lru/arc/v2 v2.0.5/go.mod h1:ny6zBSQZi2JxIeYcv7kt2sH2PXJtirBN7RDhRpxPkxU=
 github.com/hashicorp/golang-lru/v2 v2.0.5 h1:wW7h1TG88eUIJ2i69gaE3uNVtEPIagzhGvHgwfx2Vm4=
 github.com/hashicorp/golang-lru/v2 v2.0.5/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
-github.com/hdevalence/ed25519consensus v0.2.0 h1:37ICyZqdyj0lAZ8P4D1d1id3HqbbG1N3iBb1Tb4rdcU=
-github.com/hdevalence/ed25519consensus v0.2.0/go.mod h1:w3BHWjwJbFU29IRHL1Iqkw3sus+7FctEyM4RqDxYNzo=
 github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
 github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
-github.com/illarion/gonotify/v2 v2.0.3 h1:B6+SKPo/0Sw8cRJh1aLzNEeNVFfzE3c6N+o+vyxM+9A=
-github.com/illarion/gonotify/v2 v2.0.3/go.mod h1:38oIJTgFqupkEydkkClkbL6i5lXV/bxdH9do5TALPEE=
 github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
 github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
-github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 h1:9K06NfxkBh25x56yVhWWlKFE8YpicaSfHwoV8SFbueA=
-github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2/go.mod h1:3A9PQ1cunSDF/1rbTq99Ts4pVnycWg+vlPkfeD2NLFI=
 github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
 github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
 github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
@@ -312,16 +283,10 @@ github.com/jonboulle/clockwork v0.4.0 h1:p4Cf1aMWXnXAUh8lVfewRBx1zaTSYKrKMF2g3ST
 github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
-github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 h1:elKwZS1OcdQ0WwEDBeqxKwb7WB62QX8bvZ/FJnVXIfk=
-github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86/go.mod h1:aFAMtuldEgx/4q7iSGazk22+IcgvtiC+HIimFO9XlS8=
-github.com/jsimonetti/rtnetlink v1.4.2 h1:Df9w9TZ3npHTyDn0Ev9e1uzmN2odmXd0QX+J5GTEn90=
-github.com/jsimonetti/rtnetlink v1.4.2/go.mod h1:92s6LJdE+1iOrw+F2/RO7LYI2Qd8pPpFNNUYW06gcoM=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/juanfont/headscale v0.22.3 h1:BHpPO9cIB1vBVyp0faEAk2Pq2Zi04NXXgsf3Wt60sac=
-github.com/juanfont/headscale v0.22.3/go.mod h1:NdBJ+givOOABlLd7GFT2WRjGP4e/ylLYy+U1WIkpTIQ=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
@@ -362,18 +327,10 @@ github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh
 github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
 github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
-github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o=
-github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
-github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
-github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos=
-github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ=
 github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4=
 github.com/miekg/dns v1.1.58/go.mod h1:Ypv+3b/KadlvW9vJfXOTf300O4UqaHFzFCuHz+rPkBY=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
-github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
-github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
 github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
 github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
@@ -420,8 +377,6 @@ github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+v
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI=
 github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE=
-github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
-github.com/pierrec/lz4/v4 v4.1.21/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -500,12 +455,6 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 h1:Gzfnfk2TWrk8Jj4P4c1a3CtQyMaTVCznlkLZI++hok4=
-github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55/go.mod h1:4k4QO+dQ3R5FofL+SanAUZe+/QfeK0+OIuwDIRu2vSg=
-github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7 h1:uFsXVBE9Qr4ZoF094vE6iYTLDl0qCiKzYXlL6UeWObU=
-github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
-github.com/tailscale/wireguard-go v0.0.0-20240905161824-799c1978fafc h1:cezaQN9pvKVaw56Ma5qr/G646uKIYP0yQf+OyWN/okc=
-github.com/tailscale/wireguard-go v0.0.0-20240905161824-799c1978fafc/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
 github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/gjson v1.17.3 h1:bwWLZU7icoKRG+C+0PNwIKC6FCJO/Q3p2pZvuP0jN94=
 github.com/tidwall/gjson v1.17.3/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
@@ -516,16 +465,10 @@ github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
 github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
 github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
 github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
-github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e h1:BA9O3BmlTmpjbvajAwzWx4Wo2TRVdpPXZEeemGQcajw=
-github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
-github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
-github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
 github.com/vladimirvivien/gexe v0.3.0 h1:4xwiOwGrDob5OMR6E92B9olDXYDglXdHhzR1ggYtWJM=
 github.com/vladimirvivien/gexe v0.3.0/go.mod h1:fp7cy60ON1xjhtEI/+bfSEIXX35qgmI+iRYlGOqbBFM=
 github.com/wI2L/jsondiff v0.6.0 h1:zrsH3FbfVa3JO9llxrcDy/XLkYPLgoMX6Mz3T2PP2AI=
 github.com/wI2L/jsondiff v0.6.0/go.mod h1:D6aQ5gKgPF9g17j+E9N7aasmU1O+XvfmWm1y8UMmNpw=
-github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
-github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
@@ -582,10 +525,6 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
-go4.org/mem v0.0.0-20240501181205-ae6ca9944745 h1:Tl++JLUCe4sxGu8cTpDzRLd3tN7US4hOxG5YpKCzkek=
-go4.org/mem v0.0.0-20240501181205-ae6ca9944745/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
-go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
-go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -656,7 +595,6 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.4.1-0.20230131160137-e7d7f63158de/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -698,10 +636,6 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
-golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
-golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
-golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
 gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=
 gomodules.xyz/jsonpatch/v2 v2.4.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
 google.golang.org/api v0.195.0 h1:Ude4N8FvTKnnQJHU48RFI40jOBgIrL8Zqr3/QeST6yU=
@@ -755,8 +689,6 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
 gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
-gvisor.dev/gvisor v0.0.0-20240722211153-64c016c92987 h1:TU8z2Lh3Bbq77w0t1eG8yRlLcNHzZu3x6mhoH2Mk0c8=
-gvisor.dev/gvisor v0.0.0-20240722211153-64c016c92987/go.mod h1:sxc3Uvk/vHcd3tj7/DHVBoR5wvWT/MmRq2pj7HRJnwU=
 helm.sh/helm/v3 v3.15.4 h1:UFHd6oZ1IN3FsUZ7XNhOQDyQ2QYknBNWRHH57e9cbHY=
 helm.sh/helm/v3 v3.15.4/go.mod h1:phOwlxqGSgppCY/ysWBNRhG3MtnpsttOzxaTK+Mt40E=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -799,5 +731,3 @@ sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+s
 sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
 sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
-tailscale.com v1.74.1 h1:qhhkN+0gFZasczi+0n0eBxwfP/ZaUr+05cWdsOQ3GT0=
-tailscale.com v1.74.1/go.mod h1:3iACpCONQ4lauDXvwfoGlwNCpfbVxjdc2j6G9EuFOW8=
diff --git a/pkg/apis/greenhouse/v1alpha1/cluster_types.go b/pkg/apis/greenhouse/v1alpha1/cluster_types.go
index b90351438..c4f92919b 100644
--- a/pkg/apis/greenhouse/v1alpha1/cluster_types.go
+++ b/pkg/apis/greenhouse/v1alpha1/cluster_types.go
@@ -14,16 +14,13 @@ type ClusterSpec struct {
 }
 
 // ClusterAccessMode configures the access mode to the customer cluster.
-// +kubebuilder:validation:Enum=direct;headscale
+// +kubebuilder:validation:Enum=direct
 type ClusterAccessMode string
 
 const (
 	// ClusterAccessModeDirect configures direct access to the cluster.
 	ClusterAccessModeDirect ClusterAccessMode = "direct"
 
-	// ClusterAccessModeHeadscale configures headscale-based access to the cluster.
-	ClusterAccessModeHeadscale ClusterAccessMode = "headscale"
-
 	// AllNodesReady reflects the readiness status of all nodes of a cluster.
 	AllNodesReady ConditionType = "AllNodesReady"
 
@@ -40,45 +37,15 @@ type ClusterStatus struct {
 	KubernetesVersion string `json:"kubernetesVersion,omitempty"`
 	// BearerTokenExpirationTimestamp reflects the expiration timestamp of the bearer token used to access the cluster.
 	BearerTokenExpirationTimestamp metav1.Time `json:"bearerTokenExpirationTimestamp,omitempty"`
-	// HeadScaleStatus contains the current status of the headscale client.
-	HeadScaleStatus *HeadScaleMachineStatus `json:"headScaleStatus,omitempty"`
 	// StatusConditions contain the different conditions that constitute the status of the Cluster.
 	StatusConditions `json:"statusConditions,omitempty"`
 	// Nodes provides a map of cluster node names to node statuses
 	Nodes map[string]NodeStatus `json:"nodes,omitempty"`
 }
 
-// HeadScaleMachineStatus is the status of a Headscale machine.
-type HeadScaleMachineStatus struct {
-	ID          uint64      `json:"id,omitempty"`
-	IPAddresses []string    `json:"ipAddresses,omitempty"`
-	Name        string      `json:"name,omitempty"`
-	Expiry      metav1.Time `json:"expiry,omitempty"`
-	CreatedAt   metav1.Time `json:"createdAt,omitempty"`
-	ForcedTags  []string    `json:"forcedTags,omitempty"`
-	PreAuthKey  *PreAuthKey `json:"preAuthKey,omitempty"`
-	Online      bool        `json:"online,omitempty"`
-}
-
-// PreAuthKey reflects the status of the pre-authentication key used by the Headscale machine.
-type PreAuthKey struct {
-	ID         string      `json:"id,omitempty"`
-	User       string      `json:"user,omitempty"`
-	Reusable   bool        `json:"reusable,omitempty"`
-	Ephemeral  bool        `json:"ephemeral,omitempty"`
-	Used       bool        `json:"used,omitempty"`
-	CreatedAt  metav1.Time `json:"createdAt,omitempty"`
-	Expiration metav1.Time `json:"expiration,omitempty"`
-}
-
 // ClusterConditionType is a valid condition of a cluster.
 type ClusterConditionType string
 
-const (
-	// HeadscaleReady reflects the readiness status of the headscale access of a cluster.
-	HeadscaleReady ConditionType = "HeadscaleReady"
-)
-
 type NodeStatus struct {
 	// We mirror the node conditions here for faster reference
 	StatusConditions `json:"statusConditions,omitempty"`
diff --git a/pkg/apis/greenhouse/v1alpha1/conditions_test.go b/pkg/apis/greenhouse/v1alpha1/conditions_test.go
index 8c1d46db4..1b8e2fa35 100644
--- a/pkg/apis/greenhouse/v1alpha1/conditions_test.go
+++ b/pkg/apis/greenhouse/v1alpha1/conditions_test.go
@@ -132,7 +132,7 @@ var _ = Describe("Test conditions util functions", func() {
 			greenhousev1alpha1.StatusConditions{
 				Conditions: []greenhousev1alpha1.Condition{
 					{
-						Type:               greenhousev1alpha1.HeadscaleReady,
+						Type:               greenhousev1alpha1.KubeConfigValid,
 						Status:             metav1.ConditionFalse,
 						LastTransitionTime: timeNow,
 						Message:            "test",
@@ -142,7 +142,7 @@ var _ = Describe("Test conditions util functions", func() {
 			greenhousev1alpha1.StatusConditions{
 				Conditions: []greenhousev1alpha1.Condition{
 					{
-						Type:               greenhousev1alpha1.HeadscaleReady,
+						Type:               greenhousev1alpha1.KubeConfigValid,
 						Status:             metav1.ConditionFalse,
 						LastTransitionTime: timeNow,
 						Message:            "test",
@@ -166,7 +166,7 @@ var _ = Describe("Test conditions util functions", func() {
 			greenhousev1alpha1.StatusConditions{
 				Conditions: []greenhousev1alpha1.Condition{
 					{
-						Type:               greenhousev1alpha1.HeadscaleReady,
+						Type:               greenhousev1alpha1.KubeConfigValid,
 						Status:             metav1.ConditionFalse,
 						LastTransitionTime: timeNow,
 						Message:            "test",
@@ -182,7 +182,7 @@ var _ = Describe("Test conditions util functions", func() {
 			greenhousev1alpha1.StatusConditions{
 				Conditions: []greenhousev1alpha1.Condition{
 					{
-						Type:               greenhousev1alpha1.HeadscaleReady,
+						Type:               greenhousev1alpha1.KubeConfigValid,
 						Status:             metav1.ConditionFalse,
 						LastTransitionTime: timeNow,
 						Message:            "test",
@@ -206,7 +206,7 @@ var _ = Describe("Test conditions util functions", func() {
 			greenhousev1alpha1.StatusConditions{
 				Conditions: []greenhousev1alpha1.Condition{
 					{
-						Type:               greenhousev1alpha1.HeadscaleReady,
+						Type:               greenhousev1alpha1.KubeConfigValid,
 						Status:             metav1.ConditionFalse,
 						LastTransitionTime: timeNow,
 						Message:            "test",
@@ -222,7 +222,7 @@ var _ = Describe("Test conditions util functions", func() {
 			greenhousev1alpha1.StatusConditions{
 				Conditions: []greenhousev1alpha1.Condition{
 					{
-						Type:               greenhousev1alpha1.HeadscaleReady,
+						Type:               greenhousev1alpha1.KubeConfigValid,
 						Status:             metav1.ConditionFalse,
 						LastTransitionTime: timeNow,
 						Message:            "test",
@@ -246,7 +246,7 @@ var _ = Describe("Test conditions util functions", func() {
 			greenhousev1alpha1.StatusConditions{
 				Conditions: []greenhousev1alpha1.Condition{
 					{
-						Type:               greenhousev1alpha1.HeadscaleReady,
+						Type:               greenhousev1alpha1.KubeConfigValid,
 						Status:             metav1.ConditionFalse,
 						LastTransitionTime: timeNow,
 						Message:            "test",
@@ -256,7 +256,7 @@ var _ = Describe("Test conditions util functions", func() {
 			greenhousev1alpha1.StatusConditions{
 				Conditions: []greenhousev1alpha1.Condition{
 					{
-						Type:               greenhousev1alpha1.HeadscaleReady,
+						Type:               greenhousev1alpha1.KubeConfigValid,
 						Status:             metav1.ConditionFalse,
 						LastTransitionTime: timeNow,
 						Message:            "test2",
@@ -264,7 +264,7 @@ var _ = Describe("Test conditions util functions", func() {
 				},
 			},
 			greenhousev1alpha1.Condition{
-				Type:               greenhousev1alpha1.HeadscaleReady,
+				Type:               greenhousev1alpha1.KubeConfigValid,
 				Status:             metav1.ConditionFalse,
 				LastTransitionTime: metav1.NewTime(metav1.Now().AddDate(0, 0, -1)),
 				Message:            "test2",
@@ -275,7 +275,7 @@ var _ = Describe("Test conditions util functions", func() {
 			greenhousev1alpha1.StatusConditions{
 				Conditions: []greenhousev1alpha1.Condition{
 					{
-						Type:               greenhousev1alpha1.HeadscaleReady,
+						Type:               greenhousev1alpha1.KubeConfigValid,
 						Status:             metav1.ConditionFalse,
 						LastTransitionTime: timeNow,
 						Message:            "test",
@@ -285,7 +285,7 @@ var _ = Describe("Test conditions util functions", func() {
 			greenhousev1alpha1.StatusConditions{
 				Conditions: []greenhousev1alpha1.Condition{
 					{
-						Type:               greenhousev1alpha1.HeadscaleReady,
+						Type:               greenhousev1alpha1.KubeConfigValid,
 						Status:             metav1.ConditionFalse,
 						LastTransitionTime: timeNow,
 						Message:            "test2",
@@ -300,7 +300,7 @@ var _ = Describe("Test conditions util functions", func() {
 			},
 			greenhousev1alpha1.Condition{
 
-				Type:               greenhousev1alpha1.HeadscaleReady,
+				Type:               greenhousev1alpha1.KubeConfigValid,
 				Status:             metav1.ConditionFalse,
 				LastTransitionTime: metav1.NewTime(metav1.Now().AddDate(0, 0, -1)),
 				Message:            "test2",
diff --git a/pkg/apis/greenhouse/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/greenhouse/v1alpha1/zz_generated.deepcopy.go
index d7e4124ef..1481a8c3e 100644
--- a/pkg/apis/greenhouse/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/greenhouse/v1alpha1/zz_generated.deepcopy.go
@@ -371,11 +371,6 @@ func (in *ClusterSpec) DeepCopy() *ClusterSpec {
 func (in *ClusterStatus) DeepCopyInto(out *ClusterStatus) {
 	*out = *in
 	in.BearerTokenExpirationTimestamp.DeepCopyInto(&out.BearerTokenExpirationTimestamp)
-	if in.HeadScaleStatus != nil {
-		in, out := &in.HeadScaleStatus, &out.HeadScaleStatus
-		*out = new(HeadScaleMachineStatus)
-		(*in).DeepCopyInto(*out)
-	}
 	in.StatusConditions.DeepCopyInto(&out.StatusConditions)
 	if in.Nodes != nil {
 		in, out := &in.Nodes, &out.Nodes
@@ -412,38 +407,6 @@ func (in *Condition) DeepCopy() *Condition {
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *HeadScaleMachineStatus) DeepCopyInto(out *HeadScaleMachineStatus) {
-	*out = *in
-	if in.IPAddresses != nil {
-		in, out := &in.IPAddresses, &out.IPAddresses
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-	in.Expiry.DeepCopyInto(&out.Expiry)
-	in.CreatedAt.DeepCopyInto(&out.CreatedAt)
-	if in.ForcedTags != nil {
-		in, out := &in.ForcedTags, &out.ForcedTags
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-	if in.PreAuthKey != nil {
-		in, out := &in.PreAuthKey, &out.PreAuthKey
-		*out = new(PreAuthKey)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeadScaleMachineStatus.
-func (in *HeadScaleMachineStatus) DeepCopy() *HeadScaleMachineStatus {
-	if in == nil {
-		return nil
-	}
-	out := new(HeadScaleMachineStatus)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HelmChartReference) DeepCopyInto(out *HelmChartReference) {
 	*out = *in
@@ -982,23 +945,6 @@ func (in *PluginStatus) DeepCopy() *PluginStatus {
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PreAuthKey) DeepCopyInto(out *PreAuthKey) {
-	*out = *in
-	in.CreatedAt.DeepCopyInto(&out.CreatedAt)
-	in.Expiration.DeepCopyInto(&out.Expiration)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PreAuthKey.
-func (in *PreAuthKey) DeepCopy() *PreAuthKey {
-	if in == nil {
-		return nil
-	}
-	out := new(PreAuthKey)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PropagationStatus) DeepCopyInto(out *PropagationStatus) {
 	*out = *in
diff --git a/pkg/apis/well_known.go b/pkg/apis/well_known.go
index 49bce7376..bd8c7c0cf 100644
--- a/pkg/apis/well_known.go
+++ b/pkg/apis/well_known.go
@@ -33,9 +33,6 @@ const (
 	// This kubeconfig should be used by Greenhouse controllers and their kubernetes clients to access the remote cluster.
 	GreenHouseKubeConfigKey = "greenhousekubeconfig"
 
-	// HeadscalePreAuthKey is the key for the Headscale pre-authentication key in a secret of type greenhouse.sap/kubeconfig.
-	HeadscalePreAuthKey = "headscalePreAuthKey"
-
 	// LabelKeyPluginPreset is used to identify the PluginPreset managing the plugin.
 	LabelKeyPluginPreset = "greenhouse.sap/pluginpreset"
 
@@ -48,10 +45,7 @@ const (
 	// LabelKeyCluster is used to identify corresponding Cluster for the resource.
 	LabelKeyCluster = "greenhouse.sap/cluster"
 
-	// HeadScaleKey is the key for the Headscale client deployment
-	HeadScaleKey = "greenhouse.sap/headscale"
-
-	// LabelAccessMode is used to force the access mode to headscale for a cluster.
+	// LabelAccessMode is used to force the access mode for a cluster.
 	LabelAccessMode = "greenhouse.sap/access-mode"
 
 	// LabelKeyExposeService is applied to services that are part of a PluginDefinitions Helm chart to expose them via the central Greenhouse infrastructure.
diff --git a/pkg/clientutil/client.go b/pkg/clientutil/client.go
index 9298e9f4b..0a6f0087f 100644
--- a/pkg/clientutil/client.go
+++ b/pkg/clientutil/client.go
@@ -5,8 +5,6 @@ package clientutil
 
 import (
 	"context"
-	"net/http"
-	"net/url"
 
 	corev1 "k8s.io/api/core/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@@ -49,19 +47,6 @@ func NewK8sClientFromRestClientGetter(restClientGetter genericclioptions.RESTCli
 	return NewK8sClient(cfg)
 }
 
-func NewHeadscaleK8sClientFromRestClientGetter(restClientGetter genericclioptions.RESTClientGetter, proxy, headscaleAddress string) (client.Client, error) {
-	cfg, err := restClientGetter.ToRESTConfig()
-	if err != nil {
-		return nil, err
-	}
-	cfg.Host = "https://" + headscaleAddress
-	cfg.TLSClientConfig.ServerName = "127.0.0.1"
-	cfg.Proxy = func(req *http.Request) (*url.URL, error) {
-		return url.Parse(proxy)
-	}
-	return NewK8sClient(cfg)
-}
-
 // NewK8sClientFromCluster returns a client.Client based on the given clusters kubeconfig secret.
 func NewK8sClientFromCluster(ctx context.Context, c client.Client, cluster *greenhousev1alpha1.Cluster) (client.Client, error) {
 	secret := new(corev1.Secret)
diff --git a/pkg/clientutil/headscale.go b/pkg/clientutil/headscale.go
deleted file mode 100644
index 6f49ae466..000000000
--- a/pkg/clientutil/headscale.go
+++ /dev/null
@@ -1,92 +0,0 @@
-// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-// SPDX-License-Identifier: Apache-2.0
-
-package clientutil
-
-import (
-	"context"
-	"net"
-	"os"
-
-	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/credentials"
-	"google.golang.org/grpc/credentials/insecure"
-	"sigs.k8s.io/controller-runtime/pkg/log"
-)
-
-const (
-	SocketWritePermissions = 0o666
-)
-
-// NewHeadscaleGRPCClient returns a new gRPC client for the Headscale API.
-func NewHeadscaleGRPCClient(url, apiKey string) (v1.HeadscaleServiceClient, error) {
-	grpcOptions := []grpc.DialOption{
-		grpc.WithPerRPCCredentials(tokenAuth{
-			token: apiKey,
-		}),
-		grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")),
-	}
-
-	cc, err := grpc.NewClient(url, grpcOptions...)
-	if err != nil {
-		return nil, err
-	}
-
-	cl := v1.NewHeadscaleServiceClient(cc)
-	return cl, nil
-}
-
-func NewHeadscaleGRPCSocketClient(socketPath string) (v1.HeadscaleServiceClient, error) {
-	// Call the headscale agent socket
-	grpcOptions := []grpc.DialOption{}
-
-	socket, err := os.OpenFile(socketPath, os.O_WRONLY, SocketWritePermissions)
-	if err != nil {
-		if os.IsPermission(err) {
-			log.FromContext(context.Background()).Error(err, "permission denied to open socket")
-			return nil, err
-		}
-		if os.IsNotExist(err) {
-			log.FromContext(context.Background()).Error(err, "socket does not exist", "socketPath", socketPath)
-			return nil, err
-		}
-	}
-	socket.Close()
-
-	grpcOptions = append(
-		grpcOptions,
-		grpc.WithTransportCredentials(insecure.NewCredentials()),
-		grpc.WithContextDialer(grpcDialer),
-	)
-
-	cc, err := grpc.NewClient(socketPath, grpcOptions...)
-	if err != nil {
-		return nil, err
-	}
-
-	cl := v1.NewHeadscaleServiceClient(cc)
-	return cl, nil
-}
-
-func grpcDialer(ctx context.Context, addr string) (net.Conn, error) {
-	var d net.Dialer
-
-	return d.DialContext(ctx, "unix", addr)
-}
-
-// tokenAuth struct to pass the token over the gRPC call.
-type tokenAuth struct {
-	token string
-}
-
-// Return value is mapped to request headers.
-func (t tokenAuth) GetRequestMetadata(ctx context.Context, in ...string) (map[string]string, error) {
-	return map[string]string{
-		"authorization": "Bearer " + t.token,
-	}, nil
-}
-
-func (tokenAuth) RequireTransportSecurity() bool {
-	return true
-}
diff --git a/pkg/cmd/cluster_bootstrap.go b/pkg/cmd/cluster_bootstrap.go
index 3297b2351..8d9eb6fbd 100644
--- a/pkg/cmd/cluster_bootstrap.go
+++ b/pkg/cmd/cluster_bootstrap.go
@@ -13,17 +13,12 @@ import (
 
 	"github.com/spf13/cobra"
 	"go.uber.org/zap/zapcore"
-	appsv1 "k8s.io/api/apps/v1"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	authorizationv1 "k8s.io/api/authorization/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
-	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/apimachinery/pkg/util/intstr"
-	"k8s.io/apimachinery/pkg/util/wait"
-	"k8s.io/client-go/discovery"
 	"k8s.io/client-go/kubernetes"
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	"k8s.io/client-go/rest"
@@ -42,8 +37,7 @@ import (
 )
 
 const (
-	tailscaleServiceAccountName = "tailscale"
-	serviceAccountName          = "greenhouse"
+	serviceAccountName = "greenhouse"
 )
 
 var (
@@ -72,14 +66,8 @@ type newClusterBootstrapOptions struct {
 	ghClient           client.Client
 	ghConfig           rest.Config
 	kubecontext        string
-	headscaleURI       string
-	preAuthKey         string
 	orgName            string
 	clusterName        string
-	proxyImage         string
-	proxyImageTag      string
-	tailscaleImage     string
-	tailscaleImageTag  string
 	customerKubeConfig string
 	onBehafOfUser      string
 	freeAccessMode     bool
@@ -112,14 +100,8 @@ func newClusterBootstrapCmd() *cobra.Command {
 	bootstrapCmd.Flags().AddGoFlagSet(flag.CommandLine)
 
 	bootstrapCmd.Flags().StringVar(&o.kubecontext, "kubecontext", "", "The context to use from the kubeconfig (defaults to current-context)")
-	bootstrapCmd.Flags().StringVar(&o.headscaleURI, "headscale-uri", clientutil.GetEnvOrDefault("HEADSCALE_URI", ""), "The headscale URI to use. Can be set via HEADSCALE_URI env var")
-	bootstrapCmd.Flags().StringVar(&o.preAuthKey, "preauth-key", clientutil.GetEnvOrDefault("HEADSCALE_PREAUTHKEY", ""), "The pre-auth key to use. Can be set via HEADSCALE_PREAUTHKEY env var")
 	bootstrapCmd.Flags().StringVar(&o.orgName, "org", clientutil.GetEnvOrDefault("GREENHOUSE_ORG", ""), "The organization name to use. Can be set via GREENHOUSE_ORG env var")
 	bootstrapCmd.Flags().StringVar(&o.clusterName, "cluster-name", clientutil.GetEnvOrDefault("GREENHOUSE_CLUSTER_NAME", ""), "The cluster name to use. Can be set via GREENHOUSE_CLUSTER_NAME env var")
-	bootstrapCmd.Flags().StringVar(&o.proxyImage, "proxy-image", clientutil.GetEnvOrDefault("PROXY_IMAGE", "ghcr.io/cloudoperators/tcp-proxy"), "The proxy image to use. Can be set via PROXY_IMAGE env var")
-	bootstrapCmd.Flags().StringVar(&o.proxyImageTag, "proxy-image-tag", clientutil.GetEnvOrDefault("PROXY_IMAGE_TAG", "0.1.1"), "The proxy image tag to use. Can be set via PROXY_IMAGE_TAG env var")
-	bootstrapCmd.Flags().StringVar(&o.tailscaleImage, "tailscale-image", clientutil.GetEnvOrDefault("TAILSCALE_IMAGE", "ghcr.io/cloudoperators/tailscale"), "The tailscale image to use. Can be set via TAILSCALE_IMAGE env var")
-	bootstrapCmd.Flags().StringVar(&o.tailscaleImageTag, "tailscale-image-tag", clientutil.GetEnvOrDefault("TAILSCALE_IMAGE_TAG", "1.50.1"), "The tailscale image tag to use. Can be set via TAILSCALE_IMAGE_TAG env var")
 	bootstrapCmd.Flags().StringVar(&o.customerKubeConfig, "bootstrap-kubeconfig", "", "The kubeconfig of the cluster to bootstrap")
 	bootstrapCmd.Flags().BoolVar(&o.freeAccessMode, "free-access-mode", true, "Let the cluster bootstrap controller decide the access mode for the cluster")
 	bootstrapCmd.Flags().StringVar(&o.onBehafOfUser, "as", "", "The user to impersonate for the operation")
@@ -194,17 +176,6 @@ func (o *newClusterBootstrapOptions) fillDefaults() error {
 		o.clusterName = customerConfig.CurrentContext
 	}
 
-	// This is temporary solution till we have a headscale per org deployed
-	switch {
-	case strings.Contains(o.ghConfig.Host, "api.qa.greenhouse"):
-		o.headscaleURI = "https://headscale.greenhouse-qa.eu-nl-1.cloud.sap"
-	case strings.Contains(o.ghConfig.Host, "api.greenhouse-qa"):
-		o.headscaleURI = "https://headscale.greenhouse-qa.eu-nl-1.cloud.sap"
-	case strings.Contains(o.ghConfig.Host, "api.dev-david.greenhouse"):
-		o.headscaleURI = "https://headscale.davidg.c.eu-nl-1.cloud.sap"
-	default:
-		o.headscaleURI = "https://headscale.greenhouse.global.cloud.sap"
-	}
 	return nil
 }
 
@@ -224,29 +195,13 @@ func (o *newClusterBootstrapOptions) run() error {
 	if err := createClusterRoleBindingInRemoteCluster(ctx, o.customerClient, o.orgName); err != nil {
 		return err
 	}
-	if err := createServiceAccountInRemoteCluster(ctx, o.customerClient, tailscaleServiceAccountName, o.orgName); err != nil {
-		return err
-	}
-	if err := createRoleInRemoteCluster(ctx, o.customerClient, o.orgName); err != nil {
-		return err
-	}
-	if err := createRoleBindingInRemoteCluster(ctx, o.customerClient, o.orgName); err != nil {
-		return err
-	}
+
 	if !bootstrapped {
 		if err := o.createClusterObject(ctx); err != nil {
 			return err
 		}
 	}
-	/*
-		else {
-			// TODO: if the cluster already bootstraped we need to check if the preauthkey is still correct
-			// New bootstraptoken needs to be created and the cluster secret object needs to be updated
-		}
-	*/
-	if err := o.workOnCreatedCluster(ctx); err != nil {
-		return err
-	}
+
 	setupLog.Info("Bootstraping cluster finished", "clusterName", o.clusterName, "orgName", o.orgName)
 	return nil
 }
@@ -293,72 +248,6 @@ func createServiceAccountInRemoteCluster(ctx context.Context, k8sClient client.C
 	return nil
 }
 
-func createRoleInRemoteCluster(ctx context.Context, k8sClient client.Client, orgName string) error {
-	var role = new(rbacv1.Role)
-	role.Name = tailscaleServiceAccountName
-	role.Namespace = orgName
-	result, err := clientutil.CreateOrPatch(ctx, k8sClient, role, func() error {
-		role.Rules = []rbacv1.PolicyRule{
-			{
-				APIGroups: []string{""},
-				Resources: []string{"secrets"},
-				Verbs:     []string{"create"},
-			},
-			{
-				APIGroups:     []string{""},
-				ResourceNames: []string{tailscaleServiceAccountName + "-auth"},
-				Resources:     []string{"secrets"},
-				Verbs:         []string{"get", "update", "patch"},
-			},
-		}
-		return nil
-	})
-	if err != nil {
-		return err
-	}
-	switch result {
-	case clientutil.OperationResultNone:
-		setupLog.Info("role already exists", "name", role.Name)
-	case clientutil.OperationResultCreated:
-		setupLog.Info("created role", "name", role.Name)
-	case clientutil.OperationResultUpdated:
-		setupLog.Info("updated role", "name", role.Name)
-	}
-	return nil
-}
-
-func createRoleBindingInRemoteCluster(ctx context.Context, k8sClient client.Client, orgName string) error {
-	var roleBinding = new(rbacv1.RoleBinding)
-	roleBinding.Name = tailscaleServiceAccountName
-	roleBinding.Namespace = orgName
-	result, err := clientutil.CreateOrPatch(ctx, k8sClient, roleBinding, func() error {
-		roleBinding.Subjects = []rbacv1.Subject{
-			{
-				Kind: "ServiceAccount",
-				Name: tailscaleServiceAccountName,
-			},
-		}
-		roleBinding.RoleRef = rbacv1.RoleRef{
-			Kind:     "Role",
-			Name:     tailscaleServiceAccountName,
-			APIGroup: "rbac.authorization.k8s.io",
-		}
-		return nil
-	})
-	if err != nil {
-		return err
-	}
-	switch result {
-	case clientutil.OperationResultNone:
-		setupLog.Info("roleBinding already exists", "name", roleBinding.Name)
-	case clientutil.OperationResultCreated:
-		setupLog.Info("created roleBinding", "name", roleBinding.Name)
-	case clientutil.OperationResultUpdated:
-		setupLog.Info("updated roleBinding", "name", roleBinding.Name)
-	}
-	return nil
-}
-
 func createClusterRoleBindingInRemoteCluster(ctx context.Context, k8sClient client.Client, orgName string) error {
 	var clusterRoleBinding = new(rbacv1.ClusterRoleBinding)
 	clusterRoleBinding.Name = serviceAccountName
@@ -398,207 +287,6 @@ func createClusterRoleBindingInRemoteCluster(ctx context.Context, k8sClient clie
 	return nil
 }
 
-func createAuthSecretInRemoteCluster(ctx context.Context, k8sClient client.Client, orgName string, preAuthKey []byte) error {
-	var authSecret = new(corev1.Secret)
-	authSecret.Name = "tailscale-auth"
-	authSecret.Namespace = orgName
-
-	result, err := clientutil.CreateOrPatch(ctx, k8sClient, authSecret, func() error {
-		authSecret.Type = corev1.SecretTypeOpaque
-		authSecret.Data = map[string][]byte{"TS_AUTHKEY": preAuthKey}
-		return nil
-	})
-	if err != nil {
-		return err
-	}
-	switch result {
-	case clientutil.OperationResultNone:
-		setupLog.Info("authSecret already exists", "name", authSecret.Name)
-	case clientutil.OperationResultCreated:
-		setupLog.Info("created authSecret", "name", authSecret.Name)
-	case clientutil.OperationResultUpdated:
-		setupLog.Info("updated authSecret", "name", authSecret.Name)
-	}
-	return nil
-}
-
-func (o *newClusterBootstrapOptions) isCalicoUsed() bool {
-	dcClient, err := discovery.NewDiscoveryClientForConfig(getKubeconfigOrDie(o.customerKubeConfig))
-	if err != nil {
-		setupLog.Error(err, "unable to create discovery client")
-		return false
-	}
-	apiGroupList, err := dcClient.ServerGroups()
-	if err != nil {
-		setupLog.Error(err, "unable to list apiGroups")
-		return false
-	}
-	for _, apiGroup := range apiGroupList.Groups {
-		if apiGroup.Name == "crd.projectcalico.org" {
-			return true
-		}
-	}
-	return false
-}
-
-func (o *newClusterBootstrapOptions) deployTailscaleInRemoteCluster(ctx context.Context, k8sClient client.Client) error {
-	greenhouseTailscaleLabel := map[string]string{greenhouseapis.HeadScaleKey: "client"}
-	tailscaleImageStr := o.tailscaleImage + ":" + o.tailscaleImageTag
-	proxyImageStr := o.proxyImage + ":" + o.proxyImageTag
-	hostNetworkBool := o.isCalicoUsed()
-	setupLog.Info("hostNetworking is set to:", "hostNetwork", hostNetworkBool)
-	var tailscaleDeployment = new(appsv1.Deployment)
-	tailscaleDeployment.Name = o.clusterName + "tailscale"
-	tailscaleDeployment.Namespace = o.orgName
-
-	result, err := clientutil.CreateOrPatch(ctx, k8sClient, tailscaleDeployment, func() error {
-		tailscaleDeployment.Labels = greenhouseTailscaleLabel
-		tailscaleDeployment.Spec = appsv1.DeploymentSpec{
-			Selector: &metav1.LabelSelector{MatchLabels: greenhouseTailscaleLabel},
-			Template: corev1.PodTemplateSpec{
-				ObjectMeta: metav1.ObjectMeta{
-					Labels: greenhouseTailscaleLabel,
-				},
-				Spec: corev1.PodSpec{
-					ServiceAccountName: tailscaleServiceAccountName,
-					Containers: []corev1.Container{
-						{
-							Name:            "proxy",
-							ImagePullPolicy: corev1.PullAlways,
-							Image:           proxyImageStr,
-							Lifecycle: &corev1.Lifecycle{
-								PreStop: &corev1.LifecycleHandler{
-									Exec: &corev1.ExecAction{
-										Command: []string{
-											"/wait-shutdown",
-										},
-									},
-								},
-							},
-							Env: []corev1.EnvVar{
-								{
-									Name:  "ALL_PROXY",
-									Value: "socks5://localhost:1055",
-								},
-							},
-							Resources: corev1.ResourceRequirements{
-								Limits: map[corev1.ResourceName]resource.Quantity{
-									corev1.ResourceCPU:    resource.MustParse("50m"),
-									corev1.ResourceMemory: resource.MustParse("512Mi"),
-								},
-								Requests: map[corev1.ResourceName]resource.Quantity{
-									corev1.ResourceCPU:    resource.MustParse("5m"),
-									corev1.ResourceMemory: resource.MustParse("64Mi"),
-								},
-							},
-						},
-						{
-							Name:            "ts-sidecar",
-							ImagePullPolicy: corev1.PullAlways,
-							Image:           tailscaleImageStr,
-							Args: []string{
-								"--socket",
-								"/tmp/tailscaled.sock",
-							},
-							Env: []corev1.EnvVar{
-								{
-									Name:  "TS_STATE_DIR",
-									Value: "/state",
-								},
-								{
-									Name:  "TS_TAILSCALED_EXTRA_ARGS",
-									Value: "--state=mem: --no-logs-no-support --debug=:8080",
-								},
-								{
-									Name:  "TS_ACCEPT_DNS",
-									Value: "false",
-								},
-								{
-									Name:  "TS_EXTRA_ARGS",
-									Value: "--login-server " + o.headscaleURI,
-								},
-								{
-									Name:  "TS_KUBE_SECRET",
-									Value: "",
-								},
-								{
-									Name:  "TS_USERSPACE",
-									Value: "true",
-								},
-								{
-									Name:  "TS_SOCKS5_SERVER",
-									Value: ":1055",
-								},
-								{
-									Name: "TS_AUTH_KEY",
-									ValueFrom: &corev1.EnvVarSource{
-										SecretKeyRef: &corev1.SecretKeySelector{
-											LocalObjectReference: corev1.LocalObjectReference{
-												Name: "tailscale-auth",
-											},
-											Key: "TS_AUTHKEY",
-										},
-									},
-								},
-							},
-							LivenessProbe: &corev1.Probe{
-								FailureThreshold:    5,
-								SuccessThreshold:    2,
-								TimeoutSeconds:      5,
-								PeriodSeconds:       5,
-								InitialDelaySeconds: 10,
-								ProbeHandler: corev1.ProbeHandler{
-									HTTPGet: &corev1.HTTPGetAction{
-										Path: "/healthz",
-										Port: intstr.FromInt32(8090),
-									},
-								},
-							},
-							SecurityContext: &corev1.SecurityContext{
-								Capabilities: &corev1.Capabilities{
-									Add: []corev1.Capability{
-										"NET_ADMIN",
-									},
-								},
-							},
-							VolumeMounts: []corev1.VolumeMount{
-								{
-									Name:      "state",
-									MountPath: "/state",
-								},
-							},
-						},
-					},
-					HostNetwork: hostNetworkBool,
-					Volumes: []corev1.Volume{
-						{
-							Name: "state",
-							VolumeSource: corev1.VolumeSource{
-								EmptyDir: &corev1.EmptyDirVolumeSource{
-									Medium: corev1.StorageMediumMemory,
-								},
-							},
-						},
-					},
-				},
-			},
-		}
-		return nil
-	})
-	if err != nil {
-		return err
-	}
-	switch result {
-	case clientutil.OperationResultNone:
-		setupLog.Info("deployment already exists", "name", tailscaleDeployment.Name)
-	case clientutil.OperationResultCreated:
-		setupLog.Info("created deployment", "name", tailscaleDeployment.Name)
-	case clientutil.OperationResultUpdated:
-		setupLog.Info("updated deployment", "name", tailscaleDeployment.Name)
-	}
-	return nil
-}
-
 func canI(kubeClient client.Client, namespace, user, verb, group, resourceType string) bool {
 	if user == "" {
 		accessReview := &authorizationv1.SelfSubjectAccessReview{
@@ -670,9 +358,10 @@ func (o *newClusterBootstrapOptions) createClusterObject(ctx context.Context) er
 	clusterSecret := new(corev1.Secret)
 	clusterSecret.Name = o.clusterName
 	clusterSecret.Namespace = o.orgName
-	if !o.freeAccessMode {
-		clusterSecret.Labels = map[string]string{greenhouseapis.LabelAccessMode: "headscale"}
-	}
+	// access mode decision should happen before anything else is touched
+	// if !o.freeAccessMode {
+	// 	clusterSecret.Labels = map[string]string{greenhouseapis.LabelAccessMode: "headscale"}
+	// }
 	clusterSecret.Type = greenhouseapis.SecretTypeKubeConfig
 	clusterSecret.Data = map[string][]byte{"kubeconfig": genKubeConfig}
 
@@ -726,55 +415,3 @@ func getKubeconfigOrDie(kubecontext string) *rest.Config {
 	setupLog.Info("Loaded kubeconfig", "context", kubecontext, "host", restConfig.Host)
 	return restConfig
 }
-func (o *newClusterBootstrapOptions) isClusterObjectCreated(ctx context.Context) wait.ConditionWithContextFunc {
-	return func(_ context.Context) (bool, error) {
-		cluster := new(greenhouseapisv1alpha1.Cluster)
-		if err := o.ghClient.Get(ctx, client.ObjectKey{Name: o.clusterName, Namespace: o.orgName}, cluster); err != nil {
-			return false, err
-		}
-
-		switch cluster.Spec.AccessMode {
-		case greenhouseapisv1alpha1.ClusterAccessModeDirect:
-			return true, nil
-		case greenhouseapisv1alpha1.ClusterAccessModeHeadscale:
-			clusterSecret := new(corev1.Secret)
-			if err := o.ghClient.Get(ctx, client.ObjectKey{Name: o.clusterName, Namespace: o.orgName}, clusterSecret); err != nil {
-				return false, err
-			}
-			if clusterSecret.Data["headscalePreAuthKey"] == nil {
-				return true, nil
-			}
-		}
-
-		return false, nil
-	}
-}
-
-func (o *newClusterBootstrapOptions) waitForClusterCreated(ctx context.Context, timeout time.Duration) error {
-	return wait.PollUntilContextTimeout(ctx, time.Second, timeout, false, o.isClusterObjectCreated(ctx))
-}
-
-func (o *newClusterBootstrapOptions) workOnCreatedCluster(ctx context.Context) error {
-	if err := o.waitForClusterCreated(ctx, time.Duration(60)*time.Second); err != nil {
-		return err
-	}
-
-	cluster := new(greenhouseapisv1alpha1.Cluster)
-	if err := o.ghClient.Get(ctx, client.ObjectKey{Name: o.clusterName, Namespace: o.orgName}, cluster); err != nil {
-		return err
-	}
-	if cluster.Spec.AccessMode == greenhouseapisv1alpha1.ClusterAccessModeHeadscale {
-		clusterSecret := new(corev1.Secret)
-		if err := o.ghClient.Get(ctx, client.ObjectKey{Name: o.clusterName, Namespace: o.orgName}, clusterSecret); err != nil {
-			return err
-		}
-		if err := createAuthSecretInRemoteCluster(ctx, o.customerClient, o.orgName, clusterSecret.Data["headscalePreAuthKey"]); err != nil {
-			return err
-		}
-
-		if err := o.deployTailscaleInRemoteCluster(ctx, o.customerClient); err != nil {
-			return err
-		}
-	}
-	return nil
-}
diff --git a/pkg/controllers/cluster/bootstrap_controller.go b/pkg/controllers/cluster/bootstrap_controller.go
index 2db730371..ba1246c3a 100644
--- a/pkg/controllers/cluster/bootstrap_controller.go
+++ b/pkg/controllers/cluster/bootstrap_controller.go
@@ -115,7 +115,6 @@ func (r *BootstrapReconciler) getClusterAndIgnoreNotFoundError(ctx context.Conte
 }
 
 // createOrPatchCluster creates or patches the cluster resource and persists input err in the cluster.status.message.
-// Sets cluster.Spec.AccesMode to "headscale" if input err != nil
 func (r *BootstrapReconciler) createOrPatchCluster(
 	ctx context.Context,
 	cluster *greenhousev1alpha1.Cluster,
@@ -131,18 +130,10 @@ func (r *BootstrapReconciler) createOrPatchCluster(
 	readyCondition := greenhousev1alpha1.TrueCondition(greenhousev1alpha1.ReadyCondition, "", "")
 
 	accessMode := greenhousev1alpha1.ClusterAccessModeDirect
-	if metav1.HasLabel(kubeConfigSecret.ObjectMeta, greenhouseapis.LabelAccessMode) && kubeConfigSecret.Labels[greenhouseapis.LabelAccessMode] == "headscale" {
-		accessMode = greenhousev1alpha1.ClusterAccessModeHeadscale
-	}
 
 	if err != nil {
 		readyCondition.Message = "cluster not ready: " + err.Error()
 		readyCondition.Status = metav1.ConditionFalse
-		// Accessmode "headscale" when an error occurred.
-		accessMode = greenhousev1alpha1.ClusterAccessModeHeadscale
-		log.FromContext(ctx).Info("error in cluster reconciliation",
-			"namespace", kubeConfigSecret.GetNamespace(), "name", kubeConfigSecret.GetName(), "message", err.Error(),
-		)
 	}
 
 	cluster.Name = kubeConfigSecret.Name
diff --git a/pkg/controllers/cluster/bootstrap_controller_test.go b/pkg/controllers/cluster/bootstrap_controller_test.go
index 4d50cc820..32c60f63d 100644
--- a/pkg/controllers/cluster/bootstrap_controller_test.go
+++ b/pkg/controllers/cluster/bootstrap_controller_test.go
@@ -77,7 +77,7 @@ var _ = Describe("Bootstrap controller", Ordered, func() {
 				id := types.NamespacedName{Name: invalidKubeConfigSecret.Name, Namespace: setup.Namespace()}
 				Eventually(func(g Gomega) bool {
 					g.Expect(test.K8sClient.Get(test.Ctx, id, cluster)).Should(Succeed(), "the cluster should have been created")
-					g.Expect(cluster.Spec.AccessMode).To(Equal(greenhousev1alpha1.ClusterAccessModeHeadscale), "the cluster accessmode should be set to headscale")
+					g.Expect(cluster.Spec.AccessMode).To(Equal(greenhousev1alpha1.ClusterAccessModeDirect), "the cluster accessmode should still be direct")
 					g.Expect(cluster.Status.Conditions).ToNot(BeNil(), "status conditions should be present")
 					readyCondition := cluster.Status.GetConditionByType(greenhousev1alpha1.ReadyCondition)
 					g.Expect(readyCondition).ToNot(BeNil())
diff --git a/pkg/controllers/cluster/cluster_exports_test.go b/pkg/controllers/cluster/cluster_exports_test.go
index 8a95d0055..ea97276c0 100644
--- a/pkg/controllers/cluster/cluster_exports_test.go
+++ b/pkg/controllers/cluster/cluster_exports_test.go
@@ -3,21 +3,6 @@
 
 package cluster
 
-import (
-	headscalev1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"k8s.io/cli-runtime/pkg/genericclioptions"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-)
-
 var (
-	ExportServiceAccountName        = serviceAccountName
-	ExportTailscaleAuthorizationKey = tailscaleAuthorizationKey
+	ExportServiceAccountName = serviceAccountName
 )
-
-func ExportSetHeadscaleGRPCClientOnHAR(r *HeadscaleAccessReconciler, c headscalev1.HeadscaleServiceClient) {
-	r.headscaleGRPCClient = c
-}
-
-func ExportSetRestClientGetterFunc(r *HeadscaleAccessReconciler, f func(restClientGetter genericclioptions.RESTClientGetter, proxy string, headscaleAddress string) (client.Client, error)) {
-	r.getHeadscaleClientFromRestClientGetter = f
-}
diff --git a/pkg/controllers/cluster/headscale_access_controller.go b/pkg/controllers/cluster/headscale_access_controller.go
deleted file mode 100644
index 67dcee106..000000000
--- a/pkg/controllers/cluster/headscale_access_controller.go
+++ /dev/null
@@ -1,505 +0,0 @@
-// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-// SPDX-License-Identifier: Apache-2.0
-
-package cluster
-
-import (
-	"context"
-	"fmt"
-	"sort"
-	"strings"
-	"time"
-
-	headscalev1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/pkg/errors"
-	"google.golang.org/grpc/status"
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/types"
-	utilerrors "k8s.io/apimachinery/pkg/util/errors"
-	"k8s.io/cli-runtime/pkg/genericclioptions"
-	"k8s.io/client-go/tools/record"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/builder"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
-	"sigs.k8s.io/controller-runtime/pkg/handler"
-	"sigs.k8s.io/controller-runtime/pkg/log"
-
-	greenhouseapis "github.com/cloudoperators/greenhouse/pkg/apis"
-	greenhousev1alpha1 "github.com/cloudoperators/greenhouse/pkg/apis/greenhouse/v1alpha1"
-	"github.com/cloudoperators/greenhouse/pkg/clientutil"
-)
-
-const tailscaleAuthorizationKey = "TS_AUTHKEY"
-
-type HeadscaleAccessReconciler struct {
-	client.Client
-	recorder                               record.EventRecorder
-	headscaleGRPCClient                    headscalev1.HeadscaleServiceClient
-	getHeadscaleClientFromRestClientGetter func(restClientGetter genericclioptions.RESTClientGetter, proxy string, headscaleAddress string) (client.Client, error)
-
-	HeadscaleGRPCURL,
-	HeadscaleAPIKey,
-	TailscaleProxy string
-	// HeadscalePreAuthenticationKeyMinValidity is the minimum duration a pre-authentication has to be valid for.
-	HeadscalePreAuthenticationKeyMinValidity,
-	RemoteClusterBearerTokenValidity,
-	RenewRemoteClusterBearerTokenAfter time.Duration
-}
-
-//+kubebuilder:rbac:groups=greenhouse.sap,resources=clusters,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=greenhouse.sap,resources=clusters/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=greenhouse.sap,resources=clusters/finalizers,verbs=update
-//+kubebuilder:rbac:groups="",resources=events,verbs=get;list;watch;create;update;patch
-//+kubebuilder:rbac:groups="",resources=events,verbs=get;list;watch;create;update;patch
-
-// SetupWithManager sets up the controller with the Manager.
-func (r *HeadscaleAccessReconciler) SetupWithManager(name string, mgr ctrl.Manager) error {
-	r.Client = mgr.GetClient()
-	r.recorder = mgr.GetEventRecorderFor(name)
-
-	if r.HeadscaleGRPCURL == "" {
-		return errors.New("headscale GRPC URL required but not provided")
-	}
-	if r.HeadscaleAPIKey == "" {
-		return errors.New("headscale API key required but no provided")
-	}
-	if r.HeadscalePreAuthenticationKeyMinValidity == 0 {
-		return errors.New("headscale pre authenticating key min validity required but no provided")
-	}
-	if r.RemoteClusterBearerTokenValidity == 0 {
-		return errors.New("remote cluster bearer token validity required but no provided")
-	}
-	if r.RenewRemoteClusterBearerTokenAfter == 0 {
-		return errors.New("remote cluster bearer token renewal after required but not provided")
-	}
-	if r.TailscaleProxy == "" {
-		return errors.New("tailscale proxy required but not configured")
-	}
-
-	grpcClient, err := clientutil.NewHeadscaleGRPCClient(r.HeadscaleGRPCURL, r.HeadscaleAPIKey)
-	if err != nil {
-		return err
-	}
-	r.headscaleGRPCClient = grpcClient
-	r.getHeadscaleClientFromRestClientGetter = clientutil.NewHeadscaleK8sClientFromRestClientGetter
-
-	return ctrl.NewControllerManagedBy(mgr).
-		Named(name).
-		For(&greenhousev1alpha1.Cluster{}, builder.WithPredicates(
-			clientutil.PredicateClusterByAccessMode(greenhousev1alpha1.ClusterAccessModeHeadscale),
-		)).
-		// Watch the secret owned by this cluster.
-		// This should trigger a reconciliation if the user-provided or controller-generated kubeconfig was changed.
-		Watches(&corev1.Secret{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &greenhousev1alpha1.Cluster{})).
-		Complete(r)
-}
-
-/*
-	The HeadscaleAccessReconciler manages clusters with access mode headscale.
-
-	Remote clusters connected via Headscale are air-gapped from the Greenhouse central cluster,
-	thus the bootstrap had to be done manually by a user with cluster-admin permissions in the remote cluster.
-	The following implementation handles:
-	1) User in Headscale
-	2) Pre-authentication key in Headscale
-	3) Namespace in remote cluster
-	4) ServiceAccount in remote cluster
-	5) Token for ServiceAccount in remote cluster
-	5) ClusterRoleBinding in remote cluster
-
-*/
-
-func (r *HeadscaleAccessReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
-	var cluster = new(greenhousev1alpha1.Cluster)
-	if err := r.Get(ctx, req.NamespacedName, cluster); err != nil {
-		return ctrl.Result{}, client.IgnoreNotFound(err)
-	}
-
-	// Manage only clusters with the headscale access mode.
-	// Though we use a predicate for the access mode, this check is necessary as we also watch secrets and enqueue by owner reference.
-	if cluster.Spec.AccessMode != greenhousev1alpha1.ClusterAccessModeHeadscale {
-		return ctrl.Result{}, nil
-	}
-
-	// Update metrics at the end of the reconcile function
-	defer updateMetrics(cluster)
-
-	// Cleanup logic
-	if cluster.DeletionTimestamp != nil && controllerutil.ContainsFinalizer(cluster, greenhouseapis.FinalizerCleanupCluster) {
-		// Delete resources (serviceAccount, clusterRoleBinding, namespace, etc.) in remote cluster before the secret.
-		isNamespaceInRemoteClusterDeleted, err := r.deleteResourcesOnRemoteCluster(ctx, cluster)
-		if err != nil {
-			return ctrl.Result{}, err
-		}
-		if !isNamespaceInRemoteClusterDeleted {
-			return ctrl.Result{RequeueAfter: defaultRequeueInterval}, nil
-		}
-		// Cleanup headscale resources.
-		isHeadscaleMachineDeleted, err := r.deleteHeadscaleMachine(ctx, cluster)
-		if err != nil {
-			return ctrl.Result{}, err
-		}
-		if !isHeadscaleMachineDeleted {
-			return ctrl.Result{RequeueAfter: defaultRequeueInterval}, nil
-		}
-		isHeadscaleUserDeleted, err := r.deleteHeadscaleUser(ctx, cluster)
-		if err != nil {
-			return ctrl.Result{}, err
-		}
-		if !isHeadscaleUserDeleted {
-			return ctrl.Result{RequeueAfter: defaultRequeueInterval}, nil
-		}
-		// Eventually, remove the finalizer.
-		err = clientutil.RemoveFinalizer(ctx, r.Client, cluster, greenhouseapis.FinalizerCleanupCluster)
-		return ctrl.Result{}, err
-	}
-
-	// Ensure the cluster status is always handled.
-	defer func() {
-		if err := r.reconcileStatus(ctx, cluster); err != nil {
-			log.FromContext(ctx).Error(err, "failed to reconcile status")
-		}
-	}()
-
-	// Add finalizer before modifying any resources.
-	if err := clientutil.EnsureFinalizer(ctx, r.Client, cluster, greenhouseapis.FinalizerCleanupCluster); err != nil {
-		return ctrl.Result{}, err
-	}
-
-	// Reconcile the Headscale resources for the cluster.
-	if err := ReconcileHeadscaleUser(ctx, r.recorder, cluster, r.headscaleGRPCClient); err != nil {
-		return ctrl.Result{}, err
-	}
-	// The remote cluster must have joined the headscale network before we can proceed.
-	hasJoined, err := r.hasClusterJoinedHeadscale(ctx, cluster)
-	if err != nil {
-		return ctrl.Result{}, err
-	}
-	if !hasJoined {
-		r.recorder.Eventf(cluster, corev1.EventTypeNormal, "HeadscaleClusterNotJoined",
-			"Waiting for the cluster to join the headscale network")
-		return ctrl.Result{RequeueAfter: defaultRequeueInterval}, nil
-	}
-
-	// Reconcile the resources in the remote cluster.
-	ipAddressOfHeadscaleClientInRemoteCluster, err := r.getIPAddressForHeadscaleClientInRemoteCluster(ctx, cluster)
-	if err != nil {
-		return ctrl.Result{}, err
-	}
-	restClientGetter, err := r.newRestClientGetterForCluster(ctx, cluster)
-	if err != nil {
-		return ctrl.Result{}, err
-	}
-	k8sHeadscaleProxyClientForRemoteCluster, err := r.getHeadscaleClientFromRestClientGetter(restClientGetter, r.TailscaleProxy, ipAddressOfHeadscaleClientInRemoteCluster)
-	if err != nil {
-		return ctrl.Result{}, err
-	}
-	if err := reconcileNamespaceInRemoteCluster(ctx, k8sHeadscaleProxyClientForRemoteCluster, cluster); err != nil {
-		return ctrl.Result{}, err
-	}
-	if err := reconcileServiceAccountInRemoteCluster(ctx, k8sHeadscaleProxyClientForRemoteCluster, cluster); err != nil {
-		return ctrl.Result{}, err
-	}
-	if err := reconcileClusterRoleBindingInRemoteCluster(ctx, k8sHeadscaleProxyClientForRemoteCluster, cluster); err != nil {
-		return ctrl.Result{}, err
-	}
-	if err := r.reconcileServiceAccountToken(ctx, restClientGetter, cluster); err != nil {
-		return ctrl.Result{}, err
-	}
-	// The initial pre-authentication used by the remote tailscale client was provisioned during bootstrap.
-	// This function only handles its timely renewal and rotation.
-	if err := r.reconcilePreAuthenticationKey(ctx, k8sHeadscaleProxyClientForRemoteCluster, cluster); err != nil {
-		return ctrl.Result{}, err
-	}
-
-	return ctrl.Result{RequeueAfter: defaultRequeueInterval}, nil
-}
-
-// reconcilePreAuthenticationKey reconciles the pre-authorization key used by the tailscale client in the remote cluster.
-func (r *HeadscaleAccessReconciler) reconcilePreAuthenticationKey(ctx context.Context, k8sClientForRemoteCluster client.Client, cluster *greenhousev1alpha1.Cluster) error {
-	preAuthKey, err := ReconcilePreAuthorizationKey(ctx, cluster, r.headscaleGRPCClient, r.HeadscalePreAuthenticationKeyMinValidity)
-	if err != nil {
-		return err
-	}
-	var tailscaleSecretInRemoteCluster = new(corev1.Secret)
-	tailscaleSecretInRemoteCluster.Namespace = cluster.GetNamespace()
-	tailscaleSecretInRemoteCluster.Name = "tailscale-auth"
-	result, err := clientutil.CreateOrPatch(ctx, k8sClientForRemoteCluster, tailscaleSecretInRemoteCluster, func() error {
-		tailscaleSecretInRemoteCluster.Type = corev1.SecretTypeOpaque
-		if tailscaleSecretInRemoteCluster.Data == nil {
-			tailscaleSecretInRemoteCluster.Data = make(map[string][]byte, 0)
-		}
-		tailscaleSecretInRemoteCluster.Data[tailscaleAuthorizationKey] = []byte(preAuthKey.Key)
-		return nil
-	})
-	if err != nil {
-		return err
-	}
-	switch result {
-	case clientutil.OperationResultCreated:
-		r.recorder.Eventf(cluster, corev1.EventTypeNormal, "HeadscalePreAuthenticationKeyProvisioned",
-			"Provisioned pre-authentication key for Headscale to secret %s", tailscaleSecretInRemoteCluster.GetName(),
-		)
-	case clientutil.OperationResultUpdated:
-		r.recorder.Eventf(cluster, corev1.EventTypeNormal, "HeadscalePreAuthenticationKeyRenewed",
-			"Renewed pre-authentication key for Headscale to secret %s", tailscaleSecretInRemoteCluster.GetName(),
-		)
-	}
-	if err := r.updateClusterSecret(ctx, cluster, preAuthKey.Key); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (r *HeadscaleAccessReconciler) updateClusterSecret(ctx context.Context, cluster *greenhousev1alpha1.Cluster, key string) error {
-	clusterSecret := new(corev1.Secret)
-	clusterSecret.Namespace = cluster.GetNamespace()
-	clusterSecret.Name = cluster.GetSecretName()
-	result, err := clientutil.CreateOrPatch(ctx, r.Client, clusterSecret, func() error {
-		clusterSecret.Type = greenhouseapis.SecretTypeKubeConfig
-		if clusterSecret.Data == nil {
-			clusterSecret.Data = make(map[string][]byte, 0)
-		}
-		clusterSecret.Data[greenhouseapis.HeadscalePreAuthKey] = []byte(key)
-		return nil
-	})
-	if err != nil {
-		return err
-	}
-	switch result {
-	case clientutil.OperationResultCreated:
-		r.recorder.Eventf(cluster, corev1.EventTypeNormal, "HeadscalePreAuthenticationKeyProvisioned",
-			"Provisioned pre-authentication key for Headscale to secret %s", clusterSecret.GetName(),
-		)
-	case clientutil.OperationResultUpdated:
-		r.recorder.Eventf(cluster, corev1.EventTypeNormal, "HeadscalePreAuthenticationKeyRenewed",
-			"Renewed pre-authentication key for Headscale to secret %s", clusterSecret.GetName(),
-		)
-	}
-	return nil
-}
-
-func (r *HeadscaleAccessReconciler) hasClusterJoinedHeadscale(ctx context.Context, cluster *greenhousev1alpha1.Cluster) (bool, error) {
-	ipAddress, err := r.getIPAddressForHeadscaleClientInRemoteCluster(ctx, cluster)
-	if err != nil {
-		return false, err
-	}
-	return ipAddress != "", nil
-}
-
-func (r *HeadscaleAccessReconciler) getOnlineHeadscaleMachinesForRemoteCluster(ctx context.Context, cluster *greenhousev1alpha1.Cluster) ([]*headscalev1.Machine, error) {
-	machineList, err := r.headscaleGRPCClient.ListMachines(ctx, &headscalev1.ListMachinesRequest{
-		User: headscaleKeyForCluster(cluster),
-	})
-	if err != nil {
-		return nil, err
-	}
-	onlineMachineList := make([]*headscalev1.Machine, 0)
-	for _, machine := range machineList.GetMachines() {
-		if machine.Online && len(machine.IpAddresses) > 0 && machine.User != nil && machine.User.Name == headscaleKeyForCluster(cluster) {
-			onlineMachineList = append(onlineMachineList, machine)
-		}
-	}
-	// Sort by ID highest to lowest to have the most recent machine first in the list.
-	sort.SliceStable(onlineMachineList, func(i, j int) bool {
-		return onlineMachineList[i].Id > onlineMachineList[j].Id
-	})
-	return onlineMachineList, nil
-}
-
-func (r *HeadscaleAccessReconciler) getIPAddressForHeadscaleClientInRemoteCluster(ctx context.Context, cluster *greenhousev1alpha1.Cluster) (string, error) {
-	machineList, err := r.getOnlineHeadscaleMachinesForRemoteCluster(ctx, cluster)
-	if err != nil {
-		return "", err
-	}
-	for _, machine := range machineList {
-		if len(machine.IpAddresses) > 0 {
-			return machine.IpAddresses[0], nil
-		}
-	}
-	return "", nil
-}
-
-func (r *HeadscaleAccessReconciler) reconcileServiceAccountToken(ctx context.Context, restClientGetter *clientutil.RestClientGetter, cluster *greenhousev1alpha1.Cluster) error {
-	ipAddress, err := r.getIPAddressForHeadscaleClientInRemoteCluster(ctx, cluster)
-	if err != nil {
-		return err
-	}
-	var tokenRequestor = &tokenHelper{
-		Client:                             r.Client,
-		Proxy:                              r.TailscaleProxy,
-		HeadscaleAddress:                   ipAddress,
-		RemoteClusterBearerTokenValidity:   r.RemoteClusterBearerTokenValidity,
-		RenewRemoteClusterBearerTokenAfter: r.RenewRemoteClusterBearerTokenAfter,
-	}
-	return tokenRequestor.ReconcileServiceAccountToken(ctx, restClientGetter, cluster)
-}
-
-// reconcileStatus updates the cluster status for transparency purposes.
-// In contrast to other reconciliation functions, errors don't end the flow to ensure the status is always reported.
-func (r *HeadscaleAccessReconciler) reconcileStatus(ctx context.Context, cluster *greenhousev1alpha1.Cluster) error {
-	var (
-		headscaleMachineStatus  = new(greenhousev1alpha1.HeadScaleMachineStatus)
-		headscaleReadyCondition = greenhousev1alpha1.UnknownCondition(greenhousev1alpha1.HeadscaleReady, "", "")
-	)
-	if machineList, err := r.getOnlineHeadscaleMachinesForRemoteCluster(ctx, cluster); err == nil && len(machineList) > 0 {
-		// TODO: I adapted the status collection from the initial implementation to have the tests green.
-		// Why is only the first machine considered though?
-		firstMachine := machineList[0]
-		headscaleMachineStatus.ID = firstMachine.GetId()
-		headscaleMachineStatus.IPAddresses = firstMachine.GetIpAddresses()
-		headscaleMachineStatus.Name = firstMachine.GetName()
-		headscaleMachineStatus.ForcedTags = firstMachine.GetForcedTags()
-		headscaleMachineStatus.Online = firstMachine.GetOnline()
-		if expirationTime := firstMachine.GetExpiry(); expirationTime != nil {
-			headscaleMachineStatus.Expiry = metav1.NewTime(expirationTime.AsTime())
-		}
-		if createdAtTime := firstMachine.GetCreatedAt(); createdAtTime != nil {
-			headscaleMachineStatus.CreatedAt = metav1.NewTime(createdAtTime.AsTime())
-		}
-		if preAuthKey := firstMachine.PreAuthKey; preAuthKey != nil {
-			headscaleMachineStatus.PreAuthKey = &greenhousev1alpha1.PreAuthKey{
-				ID:        preAuthKey.GetId(),
-				User:      preAuthKey.GetUser(),
-				Reusable:  preAuthKey.GetReusable(),
-				Ephemeral: preAuthKey.GetEphemeral(),
-				Used:      preAuthKey.GetUsed(),
-			}
-			if createdAtTime := preAuthKey.GetCreatedAt(); createdAtTime != nil {
-				headscaleMachineStatus.PreAuthKey.CreatedAt = metav1.NewTime(createdAtTime.AsTime())
-			}
-			if expirationTime := preAuthKey.GetExpiration(); expirationTime != nil {
-				headscaleMachineStatus.PreAuthKey.Expiration = metav1.NewTime(expirationTime.AsTime())
-			}
-		}
-		headscaleReadyCondition.Status = metav1.ConditionTrue
-	} else if len(machineList) == 0 {
-		headscaleReadyCondition.Status = metav1.ConditionFalse
-		headscaleReadyCondition.Message = "no headscale machine found"
-		log.FromContext(ctx).Error(nil, "no headscale machine found", "cluster", cluster.GetName(), "namespace", cluster.GetNamespace())
-	} else {
-		headscaleReadyCondition.Status = metav1.ConditionFalse
-		headscaleReadyCondition.Message = err.Error()
-		log.FromContext(ctx).Error(err, "failed to get headscale machine status")
-	}
-
-	var kubernetesVersion = "unknown"
-	if restClientGetterForRemoteCluster, err := r.newRestClientGetterForCluster(ctx, cluster); err == nil {
-		// Get the kubernetes version of the remote cluster.
-		if k8sVersion, err := clientutil.GetKubernetesVersion(restClientGetterForRemoteCluster); err == nil {
-			kubernetesVersion = k8sVersion.String()
-		} else {
-			log.FromContext(ctx).Error(err, "failed to get cluster version")
-		}
-	} else {
-		log.FromContext(ctx).Error(err, "failed to get rest client getter for cluster")
-	}
-
-	_, err := clientutil.PatchStatus(ctx, r.Client, cluster, func() error {
-		cluster.Status.KubernetesVersion = kubernetesVersion
-		cluster.Status.HeadScaleStatus = headscaleMachineStatus
-		cluster.Status.SetConditions(headscaleReadyCondition)
-		return nil
-	})
-	return err
-}
-
-// deleteHeadscaleMachine deletes all headscale machines for the given cluster and returns true if none can be found.
-// Note: This function is meant to be re-tried on false or an error.
-func (r *HeadscaleAccessReconciler) deleteHeadscaleMachine(ctx context.Context, cluster *greenhousev1alpha1.Cluster) (bool, error) {
-	machinesToDelete, err := r.headscaleGRPCClient.ListMachines(ctx, &headscalev1.ListMachinesRequest{
-		User: headscaleKeyForCluster(cluster),
-	})
-	if err != nil {
-		return false, err
-	}
-	// Report done if there's no machine associated with the cluster.
-	if len(machinesToDelete.GetMachines()) == 0 {
-		return true, nil
-	}
-	allErrs := make([]error, 0)
-	for _, machine := range machinesToDelete.GetMachines() {
-		if _, err := r.headscaleGRPCClient.DeleteMachine(ctx, &headscalev1.DeleteMachineRequest{
-			MachineId: machine.GetId(),
-		}); err != nil {
-			allErrs = append(allErrs, err)
-		}
-	}
-	// We return false here to indicate this function should be called again as deleting machines in Headscale might take a while.
-	return false, utilerrors.NewAggregate(allErrs)
-}
-
-func (r *HeadscaleAccessReconciler) deleteHeadscaleUser(ctx context.Context, cluster *greenhousev1alpha1.Cluster) (bool, error) {
-	// Check if the user still exists.
-	_, err := r.headscaleGRPCClient.GetUser(ctx, &headscalev1.GetUserRequest{
-		Name: headscaleKeyForCluster(cluster),
-	})
-	if err != nil {
-		errStatus, ok := status.FromError(err)
-		if !ok {
-			return false, err
-		}
-		if strings.Contains(errStatus.Message(), "not found") {
-			return true, nil
-		}
-		return false, err
-	}
-	// Attempt deletion of the user.
-	if _, err := r.headscaleGRPCClient.DeleteUser(ctx, &headscalev1.DeleteUserRequest{
-		Name: headscaleKeyForCluster(cluster),
-	}); err != nil {
-		errStatus, ok := status.FromError(err)
-		if !ok {
-			return false, err
-		}
-		if strings.Contains(errStatus.Message(), "not found") {
-			return true, nil
-		}
-		return false, err
-	}
-	return true, nil
-}
-
-func (r *HeadscaleAccessReconciler) deleteResourcesOnRemoteCluster(ctx context.Context, cluster *greenhousev1alpha1.Cluster) (bool, error) {
-	ipAddress, err := r.getIPAddressForHeadscaleClientInRemoteCluster(ctx, cluster)
-	if err != nil {
-		return false, err
-	}
-	restClientGetter, err := r.newRestClientGetterForCluster(ctx, cluster)
-	if err != nil {
-		return false, err
-	}
-	k8sHeadscaleProxyClientForRemoteCluster, err := r.getHeadscaleClientFromRestClientGetter(restClientGetter, r.TailscaleProxy, ipAddress)
-	if err != nil {
-		return false, err
-	}
-	// all remote resources are bound by owner-reference to the namespace
-	if err := deleteNamespaceInRemoteCluster(ctx, k8sHeadscaleProxyClientForRemoteCluster, cluster); err != nil {
-		return false, err
-	}
-	return true, nil
-}
-
-func (r *HeadscaleAccessReconciler) newRestClientGetterForCluster(ctx context.Context, cluster *greenhousev1alpha1.Cluster) (*clientutil.RestClientGetter, error) {
-	var clusterSecret = new(corev1.Secret)
-	if err := r.Get(ctx, types.NamespacedName{Name: cluster.GetSecretName(), Namespace: cluster.GetNamespace()}, clusterSecret); err != nil {
-		return nil, err
-	}
-	return clientutil.NewRestClientGetterFromSecret(clusterSecret, cluster.Namespace)
-}
-
-// headscaleKeyForCluster returns the key for the given cluster to use in headscale.
-func headscaleKeyForCluster(cluster *greenhousev1alpha1.Cluster) string {
-	return fmt.Sprintf("%s-%s", cluster.GetNamespace(), cluster.GetName())
-}
-
-// isPreAuthenticationKeyIsNotExpired returns true if the given pre-authentication key is valid and not yet expired.
-func isPreAuthenticationKeyIsNotExpired(preAuthenticationKey *headscalev1.PreAuthKey, preAuthenticationKeyMinValidity time.Duration) bool {
-	if preAuthenticationKey.Expiration == nil {
-		return false
-	}
-	return preAuthenticationKey.Expiration.IsValid() &&
-		preAuthenticationKey.Expiration.AsTime().After(time.Now().Add(preAuthenticationKeyMinValidity))
-}
diff --git a/pkg/controllers/cluster/headscale_access_controller_test.go b/pkg/controllers/cluster/headscale_access_controller_test.go
deleted file mode 100644
index e395638ab..000000000
--- a/pkg/controllers/cluster/headscale_access_controller_test.go
+++ /dev/null
@@ -1,193 +0,0 @@
-// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-// SPDX-License-Identifier: Apache-2.0
-
-package cluster_test
-
-import (
-	"strings"
-
-	. "github.com/onsi/ginkgo/v2"
-	. "github.com/onsi/gomega"
-	corev1 "k8s.io/api/core/v1"
-	rbacv1 "k8s.io/api/rbac/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/types"
-	client "sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/envtest"
-
-	greenhouseapis "github.com/cloudoperators/greenhouse/pkg/apis"
-	greenhousev1alpha1 "github.com/cloudoperators/greenhouse/pkg/apis/greenhouse/v1alpha1"
-	"github.com/cloudoperators/greenhouse/pkg/clientutil"
-	clusterpkg "github.com/cloudoperators/greenhouse/pkg/controllers/cluster"
-	"github.com/cloudoperators/greenhouse/pkg/test"
-)
-
-var _ = Describe("Reconciling a Headscale Cluster with mocked Headscale GRPC client and swapped client getter", Ordered, func() {
-	const (
-		headscaleTestCase = "headscale-access"
-	)
-
-	var (
-		cluster *greenhousev1alpha1.Cluster
-
-		remoteEnvTest *envtest.Environment
-		remoteClient  client.Client
-		setup         *test.TestSetup
-	)
-
-	BeforeAll(func() {
-		var remoteKubeConfig []byte
-		_, remoteClient, remoteEnvTest, remoteKubeConfig = test.StartControlPlane("6887", false, false)
-
-		// inject the fake headscale client getter
-		clusterpkg.ExportSetRestClientGetterFunc(headscaleReconciler, newFakeHeadscaleClientGetter(remoteClient))
-
-		setup = test.NewTestSetup(test.Ctx, test.K8sClient, headscaleTestCase)
-
-		// create a greenhouse cluster with headscale access type
-		cluster = setup.CreateCluster(test.Ctx, headscaleTestCase, test.WithAccessMode(greenhousev1alpha1.ClusterAccessModeHeadscale))
-
-		setup.CreateSecret(test.Ctx, headscaleTestCase,
-			test.WithSecretType(greenhouseapis.SecretTypeKubeConfig),
-			test.WithSecretData(map[string][]byte{greenhouseapis.KubeConfigKey: remoteKubeConfig}))
-
-		expectedOwnerReference := metav1.OwnerReference{
-			Kind:       "Cluster",
-			APIVersion: "greenhouse.sap/v1alpha1",
-			UID:        cluster.UID,
-			Name:       cluster.Name,
-		}
-		secret := corev1.Secret{}
-		Eventually(func(g Gomega) bool {
-			g.Expect(test.K8sClient.Get(test.Ctx, types.NamespacedName{Name: cluster.Name, Namespace: setup.Namespace()}, &secret)).To(Succeed())
-			g.Expect(secret.ObjectMeta.OwnerReferences).To(ContainElement(expectedOwnerReference), "the kubeconfig secret should have an owner reference to the cluster")
-			return true
-		}).Should(BeTrue(), "eventually the secret should have an owner reference to the cluster")
-
-	})
-	AfterAll(func() {
-		test.MustDeleteCluster(test.Ctx, test.K8sClient, types.NamespacedName{Name: cluster.Name, Namespace: setup.Namespace()})
-		Expect(remoteEnvTest.Stop()).To(Succeed(), "there must be no error stopping the remote environment")
-	})
-
-	It("should reconcile headscale cluster", func() {
-		By("Checking the Headscale Status is being set in the local cluster")
-		getCluster := &greenhousev1alpha1.Cluster{}
-		id := types.NamespacedName{Name: cluster.Name, Namespace: setup.Namespace()}
-		Eventually(func(g Gomega) bool {
-			g.Expect(test.K8sClient.Get(test.Ctx, id, getCluster)).To(Succeed(), "There should be no error getting the cluster")
-			g.Expect(getCluster.Spec.AccessMode).To(Equal(greenhousev1alpha1.ClusterAccessModeHeadscale), "The cluster access mode should be set to headscale")
-			g.Expect(getCluster.Status.HeadScaleStatus).ToNot(BeNil(), "headscale status should be set")
-			headscaleCondition := getCluster.Status.GetConditionByType(greenhousev1alpha1.HeadscaleReady)
-			g.Expect(headscaleCondition).ToNot(BeNil(), "The HeadscaleReady condition should be present")
-			g.Expect(headscaleCondition.Status).To(Equal(metav1.ConditionTrue), "The HeadscaleReady condition status should be true")
-			return true
-		}).
-			Should(BeTrue(), "getting the cluster should succeed eventually and status should be set correctly")
-
-		By("Checking the Namespace is created in the Remote Cluster")
-		getNamespace := &corev1.Namespace{}
-		id = types.NamespacedName{Name: setup.Namespace()}
-		Eventually(func(g Gomega) bool {
-			g.Expect(remoteClient.Get(test.Ctx, id, getNamespace)).To(Succeed(), "There should be no error getting the remote namespace")
-			g.Expect(getNamespace.GetName()).To(Equal(setup.Namespace()), "The remote namespace name should be correct")
-			g.Expect(getNamespace.Status.Phase).To(Equal(corev1.NamespaceActive), "The remote namespace should be active")
-			return true
-		}).Should(BeTrue(), "getting the namespace should succeed eventually")
-
-		By("Checking the Service Account is created in the Remote Cluster")
-		getServiceAccount := &corev1.ServiceAccount{}
-		id = types.NamespacedName{Name: clusterpkg.ExportServiceAccountName, Namespace: setup.Namespace()}
-		Eventually(func(g Gomega) bool {
-			g.Expect(remoteClient.Get(test.Ctx, id, getServiceAccount)).To(Succeed(), "There should be no error getting the remote service account")
-			g.Expect(getServiceAccount.GetName()).To(Equal(clusterpkg.ExportServiceAccountName), "The SA name should be correct")
-			g.Expect(getServiceAccount.Namespace).To(Equal(setup.Namespace()), "The SA should be deployed to the correct namespace")
-			return true
-		}).Should(BeTrue(), "getting the service account should succeed eventually")
-
-		By("Checking the Cluster Role Binding is created in the Remote Cluster")
-		getClusterRoleBinding := &rbacv1.ClusterRoleBinding{}
-		id = types.NamespacedName{Name: "greenhouse"}
-		Eventually(func(g Gomega) bool {
-			g.Expect(remoteClient.Get(test.Ctx, id, getClusterRoleBinding)).To(Succeed(), "There should be no error getting the remote crb")
-			g.Expect(getClusterRoleBinding.RoleRef.Name).To(Equal("cluster-admin"), "crb should bind cluster-admin")
-			g.Expect(getClusterRoleBinding.Subjects[0].Namespace).To(Equal(setup.Namespace()), "crb should be deployed to correct namespace")
-			g.Expect(getClusterRoleBinding.OwnerReferences[0].Name).To(Equal(setup.Namespace()), "crb should have owner-reference to namespace")
-			return true
-		}).Should(BeTrue(), "getting the cluster role binding should succeed eventually")
-
-		By("Checking the Service Account Token is updated in the Local Cluster")
-		getSecret := &corev1.Secret{}
-		id = types.NamespacedName{Name: cluster.Name, Namespace: setup.Namespace()}
-		Eventually(func(g Gomega) bool {
-			g.Expect(test.K8sClient.Get(test.Ctx, id, getSecret)).To(Succeed(), "There should be no error getting the cluster secret")
-			actConfig, ok := getSecret.Data[greenhouseapis.GreenHouseKubeConfigKey]
-			if !ok {
-				return false
-			}
-			g.Expect(strings.Contains(string(actConfig), tailscaleProxyURL)).To(BeTrue(), "The secret should contain the proxy url")
-			return true
-		}).Should(BeTrue(), "getting the secret should succeed eventually and the secret should contain the proxy url")
-
-		By("Checking the Headscale PreAuthKey is set in the secret in the remote cluster")
-		getSecret = &corev1.Secret{}
-		id = types.NamespacedName{Name: "tailscale-auth", Namespace: setup.Namespace()}
-		Eventually(func(g Gomega) bool {
-			g.Expect(remoteClient.Get(test.Ctx, id, getSecret)).To(Succeed(), "There should be no error getting the remote secret")
-			actConfig, ok := getSecret.Data[clusterpkg.ExportTailscaleAuthorizationKey]
-			if !ok {
-				return false
-			}
-			g.Expect(actConfig).ToNot(BeNil(), "The secret should containt the preauthke")
-			return true
-		}).Should(BeTrue(), "getting the secret should succeed eventually and the secret should contain the preauthkey")
-
-		By("Checking that an error is persisted in the headscaleReady condition message")
-		// replace mock function with original client getter func as this client will fail
-		grpcClient, err := clientutil.NewHeadscaleGRPCClient(headscaleReconciler.HeadscaleGRPCURL, headscaleReconciler.HeadscaleAPIKey)
-		Expect(err).ToNot(HaveOccurred(), "There should be no error instantiating the original grpc client")
-		clusterpkg.ExportSetHeadscaleGRPCClientOnHAR(headscaleReconciler, grpcClient)
-		// trigger cluster reconcile
-		Expect(test.K8sClient.Get(test.Ctx, types.NamespacedName{Name: cluster.Name, Namespace: setup.Namespace()}, getCluster)).Should(Succeed(), "There should be no error getting the cluster")
-		getCluster.SetLabels(map[string]string{"reconcile-me": "true"})
-		Expect(test.K8sClient.Update(test.Ctx, getCluster)).Should(Succeed(), "There should be no error updating the cluster")
-
-		Eventually(func(g Gomega) bool {
-			g.Expect(test.K8sClient.Get(test.Ctx, types.NamespacedName{Name: getCluster.Name, Namespace: setup.Namespace()}, getCluster)).To(Succeed(), "There should be no error getting the cluster")
-			g.Expect(getCluster.Status.HeadScaleStatus).ToNot(BeNil(), "headscale status should be set")
-			headscaleCondition := getCluster.Status.GetConditionByType(greenhousev1alpha1.HeadscaleReady)
-			g.Expect(headscaleCondition).ToNot(BeNil(), "The HeadscaleReady condition should be present")
-			g.Expect(headscaleCondition.Status).To(Equal(metav1.ConditionFalse), "The HeadscaleReady condition status should be false")
-			g.Expect(headscaleCondition.Message).To(ContainSubstring("no headscale machine found"), "The client error message should be reflected to the condition")
-
-			// We are testing the part of the status controller depending on the headscale ready condition here!
-			// All other test setups would expect separation of running controllers
-			readyCondition := getCluster.Status.GetConditionByType(greenhousev1alpha1.ReadyCondition)
-			g.Expect(readyCondition).ToNot(BeNil(), "The Ready condition should be present")
-			g.Expect(readyCondition.Status).To(Equal(metav1.ConditionFalse), "The Ready condition status should be false")
-			g.Expect(readyCondition.Message).To(ContainSubstring("Headscale connection not ready"), "The default headscale error message should be present")
-			return true
-		}).
-			Should(BeTrue(), "getting the cluster should succeed eventually and status should be set correctly")
-
-		/*
-			This is commented as the access to the remote cluster requires a https proxy.
-			Though the proxy is in-place, golang does not account for a proxy on localhost (1) and
-			injecting custom transport in the client.Client is not supported when using TLS certificates (2).
-			(1) https://maelvls.dev/go-ignores-proxy-localhost,
-			(2) https://github.com/kubernetes/client-go/blob/master/transport/transport.go#L38-L40.
-
-			By("Checking the Cluster Status contains the K8s Version in the local cluster")
-			getCluster = &greenhousev1alpha1.Cluster{}
-			id = types.NamespacedName{Name: headscaleClusterName, Namespace: orgName}
-			Eventually(func() bool {
-				err := test.K8sClient.Get(test.Ctx, id, getCluster)
-				if err != nil {
-					return false
-				}
-				return getCluster.Status.KubernetesVersion != ""
-			}, updateTimeout, pollInterval).
-				Should(BeTrue(), "getting the cluster should succeed eventually and the cluster kubernetes status should be set")
-		*/
-	})
-})
diff --git a/pkg/controllers/cluster/status_controller.go b/pkg/controllers/cluster/status_controller.go
index 9da93a017..3b406e90a 100644
--- a/pkg/controllers/cluster/status_controller.go
+++ b/pkg/controllers/cluster/status_controller.go
@@ -72,7 +72,7 @@ func (r *ClusterStatusReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 		allNodesReadyCondition, clusterNodeStatus = r.reconcileNodeStatus(ctx, restClientGetter)
 	}
 
-	readyCondition := r.reconcileReadyStatus(cluster, kubeConfigValidCondition)
+	readyCondition := r.reconcileReadyStatus(kubeConfigValidCondition)
 
 	conditions = append(conditions, readyCondition, allNodesReadyCondition, kubeConfigValidCondition)
 
@@ -151,19 +151,12 @@ func (r *ClusterStatusReconciler) reconcileClusterSecret(
 	return
 }
 
-func (r *ClusterStatusReconciler) reconcileReadyStatus(cluster *greenhousev1alpha1.Cluster, kubeConfigValidCondition greenhousev1alpha1.Condition) (readyCondition greenhousev1alpha1.Condition) {
+func (r *ClusterStatusReconciler) reconcileReadyStatus(kubeConfigValidCondition greenhousev1alpha1.Condition) (readyCondition greenhousev1alpha1.Condition) {
 	readyCondition = greenhousev1alpha1.UnknownCondition(greenhousev1alpha1.ReadyCondition, "", "")
 
 	if kubeConfigValidCondition.IsFalse() {
 		readyCondition.Status = metav1.ConditionFalse
 		readyCondition.Message = "kubeconfig not valid - cannot access cluster"
-		// change ready condition message if headscale not ready
-		if cluster.Spec.AccessMode == greenhousev1alpha1.ClusterAccessModeHeadscale {
-			headscaleReadyCondition := cluster.Status.StatusConditions.GetConditionByType(greenhousev1alpha1.HeadscaleReady)
-			if headscaleReadyCondition == nil || !headscaleReadyCondition.IsTrue() {
-				readyCondition.Message = "Headscale connection not ready"
-			}
-		}
 	} else {
 		readyCondition.Status = metav1.ConditionTrue
 	}
diff --git a/pkg/controllers/cluster/suite_test.go b/pkg/controllers/cluster/suite_test.go
index bbb7c2057..ccbbe68e9 100644
--- a/pkg/controllers/cluster/suite_test.go
+++ b/pkg/controllers/cluster/suite_test.go
@@ -4,28 +4,11 @@
 package cluster_test
 
 import (
-	"context"
-	"crypto/tls"
-	"crypto/x509"
-	"errors"
-	"fmt"
-	"net"
-	"net/http"
-	"net/http/httputil"
-	"net/url"
-	"path/filepath"
 	"testing"
 	"time"
 
-	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/status"
-	"google.golang.org/protobuf/types/known/timestamppb"
-	"k8s.io/cli-runtime/pkg/genericclioptions"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/envtest"
 
 	"github.com/cloudoperators/greenhouse/pkg/admission"
 	clusterpkg "github.com/cloudoperators/greenhouse/pkg/controllers/cluster"
@@ -33,9 +16,6 @@ import (
 )
 
 var (
-	tailscaleProxyURL = "https://127.0.0.1:8080"
-
-	headscaleReconciler *clusterpkg.HeadscaleAccessReconciler
 	bootstrapReconciler *clusterpkg.BootstrapReconciler
 )
 
@@ -52,215 +32,15 @@ var _ = BeforeSuite(func() {
 		RemoteClusterBearerTokenValidity:   10 * time.Minute,
 		RenewRemoteClusterBearerTokenAfter: 9 * time.Minute,
 	}).SetupWithManager)
-	headscaleReconciler = &clusterpkg.HeadscaleAccessReconciler{
-		HeadscaleGRPCURL:                         "willBeMocked",
-		HeadscaleAPIKey:                          "willBeMocked",
-		TailscaleProxy:                           tailscaleProxyURL,
-		HeadscalePreAuthenticationKeyMinValidity: 5 * time.Minute,
-		RemoteClusterBearerTokenValidity:         10 * time.Minute,
-		RenewRemoteClusterBearerTokenAfter:       9 * time.Minute,
-	}
-	test.RegisterController("clusterHeadscaleAccess", (headscaleReconciler).SetupWithManager)
+
 	test.RegisterController("clusterStatus", (&clusterpkg.ClusterStatusReconciler{}).SetupWithManager)
 	test.RegisterWebhook("clusterValidation", admission.SetupClusterWebhookWithManager)
 	test.RegisterWebhook("secretsWebhook", admission.SetupSecretWebhookWithManager)
 
 	test.TestBeforeSuite()
-
-	// inject fake headscale grpc client
-	clusterpkg.ExportSetHeadscaleGRPCClientOnHAR(headscaleReconciler, newFakeHeadscaleClient())
-
-	/*
-		This is commented as the access to the remote cluster requires a https proxy.
-			Though the proxy is in-place, golang does not account for a proxy on localhost (1) and
-		injecting custom transport in the client.Client is not supported when using TLS certificates (2).
-		(1) https://maelvls.dev/go-ignores-proxy-localhost,
-		(2) https://github.com/kubernetes/client-go/blob/master/transport/transport.go#L38-L40.
-		go func() {
-			if err := runReverseProxy(test.Ctx, tailscaleProxyURL, headscaleEnvTest); err != nil {
-				log.Fatalf("Server error: %v", err)
-			}
-		}()
-	*/
 })
 
 var _ = AfterSuite(func() {
 	By("tearing down the test environment and remote cluster")
 	test.TestAfterSuite()
 })
-
-func newFakeHeadscaleClientGetter(c client.Client) func(restClientGetter genericclioptions.RESTClientGetter, proxy string, headscaleAddress string) (client.Client, error) {
-	/*
-		This is commented as the access to the remote cluster requires a https proxy.
-			Though the proxy is in-place, golang does not account for a proxy on localhost (1) and
-		injecting custom transport in the client.Client is not supported when using TLS certificates (2).
-		(1) https://maelvls.dev/go-ignores-proxy-localhost,
-		(2) https://github.com/kubernetes/client-go/blob/master/transport/transport.go#L38-L40.
-		cfgTransportCfg, err := headscaleCfg.TransportConfig()
-		if err != nil {
-			return nil, err
-		}
-		tlsCfg, err := transport.TLSConfigFor(cfgTransportCfg)
-		if err != nil {
-			return nil, err
-		}
-		headscaleCfg.Transport = &http.Transport{
-			Proxy: func(req *http.Request) (*url.URL, error) {
-				return url.Parse(tailscaleProxyURL)
-			},
-			DialContext: (&net.Dialer{
-				Timeout:   30 * time.Second,
-				KeepAlive: 30 * time.Second,
-				DualStack: true,
-			}).DialContext,
-			TLSClientConfig:       tlsCfg,
-			ForceAttemptHTTP2:     true,
-			MaxIdleConns:          100,
-			IdleConnTimeout:       90 * time.Second,
-			TLSHandshakeTimeout:   10 * time.Second,
-			ExpectContinueTimeout: 1 * time.Second,
-		}*/
-
-	return func(_ genericclioptions.RESTClientGetter, _, _ string) (client.Client, error) {
-		return c, nil
-	}
-}
-
-// newFakeHeadscaleClient mocks the Headscale GRPC client and returns the configured responses
-func newFakeHeadscaleClient() v1.HeadscaleServiceClient {
-	cl := test.FakeHeadscaleClient{
-		IsUserDeleted: false,
-	}
-	cl.GetUserFunc = func(ctx context.Context, in *v1.GetUserRequest, opts ...grpc.CallOption) (*v1.GetUserResponse, error) {
-		if cl.IsUserDeleted {
-			return nil, status.Errorf(2, "User not found")
-		}
-		return &v1.GetUserResponse{User: &v1.User{
-			Id:        "1",
-			Name:      in.GetName(),
-			CreatedAt: timestamppb.Now(),
-		}}, nil
-	}
-	cl.CreateUserFunc = func(ctx context.Context, request *v1.CreateUserRequest, option ...grpc.CallOption) (*v1.CreateUserResponse, error) {
-		return &v1.CreateUserResponse{User: &v1.User{Id: "1", Name: request.GetName(), CreatedAt: timestamppb.Now()}}, nil
-	}
-	cl.ListMachinesFunc = func(ctx context.Context, in *v1.ListMachinesRequest, opts ...grpc.CallOption) (*v1.ListMachinesResponse, error) {
-		return &v1.ListMachinesResponse{Machines: []*v1.Machine{{
-			Id:                   uint64(1337),
-			MachineKey:           "machine",
-			NodeKey:              "node",
-			DiscoKey:             "disco",
-			IpAddresses:          []string{"127.0.0.1"},
-			Name:                 "myMachine",
-			User:                 &v1.User{Id: "1", Name: in.GetUser(), CreatedAt: timestamppb.Now()},
-			LastSeen:             timestamppb.Now(),
-			LastSuccessfulUpdate: timestamppb.Now(),
-			Expiry:               timestamppb.New(time.Now().Add(10 * time.Minute)),
-			PreAuthKey:           newFakePreAuthKey(in.GetUser()),
-			CreatedAt:            timestamppb.Now(),
-			RegisterMethod:       v1.RegisterMethod_REGISTER_METHOD_AUTH_KEY,
-			ForcedTags:           []string{"tag:one"},
-			InvalidTags:          nil,
-			ValidTags:            nil,
-			GivenName:            "myMachine",
-			Online:               true,
-		}}}, nil
-	}
-	cl.CreatePreAuthKeyFunc = func(ctx context.Context, in *v1.CreatePreAuthKeyRequest, opts ...grpc.CallOption) (*v1.CreatePreAuthKeyResponse, error) {
-		return &v1.CreatePreAuthKeyResponse{
-			PreAuthKey: newFakePreAuthKey(in.GetUser()),
-		}, nil
-	}
-	cl.ListPreAuthKeysFunc = func(ctx context.Context, request *v1.ListPreAuthKeysRequest, option ...grpc.CallOption) (*v1.ListPreAuthKeysResponse, error) {
-		return &v1.ListPreAuthKeysResponse{
-			PreAuthKeys: []*v1.PreAuthKey{newFakePreAuthKey(request.GetUser())},
-		}, nil
-	}
-	cl.DeleteMachineFunc = func(ctx context.Context, in *v1.DeleteMachineRequest, opts ...grpc.CallOption) (*v1.DeleteMachineResponse, error) {
-		return &v1.DeleteMachineResponse{}, nil
-	}
-	cl.DeleteUserFunc = func(ctx context.Context, in *v1.DeleteUserRequest, opts ...grpc.CallOption) (*v1.DeleteUserResponse, error) {
-		cl.IsUserDeleted = true
-		return &v1.DeleteUserResponse{}, nil
-	}
-	return cl
-}
-
-func newFakePreAuthKey(userName string) *v1.PreAuthKey {
-	return &v1.PreAuthKey{
-		User:       userName,
-		Id:         "1",
-		Key:        "someKey",
-		Reusable:   false,
-		Ephemeral:  false,
-		Used:       false,
-		Expiration: timestamppb.New(time.Now().Add(10 * time.Minute)),
-		CreatedAt:  timestamppb.Now(),
-		AclTags:    nil,
-	}
-}
-
-//nolint:unused // See comments on unit test with proxy on localhost using TLS certificates.
-func runReverseProxy(ctx context.Context, proxyAddress string, testEnv *envtest.Environment) error {
-	testEnvAPIServerConfig := testEnv.ControlPlane.APIServer
-	if testEnvAPIServerConfig == nil {
-		return errors.New("the test environment has no api server configured")
-	}
-	remote, err := url.Parse("http://" + net.JoinHostPort(testEnvAPIServerConfig.SecureServing.Address, testEnvAPIServerConfig.SecureServing.Port))
-	if err != nil {
-		return err
-	}
-	handler := func(p *httputil.ReverseProxy) func(http.ResponseWriter, *http.Request) {
-		return func(w http.ResponseWriter, r *http.Request) {
-			r.Host = remote.Host
-			p.ServeHTTP(w, r)
-		}
-	}
-	tlsX509KeyPair, err := tls.LoadX509KeyPair(
-		filepath.Join(testEnvAPIServerConfig.CertDir, "apiserver.crt"),
-		filepath.Join(testEnvAPIServerConfig.CertDir, "apiserver.key"),
-	)
-	if err != nil {
-		return err
-	}
-	certPool := x509.NewCertPool()
-	if !certPool.AppendCertsFromPEM(testEnvAPIServerConfig.CA) {
-		return errors.New("failed to append CA certs")
-	}
-	//nolint:gosec // I promise to not use that in production.
-	tlsConfig := &tls.Config{
-		RootCAs:      certPool,
-		Certificates: []tls.Certificate{tlsX509KeyPair},
-	}
-	proxy := httputil.NewSingleHostReverseProxy(remote)
-	proxy.Transport = &http.Transport{TLSClientConfig: tlsConfig}
-	//nolint:forbidigo // I promise to not use that in production.
-	http.HandleFunc("/", handler(proxy))
-	server := &http.Server{TLSConfig: tlsConfig}
-	proxyURL, err := url.Parse(proxyAddress)
-	if err != nil {
-		return err
-	}
-	listener, err := net.Listen("tcp4", proxyURL.Host)
-	if err != nil {
-		return err
-	}
-	defer listener.Close()
-	tlsListener := tls.NewListener(listener, tlsConfig)
-	defer tlsListener.Close()
-
-	go func() {
-		//nolint:gosimple // I promise to not use that in production.
-		select {
-		case <-ctx.Done():
-			if err := server.Shutdown(ctx); err != nil {
-				fmt.Printf("error shutting reverse proxy: %v\n", err)
-			}
-		}
-	}()
-	if err := server.Serve(tlsListener); err != nil {
-		fmt.Println(err.Error())
-	}
-	<-ctx.Done()
-	return nil
-}
diff --git a/pkg/controllers/cluster/util.go b/pkg/controllers/cluster/util.go
index 6a79317bc..bbc98cca2 100644
--- a/pkg/controllers/cluster/util.go
+++ b/pkg/controllers/cluster/util.go
@@ -6,23 +6,15 @@ package cluster
 import (
 	"context"
 	"fmt"
-	"strings"
 	"time"
 
-	"google.golang.org/protobuf/types/known/timestamppb"
-
-	headscalev1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/pkg/errors"
-	"google.golang.org/grpc/status"
 	authenticationv1 "k8s.io/api/authentication/v1"
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
-	"k8s.io/client-go/tools/record"
 	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
@@ -159,7 +151,6 @@ func reconcileClusterRoleBindingInRemoteCluster(ctx context.Context, k8sClient c
 type tokenHelper struct {
 	client.Client
 	Proxy                              string
-	HeadscaleAddress                   string
 	RemoteClusterBearerTokenValidity   time.Duration
 	RenewRemoteClusterBearerTokenAfter time.Duration
 }
@@ -201,11 +192,6 @@ func (t *tokenHelper) ReconcileServiceAccountToken(ctx context.Context, restClie
 		if err != nil {
 			return err
 		}
-	case greenhousev1alpha1.ClusterAccessModeHeadscale:
-		generatedKubeConfig, err = generateNewClientKubeConfigHeadscale(ctx, restClientGetter, tokenRequestResponse.Status.Token, cluster, t.Proxy, t.HeadscaleAddress)
-		if err != nil {
-			return err
-		}
 	default:
 		return fmt.Errorf("unknown access mode %s", cluster.Spec.AccessMode)
 	}
@@ -239,29 +225,6 @@ func (t *tokenHelper) ReconcileServiceAccountToken(ctx context.Context, restClie
 	return err
 }
 
-// generateNewClientKubeConfigHeadscale generates a kubeconfig for the client to access the cluster from REST config coming from the secret plus the modifications needed for headscale.
-func generateNewClientKubeConfigHeadscale(_ context.Context, restConfigGetter *clientutil.RestClientGetter, bearerToken string, cluster *greenhousev1alpha1.Cluster, proxy, headscaleAddress string) ([]byte, error) {
-	restConfig, err := restConfigGetter.ToRawKubeConfigLoader().ClientConfig()
-	if err != nil {
-		return nil, errors.Wrapf(err, "failed to load kube clientConfig for cluster %s", cluster.GetName())
-	}
-
-	kubeConfigGenerator := &KubeConfigHelper{
-		Host:          "https://" + headscaleAddress,
-		TLSServerName: "127.0.0.1",
-		ProxyURL:      proxy,
-		CAData:        restConfig.CAData,
-		BearerToken:   bearerToken,
-		Username:      serviceAccountName,
-		Namespace:     cluster.GetNamespace(),
-	}
-	kubeconfigByte, err := clientcmd.Write(kubeConfigGenerator.RestConfigToAPIConfig(cluster.Name))
-	if err != nil {
-		return nil, errors.Wrapf(err, "failed to generate kubeconfig for cluster %s", cluster.GetName())
-	}
-	return kubeconfigByte, nil
-}
-
 // reconcileRemoteAPIServerVersion fetches the api server version from the remote cluster and reflects it in the cluster CR
 func reconcileRemoteAPIServerVersion(ctx context.Context, restConfigGetter *clientutil.RestClientGetter, k8sclient client.Client, cluster *greenhousev1alpha1.Cluster) error {
 	k8sVersion, err := clientutil.GetKubernetesVersion(restConfigGetter)
@@ -284,67 +247,3 @@ func deleteNamespaceInRemoteCluster(ctx context.Context, remoteK8sClient client.
 	// Ignore errors if was already deleted.
 	return client.IgnoreNotFound(err)
 }
-
-// ReconcileHeadscaleUser ensure a user for the cluster exists in the headscale coordination server.
-func ReconcileHeadscaleUser(ctx context.Context, recorder record.EventRecorder, cluster *greenhousev1alpha1.Cluster, headscaleGRPCClient headscalev1.HeadscaleServiceClient) error {
-	createResp, err := headscaleGRPCClient.CreateUser(ctx, &headscalev1.CreateUserRequest{
-		Name: headscaleKeyForCluster(cluster),
-	})
-	if err != nil {
-		errStatus, ok := status.FromError(err)
-		if !ok {
-			return err
-		}
-		switch {
-		case strings.Contains(errStatus.Message(), "Unauthorized"):
-			return fmt.Errorf("headscale: unauthorized to create user %s", headscaleKeyForCluster(cluster))
-		case strings.Contains(errStatus.Message(), "already exists"):
-			return nil
-		}
-		return err
-	}
-	recorder.Eventf(cluster, corev1.EventTypeNormal, "HeadscaleUserCreated", "Headscale user %s created for cluster", createResp.User.Name)
-	return nil
-}
-
-// ReconcilePreAuthorizationKey ensure a pre-authorization key exists for the given cluster.
-func ReconcilePreAuthorizationKey(ctx context.Context, cluster *greenhousev1alpha1.Cluster, headscaleGRPCClient headscalev1.HeadscaleServiceClient, headscalePreAuthenticationKeyMinValidity time.Duration) (*headscalev1.PreAuthKey, error) {
-	// Check whether an existing pre-authorization key can be used.
-	resp, err := headscaleGRPCClient.ListPreAuthKeys(ctx, &headscalev1.ListPreAuthKeysRequest{
-		User: headscaleKeyForCluster(cluster),
-	})
-	if err != nil {
-		return nil, err
-	}
-	for _, key := range resp.GetPreAuthKeys() {
-		if isPreAuthenticationKeyIsNotExpired(key, headscalePreAuthenticationKeyMinValidity) {
-			return key, nil
-		}
-	}
-
-	// Request a new pre-authorization key.
-	expiration := time.Now().UTC().Add(7 * 24 * time.Hour)
-	createPreAuth := &headscalev1.CreatePreAuthKeyRequest{
-		User:       headscaleKeyForCluster(cluster),
-		Reusable:   true,
-		Ephemeral:  true,
-		Expiration: timestamppb.New(expiration),
-		AclTags:    []string{"tag:greenhouse", "tag:client", "tag:" + headscaleKeyForCluster(cluster)},
-	}
-	createResp, err := headscaleGRPCClient.CreatePreAuthKey(ctx, createPreAuth)
-	if err != nil {
-		errStatus, ok := status.FromError(err)
-		if !ok {
-			return nil, err
-		}
-		switch {
-		case strings.Contains(errStatus.Message(), "Unauthorized"):
-			return nil, fmt.Errorf("headscale: unauthorized to create user %s", headscaleKeyForCluster(cluster))
-		case strings.Contains(errStatus.Message(), "tag is invalid"):
-			return nil, fmt.Errorf("headscale: failed to create PreAuthKey for user %s: %s", headscaleKeyForCluster(cluster), errStatus.Message())
-		}
-		return nil, errors.Wrapf(err, "failed to create PreAuthenticationKey for user %s", headscaleKeyForCluster(cluster))
-	}
-	log.FromContext(ctx).Info("PreAuthenticationKey issued", "user", headscaleKeyForCluster(cluster), "expireDate", createResp.PreAuthKey.Expiration.AsTime())
-	return createResp.PreAuthKey, nil
-}
diff --git a/pkg/controllers/fixtures/cluster.yaml b/pkg/controllers/fixtures/cluster.yaml
index e5412f496..ecc69b56d 100644
--- a/pkg/controllers/fixtures/cluster.yaml
+++ b/pkg/controllers/fixtures/cluster.yaml
@@ -50,7 +50,6 @@ spec:
                   the Greenhouse operator.
                 enum:
                 - direct
-                - headscale
                 type: string
             required:
             - accessMode
@@ -63,53 +62,6 @@ spec:
                   timestamp of the bearer token used to access the cluster.
                 format: date-time
                 type: string
-              headScaleStatus:
-                description: HeadScaleStatus contains the current status of the headscale
-                  client.
-                properties:
-                  createdAt:
-                    format: date-time
-                    type: string
-                  expiry:
-                    format: date-time
-                    type: string
-                  forcedTags:
-                    items:
-                      type: string
-                    type: array
-                  id:
-                    format: int64
-                    type: integer
-                  ipAddresses:
-                    items:
-                      type: string
-                    type: array
-                  name:
-                    type: string
-                  online:
-                    type: boolean
-                  preAuthKey:
-                    description: PreAuthKey reflects the status of the pre-authentication
-                      key used by the Headscale machine.
-                    properties:
-                      createdAt:
-                        format: date-time
-                        type: string
-                      ephemeral:
-                        type: boolean
-                      expiration:
-                        format: date-time
-                        type: string
-                      id:
-                        type: string
-                      reusable:
-                        type: boolean
-                      used:
-                        type: boolean
-                      user:
-                        type: string
-                    type: object
-                type: object
               kubernetesVersion:
                 description: KubernetesVersion reflects the detected Kubernetes version
                   of the cluster.
diff --git a/pkg/controllers/fixtures/cluster_update.yaml b/pkg/controllers/fixtures/cluster_update.yaml
index a004ccec1..0e5ebd944 100644
--- a/pkg/controllers/fixtures/cluster_update.yaml
+++ b/pkg/controllers/fixtures/cluster_update.yaml
@@ -50,7 +50,6 @@ spec:
                   the Greenhouse operator.
                 enum:
                 - direct
-                - headscale
                 type: string
               newRequiredField:
                 type: string
@@ -67,53 +66,6 @@ spec:
                   timestamp of the bearer token used to access the cluster.
                 format: date-time
                 type: string
-              headScaleStatus:
-                description: HeadScaleStatus contains the current status of the headscale
-                  client.
-                properties:
-                  createdAt:
-                    format: date-time
-                    type: string
-                  expiry:
-                    format: date-time
-                    type: string
-                  forcedTags:
-                    items:
-                      type: string
-                    type: array
-                  id:
-                    format: int64
-                    type: integer
-                  ipAddresses:
-                    items:
-                      type: string
-                    type: array
-                  name:
-                    type: string
-                  online:
-                    type: boolean
-                  preAuthKey:
-                    description: PreAuthKey reflects the status of the pre-authentication
-                      key used by the Headscale machine.
-                    properties:
-                      createdAt:
-                        format: date-time
-                        type: string
-                      ephemeral:
-                        type: boolean
-                      expiration:
-                        format: date-time
-                        type: string
-                      id:
-                        type: string
-                      reusable:
-                        type: boolean
-                      used:
-                        type: boolean
-                      user:
-                        type: string
-                    type: object
-                type: object
               kubernetesVersion:
                 description: KubernetesVersion reflects the detected Kubernetes version
                   of the cluster.
diff --git a/pkg/headscalectl/apikey.go b/pkg/headscalectl/apikey.go
deleted file mode 100644
index a0f4864b8..000000000
--- a/pkg/headscalectl/apikey.go
+++ /dev/null
@@ -1,256 +0,0 @@
-// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-// SPDX-License-Identifier: Apache-2.0
-
-package headscalectl
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"strings"
-	"time"
-
-	headscalev1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/prometheus/common/model"
-	"github.com/spf13/cobra"
-	"google.golang.org/grpc/status"
-	"google.golang.org/protobuf/types/known/timestamppb"
-	"sigs.k8s.io/controller-runtime/pkg/log"
-)
-
-const (
-	defaultAPIKeyExpiry = "90d"
-	apiPrefixLength     = 10
-)
-
-var (
-	apiKeyExpiry    string
-	socketPath      string
-	socketCall      bool
-	prefix          string
-	secretName      string
-	secretNamespace string
-)
-
-func init() {
-	rootCmd.AddCommand(apiKeyCMD)
-	apiKeyCMD.AddCommand(createAPIKeyCmd())
-	apiKeyCMD.AddCommand(listAPIKeyCmd())
-	apiKeyCMD.AddCommand(expireAPIKeyCmd())
-}
-
-var apiKeyCMD = &cobra.Command{
-	Use:   "apikey",
-	Short: "Commands to interact with Headscale API keys",
-}
-
-var createAPIKeyCmdUsage = "create"
-
-type createAPIKeyCmdOptions struct {
-	headscaleGRPCClient headscalev1.HeadscaleServiceClient
-	outputFormat        string
-}
-
-func createAPIKeyCmd() *cobra.Command {
-	c := createAPIKeyCmdOptions{}
-	cmd := &cobra.Command{
-		Use:   createAPIKeyCmdUsage,
-		Short: "Creates a new APIKey for Headscale",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			var err error
-			var grpcClient headscalev1.HeadscaleServiceClient
-			if o, err := cmd.Flags().GetString("output"); err != nil {
-				return fmt.Errorf("invalid value for flag --output: %w", err)
-			} else {
-				c.outputFormat = o
-			}
-			if !socketCall {
-				grpcClient, err = headscaleGRCPClientFunc(headscaleGRPCURL, headscaleAPIKey)
-			} else {
-				grpcClient, err = headscaleGRPCSocketClientFunc(socketPath)
-				if err != nil {
-					return err
-				}
-			}
-			if err != nil {
-				return err
-			}
-			c.headscaleGRPCClient = grpcClient
-			return c.run()
-		},
-		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-			return validateFlags()
-		},
-	}
-	cmd.Flags().StringVarP(&apiKeyExpiry, "expiration", "e", defaultAPIKeyExpiry, "Expiration time for the apikey")
-	cmd.Flags().StringVar(&socketPath, "socket-path", "", "Path to the headscale agent socket")
-	cmd.Flags().BoolVar(&socketCall, "socket", false, "Call the headscale agent socket")
-	cmd.Flags().StringVar(&secretName, "secret-name", "", "Name of the secret to create")
-	cmd.Flags().StringVar(&secretNamespace, "secret-namespace", "", "Kubernetes namespace to create the secret in")
-	return cmd
-}
-
-func (o *createAPIKeyCmdOptions) run() error {
-	duration, err := model.ParseDuration(apiKeyExpiry)
-	if err != nil {
-		log.FromContext(context.Background()).Error(err, "error parsing duration")
-		return err
-	}
-	timeDuration := time.Duration(duration)
-	if timeDuration < time.Hour*24 {
-		log.FromContext(context.Background()).Info("duration must be greater than 1 day")
-		timeDuration = time.Hour * 24
-	}
-
-	createResp, err := o.headscaleGRPCClient.CreateApiKey(context.Background(), &headscalev1.CreateApiKeyRequest{
-		Expiration: timestamppb.New(time.Now().Add(timeDuration)),
-	})
-	if err != nil {
-		errStatus, ok := status.FromError(err)
-		switch {
-		case !ok:
-			return err
-		case strings.Contains(errStatus.Message(), "Unauthorized"):
-			return errors.New("headscale: unauthorized to create APIKey")
-		default:
-			return err
-		}
-	}
-	if o.outputFormat == "secret" {
-		tickerDuration := timeDuration - (time.Hour * 8)
-		ticker := time.NewTicker(tickerDuration)
-		for ; true; <-ticker.C {
-			createOrUpdateSecretInCluster(createResp.ApiKey, secretName, secretNamespace)
-			log.FromContext(context.Background()).Info("New APIKey would be generated", "at:", time.Now().Add(tickerDuration))
-		}
-	}
-	Output(createResp.ApiKey, createResp.ApiKey, o.outputFormat)
-	return nil
-}
-
-var listAPIKeyCmdUsage = "list"
-
-type listAPIKeyCmdOptions struct {
-	headscaleGRPCClient headscalev1.HeadscaleServiceClient
-	outputFormat        string
-}
-
-func listAPIKeyCmd() *cobra.Command {
-	c := listAPIKeyCmdOptions{}
-	cmd := &cobra.Command{
-		Use:   listAPIKeyCmdUsage,
-		Short: "Lists all APIKey for Headscale",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			var err error
-			var grpcClient headscalev1.HeadscaleServiceClient
-			if o, err := cmd.Flags().GetString("output"); err != nil {
-				return fmt.Errorf("invalid value for flag --output: %w", err)
-			} else {
-				c.outputFormat = o
-			}
-			if !socketCall {
-				grpcClient, err = headscaleGRCPClientFunc(headscaleGRPCURL, headscaleAPIKey)
-			} else {
-				grpcClient, err = headscaleGRPCSocketClientFunc(socketPath)
-			}
-			if err != nil {
-				return err
-			}
-			c.headscaleGRPCClient = grpcClient
-			return c.run()
-		},
-		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-			return validateFlags()
-		},
-	}
-	cmd.Flags().StringVar(&socketPath, "socket-path", "", "Path to the headscale agent socket")
-	cmd.Flags().BoolVar(&socketCall, "socket", false, "Call the headscale agent socket")
-	return cmd
-}
-
-func (o *listAPIKeyCmdOptions) run() error {
-	listResp, err := o.headscaleGRPCClient.ListApiKeys(context.Background(), &headscalev1.ListApiKeysRequest{})
-	if err != nil {
-		errStatus, ok := status.FromError(err)
-		switch {
-		case !ok:
-			return err
-		case strings.Contains(errStatus.Message(), "Unauthorized"):
-			return errors.New("headscale: unauthorized to list APIKey")
-		default:
-			return err
-		}
-	}
-	if o.outputFormat != "" {
-		Output(listResp.ApiKeys, "", o.outputFormat)
-		return nil
-	}
-	log.FromContext(context.Background()).Info("APIKey", "apikey", listResp.ApiKeys)
-	return nil
-}
-
-var expireAPIKeyCmdUsage = "expire"
-
-type expireAPIKeyCmdOptions struct {
-	headscaleGRPCClient headscalev1.HeadscaleServiceClient
-	outputFormat        string
-}
-
-func expireAPIKeyCmd() *cobra.Command {
-	c := expireAPIKeyCmdOptions{}
-	cmd := &cobra.Command{
-		Use:   expireAPIKeyCmdUsage,
-		Short: "Expire an APIKey for Headscale",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			var err error
-			var grpcClient headscalev1.HeadscaleServiceClient
-			if o, err := cmd.Flags().GetString("output"); err != nil {
-				return fmt.Errorf("invalid value for flag --output: %w", err)
-			} else {
-				c.outputFormat = o
-			}
-			if !socketCall {
-				grpcClient, err = headscaleGRCPClientFunc(headscaleGRPCURL, headscaleAPIKey)
-			} else {
-				grpcClient, err = headscaleGRPCSocketClientFunc(socketPath)
-			}
-			if err != nil {
-				return err
-			}
-			c.headscaleGRPCClient = grpcClient
-			return c.run()
-		},
-		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-			return validateFlags()
-		},
-	}
-
-	cmd.Flags().StringVar(&prefix, "prefix", "", "Prefix of the apikey to expire")
-	cmd.Flags().StringVar(&socketPath, "socket-path", "", "Path to the headscale agent socket")
-	cmd.Flags().BoolVar(&socketCall, "socket", false, "Call the headscale agent socket")
-	return cmd
-}
-
-func (o *expireAPIKeyCmdOptions) run() error {
-	if len(prefix) != apiPrefixLength {
-		return fmt.Errorf("prefix must be exactly %d characters long", apiPrefixLength)
-	}
-	expResp, err := o.headscaleGRPCClient.ExpireApiKey(context.Background(), &headscalev1.ExpireApiKeyRequest{
-		Prefix: prefix,
-	})
-	if err != nil {
-		errStatus, ok := status.FromError(err)
-		switch {
-		case !ok:
-			return err
-		case strings.Contains(errStatus.Message(), "Unauthorized"):
-			return errors.New("headscale: unauthorized to expire APIKey")
-		case strings.Contains(errStatus.Message(), "record not found"):
-			return errors.New("headscale: APIKey not found")
-		default:
-			return err
-		}
-	}
-	Output(expResp, "APIKey expired", o.outputFormat)
-	return nil
-}
diff --git a/pkg/headscalectl/preauthkey.go b/pkg/headscalectl/preauthkey.go
deleted file mode 100644
index e355e0844..000000000
--- a/pkg/headscalectl/preauthkey.go
+++ /dev/null
@@ -1,261 +0,0 @@
-// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-// SPDX-License-Identifier: Apache-2.0
-
-package headscalectl
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"os"
-	"strings"
-	"time"
-
-	headscalev1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/prometheus/common/model"
-	"github.com/spf13/cobra"
-	"google.golang.org/grpc/status"
-	"google.golang.org/protobuf/types/known/timestamppb"
-	"sigs.k8s.io/controller-runtime/pkg/log"
-)
-
-const (
-	DefaultPreAuthKeyExpiry = "1d"
-)
-
-var (
-	reusable    bool
-	ephemeral   bool
-	durationStr string
-	tags        []string
-	user        string
-	key         string
-	filePath    string
-	force       bool
-)
-
-func init() {
-	rootCmd.AddCommand(preauthKeyCmd)
-	preauthKeyCmd.AddCommand(createPreAuthKeyCmd())
-	preauthKeyCmd.AddCommand(listPreAuthKeyCmd())
-	preauthKeyCmd.AddCommand(expirePreAuthKeyCmd())
-	createPreAuthKeyCmd().DisableSuggestions = true
-}
-
-var preauthKeyCmd = &cobra.Command{
-	Use:   "preauthkey",
-	Short: "Command to issue PreAuthKey",
-}
-
-var createPreAuthKeyCmdUsage = "create [flags] [username]"
-
-type createPreAuthKeyCmdOptions struct {
-	headscaleGRPCClient headscalev1.HeadscaleServiceClient
-	outputFormat        string
-}
-
-func createPreAuthKeyCmd() *cobra.Command {
-	c := createPreAuthKeyCmdOptions{}
-	cmd := &cobra.Command{
-		Use:   createPreAuthKeyCmdUsage,
-		Short: "Create a preauthkey for a headscale user",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			if o, err := cmd.Flags().GetString("output"); err != nil {
-				return fmt.Errorf("invalid value for flag --output: %w", err)
-			} else {
-				c.outputFormat = o
-			}
-			grpcClient, err := headscaleGRCPClientFunc(headscaleGRPCURL, headscaleAPIKey)
-			if err != nil {
-				return err
-			}
-			c.headscaleGRPCClient = grpcClient
-			return c.run()
-		},
-		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-			return validateFlags()
-		},
-	}
-	cmd.Flags().BoolVar(&reusable, "reusable", false, "Create a reusable preauthkey")
-	cmd.Flags().BoolVar(&ephemeral, "ephemeral", false, "Create an ephemeral preauthkey")
-	cmd.Flags().StringVar(&durationStr, "expiration", DefaultPreAuthKeyExpiry, "Expiration time for the preauthkey")
-	cmd.Flags().StringSliceVar(&tags, "tags", []string{}, "Tags for the preauthkey")
-	cmd.Flags().StringVarP(&user, "user", "u", "", "User for the preauthkey")
-	cmd.Flags().BoolVar(&force, "force", false, "Force the creation of a preauthkey, by creating the user if it doesn't exist")
-	cmd.Flags().StringVar(&filePath, "file", "", "File to write the preauthkey to")
-	return cmd
-}
-
-func (o *createPreAuthKeyCmdOptions) run() error {
-	if user == "" {
-		return errors.New("user is required to create preauthkeys")
-	}
-	duration, err := model.ParseDuration(durationStr)
-	if err != nil {
-		log.FromContext(context.Background()).Error(err, "error parsing duration")
-		return err
-	}
-
-	createResp, err := o.headscaleGRPCClient.CreatePreAuthKey(context.Background(), &headscalev1.CreatePreAuthKeyRequest{
-		User:       user,
-		Reusable:   reusable,
-		Ephemeral:  ephemeral,
-		Expiration: timestamppb.New(time.Now().Add(time.Duration(duration))),
-		AclTags:    tags,
-	})
-	if err != nil {
-		errStatus, ok := status.FromError(err)
-		switch {
-		case !ok:
-			return err
-		case strings.Contains(errStatus.Message(), "Unauthorized"):
-			return fmt.Errorf("headscale: unauthorized to create preauthkey for user %s", user)
-		case strings.Contains(errStatus.Message(), "User not found"):
-			if force {
-				createResp, err := o.headscaleGRPCClient.CreateUser(context.Background(), &headscalev1.CreateUserRequest{
-					Name: user,
-				})
-				if err != nil {
-					return err
-				}
-				Output(createResp.User, "", o.outputFormat)
-				return o.run()
-			}
-			return fmt.Errorf("headscale: user %s not found", user)
-		default:
-			return err
-		}
-	}
-
-	if filePath != "" {
-		err := os.WriteFile(filePath, []byte(createResp.PreAuthKey.Key), 0644)
-		if err != nil {
-			log.FromContext(context.Background()).Error(err, "error writing preauthkey to file")
-			return err
-		}
-		fmt.Println("PreAuthKey written to file", filePath)
-		return nil
-	}
-	Output(createResp.PreAuthKey, createResp.PreAuthKey.Key, o.outputFormat)
-
-	return nil
-}
-
-var listPreAuthKeyCmdUsage = "list [flags] [username]"
-
-type listPreAuthKeyCmdOptions struct {
-	headscaleGRPCClient headscalev1.HeadscaleServiceClient
-	outputFormat        string
-}
-
-func listPreAuthKeyCmd() *cobra.Command {
-	c := listPreAuthKeyCmdOptions{}
-	cmd := &cobra.Command{
-		Use:   listPreAuthKeyCmdUsage,
-		Short: "List a preauthkey for a headscale user",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			if o, err := cmd.Flags().GetString("output"); err != nil {
-				return fmt.Errorf("invalid value for flag --output: %w", err)
-			} else {
-				c.outputFormat = o
-			}
-			grpcClient, err := headscaleGRCPClientFunc(headscaleGRPCURL, headscaleAPIKey)
-			if err != nil {
-				return err
-			}
-			c.headscaleGRPCClient = grpcClient
-			return c.run()
-		},
-		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-			return validateFlags()
-		},
-	}
-	cmd.Flags().StringVarP(&user, "user", "u", "", "User for the preauthkey")
-	return cmd
-}
-
-func (o *listPreAuthKeyCmdOptions) run() error {
-	if user == "" {
-		return errors.New("user is required to list preauthkeys")
-	}
-	listResp, err := o.headscaleGRPCClient.ListPreAuthKeys(context.Background(), &headscalev1.ListPreAuthKeysRequest{
-		User: user,
-	})
-	if err != nil {
-		errStatus, ok := status.FromError(err)
-		switch {
-		case !ok:
-			return err
-		case strings.Contains(errStatus.Message(), "Unauthorized"):
-			return fmt.Errorf("headscale: unauthorized to list preauthkey for user %s", user)
-		default:
-			return err
-		}
-	}
-	if o.outputFormat != "" {
-		Output(listResp.PreAuthKeys, "", o.outputFormat)
-		return nil
-	}
-	log.FromContext(context.Background()).Info("PreAuthKey", "user", listResp.PreAuthKeys)
-	return nil
-}
-
-var expirePreAuthKeyCmdUsage = "expire [flags] [username]"
-
-type expirePreAuthKeyCmdOptions struct {
-	headscaleGRPCClient headscalev1.HeadscaleServiceClient
-	outputFormat        string
-}
-
-func expirePreAuthKeyCmd() *cobra.Command {
-	c := expirePreAuthKeyCmdOptions{}
-	cmd := &cobra.Command{
-		Use:   expirePreAuthKeyCmdUsage,
-		Short: "Expire a preauthkey for a headscale user",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			if o, err := cmd.Flags().GetString("output"); err != nil {
-				return fmt.Errorf("invalid value for flag --output: %w", err)
-			} else {
-				c.outputFormat = o
-			}
-			grpcClient, err := headscaleGRCPClientFunc(headscaleGRPCURL, headscaleAPIKey)
-			if err != nil {
-				return err
-			}
-			c.headscaleGRPCClient = grpcClient
-			return c.run()
-		},
-		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-			return validateFlags()
-		},
-	}
-	cmd.Flags().StringVarP(&user, "user", "u", "", "User for the preauthkey")
-	cmd.Flags().StringVar(&key, "key", "", "preauthkey")
-
-	return cmd
-}
-
-func (o *expirePreAuthKeyCmdOptions) run() error {
-	if key == "" || user == "" {
-		return errors.New("user and key are required to expire preauthkeys")
-	}
-	delResp, err := o.headscaleGRPCClient.ExpirePreAuthKey(context.Background(), &headscalev1.ExpirePreAuthKeyRequest{
-		User: user,
-		Key:  key,
-	})
-	if err != nil {
-		errStatus, ok := status.FromError(err)
-		switch {
-		case !ok:
-			return err
-		case strings.Contains(errStatus.Message(), "Unauthorized"):
-			return fmt.Errorf("headscale: unauthorized to list preauthkey for user %s", user)
-		case strings.Contains(errStatus.Message(), "AuthKey expired"):
-			return fmt.Errorf("headscale: preauthkey %s for user %s already expired", key, user)
-		default:
-			return err
-		}
-	}
-	Output(delResp, "PreAuthKey expired", o.outputFormat)
-	return nil
-}
diff --git a/pkg/headscalectl/root.go b/pkg/headscalectl/root.go
deleted file mode 100644
index e19e492d1..000000000
--- a/pkg/headscalectl/root.go
+++ /dev/null
@@ -1,52 +0,0 @@
-// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-// SPDX-License-Identifier: Apache-2.0
-
-package headscalectl
-
-import (
-	"github.com/spf13/cobra"
-	"go.uber.org/zap/zapcore"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/log"
-	"sigs.k8s.io/controller-runtime/pkg/log/zap"
-
-	"github.com/cloudoperators/greenhouse/pkg/clientutil"
-	"github.com/cloudoperators/greenhouse/pkg/version"
-)
-
-const programName = "headscalectl"
-
-var (
-	headscaleGRPCURL string
-	headscaleAPIKey  string
-)
-
-func init() {
-	rootCmd.PersistentFlags().StringVarP(&headscaleGRPCURL, "headscale-cli-address", "a", clientutil.GetEnvOrDefault("HEADSCALE_CLI_ADDRESS", ""), "Headscale API address. Can be set via HEADSCALE_CLI_ADDRESS env variable. Only GRPC is supported.")
-	rootCmd.PersistentFlags().StringVarP(&headscaleAPIKey, "headscale-api-key", "k", clientutil.GetEnvOrDefault("HEADSCALE_CLI_API_KEY", ""), "Headscale API key. Can be set via HEADSCALE_CLI_API_KEY env variable")
-	rootCmd.PersistentFlags().StringP("output", "o", "", "Output format. Empty for human-readable, 'json','json-line', 'yaml' or 'secret' | secret only works for apikey create")
-	rootCmd.DisableSuggestions = true
-
-	opts := zap.Options{
-		Development: true,
-		TimeEncoder: zapcore.RFC3339TimeEncoder,
-	}
-
-	ctrl.SetLogger(zap.New(
-		zap.UseFlagOptions(&opts)),
-	)
-	rootCmd.DisableSuggestions = true
-}
-
-// rootCmd for headscalectl.
-var rootCmd = &cobra.Command{
-	Use:     programName,
-	Short:   "Headscale command line tool for REST API",
-	Version: version.GetVersionTemplate(programName),
-}
-
-func Execute() {
-	if err := rootCmd.Execute(); err != nil {
-		log.FromContext(ctrl.SetupSignalHandler()).Error(err, "Error executing command")
-	}
-}
diff --git a/pkg/headscalectl/user.go b/pkg/headscalectl/user.go
deleted file mode 100644
index 03a29069a..000000000
--- a/pkg/headscalectl/user.go
+++ /dev/null
@@ -1,254 +0,0 @@
-// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-// SPDX-License-Identifier: Apache-2.0
-
-package headscalectl
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"strings"
-
-	headscalev1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/spf13/cobra"
-	"google.golang.org/grpc/status"
-	"sigs.k8s.io/controller-runtime/pkg/log"
-)
-
-func init() {
-	rootCmd.AddCommand(userCmd)
-	userCmd.AddCommand(createUserCmd())
-	userCmd.AddCommand(deleteUserCmd())
-	userCmd.AddCommand(getUserCmd())
-	userCmd.AddCommand(listUserCmd())
-}
-
-var userCmd = &cobra.Command{
-	Use:   "user",
-	Short: "Commands to interact with Users",
-}
-
-var createUserCmdUsage = "create [username]"
-
-type createUserCmdOptions struct {
-	headscaleGRPCClient headscalev1.HeadscaleServiceClient
-	outputFormat        string
-}
-
-func createUserCmd() *cobra.Command {
-	c := createUserCmdOptions{}
-	return &cobra.Command{
-		Use:   createUserCmdUsage,
-		Short: "Create a User in Headscale",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			if o, err := cmd.Flags().GetString("output"); err != nil {
-				return fmt.Errorf("invalid value for flag --output: %w", err)
-			} else {
-				c.outputFormat = o
-			}
-			userName := args[0]
-			grpcClient, err := headscaleGRCPClientFunc(headscaleGRPCURL, headscaleAPIKey)
-			if err != nil {
-				return err
-			}
-			c.headscaleGRPCClient = grpcClient
-			return c.run(userName)
-		},
-		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-			return validateFlags()
-		},
-		Args: cobra.ExactArgs(1),
-	}
-}
-
-func (o *createUserCmdOptions) run(userName string) error {
-	createResp, err := o.headscaleGRPCClient.CreateUser(context.Background(), &headscalev1.CreateUserRequest{
-		Name: userName,
-	})
-	if err != nil {
-		errStatus, ok := status.FromError(err)
-		if !ok {
-			return err
-		}
-		switch {
-		case strings.Contains(errStatus.Message(), "Unauthorized"):
-			return fmt.Errorf("headscale: unauthorized to create user %s", userName)
-		case strings.Contains(errStatus.Message(), "already exists"):
-			log.FromContext(context.Background()).Info("User already exists", "user", userName)
-			return nil
-		}
-		return err
-	}
-
-	Output(createResp.User, "User created", o.outputFormat)
-	return nil
-}
-
-var deleteUserCmdUsage = "delete [username]"
-
-type deleteUserCmdOptions struct {
-	headscaleGRPCClient headscalev1.HeadscaleServiceClient
-	outputFormat        string
-}
-
-func deleteUserCmd() *cobra.Command {
-	c := deleteUserCmdOptions{}
-	return &cobra.Command{
-		Use:   deleteUserCmdUsage,
-		Short: "Delete a User in Headscale",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			if o, err := cmd.Flags().GetString("output"); err != nil {
-				return fmt.Errorf("invalid value for flag --output: %w", err)
-			} else {
-				c.outputFormat = o
-			}
-			userName := args[0]
-			grpcClient, err := headscaleGRCPClientFunc(headscaleGRPCURL, headscaleAPIKey)
-			if err != nil {
-				return err
-			}
-			c.headscaleGRPCClient = grpcClient
-			return c.run(userName)
-		},
-		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-			return validateFlags()
-		},
-		Args: cobra.ExactArgs(1),
-	}
-}
-
-func (o *deleteUserCmdOptions) run(userName string) error {
-	delResp, err := o.headscaleGRPCClient.DeleteUser(context.Background(), &headscalev1.DeleteUserRequest{
-		Name: userName,
-	})
-	if err != nil {
-		errStatus, ok := status.FromError(err)
-		if !ok {
-			return err
-		}
-		switch {
-		case strings.Contains(errStatus.Message(), "Unauthorized"):
-			return fmt.Errorf("headscale: unauthorized to delete user %s", userName)
-		case strings.Contains(errStatus.Message(), "not found"):
-			return fmt.Errorf("headscale: user %s not found", userName)
-		}
-		return err
-	}
-	Output(delResp, "User deleted", o.outputFormat)
-	return nil
-}
-
-var getUserCmdUsage = "get [username]"
-
-type getUserCmdOptions struct {
-	headscaleGRPCClient headscalev1.HeadscaleServiceClient
-	outputFormat        string
-}
-
-func getUserCmd() *cobra.Command {
-	c := getUserCmdOptions{}
-	return &cobra.Command{
-		Use:   getUserCmdUsage,
-		Short: "Get a User in Headscale",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			if o, err := cmd.Flags().GetString("output"); err != nil {
-				return fmt.Errorf("invalid value for flag --output: %w", err)
-			} else {
-				c.outputFormat = o
-			}
-			userName := args[0]
-			grpcClient, err := headscaleGRCPClientFunc(headscaleGRPCURL, headscaleAPIKey)
-			if err != nil {
-				return err
-			}
-			c.headscaleGRPCClient = grpcClient
-			return c.run(userName)
-		},
-		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-			return validateFlags()
-		},
-		Args: cobra.ExactArgs(1),
-	}
-}
-
-func (o *getUserCmdOptions) run(userName string) error {
-	getResp, err := o.headscaleGRPCClient.GetUser(context.Background(), &headscalev1.GetUserRequest{
-		Name: userName,
-	})
-	if err != nil {
-		errStatus, ok := status.FromError(err)
-		if !ok {
-			return err
-		}
-		switch {
-		case strings.Contains(errStatus.Message(), "Unauthorized"):
-			return fmt.Errorf("headscale: unauthorized to get user %s", userName)
-		case strings.Contains(errStatus.Message(), "not found"):
-			return fmt.Errorf("headscale: user %s not found", userName)
-		}
-		return err
-	}
-	if o.outputFormat != "" {
-		Output(getResp.User, "", o.outputFormat)
-		return nil
-	}
-	log.FromContext(context.Background()).Info("User", "user", getResp.User.Name, "created at", getResp.User.CreatedAt)
-	return nil
-}
-
-var listUserCmdUsage = "list"
-
-type listUserCmdOptions struct {
-	headscaleGRPCClient headscalev1.HeadscaleServiceClient
-	outputFormat        string
-}
-
-func listUserCmd() *cobra.Command {
-	c := listUserCmdOptions{}
-	return &cobra.Command{
-		Use:   listUserCmdUsage,
-		Short: "List Users in Headscale",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			if o, err := cmd.Flags().GetString("output"); err != nil {
-				return fmt.Errorf("invalid value for flag --output: %w", err)
-			} else {
-				c.outputFormat = o
-			}
-			grpcClient, err := headscaleGRCPClientFunc(headscaleGRPCURL, headscaleAPIKey)
-			if err != nil {
-				return err
-			}
-			c.headscaleGRPCClient = grpcClient
-			return c.run()
-		},
-		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-			return validateFlags()
-		},
-		Args: cobra.NoArgs,
-	}
-}
-
-func (o *listUserCmdOptions) run() error {
-	listResp, err := o.headscaleGRPCClient.ListUsers(context.Background(), &headscalev1.ListUsersRequest{})
-	if err != nil {
-		errStatus, ok := status.FromError(err)
-		if !ok {
-			return err
-		}
-
-		if strings.Contains(errStatus.Message(), "Unauthorized") {
-			return errors.New("headscale: unauthorized to list users")
-		}
-		return err
-	}
-	if o.outputFormat != "" {
-		Output(listResp.Users, "", o.outputFormat)
-		return nil
-	}
-	var userNames []string
-	for _, user := range listResp.Users {
-		userNames = append(userNames, user.Name)
-	}
-	log.FromContext(context.Background()).Info("Users", "users", userNames)
-	return nil
-}
diff --git a/pkg/headscalectl/util.go b/pkg/headscalectl/util.go
deleted file mode 100644
index b76b8999b..000000000
--- a/pkg/headscalectl/util.go
+++ /dev/null
@@ -1,132 +0,0 @@
-// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-// SPDX-License-Identifier: Apache-2.0
-
-package headscalectl
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"os"
-
-	"gopkg.in/yaml.v3"
-	corev1 "k8s.io/api/core/v1"
-	"k8s.io/client-go/rest"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/client/config"
-	"sigs.k8s.io/controller-runtime/pkg/log"
-
-	"github.com/cloudoperators/greenhouse/pkg/clientutil"
-)
-
-const (
-	secretKey = "HEADSCALE_CLI_API_KEY" //nolint:gosec
-)
-
-var (
-	headscaleGRCPClientFunc       = clientutil.NewHeadscaleGRPCClient
-	headscaleGRPCSocketClientFunc = clientutil.NewHeadscaleGRPCSocketClient
-)
-
-func validateFlags() error {
-	if socketCall {
-		if socketPath == "" {
-			return errors.New("socket path is empty")
-		}
-		return nil
-	}
-	if headscaleGRPCURL == "" {
-		return errors.New("headscale GRPC URL is empty")
-	}
-	if headscaleAPIKey == "" {
-		return errors.New("headscale API key is empty")
-	}
-	return nil
-}
-
-func getKubeconfigOrDie(kubecontext string) *rest.Config {
-	if kubecontext == "" {
-		kubecontext = os.Getenv("KUBECONTEXT")
-	}
-	restConfig, err := config.GetConfigWithContext(kubecontext)
-	if err != nil {
-		log.FromContext(context.Background()).Error(err, "Failed to load kubeconfig")
-		os.Exit(1)
-	}
-	return restConfig
-}
-
-/*
-	func checkIfSecretExistsInCluster(secretName, secretNamespace string) (*corev1.Secret, bool) {
-		var kubeClient client.Client
-		restConfig := getKubeconfigOrDie("")
-		kubeClient, err := clientutil.NewK8sClient(restConfig)
-		if err != nil {
-			log.FromContext(context.Background()).Error(err, "Failed to create Kubernetes client")
-		}
-		secret := new(corev1.Secret)
-		secret.Name = secretName
-		secret.Namespace = secretNamespace
-		err = kubeClient.Get(context.Background(), client.ObjectKey{
-			Name:      secret.Name,
-			Namespace: secret.Namespace,
-		}, secret)
-		if err != nil {
-			return nil, false
-		}
-		return secret, true
-	}
-*/
-func createOrUpdateSecretInCluster(apiKey, secretName, secretNamespace string) {
-	var kubeClient client.Client
-	restConfig := getKubeconfigOrDie("")
-	kubeClient, err := clientutil.NewK8sClient(restConfig)
-	if err != nil {
-		log.FromContext(context.Background()).Error(err, "Failed to create Kubernetes client")
-	}
-	secret := new(corev1.Secret)
-	secret.Name = secretName
-	secret.Namespace = secretNamespace
-	result, err := clientutil.CreateOrPatch(context.Background(), kubeClient, secret, func() error {
-		secret.StringData = map[string]string{
-			secretKey: apiKey,
-		}
-		return nil
-	})
-	if err != nil {
-		log.FromContext(context.Background()).Error(err, "Failed to create secret")
-	}
-	switch result {
-	case clientutil.OperationResultCreated:
-		log.FromContext(context.Background()).Info("created secret", "name", secret.Name)
-	case clientutil.OperationResultUpdated:
-		log.FromContext(context.Background()).Info("updated secret", "name", secret.Name)
-	}
-}
-
-func Output(result interface{}, override, outputFormat string) {
-	var jsonBytes []byte
-	var err error
-	switch outputFormat {
-	case "json":
-		jsonBytes, err = json.MarshalIndent(result, "", "\t")
-		if err != nil {
-			log.FromContext(context.Background()).Error(err, "Error marshalling JSON")
-		}
-	case "json-line":
-		jsonBytes, err = json.Marshal(result)
-		if err != nil {
-			log.FromContext(context.Background()).Error(err, "Error marshalling JSON")
-		}
-	case "yaml":
-		jsonBytes, err = yaml.Marshal(result)
-		if err != nil {
-			log.FromContext(context.Background()).Error(err, "Error marshalling YAML")
-		}
-	default:
-		log.FromContext(context.Background()).Info(override)
-		return
-	}
-	fmt.Println(string(jsonBytes))
-}
diff --git a/pkg/tailscale-starter/root.go b/pkg/tailscale-starter/root.go
deleted file mode 100644
index 6427beb5a..000000000
--- a/pkg/tailscale-starter/root.go
+++ /dev/null
@@ -1,90 +0,0 @@
-// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-// SPDX-License-Identifier: Apache-2.0
-
-package tailscalestarter
-
-import (
-	"errors"
-	"net/http"
-	"os"
-	"os/exec"
-	"time"
-
-	"github.com/spf13/cobra"
-	"go.uber.org/zap/zapcore"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/log"
-	"sigs.k8s.io/controller-runtime/pkg/log/zap"
-	"tailscale.com/client/tailscale"
-
-	"github.com/cloudoperators/greenhouse/pkg/version"
-)
-
-const programName = "tailscale_starter"
-
-var (
-	localClient tailscale.LocalClient
-)
-
-func init() {
-	opts := zap.Options{
-		Development: true,
-		TimeEncoder: zapcore.RFC3339TimeEncoder,
-	}
-	ctrl.SetLogger(zap.New(
-		zap.UseFlagOptions(&opts)),
-	)
-}
-
-// rootCmd for headscalectl.
-func rootCmd() *cobra.Command {
-	cmd := &cobra.Command{
-		Use:     programName,
-		Short:   "tailscale_starter is a tool to start tailscale and expose a health endpoint",
-		Version: version.GetVersionTemplate(programName),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			if len(args) > 0 {
-				return errors.New("unexpected non-flag arguments to 'tailscale status'")
-			}
-
-			go func() {
-				// start tailscale
-				cmd := exec.Command("/tailscale/run.sh")
-				cmd.Stdout = os.Stdout // or any other io.Writer
-				cmd.Stderr = os.Stdout // or any other io.Writer
-				if err := cmd.Run(); err != nil {
-					log.FromContext(ctrl.SetupSignalHandler()).Error(err, "Error starting tailscaled")
-					os.Exit(1)
-				}
-			}()
-
-			httpServer := &http.Server{
-				Addr:              ":8090",
-				Handler:           newHealthMux(),
-				IdleTimeout:       30 * time.Second,
-				ReadHeaderTimeout: 20 * time.Second,
-				ReadTimeout:       20 * time.Second,
-			}
-
-			if err := httpServer.ListenAndServe(); err != nil {
-				log.FromContext(ctrl.SetupSignalHandler()).Error(err, "Error starting HTTP server")
-				os.Exit(1)
-			}
-
-			return nil
-		},
-		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-			return setPreAuthKey()
-		},
-	}
-	cmd.DisableSuggestions = true
-	cmd.Flags().StringVar(&localClient.Socket, "socket", "/var/run/tailscale/tailscaled.sock", "Path to the tailscale socket")
-	return cmd
-}
-
-func Execute() {
-	if err := rootCmd().Execute(); err != nil {
-		log.FromContext(ctrl.SetupSignalHandler()).Error(err, "Error executing command")
-		os.Exit(1)
-	}
-}
diff --git a/pkg/tailscale-starter/util.go b/pkg/tailscale-starter/util.go
deleted file mode 100644
index c22b81ae5..000000000
--- a/pkg/tailscale-starter/util.go
+++ /dev/null
@@ -1,105 +0,0 @@
-// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-// SPDX-License-Identifier: Apache-2.0
-
-package tailscalestarter
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"net/http"
-	"os"
-
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/log"
-
-	"tailscale.com/ipn"
-	"tailscale.com/ipn/ipnstate"
-)
-
-func fileExists(fileName string) bool {
-	fileInfo, err := os.Stat(fileName)
-	if os.IsNotExist(err) {
-		return false
-	}
-	return !fileInfo.IsDir()
-}
-
-func readFile(fileName string) string {
-	buff, err := os.ReadFile(fileName)
-	if err != nil {
-		return ""
-	}
-	return string(buff)
-}
-
-func setPreAuthKey() error {
-	switch {
-	case os.Getenv("TS_AUTHKEY") != "", os.Getenv("TS_AUTH_KEY") != "":
-		log.FromContext(ctrl.SetupSignalHandler()).Info("TS_AUTHKEY or TS_AUTH_KEY is set, skipping preauthkey")
-		return nil
-	case fileExists("/preauthkey/key"):
-		if err := os.Setenv("TS_AUTHKEY", readFile("/preauthkey/key")); err != nil {
-			return err
-		}
-		return nil
-	default:
-		return errors.New("no preauthkey found, stopping tailscale")
-	}
-}
-
-func isRunningOrStarting(status *ipnstate.Status) (description string, ok bool) {
-	switch status.BackendState {
-	case ipn.Stopped.String():
-		return "Tailscale is stopped.", false
-	case ipn.NeedsLogin.String():
-		return "Logged out.", false
-	case ipn.NeedsMachineAuth.String():
-		return "Client needs to be approved", false
-	case ipn.Running.String(), ipn.Starting.String():
-		return status.BackendState, true
-	default:
-		return "unknown state: " + status.BackendState, false
-	}
-}
-
-type healthResponse struct {
-	TailscaleVersion *string  `json:"tailscaleVersion,omitempty"`
-	ErrorMessage     *string  `json:"errorMessage,omitempty"`
-	HealthStatus     []string `json:"healthStatus,omitempty"`
-}
-
-func healthHandler(w http.ResponseWriter, _ *http.Request) {
-	response := new(healthResponse)
-	w.Header().Set("Content-Type", "application/json")
-	localClient.UseSocketOnly = true
-	status, err := localClient.StatusWithoutPeers(context.Background())
-	if err != nil {
-		w.WriteHeader(http.StatusInternalServerError)
-		response.HealthStatus = append(response.HealthStatus, err.Error())
-	}
-	description, ok := isRunningOrStarting(status)
-	if ok {
-		w.WriteHeader(http.StatusOK)
-		response.TailscaleVersion = &status.Version
-		response.HealthStatus = append(response.HealthStatus, description)
-	} else {
-		w.WriteHeader(http.StatusInternalServerError)
-		if len(status.Health) > 0 && (status.BackendState == ipn.Starting.String() || status.BackendState == ipn.NoState.String()) {
-			response.HealthStatus = append(response.HealthStatus, status.Health...)
-		}
-		response.TailscaleVersion = &status.Version
-		response.HealthStatus = append(response.HealthStatus, description)
-	}
-	jsonResp, _ := json.Marshal(response)
-	_, err = w.Write(jsonResp)
-	if err != nil {
-		log.FromContext(ctrl.SetupSignalHandler()).Error(err, "error during json Marshal")
-	}
-}
-
-func newHealthMux() *http.ServeMux {
-	mux := http.NewServeMux()
-	mux.HandleFunc("/healthz", healthHandler)
-	return mux
-}
diff --git a/pkg/tcp-proxy/metrics/metrics.go b/pkg/tcp-proxy/metrics/metrics.go
deleted file mode 100644
index 956b251b5..000000000
--- a/pkg/tcp-proxy/metrics/metrics.go
+++ /dev/null
@@ -1,118 +0,0 @@
-// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-// SPDX-License-Identifier: Apache-2.0
-
-package metrics
-
-import (
-	"errors"
-	"net/http"
-	"os"
-	"sync/atomic"
-
-	"github.com/google/uuid"
-	"github.com/prometheus/client_golang/prometheus"
-	"github.com/prometheus/client_golang/prometheus/promhttp"
-	"k8s.io/klog/v2"
-)
-
-type Helper struct {
-	metricsServer *http.Server
-	MetricsAddr   string
-}
-
-func setupMetricsServer(metricAddress string) *http.Server {
-	return &http.Server{
-		Addr:    metricAddress,
-		Handler: promhttp.Handler(),
-	}
-}
-
-func (p *Helper) StartMetricsServer(metricsAddr string) {
-	p.metricsServer = setupMetricsServer(metricsAddr)
-
-	klog.Infof("started: prometheus metrics server on %s", metricsAddr)
-
-	err := p.metricsServer.ListenAndServe()
-	if !errors.Is(err, http.ErrServerClosed) {
-		// Error starting or closing listener
-		klog.Errorf("error starting prometheus metrics server: %s", err)
-		os.Exit(1)
-	}
-}
-
-var (
-	ID                 = uuid.New().String()
-	InboundConnCounter = prometheus.NewCounterVec(
-		prometheus.CounterOpts{
-			Name: "inbound_connection_count",
-			Help: "The total number of inbound connections established",
-		},
-		[]string{"id"},
-	)
-	OutboundConnCounter = prometheus.NewCounterVec(
-		prometheus.CounterOpts{
-			Name: "outbound_connection_count",
-			Help: "The total number of outbound connections established",
-		},
-		[]string{"id"},
-	)
-	InboundBytesCounter = prometheus.NewCounterVec(
-		prometheus.CounterOpts{
-			Name: "inbound_bytes_count",
-			Help: "The total number of bytes sent and received on inbound connections",
-		},
-		[]string{"id"},
-	)
-	OutboundBytesCounter = prometheus.NewCounterVec(
-		prometheus.CounterOpts{
-			Name: "outbound_bytes_count",
-			Help: "The total number of bytes sent and received on outbound connections",
-		},
-		[]string{"id"},
-	)
-	ActiveInboundConnCount int64 = 0
-	ActiveInboundConnGauge       = prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Name: "active_inbound_connections",
-			Help: "The number of currently active inbound connections",
-		},
-		[]string{"id"},
-	)
-	ActiveOutboundConnCount int64 = 0
-	ActiveOutboundConnGauge       = prometheus.NewGaugeVec(
-		prometheus.GaugeOpts{
-			Name: "active_outbound_connections",
-			Help: "The number of currently active outbound connections",
-		},
-		[]string{"id"},
-	)
-)
-
-func IncrementActiveInboundGauge() {
-	InboundConnCounter.WithLabelValues(ID).Inc()
-	atomic.AddInt64(&ActiveInboundConnCount, 1)
-	ActiveInboundConnGauge.WithLabelValues(ID).Inc()
-}
-
-func IncrementActiveOutboundGauge() {
-	OutboundConnCounter.WithLabelValues(ID).Inc()
-	atomic.AddInt64(&ActiveOutboundConnCount, 1)
-	ActiveOutboundConnGauge.WithLabelValues(ID).Inc()
-}
-
-func DecrementActiveInboundGauge() {
-	atomic.AddInt64(&ActiveInboundConnCount, -1)
-	ActiveInboundConnGauge.WithLabelValues(ID).Dec()
-}
-
-func DecrementActiveOutboundGauge() {
-	atomic.AddInt64(&ActiveOutboundConnCount, -1)
-	ActiveOutboundConnGauge.WithLabelValues(ID).Dec()
-}
-
-func UpdateBytesReceivedCounter(inboundBytesCopied uint64) {
-	InboundBytesCounter.WithLabelValues(ID).Add(float64(inboundBytesCopied))
-}
-func UpdateBytesSentCounter(outboundBytesCopied uint64) {
-	OutboundBytesCounter.WithLabelValues(ID).Add(float64(outboundBytesCopied))
-}
diff --git a/pkg/tcp-proxy/proxy/proxy.go b/pkg/tcp-proxy/proxy/proxy.go
deleted file mode 100644
index d5f0137b5..000000000
--- a/pkg/tcp-proxy/proxy/proxy.go
+++ /dev/null
@@ -1,167 +0,0 @@
-/*******************************************************************************
-* MIT License
-*
-* Copyright (c) 2020 dev@jpillora.com
-*
-* Permission is hereby granted, free of charge, to any person obtaining a copy
-* of this software and associated documentation files (the "Software"), to deal
-* in the Software without restriction, including without limitation the rights
-* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-* copies of the Software, and to permit persons to whom the Software is
-* furnished to do so, subject to the following conditions:
-*
-* The above copyright notice and this permission notice shall be included in all
-* copies or substantial portions of the Software.
-*
-* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-* SOFTWARE.
-*******************************************************************************/
-
-package proxy
-
-import (
-	"crypto/tls"
-	"errors"
-	"io"
-	"net"
-
-	"k8s.io/klog/v2"
-
-	"github.com/cloudoperators/greenhouse/pkg/tcp-proxy/metrics"
-)
-
-// Proxy - Manages a Proxy connection, piping data between local and remote.
-type Proxy struct {
-	sentBytes     uint64
-	receivedBytes uint64
-	laddr, raddr  *net.TCPAddr
-	lconn, rconn  io.ReadWriteCloser
-	erred         bool
-	errsig        chan bool
-	tlsUnwrapp    bool
-	tlsAddress    string
-
-	// Settings
-	OutputHex bool
-}
-
-// New - Create a new Proxy instance. Takes over local connection passed in,
-// and closes it when finished.
-func New(lconn *net.TCPConn, laddr, raddr *net.TCPAddr) *Proxy {
-	return &Proxy{
-		lconn:  lconn,
-		laddr:  laddr,
-		raddr:  raddr,
-		erred:  false,
-		errsig: make(chan bool),
-	}
-}
-
-// NewTLSUnwrapped - Create a new Proxy instance with a remote TLS server for
-// which we want to unwrap the TLS to be able to connect without encryption
-// locally
-func NewTLSUnwrapped(lconn *net.TCPConn, laddr, raddr *net.TCPAddr, addr string) *Proxy {
-	p := New(lconn, laddr, raddr)
-	p.tlsUnwrapp = true
-	p.tlsAddress = addr
-	return p
-}
-
-// Start - open connection to remote and start proxying data.
-func (p *Proxy) Start() {
-	defer p.lconn.Close()
-
-	var err error
-	// connect to remote
-	if p.tlsUnwrapp {
-		p.rconn, err = tls.Dial("tcp", p.tlsAddress, nil)
-	} else {
-		p.rconn, err = net.DialTCP("tcp", nil, p.raddr)
-	}
-	if err != nil {
-		klog.Errorf("Remote connection failed: %s", err)
-		// Inbound connection has been closed, so decrement active inbound gauge
-		metrics.DecrementActiveInboundGauge()
-		return
-	}
-	// Outbound connection established, so increment active outbound gauge
-	metrics.IncrementActiveOutboundGauge()
-	defer p.rconn.Close()
-
-	// display both ends
-	klog.Infof("Opened %s >>> %s", p.laddr.String(), p.raddr.String())
-
-	// bidirectional copy
-	go p.pipe(p.lconn, p.rconn)
-	go p.pipe(p.rconn, p.lconn)
-
-	// wait for close...
-	<-p.errsig
-	klog.Infof("Closed (%d bytes sent, %d bytes received)", p.sentBytes, p.receivedBytes)
-	// Connection proxying complete, so update all metrics
-	metrics.UpdateBytesReceivedCounter(p.receivedBytes)
-	metrics.UpdateBytesSentCounter(p.sentBytes)
-	metrics.DecrementActiveInboundGauge()
-	metrics.DecrementActiveOutboundGauge()
-}
-
-func (p *Proxy) err(s string, err error) {
-	if p.erred {
-		return
-	}
-	if !errors.Is(err, io.EOF) {
-		klog.Errorf(s, err)
-	}
-	p.errsig <- true
-	p.erred = true
-}
-
-func (p *Proxy) pipe(src, dst io.ReadWriter) {
-	islocal := src == p.lconn
-
-	var dataDirection string
-	if islocal {
-		dataDirection = ">>> %d bytes sent%s"
-	} else {
-		dataDirection = "<<< %d bytes received%s"
-	}
-
-	var byteFormat string
-	if p.OutputHex {
-		byteFormat = "%x"
-	} else {
-		byteFormat = "%s"
-	}
-
-	// directional copy (64k buffer)
-	buff := make([]byte, 0xffff)
-	for {
-		n, err := src.Read(buff)
-		if err != nil {
-			p.err("Read failed '%s'\n", err)
-			return
-		}
-		b := buff[:n]
-
-		// show output
-		klog.V(5).Infof(dataDirection, n, "")
-		klog.V(5).Infof(byteFormat, b)
-
-		// write out result
-		n, err = dst.Write(b)
-		if err != nil {
-			p.err("Write failed '%s'\n", err)
-			return
-		}
-		if islocal {
-			p.sentBytes += uint64(n)
-		} else {
-			p.receivedBytes += uint64(n)
-		}
-	}
-}
diff --git a/pkg/test/headscale.go b/pkg/test/headscale.go
deleted file mode 100644
index 58c22d4a9..000000000
--- a/pkg/test/headscale.go
+++ /dev/null
@@ -1,236 +0,0 @@
-// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Greenhouse contributors
-// SPDX-License-Identifier: Apache-2.0
-
-package test
-
-import (
-	"context"
-	"errors"
-
-	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"google.golang.org/grpc"
-	"k8s.io/cli-runtime/pkg/genericclioptions"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-
-	"github.com/cloudoperators/greenhouse/pkg/clientutil"
-)
-
-// FakeHeadscaleClient is a fake implementation of the HeadscaleClient interface.
-//
-//nolint:stylecheck
-type FakeHeadscaleClient struct {
-	// IsUserDeleted is used to simulate the deletion of a user. If set to true, the GetUserFunc will return an error.
-	IsUserDeleted bool
-
-	CreateApiKeyFunc       func(context.Context, *v1.CreateApiKeyRequest, ...grpc.CallOption) (*v1.CreateApiKeyResponse, error) // no-lint:stylecheck
-	CreatePreAuthKeyFunc   func(context.Context, *v1.CreatePreAuthKeyRequest, ...grpc.CallOption) (*v1.CreatePreAuthKeyResponse, error)
-	CreateUserFunc         func(context.Context, *v1.CreateUserRequest, ...grpc.CallOption) (*v1.CreateUserResponse, error)
-	DebugCreateMachineFunc func(context.Context, *v1.DebugCreateMachineRequest, ...grpc.CallOption) (*v1.DebugCreateMachineResponse, error)
-	DeleteMachineFunc      func(context.Context, *v1.DeleteMachineRequest, ...grpc.CallOption) (*v1.DeleteMachineResponse, error)
-	DeleteRouteFunc        func(context.Context, *v1.DeleteRouteRequest, ...grpc.CallOption) (*v1.DeleteRouteResponse, error)
-	DeleteUserFunc         func(context.Context, *v1.DeleteUserRequest, ...grpc.CallOption) (*v1.DeleteUserResponse, error)
-	DisableRouteFunc       func(context.Context, *v1.DisableRouteRequest, ...grpc.CallOption) (*v1.DisableRouteResponse, error)
-	EnableRouteFunc        func(context.Context, *v1.EnableRouteRequest, ...grpc.CallOption) (*v1.EnableRouteResponse, error)
-	ExpireApiKeyFunc       func(context.Context, *v1.ExpireApiKeyRequest, ...grpc.CallOption) (*v1.ExpireApiKeyResponse, error) // no-lint:stylecheck
-	ExpireMachineFunc      func(context.Context, *v1.ExpireMachineRequest, ...grpc.CallOption) (*v1.ExpireMachineResponse, error)
-	ExpirePreAuthKeyFunc   func(context.Context, *v1.ExpirePreAuthKeyRequest, ...grpc.CallOption) (*v1.ExpirePreAuthKeyResponse, error)
-	GetMachineFunc         func(context.Context, *v1.GetMachineRequest, ...grpc.CallOption) (*v1.GetMachineResponse, error)
-	GetMachineRoutesFunc   func(context.Context, *v1.GetMachineRoutesRequest, ...grpc.CallOption) (*v1.GetMachineRoutesResponse, error)
-	GetRoutesFunc          func(context.Context, *v1.GetRoutesRequest, ...grpc.CallOption) (*v1.GetRoutesResponse, error)
-	GetUserFunc            func(context.Context, *v1.GetUserRequest, ...grpc.CallOption) (*v1.GetUserResponse, error)
-	ListApiKeysFunc        func(context.Context, *v1.ListApiKeysRequest, ...grpc.CallOption) (*v1.ListApiKeysResponse, error)
-	ListMachinesFunc       func(context.Context, *v1.ListMachinesRequest, ...grpc.CallOption) (*v1.ListMachinesResponse, error)
-	ListPreAuthKeysFunc    func(context.Context, *v1.ListPreAuthKeysRequest, ...grpc.CallOption) (*v1.ListPreAuthKeysResponse, error)
-	ListUsersFunc          func(context.Context, *v1.ListUsersRequest, ...grpc.CallOption) (*v1.ListUsersResponse, error)
-	MoveMachineFunc        func(context.Context, *v1.MoveMachineRequest, ...grpc.CallOption) (*v1.MoveMachineResponse, error)
-	RegisterMachineFunc    func(context.Context, *v1.RegisterMachineRequest, ...grpc.CallOption) (*v1.RegisterMachineResponse, error)
-	RenameMachineFunc      func(context.Context, *v1.RenameMachineRequest, ...grpc.CallOption) (*v1.RenameMachineResponse, error)
-	RenameUserFunc         func(context.Context, *v1.RenameUserRequest, ...grpc.CallOption) (*v1.RenameUserResponse, error)
-	SetTagsFunc            func(context.Context, *v1.SetTagsRequest, ...grpc.CallOption) (*v1.SetTagsResponse, error)
-}
-
-func (f FakeHeadscaleClient) CreateUser(ctx context.Context, in *v1.CreateUserRequest, opts ...grpc.CallOption) (*v1.CreateUserResponse, error) {
-	if f.CreateUserFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to CreateUser")
-	}
-	return f.CreateUserFunc(ctx, in, opts...)
-}
-
-func (f FakeHeadscaleClient) DeleteUser(ctx context.Context, in *v1.DeleteUserRequest, opts ...grpc.CallOption) (*v1.DeleteUserResponse, error) {
-	if f.DeleteUserFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to DeleteUser")
-	}
-	return f.DeleteUserFunc(ctx, in, opts...)
-}
-
-func (f FakeHeadscaleClient) GetUser(ctx context.Context, in *v1.GetUserRequest, opts ...grpc.CallOption) (*v1.GetUserResponse, error) {
-	if f.GetUserFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to GetUser")
-	}
-	return f.GetUserFunc(ctx, in, opts...)
-}
-
-func (f FakeHeadscaleClient) CreatePreAuthKey(ctx context.Context, in *v1.CreatePreAuthKeyRequest, opts ...grpc.CallOption) (*v1.CreatePreAuthKeyResponse, error) {
-	if f.CreatePreAuthKeyFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to CreatePreAuthKey")
-	}
-	return f.CreatePreAuthKeyFunc(ctx, in, opts...)
-}
-
-func (f FakeHeadscaleClient) DeleteMachine(ctx context.Context, in *v1.DeleteMachineRequest, opts ...grpc.CallOption) (*v1.DeleteMachineResponse, error) {
-	if f.DeleteMachineFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to DeleteMachine")
-	}
-	return f.DeleteMachineFunc(ctx, in, opts...)
-}
-
-func (f FakeHeadscaleClient) ListMachines(ctx context.Context, in *v1.ListMachinesRequest, opts ...grpc.CallOption) (*v1.ListMachinesResponse, error) {
-	if f.ListMachinesFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to ListMachines")
-	}
-	return f.ListMachinesFunc(ctx, in, opts...)
-}
-
-//nolint:stylecheck
-func (f FakeHeadscaleClient) CreateApiKey(ctx context.Context, in *v1.CreateApiKeyRequest, opts ...grpc.CallOption) (*v1.CreateApiKeyResponse, error) {
-	if f.CreateApiKeyFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to CreateApiKey")
-	}
-	return f.CreateApiKeyFunc(ctx, in, opts...)
-}
-
-func (f FakeHeadscaleClient) DebugCreateMachine(ctx context.Context, in *v1.DebugCreateMachineRequest, opts ...grpc.CallOption) (*v1.DebugCreateMachineResponse, error) {
-	if f.DebugCreateMachineFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to DebugCreateMachine")
-	}
-	return f.DebugCreateMachineFunc(ctx, in, opts...)
-}
-
-func (f FakeHeadscaleClient) DeleteRoute(ctx context.Context, in *v1.DeleteRouteRequest, opts ...grpc.CallOption) (*v1.DeleteRouteResponse, error) {
-	if f.DeleteRouteFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to DeleteRoute")
-	}
-	return f.DeleteRouteFunc(ctx, in, opts...)
-}
-
-func (f FakeHeadscaleClient) DisableRoute(ctx context.Context, in *v1.DisableRouteRequest, opts ...grpc.CallOption) (*v1.DisableRouteResponse, error) {
-	if f.DisableRouteFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to DisableRoute")
-	}
-	return f.DisableRouteFunc(ctx, in, opts...)
-}
-
-func (f FakeHeadscaleClient) EnableRoute(ctx context.Context, in *v1.EnableRouteRequest, opts ...grpc.CallOption) (*v1.EnableRouteResponse, error) {
-	if f.EnableRouteFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to EnableRoute")
-	}
-	return f.EnableRouteFunc(ctx, in, opts...)
-}
-
-//nolint:stylecheck
-func (f FakeHeadscaleClient) ExpireApiKey(ctx context.Context, in *v1.ExpireApiKeyRequest, opts ...grpc.CallOption) (*v1.ExpireApiKeyResponse, error) {
-	if f.ExpireApiKeyFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to ExpireApiKey")
-	}
-	return f.ExpireApiKeyFunc(ctx, in, opts...)
-}
-
-func (f FakeHeadscaleClient) ExpireMachine(ctx context.Context, in *v1.ExpireMachineRequest, opts ...grpc.CallOption) (*v1.ExpireMachineResponse, error) {
-	if f.ExpireMachineFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to ExpireMachine")
-	}
-	return f.ExpireMachineFunc(ctx, in, opts...)
-}
-
-func (f FakeHeadscaleClient) ExpirePreAuthKey(ctx context.Context, in *v1.ExpirePreAuthKeyRequest, opts ...grpc.CallOption) (*v1.ExpirePreAuthKeyResponse, error) {
-	if f.ExpirePreAuthKeyFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to ExpirePreAuthKey")
-	}
-	return f.ExpirePreAuthKeyFunc(ctx, in, opts...)
-}
-
-func (f FakeHeadscaleClient) GetMachine(ctx context.Context, in *v1.GetMachineRequest, opts ...grpc.CallOption) (*v1.GetMachineResponse, error) {
-	if f.GetMachineFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to GetMachine")
-	}
-	return f.GetMachineFunc(ctx, in, opts...)
-}
-
-func (f FakeHeadscaleClient) GetMachineRoutes(ctx context.Context, in *v1.GetMachineRoutesRequest, opts ...grpc.CallOption) (*v1.GetMachineRoutesResponse, error) {
-	if f.GetMachineRoutesFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to GetMachineRoutes")
-	}
-	return f.GetMachineRoutesFunc(ctx, in, opts...)
-}
-
-func (f FakeHeadscaleClient) GetRoutes(ctx context.Context, in *v1.GetRoutesRequest, opts ...grpc.CallOption) (*v1.GetRoutesResponse, error) {
-	if f.GetRoutesFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to GetRoutes")
-	}
-	return f.GetRoutesFunc(ctx, in, opts...)
-}
-
-//nolint:stylecheck
-func (f FakeHeadscaleClient) ListApiKeys(ctx context.Context, in *v1.ListApiKeysRequest, opts ...grpc.CallOption) (*v1.ListApiKeysResponse, error) {
-	if f.ListApiKeysFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to ListApiKeys")
-	}
-	return f.ListApiKeysFunc(ctx, in, opts...)
-}
-
-func (f FakeHeadscaleClient) ListPreAuthKeys(ctx context.Context, in *v1.ListPreAuthKeysRequest, opts ...grpc.CallOption) (*v1.ListPreAuthKeysResponse, error) {
-	if f.ListPreAuthKeysFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to ListPreAuthKeys")
-	}
-	return f.ListPreAuthKeysFunc(ctx, in, opts...)
-}
-func (f FakeHeadscaleClient) ListUsers(ctx context.Context, in *v1.ListUsersRequest, opts ...grpc.CallOption) (*v1.ListUsersResponse, error) {
-	if f.ListUsersFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to ListUsers")
-	}
-	return f.ListUsersFunc(ctx, in, opts...)
-}
-
-func (f FakeHeadscaleClient) MoveMachine(ctx context.Context, in *v1.MoveMachineRequest, opts ...grpc.CallOption) (*v1.MoveMachineResponse, error) {
-	if f.MoveMachineFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to MoveMachines")
-	}
-	return f.MoveMachineFunc(ctx, in, opts...)
-}
-
-func (f FakeHeadscaleClient) RegisterMachine(ctx context.Context, in *v1.RegisterMachineRequest, opts ...grpc.CallOption) (*v1.RegisterMachineResponse, error) {
-	if f.RegisterMachineFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to RegisterMachine")
-	}
-	return f.RegisterMachineFunc(ctx, in, opts...)
-}
-
-func (f FakeHeadscaleClient) RenameMachine(ctx context.Context, in *v1.RenameMachineRequest, opts ...grpc.CallOption) (*v1.RenameMachineResponse, error) {
-	if f.RenameMachineFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to RenameMachine")
-	}
-	return f.RenameMachineFunc(ctx, in, opts...)
-}
-
-func (f FakeHeadscaleClient) RenameUser(ctx context.Context, in *v1.RenameUserRequest, opts ...grpc.CallOption) (*v1.RenameUserResponse, error) {
-	if f.RenameUserFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to RenameUser")
-	}
-	return f.RenameUserFunc(ctx, in, opts...)
-}
-
-func (f FakeHeadscaleClient) SetTags(ctx context.Context, in *v1.SetTagsRequest, opts ...grpc.CallOption) (*v1.SetTagsResponse, error) {
-	if f.SetTagsFunc == nil {
-		return nil, errors.New("FakeHeadscaleClient was not configured to respond to SetTags")
-	}
-	return f.SetTagsFunc(ctx, in, opts...)
-}
-
-// DummyTailscaleClienGetter is a dummy tailscale client getter for testing purposes. As we do not have a headscale setup for testing, we need to mock the tailscale client getter.
-func DummyTailscaleClientGetter(restClientGetter genericclioptions.RESTClientGetter, proxy, headscaleAddress string) (client.Client, error) {
-	cfg, err := restClientGetter.ToRESTConfig()
-	if err != nil {
-		return nil, err
-	}
-	return clientutil.NewK8sClient(cfg)
-}
diff --git a/test/e2e/controllers.go b/test/e2e/controllers.go
index 5fec478ae..fc3caa2d0 100644
--- a/test/e2e/controllers.go
+++ b/test/e2e/controllers.go
@@ -57,7 +57,6 @@ var knownControllers = map[string]func(controllerName string, mgr ctrl.Manager)
 	"bootStrap":           (&clustercontrollers.BootstrapReconciler{}).SetupWithManager,
 	"clusterDirectAccess": startClusterDirectAccessReconciler,
 	// "clusterPropagation":     (&clustercontrollers.ClusterPropagationReconciler{}).SetupWithManager,
-	// "clusterHeadscaleAccess": startClusterHeadscaleAccessReconciler,
 	"clusterStatus": (&clustercontrollers.ClusterStatusReconciler{}).SetupWithManager,
 }
 
diff --git a/types/typescript/schema.d.ts b/types/typescript/schema.d.ts
index a663b7a2d..305c7fdbe 100644
--- a/types/typescript/schema.d.ts
+++ b/types/typescript/schema.d.ts
@@ -9,7 +9,7 @@
  */
 
 export interface paths {
-    "/Plugin": {
+    "/Organization": {
         parameters: {
             query?: never;
             header?: never;
@@ -27,7 +27,7 @@ export interface paths {
             };
             requestBody?: never;
             responses: {
-                /** @description Plugin */
+                /** @description Organization */
                 default: {
                     headers: {
                         [name: string]: unknown;
@@ -42,7 +42,7 @@ export interface paths {
         patch?: never;
         trace?: never;
     };
-    "/Organization": {
+    "/ClusterKubeconfig": {
         parameters: {
             query?: never;
             header?: never;
@@ -60,7 +60,7 @@ export interface paths {
             };
             requestBody?: never;
             responses: {
-                /** @description Organization */
+                /** @description ClusterKubeconfig */
                 default: {
                     headers: {
                         [name: string]: unknown;
@@ -75,7 +75,7 @@ export interface paths {
         patch?: never;
         trace?: never;
     };
-    "/TeamRole": {
+    "/Cluster": {
         parameters: {
             query?: never;
             header?: never;
@@ -93,7 +93,7 @@ export interface paths {
             };
             requestBody?: never;
             responses: {
-                /** @description TeamRole */
+                /** @description Cluster */
                 default: {
                     headers: {
                         [name: string]: unknown;
@@ -108,7 +108,7 @@ export interface paths {
         patch?: never;
         trace?: never;
     };
-    "/PluginPreset": {
+    "/TeamRole": {
         parameters: {
             query?: never;
             header?: never;
@@ -126,7 +126,7 @@ export interface paths {
             };
             requestBody?: never;
             responses: {
-                /** @description PluginPreset */
+                /** @description TeamRole */
                 default: {
                     headers: {
                         [name: string]: unknown;
@@ -141,7 +141,7 @@ export interface paths {
         patch?: never;
         trace?: never;
     };
-    "/Cluster": {
+    "/TeamMembership": {
         parameters: {
             query?: never;
             header?: never;
@@ -159,7 +159,7 @@ export interface paths {
             };
             requestBody?: never;
             responses: {
-                /** @description Cluster */
+                /** @description TeamMembership */
                 default: {
                     headers: {
                         [name: string]: unknown;
@@ -174,7 +174,7 @@ export interface paths {
         patch?: never;
         trace?: never;
     };
-    "/ClusterKubeconfig": {
+    "/PluginPreset": {
         parameters: {
             query?: never;
             header?: never;
@@ -192,7 +192,7 @@ export interface paths {
             };
             requestBody?: never;
             responses: {
-                /** @description ClusterKubeconfig */
+                /** @description PluginPreset */
                 default: {
                     headers: {
                         [name: string]: unknown;
@@ -207,7 +207,7 @@ export interface paths {
         patch?: never;
         trace?: never;
     };
-    "/PluginDefinition": {
+    "/Team": {
         parameters: {
             query?: never;
             header?: never;
@@ -225,7 +225,7 @@ export interface paths {
             };
             requestBody?: never;
             responses: {
-                /** @description PluginDefinition */
+                /** @description Team */
                 default: {
                     headers: {
                         [name: string]: unknown;
@@ -240,7 +240,7 @@ export interface paths {
         patch?: never;
         trace?: never;
     };
-    "/Team": {
+    "/TeamRoleBinding": {
         parameters: {
             query?: never;
             header?: never;
@@ -258,7 +258,7 @@ export interface paths {
             };
             requestBody?: never;
             responses: {
-                /** @description Team */
+                /** @description TeamRoleBinding */
                 default: {
                     headers: {
                         [name: string]: unknown;
@@ -273,7 +273,7 @@ export interface paths {
         patch?: never;
         trace?: never;
     };
-    "/TeamMembership": {
+    "/Plugin": {
         parameters: {
             query?: never;
             header?: never;
@@ -291,7 +291,7 @@ export interface paths {
             };
             requestBody?: never;
             responses: {
-                /** @description TeamMembership */
+                /** @description Plugin */
                 default: {
                     headers: {
                         [name: string]: unknown;
@@ -306,7 +306,7 @@ export interface paths {
         patch?: never;
         trace?: never;
     };
-    "/TeamRoleBinding": {
+    "/PluginDefinition": {
         parameters: {
             query?: never;
             header?: never;
@@ -324,7 +324,7 @@ export interface paths {
             };
             requestBody?: never;
             responses: {
-                /** @description TeamRoleBinding */
+                /** @description PluginDefinition */
                 default: {
                     headers: {
                         [name: string]: unknown;
@@ -343,142 +343,6 @@ export interface paths {
 export type webhooks = Record<string, never>;
 export interface components {
     schemas: {
-        /**
-         * Plugin
-         * @description Plugin is the Schema for the plugins API
-         */
-        Plugin: {
-            /** @description APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */
-            apiVersion?: string;
-            /** @description Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */
-            kind?: string;
-            metadata?: {
-                name?: string;
-                namespace?: string;
-                /** Format: uuid */
-                uid?: string;
-                resourceVersion?: string;
-                /** Format: date-time */
-                creationTimestamp?: string;
-                /** Format: date-time */
-                deletionTimestamp?: string;
-                labels?: {
-                    [key: string]: string;
-                };
-                annotations?: {
-                    [key: string]: string;
-                };
-            };
-            /** @description PluginSpec defines the desired state of Plugin */
-            spec?: {
-                /** @description ClusterName is the name of the cluster the plugin is deployed to. If not set, the plugin is deployed to the greenhouse cluster. */
-                clusterName?: string;
-                /** @description Disabled indicates that the plugin is administratively disabled. */
-                disabled: boolean;
-                /** @description DisplayName is an optional name for the Plugin to be displayed in the Greenhouse UI.\nThis is especially helpful to distinguish multiple instances of a PluginDefinition in the same context.\nDefaults to a normalized version of metadata.name. */
-                displayName?: string;
-                /** @description Values are the values for a PluginDefinition instance. */
-                optionValues?: {
-                    /** @description Name of the values. */
-                    name: string;
-                    /** @description Value is the actual value in plain text. */
-                    value?: unknown;
-                    /** @description ValueFrom references a potentially confidential value in another source. */
-                    valueFrom?: {
-                        /** @description Secret references the secret containing the value. */
-                        secret?: {
-                            /** @description Key in the secret to select the value from. */
-                            key: string;
-                            /** @description Name of the secret in the same namespace. */
-                            name: string;
-                        };
-                    };
-                }[];
-                /** @description PluginDefinition is the name of the PluginDefinition this instance is for. */
-                pluginDefinition: string;
-                /** @description ReleaseNamespace is the namespace in the remote cluster to which the backend is deployed.\nDefaults to the Greenhouse managed namespace if not set. */
-                releaseNamespace?: string;
-            };
-            /** @description PluginStatus defines the observed state of Plugin */
-            status?: {
-                /** @description Description provides additional details of the plugin. */
-                description?: string;
-                /** @description ExposedServices provides an overview of the Plugins services that are centrally exposed.\nIt maps the exposed URL to the service found in the manifest. */
-                exposedServices?: {
-                    [key: string]: {
-                        /** @description Name is the name of the service in the target cluster. */
-                        name: string;
-                        /** @description Namespace is the namespace of the service in the target cluster. */
-                        namespace: string;
-                        /**
-                         * Format: int32
-                         * @description Port is the port of the service.
-                         */
-                        port: number;
-                        /** @description Protocol is the protocol of the service. */
-                        protocol?: string;
-                    };
-                };
-                /** @description HelmChart contains a reference the helm chart used for the deployed pluginDefinition version. */
-                helmChart?: {
-                    /** @description Name of the HelmChart chart. */
-                    name: string;
-                    /** @description Repository of the HelmChart chart. */
-                    repository: string;
-                    /** @description Version of the HelmChart chart. */
-                    version: string;
-                };
-                /** @description HelmReleaseStatus reflects the status of the latest HelmChart release.\nThis is only configured if the pluginDefinition is backed by HelmChart. */
-                helmReleaseStatus?: {
-                    /**
-                     * Format: date-time
-                     * @description FirstDeployed is the timestamp of the first deployment of the release.
-                     */
-                    firstDeployed?: string;
-                    /**
-                     * Format: date-time
-                     * @description LastDeployed is the timestamp of the last deployment of the release.
-                     */
-                    lastDeployed?: string;
-                    /** @description Status is the status of a HelmChart release. */
-                    status: string;
-                };
-                /** @description StatusConditions contain the different conditions that constitute the status of the Plugin. */
-                statusConditions?: {
-                    conditions?: {
-                        /**
-                         * Format: date-time
-                         * @description LastTransitionTime is the last time the condition transitioned from one status to another.
-                         */
-                        lastTransitionTime: string;
-                        /** @description Message is an optional human readable message indicating details about the last transition. */
-                        message?: string;
-                        /** @description Reason is a one-word, CamelCase reason for the condition's last transition. */
-                        reason?: string;
-                        /** @description Status of the condition. */
-                        status: string;
-                        /** @description Type of the condition. */
-                        type: string;
-                    }[];
-                };
-                /** @description UIApplication contains a reference to the frontend that is used for the deployed pluginDefinition version. */
-                uiApplication?: {
-                    /** @description Name of the UI application. */
-                    name: string;
-                    /** @description URL specifies the url to a built javascript asset.\nBy default, assets are loaded from the Juno asset server using the provided name and version. */
-                    url?: string;
-                    /** @description Version of the frontend application. */
-                    version: string;
-                };
-                /** @description Version contains the latest pluginDefinition version the config was last applied with successfully. */
-                version?: string;
-                /**
-                 * Format: int32
-                 * @description Weight configures the order in which Plugins are shown in the Greenhouse UI.
-                 */
-                weight?: number;
-            };
-        };
         /**
          * Organization
          * @description Organization is the Schema for the organizations API
@@ -567,10 +431,10 @@ export interface components {
             status?: Record<string, never>;
         };
         /**
-         * TeamRole
-         * @description TeamRole is the Schema for the TeamRoles API
+         * ClusterKubeconfig
+         * @description ClusterKubeconfig is the Schema for the clusterkubeconfigs API\nObjectMeta.OwnerReferences is used to link the ClusterKubeconfig to the Cluster\nObjectMeta.Generation is used to detect changes in the ClusterKubeconfig and sync local kubeconfig files\nObjectMeta.Name is designed to be the same with the Cluster name
          */
-        TeamRole: {
+        ClusterKubeconfig: {
             /** @description APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */
             apiVersion?: string;
             /** @description Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */
@@ -592,162 +456,46 @@ export interface components {
                     [key: string]: string;
                 };
             };
-            /** @description TeamRoleSpec defines the desired state of a TeamRole */
+            /** @description ClusterKubeconfigSpec stores the kubeconfig data for the cluster\nThe idea is to use kubeconfig data locally with minimum effort (with local tools or plain kubectl):\nkubectl get cluster-kubeconfig $NAME -o yaml | yq -y .spec.kubeconfig */
             spec?: {
-                /** @description AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole on the remote cluster */
-                aggregationRule?: {
-                    /** @description ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.\nIf any of the selectors match, then the ClusterRole's permissions will be added */
-                    clusterRoleSelectors?: {
-                        /** @description matchExpressions is a list of label selector requirements. The requirements are ANDed. */
-                        matchExpressions?: {
-                            /** @description key is the label key that the selector applies to. */
-                            key: string;
-                            /** @description operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist. */
-                            operator: string;
-                            /** @description values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch. */
-                            values?: string[];
-                        }[];
-                        /** @description matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is "key", the\noperator is "In", and the values array contains only "value". The requirements are ANDed. */
-                        matchLabels?: {
-                            [key: string]: string;
+                /** @description ClusterKubeconfigData stores the kubeconfig data ready to use kubectl or other local tooling\nIt is a simplified version of clientcmdapi.Config: https://pkg.go.dev/k8s.io/client-go/tools/clientcmd/api#Config */
+                kubeconfig?: {
+                    apiVersion?: string;
+                    clusters?: {
+                        cluster: {
+                            /** Format: byte */
+                            "certificate-authority-data"?: string;
+                            server?: string;
+                        };
+                        name: string;
+                    }[];
+                    contexts: {
+                        context?: {
+                            cluster: string;
+                            namespace?: string;
+                            user: string;
+                        };
+                        name: string;
+                    }[];
+                    "current-context"?: string;
+                    kind?: string;
+                    preferences?: Record<string, never>;
+                    users: {
+                        name: string;
+                        user?: {
+                            /** @description AuthProviderConfig holds the configuration for a specified auth provider. */
+                            "auth-provider"?: {
+                                config?: {
+                                    [key: string]: string;
+                                };
+                                name: string;
+                            };
+                            /** Format: byte */
+                            "client-certificate-data"?: string;
+                            /** Format: byte */
+                            "client-key-data"?: string;
                         };
                     }[];
-                };
-                /** @description Labels are applied to the ClusterRole created on the remote cluster.\nThis allows using TeamRoles as part of AggregationRules by other TeamRoles */
-                labels?: {
-                    [key: string]: string;
-                };
-                /** @description Rules is a list of rbacv1.PolicyRules used on a managed RBAC (Cluster)Role */
-                rules?: {
-                    /** @description APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of\nthe enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups. */
-                    apiGroups?: string[];
-                    /** @description NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path\nSince non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.\nRules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both. */
-                    nonResourceURLs?: string[];
-                    /** @description ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed. */
-                    resourceNames?: string[];
-                    /** @description Resources is a list of resources this rule applies to. '*' represents all resources. */
-                    resources?: string[];
-                    /** @description Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs. */
-                    verbs: string[];
-                }[];
-            };
-            /** @description TeamRoleStatus defines the observed state of a TeamRole */
-            status?: Record<string, never>;
-        };
-        /**
-         * PluginPreset
-         * @description PluginPreset is the Schema for the PluginPresets API
-         */
-        PluginPreset: {
-            /** @description APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */
-            apiVersion?: string;
-            /** @description Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */
-            kind?: string;
-            metadata?: {
-                name?: string;
-                namespace?: string;
-                /** Format: uuid */
-                uid?: string;
-                resourceVersion?: string;
-                /** Format: date-time */
-                creationTimestamp?: string;
-                /** Format: date-time */
-                deletionTimestamp?: string;
-                labels?: {
-                    [key: string]: string;
-                };
-                annotations?: {
-                    [key: string]: string;
-                };
-            };
-            /** @description PluginPresetSpec defines the desired state of PluginPreset */
-            spec?: {
-                /** @description ClusterOptionOverrides define plugin option values to override by the PluginPreset */
-                clusterOptionOverrides?: {
-                    clusterName: string;
-                    overrides: {
-                        /** @description Name of the values. */
-                        name: string;
-                        /** @description Value is the actual value in plain text. */
-                        value?: unknown;
-                        /** @description ValueFrom references a potentially confidential value in another source. */
-                        valueFrom?: {
-                            /** @description Secret references the secret containing the value. */
-                            secret?: {
-                                /** @description Key in the secret to select the value from. */
-                                key: string;
-                                /** @description Name of the secret in the same namespace. */
-                                name: string;
-                            };
-                        };
-                    }[];
-                }[];
-                /** @description ClusterSelector is a label selector to select the clusters the plugin bundle should be deployed to. */
-                clusterSelector: {
-                    /** @description matchExpressions is a list of label selector requirements. The requirements are ANDed. */
-                    matchExpressions?: {
-                        /** @description key is the label key that the selector applies to. */
-                        key: string;
-                        /** @description operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist. */
-                        operator: string;
-                        /** @description values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch. */
-                        values?: string[];
-                    }[];
-                    /** @description matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is "key", the\noperator is "In", and the values array contains only "value". The requirements are ANDed. */
-                    matchLabels?: {
-                        [key: string]: string;
-                    };
-                };
-                /** @description PluginSpec is the spec of the plugin to be deployed by the PluginPreset. */
-                plugin: {
-                    /** @description ClusterName is the name of the cluster the plugin is deployed to. If not set, the plugin is deployed to the greenhouse cluster. */
-                    clusterName?: string;
-                    /** @description Disabled indicates that the plugin is administratively disabled. */
-                    disabled: boolean;
-                    /** @description DisplayName is an optional name for the Plugin to be displayed in the Greenhouse UI.\nThis is especially helpful to distinguish multiple instances of a PluginDefinition in the same context.\nDefaults to a normalized version of metadata.name. */
-                    displayName?: string;
-                    /** @description Values are the values for a PluginDefinition instance. */
-                    optionValues?: {
-                        /** @description Name of the values. */
-                        name: string;
-                        /** @description Value is the actual value in plain text. */
-                        value?: unknown;
-                        /** @description ValueFrom references a potentially confidential value in another source. */
-                        valueFrom?: {
-                            /** @description Secret references the secret containing the value. */
-                            secret?: {
-                                /** @description Key in the secret to select the value from. */
-                                key: string;
-                                /** @description Name of the secret in the same namespace. */
-                                name: string;
-                            };
-                        };
-                    }[];
-                    /** @description PluginDefinition is the name of the PluginDefinition this instance is for. */
-                    pluginDefinition: string;
-                    /** @description ReleaseNamespace is the namespace in the remote cluster to which the backend is deployed.\nDefaults to the Greenhouse managed namespace if not set. */
-                    releaseNamespace?: string;
-                };
-            };
-            /** @description PluginPresetStatus defines the observed state of PluginPreset */
-            status?: {
-                /** @description StatusConditions contain the different conditions that constitute the status of the PluginPreset. */
-                statusConditions?: {
-                    conditions?: {
-                        /**
-                         * Format: date-time
-                         * @description LastTransitionTime is the last time the condition transitioned from one status to another.
-                         */
-                        lastTransitionTime: string;
-                        /** @description Message is an optional human readable message indicating details about the last transition. */
-                        message?: string;
-                        /** @description Reason is a one-word, CamelCase reason for the condition's last transition. */
-                        reason?: string;
-                        /** @description Status of the condition. */
-                        status: string;
-                        /** @description Type of the condition. */
-                        type: string;
-                    }[];
                 };
             };
         };
@@ -783,7 +531,7 @@ export interface components {
                  * @description AccessMode configures how the cluster is accessed from the Greenhouse operator.
                  * @enum {string}
                  */
-                accessMode: "direct" | "headscale";
+                accessMode: "direct";
             };
             /** @description ClusterStatus defines the observed state of Cluster */
             status?: {
@@ -792,31 +540,6 @@ export interface components {
                  * @description BearerTokenExpirationTimestamp reflects the expiration timestamp of the bearer token used to access the cluster.
                  */
                 bearerTokenExpirationTimestamp?: string;
-                /** @description HeadScaleStatus contains the current status of the headscale client. */
-                headScaleStatus?: {
-                    /** Format: date-time */
-                    createdAt?: string;
-                    /** Format: date-time */
-                    expiry?: string;
-                    forcedTags?: string[];
-                    /** Format: int64 */
-                    id?: number;
-                    ipAddresses?: string[];
-                    name?: string;
-                    online?: boolean;
-                    /** @description PreAuthKey reflects the status of the pre-authentication key used by the Headscale machine. */
-                    preAuthKey?: {
-                        /** Format: date-time */
-                        createdAt?: string;
-                        ephemeral?: boolean;
-                        /** Format: date-time */
-                        expiration?: string;
-                        id?: string;
-                        reusable?: boolean;
-                        used?: boolean;
-                        user?: string;
-                    };
-                };
                 /** @description KubernetesVersion reflects the detected Kubernetes version of the cluster. */
                 kubernetesVersion?: string;
                 /** @description Nodes provides a map of cluster node names to node statuses */
@@ -865,10 +588,10 @@ export interface components {
             };
         };
         /**
-         * ClusterKubeconfig
-         * @description ClusterKubeconfig is the Schema for the clusterkubeconfigs API\nObjectMeta.OwnerReferences is used to link the ClusterKubeconfig to the Cluster\nObjectMeta.Generation is used to detect changes in the ClusterKubeconfig and sync local kubeconfig files\nObjectMeta.Name is designed to be the same with the Cluster name
+         * TeamRole
+         * @description TeamRole is the Schema for the TeamRoles API
          */
-        ClusterKubeconfig: {
+        TeamRole: {
             /** @description APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */
             apiVersion?: string;
             /** @description Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */
@@ -890,54 +613,53 @@ export interface components {
                     [key: string]: string;
                 };
             };
-            /** @description ClusterKubeconfigSpec stores the kubeconfig data for the cluster\nThe idea is to use kubeconfig data locally with minimum effort (with local tools or plain kubectl):\nkubectl get cluster-kubeconfig $NAME -o yaml | yq -y .spec.kubeconfig */
+            /** @description TeamRoleSpec defines the desired state of a TeamRole */
             spec?: {
-                /** @description ClusterKubeconfigData stores the kubeconfig data ready to use kubectl or other local tooling\nIt is a simplified version of clientcmdapi.Config: https://pkg.go.dev/k8s.io/client-go/tools/clientcmd/api#Config */
-                kubeconfig?: {
-                    apiVersion?: string;
-                    clusters?: {
-                        cluster: {
-                            /** Format: byte */
-                            "certificate-authority-data"?: string;
-                            server?: string;
-                        };
-                        name: string;
-                    }[];
-                    contexts: {
-                        context?: {
-                            cluster: string;
-                            namespace?: string;
-                            user: string;
-                        };
-                        name: string;
-                    }[];
-                    "current-context"?: string;
-                    kind?: string;
-                    preferences?: Record<string, never>;
-                    users: {
-                        name: string;
-                        user?: {
-                            /** @description AuthProviderConfig holds the configuration for a specified auth provider. */
-                            "auth-provider"?: {
-                                config?: {
-                                    [key: string]: string;
-                                };
-                                name: string;
-                            };
-                            /** Format: byte */
-                            "client-certificate-data"?: string;
-                            /** Format: byte */
-                            "client-key-data"?: string;
+                /** @description AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole on the remote cluster */
+                aggregationRule?: {
+                    /** @description ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.\nIf any of the selectors match, then the ClusterRole's permissions will be added */
+                    clusterRoleSelectors?: {
+                        /** @description matchExpressions is a list of label selector requirements. The requirements are ANDed. */
+                        matchExpressions?: {
+                            /** @description key is the label key that the selector applies to. */
+                            key: string;
+                            /** @description operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist. */
+                            operator: string;
+                            /** @description values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch. */
+                            values?: string[];
+                        }[];
+                        /** @description matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is "key", the\noperator is "In", and the values array contains only "value". The requirements are ANDed. */
+                        matchLabels?: {
+                            [key: string]: string;
                         };
                     }[];
                 };
+                /** @description Labels are applied to the ClusterRole created on the remote cluster.\nThis allows using TeamRoles as part of AggregationRules by other TeamRoles */
+                labels?: {
+                    [key: string]: string;
+                };
+                /** @description Rules is a list of rbacv1.PolicyRules used on a managed RBAC (Cluster)Role */
+                rules?: {
+                    /** @description APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of\nthe enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups. */
+                    apiGroups?: string[];
+                    /** @description NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path\nSince non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.\nRules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both. */
+                    nonResourceURLs?: string[];
+                    /** @description ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed. */
+                    resourceNames?: string[];
+                    /** @description Resources is a list of resources this rule applies to. '*' represents all resources. */
+                    resources?: string[];
+                    /** @description Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs. */
+                    verbs: string[];
+                }[];
             };
+            /** @description TeamRoleStatus defines the observed state of a TeamRole */
+            status?: Record<string, never>;
         };
         /**
-         * PluginDefinition
-         * @description PluginDefinition is the Schema for the PluginDefinitions API
+         * TeamMembership
+         * @description TeamMembership is the Schema for the teammemberships API
          */
-        PluginDefinition: {
+        TeamMembership: {
             /** @description APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */
             apiVersion?: string;
             /** @description Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */
@@ -959,70 +681,57 @@ export interface components {
                     [key: string]: string;
                 };
             };
-            /** @description PluginDefinitionSpec defines the desired state of PluginDefinitionSpec */
+            /** @description TeamMembershipSpec defines the desired state of TeamMembership */
             spec?: {
-                /** @description Description provides additional details of the pluginDefinition. */
-                description?: string;
-                /** @description DisplayName provides a human-readable label for the pluginDefinition. */
-                displayName?: string;
-                /** @description DocMarkDownUrl specifies the URL to the markdown documentation file for this plugin.\nSource needs to allow all CORS origins. */
-                docMarkDownUrl?: string;
-                /** @description HelmChart specifies where the Helm Chart for this pluginDefinition can be found. */
-                helmChart?: {
-                    /** @description Name of the HelmChart chart. */
-                    name: string;
-                    /** @description Repository of the HelmChart chart. */
-                    repository: string;
-                    /** @description Version of the HelmChart chart. */
-                    version: string;
-                };
-                /** @description Icon specifies the icon to be used for this plugin in the Greenhouse UI.\nIcons can be either:\n- A string representing a juno icon in camel case from this list: https://github.com/sapcc/juno/blob/main/libs/juno-ui-components/src/components/Icon/Icon.component.js#L6-L52\n- A publicly accessible image reference to a .png file. Will be displayed 100x100px */
-                icon?: string;
-                /** @description RequiredValues is a list of values required to create an instance of this PluginDefinition. */
-                options?: {
-                    /** @description Default provides a default value for the option */
-                    default?: unknown;
-                    /** @description Description provides a human-readable text for the value as shown in the UI. */
-                    description?: string;
-                    /** @description DisplayName provides a human-readable label for the configuration option */
-                    displayName?: string;
-                    /** @description Name/Key of the config option. */
-                    name: string;
-                    /** @description Regex specifies a match rule for validating configuration options. */
-                    regex?: string;
-                    /** @description Required indicates that this config option is required */
-                    required: boolean;
-                    /**
-                     * @description Type of this configuration option.
-                     * @enum {string}
-                     */
-                    type: "string" | "secret" | "bool" | "int" | "list" | "map";
+                /** @description Members list users that are part of a team. */
+                members?: {
+                    /** @description Email of the user. */
+                    email: string;
+                    /** @description FirstName of the user. */
+                    firstName: string;
+                    /** @description ID is the unique identifier of the user. */
+                    id: string;
+                    /** @description LastName of the user. */
+                    lastName: string;
                 }[];
-                /** @description UIApplication specifies a reference to a UI application */
-                uiApplication?: {
-                    /** @description Name of the UI application. */
-                    name: string;
-                    /** @description URL specifies the url to a built javascript asset.\nBy default, assets are loaded from the Juno asset server using the provided name and version. */
-                    url?: string;
-                    /** @description Version of the frontend application. */
-                    version: string;
-                };
-                /** @description Version of this pluginDefinition */
-                version: string;
+            };
+            /** @description TeamMembershipStatus defines the observed state of TeamMembership */
+            status?: {
                 /**
-                 * Format: int32
-                 * @description Weight configures the order in which Plugins are shown in the Greenhouse UI.\nDefaults to alphabetical sorting if not provided or on conflict.
+                 * Format: date-time
+                 * @description LastSyncedTime is the information when was the last time the membership was synced
                  */
-                weight?: number;
+                lastSyncedTime?: string;
+                /**
+                 * Format: date-time
+                 * @description LastChangedTime is the information when was the last time the membership was actually changed
+                 */
+                lastUpdateTime?: string;
+                /** @description StatusConditions contain the different conditions that constitute the status of the TeamRoleBinding. */
+                statusConditions?: {
+                    conditions?: {
+                        /**
+                         * Format: date-time
+                         * @description LastTransitionTime is the last time the condition transitioned from one status to another.
+                         */
+                        lastTransitionTime: string;
+                        /** @description Message is an optional human readable message indicating details about the last transition. */
+                        message?: string;
+                        /** @description Reason is a one-word, CamelCase reason for the condition's last transition. */
+                        reason?: string;
+                        /** @description Status of the condition. */
+                        status: string;
+                        /** @description Type of the condition. */
+                        type: string;
+                    }[];
+                };
             };
-            /** @description PluginDefinitionStatus defines the observed state of PluginDefinition */
-            status?: Record<string, never>;
         };
         /**
-         * Team
-         * @description Team is the Schema for the teams API
+         * PluginPreset
+         * @description PluginPreset is the Schema for the PluginPresets API
          */
-        Team: {
+        PluginPreset: {
             /** @description APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */
             apiVersion?: string;
             /** @description Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */
@@ -1044,21 +753,102 @@ export interface components {
                     [key: string]: string;
                 };
             };
-            /** @description TeamSpec defines the desired state of Team */
+            /** @description PluginPresetSpec defines the desired state of PluginPreset */
             spec?: {
-                /** @description Description provides additional details of the team. */
-                description?: string;
-                /** @description IdP group id matching team. */
-                mappedIdPGroup?: string;
+                /** @description ClusterOptionOverrides define plugin option values to override by the PluginPreset */
+                clusterOptionOverrides?: {
+                    clusterName: string;
+                    overrides: {
+                        /** @description Name of the values. */
+                        name: string;
+                        /** @description Value is the actual value in plain text. */
+                        value?: unknown;
+                        /** @description ValueFrom references a potentially confidential value in another source. */
+                        valueFrom?: {
+                            /** @description Secret references the secret containing the value. */
+                            secret?: {
+                                /** @description Key in the secret to select the value from. */
+                                key: string;
+                                /** @description Name of the secret in the same namespace. */
+                                name: string;
+                            };
+                        };
+                    }[];
+                }[];
+                /** @description ClusterSelector is a label selector to select the clusters the plugin bundle should be deployed to. */
+                clusterSelector: {
+                    /** @description matchExpressions is a list of label selector requirements. The requirements are ANDed. */
+                    matchExpressions?: {
+                        /** @description key is the label key that the selector applies to. */
+                        key: string;
+                        /** @description operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist. */
+                        operator: string;
+                        /** @description values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch. */
+                        values?: string[];
+                    }[];
+                    /** @description matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is "key", the\noperator is "In", and the values array contains only "value". The requirements are ANDed. */
+                    matchLabels?: {
+                        [key: string]: string;
+                    };
+                };
+                /** @description PluginSpec is the spec of the plugin to be deployed by the PluginPreset. */
+                plugin: {
+                    /** @description ClusterName is the name of the cluster the plugin is deployed to. If not set, the plugin is deployed to the greenhouse cluster. */
+                    clusterName?: string;
+                    /** @description Disabled indicates that the plugin is administratively disabled. */
+                    disabled: boolean;
+                    /** @description DisplayName is an optional name for the Plugin to be displayed in the Greenhouse UI.\nThis is especially helpful to distinguish multiple instances of a PluginDefinition in the same context.\nDefaults to a normalized version of metadata.name. */
+                    displayName?: string;
+                    /** @description Values are the values for a PluginDefinition instance. */
+                    optionValues?: {
+                        /** @description Name of the values. */
+                        name: string;
+                        /** @description Value is the actual value in plain text. */
+                        value?: unknown;
+                        /** @description ValueFrom references a potentially confidential value in another source. */
+                        valueFrom?: {
+                            /** @description Secret references the secret containing the value. */
+                            secret?: {
+                                /** @description Key in the secret to select the value from. */
+                                key: string;
+                                /** @description Name of the secret in the same namespace. */
+                                name: string;
+                            };
+                        };
+                    }[];
+                    /** @description PluginDefinition is the name of the PluginDefinition this instance is for. */
+                    pluginDefinition: string;
+                    /** @description ReleaseNamespace is the namespace in the remote cluster to which the backend is deployed.\nDefaults to the Greenhouse managed namespace if not set. */
+                    releaseNamespace?: string;
+                };
+            };
+            /** @description PluginPresetStatus defines the observed state of PluginPreset */
+            status?: {
+                /** @description StatusConditions contain the different conditions that constitute the status of the PluginPreset. */
+                statusConditions?: {
+                    conditions?: {
+                        /**
+                         * Format: date-time
+                         * @description LastTransitionTime is the last time the condition transitioned from one status to another.
+                         */
+                        lastTransitionTime: string;
+                        /** @description Message is an optional human readable message indicating details about the last transition. */
+                        message?: string;
+                        /** @description Reason is a one-word, CamelCase reason for the condition's last transition. */
+                        reason?: string;
+                        /** @description Status of the condition. */
+                        status: string;
+                        /** @description Type of the condition. */
+                        type: string;
+                    }[];
+                };
             };
-            /** @description TeamStatus defines the observed state of Team */
-            status?: Record<string, never>;
         };
         /**
-         * TeamMembership
-         * @description TeamMembership is the Schema for the teammemberships API
+         * Team
+         * @description Team is the Schema for the teams API
          */
-        TeamMembership: {
+        Team: {
             /** @description APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */
             apiVersion?: string;
             /** @description Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */
@@ -1080,51 +870,15 @@ export interface components {
                     [key: string]: string;
                 };
             };
-            /** @description TeamMembershipSpec defines the desired state of TeamMembership */
+            /** @description TeamSpec defines the desired state of Team */
             spec?: {
-                /** @description Members list users that are part of a team. */
-                members?: {
-                    /** @description Email of the user. */
-                    email: string;
-                    /** @description FirstName of the user. */
-                    firstName: string;
-                    /** @description ID is the unique identifier of the user. */
-                    id: string;
-                    /** @description LastName of the user. */
-                    lastName: string;
-                }[];
-            };
-            /** @description TeamMembershipStatus defines the observed state of TeamMembership */
-            status?: {
-                /**
-                 * Format: date-time
-                 * @description LastSyncedTime is the information when was the last time the membership was synced
-                 */
-                lastSyncedTime?: string;
-                /**
-                 * Format: date-time
-                 * @description LastChangedTime is the information when was the last time the membership was actually changed
-                 */
-                lastUpdateTime?: string;
-                /** @description StatusConditions contain the different conditions that constitute the status of the TeamRoleBinding. */
-                statusConditions?: {
-                    conditions?: {
-                        /**
-                         * Format: date-time
-                         * @description LastTransitionTime is the last time the condition transitioned from one status to another.
-                         */
-                        lastTransitionTime: string;
-                        /** @description Message is an optional human readable message indicating details about the last transition. */
-                        message?: string;
-                        /** @description Reason is a one-word, CamelCase reason for the condition's last transition. */
-                        reason?: string;
-                        /** @description Status of the condition. */
-                        status: string;
-                        /** @description Type of the condition. */
-                        type: string;
-                    }[];
-                };
+                /** @description Description provides additional details of the team. */
+                description?: string;
+                /** @description IdP group id matching team. */
+                mappedIdPGroup?: string;
             };
+            /** @description TeamStatus defines the observed state of Team */
+            status?: Record<string, never>;
         };
         /**
          * TeamRoleBinding
@@ -1222,6 +976,227 @@ export interface components {
                 };
             };
         };
+        /**
+         * Plugin
+         * @description Plugin is the Schema for the plugins API
+         */
+        Plugin: {
+            /** @description APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */
+            apiVersion?: string;
+            /** @description Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */
+            kind?: string;
+            metadata?: {
+                name?: string;
+                namespace?: string;
+                /** Format: uuid */
+                uid?: string;
+                resourceVersion?: string;
+                /** Format: date-time */
+                creationTimestamp?: string;
+                /** Format: date-time */
+                deletionTimestamp?: string;
+                labels?: {
+                    [key: string]: string;
+                };
+                annotations?: {
+                    [key: string]: string;
+                };
+            };
+            /** @description PluginSpec defines the desired state of Plugin */
+            spec?: {
+                /** @description ClusterName is the name of the cluster the plugin is deployed to. If not set, the plugin is deployed to the greenhouse cluster. */
+                clusterName?: string;
+                /** @description Disabled indicates that the plugin is administratively disabled. */
+                disabled: boolean;
+                /** @description DisplayName is an optional name for the Plugin to be displayed in the Greenhouse UI.\nThis is especially helpful to distinguish multiple instances of a PluginDefinition in the same context.\nDefaults to a normalized version of metadata.name. */
+                displayName?: string;
+                /** @description Values are the values for a PluginDefinition instance. */
+                optionValues?: {
+                    /** @description Name of the values. */
+                    name: string;
+                    /** @description Value is the actual value in plain text. */
+                    value?: unknown;
+                    /** @description ValueFrom references a potentially confidential value in another source. */
+                    valueFrom?: {
+                        /** @description Secret references the secret containing the value. */
+                        secret?: {
+                            /** @description Key in the secret to select the value from. */
+                            key: string;
+                            /** @description Name of the secret in the same namespace. */
+                            name: string;
+                        };
+                    };
+                }[];
+                /** @description PluginDefinition is the name of the PluginDefinition this instance is for. */
+                pluginDefinition: string;
+                /** @description ReleaseNamespace is the namespace in the remote cluster to which the backend is deployed.\nDefaults to the Greenhouse managed namespace if not set. */
+                releaseNamespace?: string;
+            };
+            /** @description PluginStatus defines the observed state of Plugin */
+            status?: {
+                /** @description Description provides additional details of the plugin. */
+                description?: string;
+                /** @description ExposedServices provides an overview of the Plugins services that are centrally exposed.\nIt maps the exposed URL to the service found in the manifest. */
+                exposedServices?: {
+                    [key: string]: {
+                        /** @description Name is the name of the service in the target cluster. */
+                        name: string;
+                        /** @description Namespace is the namespace of the service in the target cluster. */
+                        namespace: string;
+                        /**
+                         * Format: int32
+                         * @description Port is the port of the service.
+                         */
+                        port: number;
+                        /** @description Protocol is the protocol of the service. */
+                        protocol?: string;
+                    };
+                };
+                /** @description HelmChart contains a reference the helm chart used for the deployed pluginDefinition version. */
+                helmChart?: {
+                    /** @description Name of the HelmChart chart. */
+                    name: string;
+                    /** @description Repository of the HelmChart chart. */
+                    repository: string;
+                    /** @description Version of the HelmChart chart. */
+                    version: string;
+                };
+                /** @description HelmReleaseStatus reflects the status of the latest HelmChart release.\nThis is only configured if the pluginDefinition is backed by HelmChart. */
+                helmReleaseStatus?: {
+                    /**
+                     * Format: date-time
+                     * @description FirstDeployed is the timestamp of the first deployment of the release.
+                     */
+                    firstDeployed?: string;
+                    /**
+                     * Format: date-time
+                     * @description LastDeployed is the timestamp of the last deployment of the release.
+                     */
+                    lastDeployed?: string;
+                    /** @description Status is the status of a HelmChart release. */
+                    status: string;
+                };
+                /** @description StatusConditions contain the different conditions that constitute the status of the Plugin. */
+                statusConditions?: {
+                    conditions?: {
+                        /**
+                         * Format: date-time
+                         * @description LastTransitionTime is the last time the condition transitioned from one status to another.
+                         */
+                        lastTransitionTime: string;
+                        /** @description Message is an optional human readable message indicating details about the last transition. */
+                        message?: string;
+                        /** @description Reason is a one-word, CamelCase reason for the condition's last transition. */
+                        reason?: string;
+                        /** @description Status of the condition. */
+                        status: string;
+                        /** @description Type of the condition. */
+                        type: string;
+                    }[];
+                };
+                /** @description UIApplication contains a reference to the frontend that is used for the deployed pluginDefinition version. */
+                uiApplication?: {
+                    /** @description Name of the UI application. */
+                    name: string;
+                    /** @description URL specifies the url to a built javascript asset.\nBy default, assets are loaded from the Juno asset server using the provided name and version. */
+                    url?: string;
+                    /** @description Version of the frontend application. */
+                    version: string;
+                };
+                /** @description Version contains the latest pluginDefinition version the config was last applied with successfully. */
+                version?: string;
+                /**
+                 * Format: int32
+                 * @description Weight configures the order in which Plugins are shown in the Greenhouse UI.
+                 */
+                weight?: number;
+            };
+        };
+        /**
+         * PluginDefinition
+         * @description PluginDefinition is the Schema for the PluginDefinitions API
+         */
+        PluginDefinition: {
+            /** @description APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources */
+            apiVersion?: string;
+            /** @description Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds */
+            kind?: string;
+            metadata?: {
+                name?: string;
+                namespace?: string;
+                /** Format: uuid */
+                uid?: string;
+                resourceVersion?: string;
+                /** Format: date-time */
+                creationTimestamp?: string;
+                /** Format: date-time */
+                deletionTimestamp?: string;
+                labels?: {
+                    [key: string]: string;
+                };
+                annotations?: {
+                    [key: string]: string;
+                };
+            };
+            /** @description PluginDefinitionSpec defines the desired state of PluginDefinitionSpec */
+            spec?: {
+                /** @description Description provides additional details of the pluginDefinition. */
+                description?: string;
+                /** @description DisplayName provides a human-readable label for the pluginDefinition. */
+                displayName?: string;
+                /** @description DocMarkDownUrl specifies the URL to the markdown documentation file for this plugin.\nSource needs to allow all CORS origins. */
+                docMarkDownUrl?: string;
+                /** @description HelmChart specifies where the Helm Chart for this pluginDefinition can be found. */
+                helmChart?: {
+                    /** @description Name of the HelmChart chart. */
+                    name: string;
+                    /** @description Repository of the HelmChart chart. */
+                    repository: string;
+                    /** @description Version of the HelmChart chart. */
+                    version: string;
+                };
+                /** @description Icon specifies the icon to be used for this plugin in the Greenhouse UI.\nIcons can be either:\n- A string representing a juno icon in camel case from this list: https://github.com/sapcc/juno/blob/main/libs/juno-ui-components/src/components/Icon/Icon.component.js#L6-L52\n- A publicly accessible image reference to a .png file. Will be displayed 100x100px */
+                icon?: string;
+                /** @description RequiredValues is a list of values required to create an instance of this PluginDefinition. */
+                options?: {
+                    /** @description Default provides a default value for the option */
+                    default?: unknown;
+                    /** @description Description provides a human-readable text for the value as shown in the UI. */
+                    description?: string;
+                    /** @description DisplayName provides a human-readable label for the configuration option */
+                    displayName?: string;
+                    /** @description Name/Key of the config option. */
+                    name: string;
+                    /** @description Regex specifies a match rule for validating configuration options. */
+                    regex?: string;
+                    /** @description Required indicates that this config option is required */
+                    required: boolean;
+                    /**
+                     * @description Type of this configuration option.
+                     * @enum {string}
+                     */
+                    type: "string" | "secret" | "bool" | "int" | "list" | "map";
+                }[];
+                /** @description UIApplication specifies a reference to a UI application */
+                uiApplication?: {
+                    /** @description Name of the UI application. */
+                    name: string;
+                    /** @description URL specifies the url to a built javascript asset.\nBy default, assets are loaded from the Juno asset server using the provided name and version. */
+                    url?: string;
+                    /** @description Version of the frontend application. */
+                    version: string;
+                };
+                /** @description Version of this pluginDefinition */
+                version: string;
+                /**
+                 * Format: int32
+                 * @description Weight configures the order in which Plugins are shown in the Greenhouse UI.\nDefaults to alphabetical sorting if not provided or on conflict.
+                 */
+                weight?: number;
+            };
+            /** @description PluginDefinitionStatus defines the observed state of PluginDefinition */
+            status?: Record<string, never>;
+        };
     };
     responses: never;
     parameters: never;

From 777142306823d0f0f0ea08c1125d8ac72ece6b34 Mon Sep 17 00:00:00 2001
From: CRD API Docs Bot <crd_api_docs_bot@github.com>
Date: Thu, 10 Oct 2024 11:46:13 +0000
Subject: [PATCH 2/2] Automatic generation of CRD API Docs

---
 docs/reference/api/openapi.yaml | 1100 +++++++++++++++----------------
 1 file changed, 550 insertions(+), 550 deletions(-)

diff --git a/docs/reference/api/openapi.yaml b/docs/reference/api/openapi.yaml
index 43e51dabb..519340b77 100755
--- a/docs/reference/api/openapi.yaml
+++ b/docs/reference/api/openapi.yaml
@@ -1,7 +1,7 @@
 openapi: 3.0.0
 info:
   title: Greenhouse
-  version: b6c8a6d
+  version: 723b1e3
   description: PlusOne operations platform
 paths:
   /Organization:
@@ -9,21 +9,21 @@ paths:
       responses:
         default:
           description: Organization
-  /ClusterKubeconfig:
+  /Plugin:
     post:
       responses:
         default:
-          description: ClusterKubeconfig
+          description: Plugin
   /Cluster:
     post:
       responses:
         default:
           description: Cluster
-  /TeamRole:
+  /ClusterKubeconfig:
     post:
       responses:
         default:
-          description: TeamRole
+          description: ClusterKubeconfig
   /TeamMembership:
     post:
       responses:
@@ -34,26 +34,26 @@ paths:
       responses:
         default:
           description: PluginPreset
-  /Team:
+  /PluginDefinition:
     post:
       responses:
         default:
-          description: Team
-  /TeamRoleBinding:
+          description: PluginDefinition
+  /TeamRole:
     post:
       responses:
         default:
-          description: TeamRoleBinding
-  /Plugin:
+          description: TeamRole
+  /Team:
     post:
       responses:
         default:
-          description: Plugin
-  /PluginDefinition:
+          description: Team
+  /TeamRoleBinding:
     post:
       responses:
         default:
-          description: PluginDefinition
+          description: TeamRoleBinding
 components:
   schemas:
     Organization:
@@ -177,12 +177,12 @@ components:
           description: OrganizationStatus defines the observed state of an Organization
           type: object
       type: object
-    ClusterKubeconfig:
+    Plugin:
       xml:
         name: greenhouse.sap
         namespace: v1alpha1
-      title: ClusterKubeconfig
-      description: ClusterKubeconfig is the Schema for the clusterkubeconfigs API\nObjectMeta.OwnerReferences is used to link the ClusterKubeconfig to the Cluster\nObjectMeta.Generation is used to detect changes in the ClusterKubeconfig and sync local kubeconfig files\nObjectMeta.Name is designed to be the same with the Cluster name
+      title: Plugin
+      description: Plugin is the Schema for the plugins API
       properties:
         apiVersion:
           description: 'APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
@@ -193,92 +193,179 @@ components:
         metadata:
           type: object
         spec:
-          description: ClusterKubeconfigSpec stores the kubeconfig data for the cluster\nThe idea is to use kubeconfig data locally with minimum effort (with local tools or plain kubectl):\nkubectl get cluster-kubeconfig $NAME -o yaml | yq -y .spec.kubeconfig
+          description: PluginSpec defines the desired state of Plugin
           properties:
-            kubeconfig:
-              description: 'ClusterKubeconfigData stores the kubeconfig data ready to use kubectl or other local tooling\nIt is a simplified version of clientcmdapi.Config: https://pkg.go.dev/k8s.io/client-go/tools/clientcmd/api#Config'
-              properties:
-                apiVersion:
-                  type: string
-                clusters:
-                  items:
-                    properties:
-                      cluster:
-                        properties:
-                          certificate-authority-data:
-                            format: byte
-                            type: string
-                          server:
-                            type: string
-                        type: object
-                      name:
-                        type: string
-                    required:
-                      - cluster
-                      - name
-                    type: object
-                  type: array
-                contexts:
-                  items:
+            clusterName:
+              description: ClusterName is the name of the cluster the plugin is deployed to. If not set, the plugin is deployed to the greenhouse cluster.
+              type: string
+            disabled:
+              description: Disabled indicates that the plugin is administratively disabled.
+              type: boolean
+            displayName:
+              description: DisplayName is an optional name for the Plugin to be displayed in the Greenhouse UI.\nThis is especially helpful to distinguish multiple instances of a PluginDefinition in the same context.\nDefaults to a normalized version of metadata.name.
+              type: string
+            optionValues:
+              description: Values are the values for a PluginDefinition instance.
+              items:
+                description: PluginOptionValue is the value for a PluginOption.
+                properties:
+                  name:
+                    description: Name of the values.
+                    type: string
+                  value:
+                    description: Value is the actual value in plain text.
+                    x-kubernetes-preserve-unknown-fields: true
+                  valueFrom:
+                    description: ValueFrom references a potentially confidential value in another source.
                     properties:
-                      context:
+                      secret:
+                        description: Secret references the secret containing the value.
                         properties:
-                          cluster:
-                            type: string
-                          namespace:
+                          key:
+                            description: Key in the secret to select the value from.
                             type: string
-                          user:
+                          name:
+                            description: Name of the secret in the same namespace.
                             type: string
                         required:
-                          - cluster
-                          - user
+                          - key
+                          - name
                         type: object
-                      name:
-                        type: string
-                    required:
-                      - name
                     type: object
-                  type: array
-                current-context:
+                required:
+                  - name
+                type: object
+              type: array
+            pluginDefinition:
+              description: PluginDefinition is the name of the PluginDefinition this instance is for.
+              type: string
+            releaseNamespace:
+              description: ReleaseNamespace is the namespace in the remote cluster to which the backend is deployed.\nDefaults to the Greenhouse managed namespace if not set.
+              type: string
+          required:
+            - disabled
+            - pluginDefinition
+          type: object
+        status:
+          description: PluginStatus defines the observed state of Plugin
+          properties:
+            description:
+              description: Description provides additional details of the plugin.
+              type: string
+            exposedServices:
+              additionalProperties:
+                description: Service references a Kubernetes service of a Plugin.
+                properties:
+                  name:
+                    description: Name is the name of the service in the target cluster.
+                    type: string
+                  namespace:
+                    description: Namespace is the namespace of the service in the target cluster.
+                    type: string
+                  port:
+                    description: Port is the port of the service.
+                    format: int32
+                    type: integer
+                  protocol:
+                    description: Protocol is the protocol of the service.
+                    type: string
+                required:
+                  - name
+                  - namespace
+                  - port
+                type: object
+              description: ExposedServices provides an overview of the Plugins services that are centrally exposed.\nIt maps the exposed URL to the service found in the manifest.
+              type: object
+            helmChart:
+              description: HelmChart contains a reference the helm chart used for the deployed pluginDefinition version.
+              properties:
+                name:
+                  description: Name of the HelmChart chart.
                   type: string
-                kind:
+                repository:
+                  description: Repository of the HelmChart chart.
                   type: string
-                preferences:
-                  type: object
-                users:
+                version:
+                  description: Version of the HelmChart chart.
+                  type: string
+              required:
+                - name
+                - repository
+                - version
+              type: object
+            helmReleaseStatus:
+              description: HelmReleaseStatus reflects the status of the latest HelmChart release.\nThis is only configured if the pluginDefinition is backed by HelmChart.
+              properties:
+                firstDeployed:
+                  description: FirstDeployed is the timestamp of the first deployment of the release.
+                  format: date-time
+                  type: string
+                lastDeployed:
+                  description: LastDeployed is the timestamp of the last deployment of the release.
+                  format: date-time
+                  type: string
+                status:
+                  description: Status is the status of a HelmChart release.
+                  type: string
+              required:
+                - status
+              type: object
+            statusConditions:
+              description: StatusConditions contain the different conditions that constitute the status of the Plugin.
+              properties:
+                conditions:
                   items:
+                    description: Condition contains additional information on the state of a resource.
                     properties:
-                      name:
+                      lastTransitionTime:
+                        description: LastTransitionTime is the last time the condition transitioned from one status to another.
+                        format: date-time
+                        type: string
+                      message:
+                        description: Message is an optional human readable message indicating details about the last transition.
+                        type: string
+                      reason:
+                        description: Reason is a one-word, CamelCase reason for the condition's last transition.
+                        type: string
+                      status:
+                        description: Status of the condition.
+                        type: string
+                      type:
+                        description: Type of the condition.
                         type: string
-                      user:
-                        properties:
-                          auth-provider:
-                            description: AuthProviderConfig holds the configuration for a specified auth provider.
-                            properties:
-                              config:
-                                additionalProperties:
-                                  type: string
-                                type: object
-                              name:
-                                type: string
-                            required:
-                              - name
-                            type: object
-                          client-certificate-data:
-                            format: byte
-                            type: string
-                          client-key-data:
-                            format: byte
-                            type: string
-                        type: object
                     required:
-                      - name
+                      - lastTransitionTime
+                      - status
+                      - type
                     type: object
                   type: array
+                  x-kubernetes-list-map-keys:
+                    - type
+                  x-kubernetes-list-type: map
+              type: object
+            uiApplication:
+              description: UIApplication contains a reference to the frontend that is used for the deployed pluginDefinition version.
+              properties:
+                name:
+                  description: Name of the UI application.
+                  type: string
+                url:
+                  description: URL specifies the url to a built javascript asset.\nBy default, assets are loaded from the Juno asset server using the provided name and version.
+                  type: string
+                version:
+                  description: Version of the frontend application.
+                  type: string
               required:
-                - contexts
-                - users
+                - name
+                - version
               type: object
+            version:
+              description: Version contains the latest pluginDefinition version the config was last applied with successfully.
+              type: string
+            weight:
+              description: Weight configures the order in which Plugins are shown in the Greenhouse UI.
+              format: int32
+              type: integer
           type: object
       type: object
     Cluster:
@@ -394,12 +481,12 @@ components:
               type: object
           type: object
       type: object
-    TeamRole:
+    ClusterKubeconfig:
       xml:
         name: greenhouse.sap
         namespace: v1alpha1
-      title: TeamRole
-      description: TeamRole is the Schema for the TeamRoles API
+      title: ClusterKubeconfig
+      description: ClusterKubeconfig is the Schema for the clusterkubeconfigs API\nObjectMeta.OwnerReferences is used to link the ClusterKubeconfig to the Cluster\nObjectMeta.Generation is used to detect changes in the ClusterKubeconfig and sync local kubeconfig files\nObjectMeta.Name is designed to be the same with the Cluster name
       properties:
         apiVersion:
           description: 'APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
@@ -410,96 +497,92 @@ components:
         metadata:
           type: object
         spec:
-          description: TeamRoleSpec defines the desired state of a TeamRole
+          description: ClusterKubeconfigSpec stores the kubeconfig data for the cluster\nThe idea is to use kubeconfig data locally with minimum effort (with local tools or plain kubectl):\nkubectl get cluster-kubeconfig $NAME -o yaml | yq -y .spec.kubeconfig
           properties:
-            aggregationRule:
-              description: AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole on the remote cluster
+            kubeconfig:
+              description: 'ClusterKubeconfigData stores the kubeconfig data ready to use kubectl or other local tooling\nIt is a simplified version of clientcmdapi.Config: https://pkg.go.dev/k8s.io/client-go/tools/clientcmd/api#Config'
               properties:
-                clusterRoleSelectors:
-                  description: ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.\nIf any of the selectors match, then the ClusterRole's permissions will be added
+                apiVersion:
+                  type: string
+                clusters:
                   items:
-                    description: A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.
                     properties:
-                      matchExpressions:
-                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                        items:
-                          description: A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.
-                          properties:
-                            key:
-                              description: key is the label key that the selector applies to.
-                              type: string
-                            operator:
-                              description: operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.
-                              type: string
-                            values:
-                              description: values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.
-                              items:
+                      cluster:
+                        properties:
+                          certificate-authority-data:
+                            format: byte
+                            type: string
+                          server:
+                            type: string
+                        type: object
+                      name:
+                        type: string
+                    required:
+                      - cluster
+                      - name
+                    type: object
+                  type: array
+                contexts:
+                  items:
+                    properties:
+                      context:
+                        properties:
+                          cluster:
+                            type: string
+                          namespace:
+                            type: string
+                          user:
+                            type: string
+                        required:
+                          - cluster
+                          - user
+                        type: object
+                      name:
+                        type: string
+                    required:
+                      - name
+                    type: object
+                  type: array
+                current-context:
+                  type: string
+                kind:
+                  type: string
+                preferences:
+                  type: object
+                users:
+                  items:
+                    properties:
+                      name:
+                        type: string
+                      user:
+                        properties:
+                          auth-provider:
+                            description: AuthProviderConfig holds the configuration for a specified auth provider.
+                            properties:
+                              config:
+                                additionalProperties:
+                                  type: string
+                                type: object
+                              name:
                                 type: string
-                              type: array
-                              x-kubernetes-list-type: atomic
-                          required:
-                            - key
-                            - operator
-                          type: object
-                        type: array
-                        x-kubernetes-list-type: atomic
-                      matchLabels:
-                        additionalProperties:
-                          type: string
-                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is "key", the\noperator is "In", and the values array contains only "value". The requirements are ANDed.
+                            required:
+                              - name
+                            type: object
+                          client-certificate-data:
+                            format: byte
+                            type: string
+                          client-key-data:
+                            format: byte
+                            type: string
                         type: object
+                    required:
+                      - name
                     type: object
-                    x-kubernetes-map-type: atomic
                   type: array
-                  x-kubernetes-list-type: atomic
-              type: object
-            labels:
-              additionalProperties:
-                type: string
-              description: Labels are applied to the ClusterRole created on the remote cluster.\nThis allows using TeamRoles as part of AggregationRules by other TeamRoles
+              required:
+                - contexts
+                - users
               type: object
-            rules:
-              description: Rules is a list of rbacv1.PolicyRules used on a managed RBAC (Cluster)Role
-              items:
-                description: PolicyRule holds information that describes a policy rule, but does not contain information\nabout who the rule applies to or which namespace the rule applies to.
-                properties:
-                  apiGroups:
-                    description: APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of\nthe enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
-                    items:
-                      type: string
-                    type: array
-                    x-kubernetes-list-type: atomic
-                  nonResourceURLs:
-                    description: NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path\nSince non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.\nRules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
-                    items:
-                      type: string
-                    type: array
-                    x-kubernetes-list-type: atomic
-                  resourceNames:
-                    description: ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
-                    items:
-                      type: string
-                    type: array
-                    x-kubernetes-list-type: atomic
-                  resources:
-                    description: Resources is a list of resources this rule applies to. '*' represents all resources.
-                    items:
-                      type: string
-                    type: array
-                    x-kubernetes-list-type: atomic
-                  verbs:
-                    description: Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
-                    items:
-                      type: string
-                    type: array
-                    x-kubernetes-list-type: atomic
-                required:
-                  - verbs
-                type: object
-              type: array
-          type: object
-        status:
-          description: TeamRoleStatus defines the observed state of a TeamRole
           type: object
       type: object
     TeamMembership:
@@ -781,12 +864,12 @@ components:
               type: object
           type: object
       type: object
-    Team:
+    PluginDefinition:
       xml:
         name: greenhouse.sap
         namespace: v1alpha1
-      title: Team
-      description: Team is the Schema for the teams API
+      title: PluginDefinition
+      description: PluginDefinition is the Schema for the PluginDefinitions API
       properties:
         apiVersion:
           description: 'APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
@@ -797,168 +880,219 @@ components:
         metadata:
           type: object
         spec:
-          description: TeamSpec defines the desired state of Team
+          description: PluginDefinitionSpec defines the desired state of PluginDefinitionSpec
           properties:
             description:
-              description: Description provides additional details of the team.
+              description: Description provides additional details of the pluginDefinition.
               type: string
-            mappedIdPGroup:
-              description: IdP group id matching team.
+            displayName:
+              description: DisplayName provides a human-readable label for the pluginDefinition.
               type: string
-          type: object
-        status:
-          description: TeamStatus defines the observed state of Team
-          type: object
-      type: object
-    TeamRoleBinding:
-      xml:
-        name: greenhouse.sap
-        namespace: v1alpha1
-      title: TeamRoleBinding
-      description: TeamRoleBinding is the Schema for the rolebindings API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: TeamRoleBindingSpec defines the desired state of a TeamRoleBinding
-          properties:
-            clusterName:
-              description: ClusterName is the name of the cluster the rbacv1 resources are created on.
+            docMarkDownUrl:
+              description: DocMarkDownUrl specifies the URL to the markdown documentation file for this plugin.\nSource needs to allow all CORS origins.
               type: string
-            clusterSelector:
-              description: ClusterSelector is a label selector to select the Clusters the TeamRoleBinding should be deployed to.
+            helmChart:
+              description: HelmChart specifies where the Helm Chart for this pluginDefinition can be found.
               properties:
-                matchExpressions:
-                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
-                  items:
-                    description: A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.
-                    properties:
-                      key:
-                        description: key is the label key that the selector applies to.
-                        type: string
-                      operator:
-                        description: operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.
-                        type: string
-                      values:
-                        description: values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.
-                        items:
-                          type: string
-                        type: array
-                        x-kubernetes-list-type: atomic
-                    required:
-                      - key
-                      - operator
-                    type: object
-                  type: array
-                  x-kubernetes-list-type: atomic
-                matchLabels:
-                  additionalProperties:
-                    type: string
-                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is "key", the\noperator is "In", and the values array contains only "value". The requirements are ANDed.
-                  type: object
+                name:
+                  description: Name of the HelmChart chart.
+                  type: string
+                repository:
+                  description: Repository of the HelmChart chart.
+                  type: string
+                version:
+                  description: Version of the HelmChart chart.
+                  type: string
+              required:
+                - name
+                - repository
+                - version
               type: object
-              x-kubernetes-map-type: atomic
-            namespaces:
-              description: Namespaces is the immutable list of namespaces in the Greenhouse Clusters to apply the RoleBinding to.\nIf empty, a ClusterRoleBinding will be created on the remote cluster, otherwise a RoleBinding per namespace.
+            icon:
+              description: 'Icon specifies the icon to be used for this plugin in the Greenhouse UI.\nIcons can be either:\n- A string representing a juno icon in camel case from this list: https://github.com/sapcc/juno/blob/main/libs/juno-ui-components/src/components/Icon/Icon.component.js#L6-L52\n- A publicly accessible image reference to a .png file. Will be displayed 100x100px'
+              type: string
+            options:
+              description: RequiredValues is a list of values required to create an instance of this PluginDefinition.
               items:
-                type: string
-              type: array
-            teamRef:
-              description: TeamRef references a Greenhouse Team by name
-              type: string
-            teamRoleRef:
-              description: TeamRoleRef references a Greenhouse TeamRole by name
-              type: string
-          type: object
-        status:
-          description: TeamRoleBindingStatus defines the observed state of the TeamRoleBinding
-          properties:
-            clusters:
-              description: PropagationStatus is the list of clusters the TeamRoleBinding is applied to
-              items:
-                description: PropagationStatus defines the observed state of the TeamRoleBinding's associated rbacv1 resources  on a Cluster
                 properties:
-                  clusterName:
-                    description: ClusterName is the name of the cluster the rbacv1 resources are created on.
+                  default:
+                    description: Default provides a default value for the option
+                    x-kubernetes-preserve-unknown-fields: true
+                  description:
+                    description: Description provides a human-readable text for the value as shown in the UI.
+                    type: string
+                  displayName:
+                    description: DisplayName provides a human-readable label for the configuration option
+                    type: string
+                  name:
+                    description: Name/Key of the config option.
+                    type: string
+                  regex:
+                    description: Regex specifies a match rule for validating configuration options.
+                    type: string
+                  required:
+                    description: Required indicates that this config option is required
+                    type: boolean
+                  type:
+                    description: Type of this configuration option.
+                    enum:
+                      - string
+                      - secret
+                      - bool
+                      - int
+                      - list
+                      - map
                     type: string
-                  condition:
-                    description: Condition is the overall Status of the rbacv1 resources created on the cluster
-                    properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the last time the condition transitioned from one status to another.
-                        format: date-time
-                        type: string
-                      message:
-                        description: Message is an optional human readable message indicating details about the last transition.
-                        type: string
-                      reason:
-                        description: Reason is a one-word, CamelCase reason for the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition.
-                        type: string
-                      type:
-                        description: Type of the condition.
-                        type: string
-                    required:
-                      - lastTransitionTime
-                      - status
-                      - type
-                    type: object
                 required:
-                  - clusterName
+                  - name
+                  - required
+                  - type
                 type: object
               type: array
-              x-kubernetes-list-map-keys:
-                - clusterName
-              x-kubernetes-list-type: map
-            statusConditions:
-              description: StatusConditions contain the different conditions that constitute the status of the TeamRoleBinding.
+            uiApplication:
+              description: UIApplication specifies a reference to a UI application
               properties:
-                conditions:
+                name:
+                  description: Name of the UI application.
+                  type: string
+                url:
+                  description: URL specifies the url to a built javascript asset.\nBy default, assets are loaded from the Juno asset server using the provided name and version.
+                  type: string
+                version:
+                  description: Version of the frontend application.
+                  type: string
+              required:
+                - name
+                - version
+              type: object
+            version:
+              description: Version of this pluginDefinition
+              type: string
+            weight:
+              description: Weight configures the order in which Plugins are shown in the Greenhouse UI.\nDefaults to alphabetical sorting if not provided or on conflict.
+              format: int32
+              type: integer
+          required:
+            - version
+          type: object
+        status:
+          description: PluginDefinitionStatus defines the observed state of PluginDefinition
+          type: object
+      type: object
+    TeamRole:
+      xml:
+        name: greenhouse.sap
+        namespace: v1alpha1
+      title: TeamRole
+      description: TeamRole is the Schema for the TeamRoles API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: TeamRoleSpec defines the desired state of a TeamRole
+          properties:
+            aggregationRule:
+              description: AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole on the remote cluster
+              properties:
+                clusterRoleSelectors:
+                  description: ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules.\nIf any of the selectors match, then the ClusterRole's permissions will be added
                   items:
-                    description: Condition contains additional information on the state of a resource.
+                    description: A label selector is a label query over a set of resources. The result of matchLabels and\nmatchExpressions are ANDed. An empty label selector matches all objects. A null\nlabel selector matches no objects.
                     properties:
-                      lastTransitionTime:
-                        description: LastTransitionTime is the last time the condition transitioned from one status to another.
-                        format: date-time
-                        type: string
-                      message:
-                        description: Message is an optional human readable message indicating details about the last transition.
-                        type: string
-                      reason:
-                        description: Reason is a one-word, CamelCase reason for the condition's last transition.
-                        type: string
-                      status:
-                        description: Status of the condition.
-                        type: string
-                      type:
-                        description: Type of the condition.
-                        type: string
-                    required:
-                      - lastTransitionTime
-                      - status
-                      - type
+                      matchExpressions:
+                        description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                        items:
+                          description: A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.
+                          properties:
+                            key:
+                              description: key is the label key that the selector applies to.
+                              type: string
+                            operator:
+                              description: operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.
+                              type: string
+                            values:
+                              description: values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.
+                              items:
+                                type: string
+                              type: array
+                              x-kubernetes-list-type: atomic
+                          required:
+                            - key
+                            - operator
+                          type: object
+                        type: array
+                        x-kubernetes-list-type: atomic
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is "key", the\noperator is "In", and the values array contains only "value". The requirements are ANDed.
+                        type: object
                     type: object
+                    x-kubernetes-map-type: atomic
                   type: array
-                  x-kubernetes-list-map-keys:
-                    - type
-                  x-kubernetes-list-type: map
+                  x-kubernetes-list-type: atomic
+              type: object
+            labels:
+              additionalProperties:
+                type: string
+              description: Labels are applied to the ClusterRole created on the remote cluster.\nThis allows using TeamRoles as part of AggregationRules by other TeamRoles
               type: object
+            rules:
+              description: Rules is a list of rbacv1.PolicyRules used on a managed RBAC (Cluster)Role
+              items:
+                description: PolicyRule holds information that describes a policy rule, but does not contain information\nabout who the rule applies to or which namespace the rule applies to.
+                properties:
+                  apiGroups:
+                    description: APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of\nthe enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  nonResourceURLs:
+                    description: NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path\nSince non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.\nRules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  resourceNames:
+                    description: ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  resources:
+                    description: Resources is a list of resources this rule applies to. '*' represents all resources.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  verbs:
+                    description: Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                required:
+                  - verbs
+                type: object
+              type: array
+          type: object
+        status:
+          description: TeamRoleStatus defines the observed state of a TeamRole
           type: object
       type: object
-    Plugin:
+    Team:
       xml:
         name: greenhouse.sap
         namespace: v1alpha1
-      title: Plugin
-      description: Plugin is the Schema for the plugins API
+      title: Team
+      description: Team is the Schema for the teams API
       properties:
         apiVersion:
           description: 'APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
@@ -969,125 +1103,129 @@ components:
         metadata:
           type: object
         spec:
-          description: PluginSpec defines the desired state of Plugin
+          description: TeamSpec defines the desired state of Team
           properties:
-            clusterName:
-              description: ClusterName is the name of the cluster the plugin is deployed to. If not set, the plugin is deployed to the greenhouse cluster.
+            description:
+              description: Description provides additional details of the team.
               type: string
-            disabled:
-              description: Disabled indicates that the plugin is administratively disabled.
-              type: boolean
-            displayName:
-              description: DisplayName is an optional name for the Plugin to be displayed in the Greenhouse UI.\nThis is especially helpful to distinguish multiple instances of a PluginDefinition in the same context.\nDefaults to a normalized version of metadata.name.
+            mappedIdPGroup:
+              description: IdP group id matching team.
               type: string
-            optionValues:
-              description: Values are the values for a PluginDefinition instance.
-              items:
-                description: PluginOptionValue is the value for a PluginOption.
-                properties:
-                  name:
-                    description: Name of the values.
-                    type: string
-                  value:
-                    description: Value is the actual value in plain text.
-                    x-kubernetes-preserve-unknown-fields: true
-                  valueFrom:
-                    description: ValueFrom references a potentially confidential value in another source.
+          type: object
+        status:
+          description: TeamStatus defines the observed state of Team
+          type: object
+      type: object
+    TeamRoleBinding:
+      xml:
+        name: greenhouse.sap
+        namespace: v1alpha1
+      title: TeamRoleBinding
+      description: TeamRoleBinding is the Schema for the rolebindings API
+      properties:
+        apiVersion:
+          description: 'APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+          type: string
+        kind:
+          description: 'Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+          type: string
+        metadata:
+          type: object
+        spec:
+          description: TeamRoleBindingSpec defines the desired state of a TeamRoleBinding
+          properties:
+            clusterName:
+              description: ClusterName is the name of the cluster the rbacv1 resources are created on.
+              type: string
+            clusterSelector:
+              description: ClusterSelector is a label selector to select the Clusters the TeamRoleBinding should be deployed to.
+              properties:
+                matchExpressions:
+                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+                  items:
+                    description: A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.
                     properties:
-                      secret:
-                        description: Secret references the secret containing the value.
-                        properties:
-                          key:
-                            description: Key in the secret to select the value from.
-                            type: string
-                          name:
-                            description: Name of the secret in the same namespace.
-                            type: string
-                        required:
-                          - key
-                          - name
-                        type: object
+                      key:
+                        description: key is the label key that the selector applies to.
+                        type: string
+                      operator:
+                        description: operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.
+                        type: string
+                      values:
+                        description: values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.
+                        items:
+                          type: string
+                        type: array
+                        x-kubernetes-list-type: atomic
+                    required:
+                      - key
+                      - operator
                     type: object
-                required:
-                  - name
-                type: object
+                  type: array
+                  x-kubernetes-list-type: atomic
+                matchLabels:
+                  additionalProperties:
+                    type: string
+                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is "key", the\noperator is "In", and the values array contains only "value". The requirements are ANDed.
+                  type: object
+              type: object
+              x-kubernetes-map-type: atomic
+            namespaces:
+              description: Namespaces is the immutable list of namespaces in the Greenhouse Clusters to apply the RoleBinding to.\nIf empty, a ClusterRoleBinding will be created on the remote cluster, otherwise a RoleBinding per namespace.
+              items:
+                type: string
               type: array
-            pluginDefinition:
-              description: PluginDefinition is the name of the PluginDefinition this instance is for.
+            teamRef:
+              description: TeamRef references a Greenhouse Team by name
               type: string
-            releaseNamespace:
-              description: ReleaseNamespace is the namespace in the remote cluster to which the backend is deployed.\nDefaults to the Greenhouse managed namespace if not set.
+            teamRoleRef:
+              description: TeamRoleRef references a Greenhouse TeamRole by name
               type: string
-          required:
-            - disabled
-            - pluginDefinition
           type: object
         status:
-          description: PluginStatus defines the observed state of Plugin
+          description: TeamRoleBindingStatus defines the observed state of the TeamRoleBinding
           properties:
-            description:
-              description: Description provides additional details of the plugin.
-              type: string
-            exposedServices:
-              additionalProperties:
-                description: Service references a Kubernetes service of a Plugin.
+            clusters:
+              description: PropagationStatus is the list of clusters the TeamRoleBinding is applied to
+              items:
+                description: PropagationStatus defines the observed state of the TeamRoleBinding's associated rbacv1 resources  on a Cluster
                 properties:
-                  name:
-                    description: Name is the name of the service in the target cluster.
-                    type: string
-                  namespace:
-                    description: Namespace is the namespace of the service in the target cluster.
-                    type: string
-                  port:
-                    description: Port is the port of the service.
-                    format: int32
-                    type: integer
-                  protocol:
-                    description: Protocol is the protocol of the service.
+                  clusterName:
+                    description: ClusterName is the name of the cluster the rbacv1 resources are created on.
                     type: string
+                  condition:
+                    description: Condition is the overall Status of the rbacv1 resources created on the cluster
+                    properties:
+                      lastTransitionTime:
+                        description: LastTransitionTime is the last time the condition transitioned from one status to another.
+                        format: date-time
+                        type: string
+                      message:
+                        description: Message is an optional human readable message indicating details about the last transition.
+                        type: string
+                      reason:
+                        description: Reason is a one-word, CamelCase reason for the condition's last transition.
+                        type: string
+                      status:
+                        description: Status of the condition.
+                        type: string
+                      type:
+                        description: Type of the condition.
+                        type: string
+                    required:
+                      - lastTransitionTime
+                      - status
+                      - type
+                    type: object
                 required:
-                  - name
-                  - namespace
-                  - port
+                  - clusterName
                 type: object
-              description: ExposedServices provides an overview of the Plugins services that are centrally exposed.\nIt maps the exposed URL to the service found in the manifest.
-              type: object
-            helmChart:
-              description: HelmChart contains a reference the helm chart used for the deployed pluginDefinition version.
-              properties:
-                name:
-                  description: Name of the HelmChart chart.
-                  type: string
-                repository:
-                  description: Repository of the HelmChart chart.
-                  type: string
-                version:
-                  description: Version of the HelmChart chart.
-                  type: string
-              required:
-                - name
-                - repository
-                - version
-              type: object
-            helmReleaseStatus:
-              description: HelmReleaseStatus reflects the status of the latest HelmChart release.\nThis is only configured if the pluginDefinition is backed by HelmChart.
-              properties:
-                firstDeployed:
-                  description: FirstDeployed is the timestamp of the first deployment of the release.
-                  format: date-time
-                  type: string
-                lastDeployed:
-                  description: LastDeployed is the timestamp of the last deployment of the release.
-                  format: date-time
-                  type: string
-                status:
-                  description: Status is the status of a HelmChart release.
-                  type: string
-              required:
-                - status
-              type: object
+              type: array
+              x-kubernetes-list-map-keys:
+                - clusterName
+              x-kubernetes-list-type: map
             statusConditions:
-              description: StatusConditions contain the different conditions that constitute the status of the Plugin.
+              description: StatusConditions contain the different conditions that constitute the status of the TeamRoleBinding.
               properties:
                 conditions:
                   items:
@@ -1119,143 +1257,5 @@ components:
                     - type
                   x-kubernetes-list-type: map
               type: object
-            uiApplication:
-              description: UIApplication contains a reference to the frontend that is used for the deployed pluginDefinition version.
-              properties:
-                name:
-                  description: Name of the UI application.
-                  type: string
-                url:
-                  description: URL specifies the url to a built javascript asset.\nBy default, assets are loaded from the Juno asset server using the provided name and version.
-                  type: string
-                version:
-                  description: Version of the frontend application.
-                  type: string
-              required:
-                - name
-                - version
-              type: object
-            version:
-              description: Version contains the latest pluginDefinition version the config was last applied with successfully.
-              type: string
-            weight:
-              description: Weight configures the order in which Plugins are shown in the Greenhouse UI.
-              format: int32
-              type: integer
-          type: object
-      type: object
-    PluginDefinition:
-      xml:
-        name: greenhouse.sap
-        namespace: v1alpha1
-      title: PluginDefinition
-      description: PluginDefinition is the Schema for the PluginDefinitions API
-      properties:
-        apiVersion:
-          description: 'APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-          type: string
-        kind:
-          description: 'Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-          type: string
-        metadata:
-          type: object
-        spec:
-          description: PluginDefinitionSpec defines the desired state of PluginDefinitionSpec
-          properties:
-            description:
-              description: Description provides additional details of the pluginDefinition.
-              type: string
-            displayName:
-              description: DisplayName provides a human-readable label for the pluginDefinition.
-              type: string
-            docMarkDownUrl:
-              description: DocMarkDownUrl specifies the URL to the markdown documentation file for this plugin.\nSource needs to allow all CORS origins.
-              type: string
-            helmChart:
-              description: HelmChart specifies where the Helm Chart for this pluginDefinition can be found.
-              properties:
-                name:
-                  description: Name of the HelmChart chart.
-                  type: string
-                repository:
-                  description: Repository of the HelmChart chart.
-                  type: string
-                version:
-                  description: Version of the HelmChart chart.
-                  type: string
-              required:
-                - name
-                - repository
-                - version
-              type: object
-            icon:
-              description: 'Icon specifies the icon to be used for this plugin in the Greenhouse UI.\nIcons can be either:\n- A string representing a juno icon in camel case from this list: https://github.com/sapcc/juno/blob/main/libs/juno-ui-components/src/components/Icon/Icon.component.js#L6-L52\n- A publicly accessible image reference to a .png file. Will be displayed 100x100px'
-              type: string
-            options:
-              description: RequiredValues is a list of values required to create an instance of this PluginDefinition.
-              items:
-                properties:
-                  default:
-                    description: Default provides a default value for the option
-                    x-kubernetes-preserve-unknown-fields: true
-                  description:
-                    description: Description provides a human-readable text for the value as shown in the UI.
-                    type: string
-                  displayName:
-                    description: DisplayName provides a human-readable label for the configuration option
-                    type: string
-                  name:
-                    description: Name/Key of the config option.
-                    type: string
-                  regex:
-                    description: Regex specifies a match rule for validating configuration options.
-                    type: string
-                  required:
-                    description: Required indicates that this config option is required
-                    type: boolean
-                  type:
-                    description: Type of this configuration option.
-                    enum:
-                      - string
-                      - secret
-                      - bool
-                      - int
-                      - list
-                      - map
-                    type: string
-                required:
-                  - name
-                  - required
-                  - type
-                type: object
-              type: array
-            uiApplication:
-              description: UIApplication specifies a reference to a UI application
-              properties:
-                name:
-                  description: Name of the UI application.
-                  type: string
-                url:
-                  description: URL specifies the url to a built javascript asset.\nBy default, assets are loaded from the Juno asset server using the provided name and version.
-                  type: string
-                version:
-                  description: Version of the frontend application.
-                  type: string
-              required:
-                - name
-                - version
-              type: object
-            version:
-              description: Version of this pluginDefinition
-              type: string
-            weight:
-              description: Weight configures the order in which Plugins are shown in the Greenhouse UI.\nDefaults to alphabetical sorting if not provided or on conflict.
-              format: int32
-              type: integer
-          required:
-            - version
-          type: object
-        status:
-          description: PluginDefinitionStatus defines the observed state of PluginDefinition
           type: object
       type: object