diff --git a/.github/workflows/check-codegen.yml b/.github/workflows/check-codegen.yml
new file mode 100644
index 00000000..e9699f64
--- /dev/null
+++ b/.github/workflows/check-codegen.yml
@@ -0,0 +1,30 @@
+name: Check Codegen
+
+on:
+ pull_request:
+ paths-ignore:
+ - 'docs/**'
+ - '**/*.md'
+
+jobs:
+ check-codegen:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-go@v5
+ with:
+ go-version-file: 'go.mod'
+ - name: Run make generate
+ run: make generate
+ - name: Run make docs
+ run: make docs
+ - name: Run make helm
+ run: make helm
+ - name: Compare the expected and actual generated/* directories
+ run: |
+ if [ "$(git diff | wc -l)" -gt "0" ]; then
+ echo "Detected uncommitted changes after build. Consider running 'make generate && make docs && make helm'."
+ echo "See status below:"
+ git diff
+ exit 1
+ fi
diff --git a/.github/workflows/publish-chart.yml b/.github/workflows/publish-chart.yml
index 61c429ca..e9339c08 100644
--- a/.github/workflows/publish-chart.yml
+++ b/.github/workflows/publish-chart.yml
@@ -55,6 +55,10 @@ jobs:
 fi
 echo "version=$CHART_VERSION" >> $GITHUB_OUTPUT
+ - name: Package Helm chart with crds folder in template
+ run: |
+ helm package dist/chart --version ${{ steps.chart_version.outputs.version }}-crds
+
 - name: Install Kustomize
 run: |
 curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash
@@ -66,7 +70,7 @@ jobs:
 kustomize build config/default | yq ea 'select(.kind == "CustomResourceDefinition")' > dist/chart/crds/crds.yaml
 rm -rf dist/chart/templates/crd
- - name: Package Helm chart
+ - name: Package Helm chart with removed crds folder from template folder
 run: |
 helm package dist/chart --version ${{ steps.chart_version.outputs.version }}
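Review bot: The new workflow declares no `permissions:` block, so the job token carries the repository's default scope although the steps only need to read the checkout; add `permissions:` / `  contents: read` at the top level of the file. The drift check `if [ "$(git diff | wc -l)" -gt "0" ]` also misses generated files that are new rather than modified, since untracked files never appear in `git diff`; `git add -A && git diff --cached --exit-code` (or a test on `git status --porcelain`) covers both cases and drops the `wc -l` indirection. The actions are pinned by major tag (`actions/checkout@v4`, `actions/setup-go@v5`) rather than by commit SHA, which is the usual hardening for a workflow that runs on every pull request.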
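Review bot: The new package step interpolates `${{ steps.chart_version.outputs.version }}` directly into the `run:` script, so whatever that step output contains becomes shell source; the renamed package step in the -66 hunk and the added push line in the -77 hunk do the same, and the step that sets the output is outside these hunks, so how strictly it is validated cannot be seen here. The conventional guard is to route it through the environment: `env:` / `  CHART_VERSION: ${{ steps.chart_version.outputs.version }}` on the step and `run: helm package dist/chart --version "${CHART_VERSION}-crds"`. Note also that `<version>-crds` is a semver pre-release identifier, so this chart presumably sorts below the plain release and is hidden from `helm search` unless `--devel` or an explicit `--version` is used; a comment on the step saying that is intended would save the next reader the question.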
@@ -77,3 +81,4 @@ jobs:
 - name: Push Helm chart to GHCR
 run: |
 helm push boot-operator-${{ steps.chart_version.outputs.version }}.tgz oci://ghcr.io/${{ github.repository_owner }}/charts
+ helm push boot-operator-${{ steps.chart_version.outputs.version }}-crds.tgz oci://ghcr.io/${{ github.repository_owner }}/charts
diff --git a/Makefile b/Makefile
index d25be786..9eb48004 100644
--- a/Makefile
+++ b/Makefile
@@ -191,7 +191,7 @@ GOLANGCI_LINT = $(LOCALBIN)/golangci-lint
 ADDLICENSE ?= $(LOCALBIN)/addlicense
 GOIMPORTS ?= $(LOCALBIN)/goimports
 GEN_CRD_API_REFERENCE_DOCS ?= $(LOCALBIN)/gen-crd-api-reference-docs
-KUBEBUILDER ?= $(LOCALBIN)/kubebuilder-$(KUBEBUILDER_VERSION)
+KUBEBUILDER ?= $(LOCALBIN)/kubebuilder
 ## Tool Versions
 KUSTOMIZE_VERSION ?= v5.5.0
diff --git a/dist/chart/templates/crd/boot.ironcore.dev_httpbootconfigs.yaml b/dist/chart/templates/crd/boot.ironcore.dev_httpbootconfigs.yaml
index 31bdbbbc..68472673 100755
--- a/dist/chart/templates/crd/boot.ironcore.dev_httpbootconfigs.yaml
+++ b/dist/chart/templates/crd/boot.ironcore.dev_httpbootconfigs.yaml
@@ -9,7 +9,7 @@ metadata:
 {{- if .Values.crd.keep }}
 "helm.sh/resource-policy": keep
 {{- end }}
- controller-gen.kubebuilder.io/version: v0.16.0
+ controller-gen.kubebuilder.io/version: v0.17.1
 name: httpbootconfigs.boot.ironcore.dev
 spec:
 group: boot.ironcore.dev
diff --git a/dist/chart/templates/crd/boot.ironcore.dev_ipxebootconfigs.yaml b/dist/chart/templates/crd/boot.ironcore.dev_ipxebootconfigs.yaml
index 7056daa3..f6721eec 100755
--- a/dist/chart/templates/crd/boot.ironcore.dev_ipxebootconfigs.yaml
+++ b/dist/chart/templates/crd/boot.ironcore.dev_ipxebootconfigs.yaml
@@ -9,7 +9,7 @@ metadata:
 {{- if .Values.crd.keep }}
 "helm.sh/resource-policy": keep
 {{- end }}
- controller-gen.kubebuilder.io/version: v0.16.0
+ controller-gen.kubebuilder.io/version: v0.17.1
 name: ipxebootconfigs.boot.ironcore.dev
 spec:
 group: boot.ironcore.dev
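Review bot: Dropping the `-$(KUBEBUILDER_VERSION)` suffix from `KUBEBUILDER` means the binary path no longer encodes its version, so a kubebuilder already sitting in `$(LOCALBIN)` will presumably be reused after `KUBEBUILDER_VERSION` is bumped unless the download rule, which is outside this hunk, forces a refresh. The neighbouring tools in the same block already use unversioned paths, so this may be deliberate alignment, but a comment next to the assignment such as `# unversioned path: re-run the kubebuilder download target after changing KUBEBUILDER_VERSION` would record that trade-off.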
diff --git a/dist/chart/templates/manager/manager.yaml b/dist/chart/templates/manager/manager.yaml
index e0ea1d6f..5008e85c 100644
--- a/dist/chart/templates/manager/manager.yaml
+++ b/dist/chart/templates/manager/manager.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.controllerManager.enable }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -7,7 +8,7 @@ metadata:
 {{- include "chart.labels" . | nindent 4 }}
 control-plane: controller-manager
 spec:
- replicas: {{ .Values.controllerManager.replicas }}
+ replicas: {{ .Values.controllerManager.replicas }}
 strategy:
 type: {{ .Values.controllerManager.strategy.type | quote }}
 selector:
@@ -40,7 +41,15 @@ spec:
 env:
 {{- range $key, $value := .Values.controllerManager.manager.env }}
 - name: {{ $key }}
- value: {{ $value }}
+ value: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.controllerManager.manager.ports }}
+ ports:
+ {{- range $port := .Values.controllerManager.manager.ports }}
+ - name: {{ $port.name }}
+ containerPort: {{ $port.containerPort }}
+ protocol: {{ $port.protocol | default "TCP" }}
 {{- end }}
 {{- end }}
 livenessProbe:
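Review bot: In the new `ports:` range, `containerPort: {{ $port.containerPort }}` renders with no value when a consumer omits the key, and the mistake then surfaces only as an API-server rejection rather than from `helm template`; `containerPort: {{ required "controllerManager.manager.ports[].containerPort is required" $port.containerPort }}` fails early with a message that names the offending value. The quoting fix on `value: {{ $value | quote }}` is good; `name: {{ $key }}` on the line above it stays unquoted, which is fine for environment names but worth keeping in mind if the key is ever a value-derived string. The container spec this block belongs to continues outside the hunk.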
@@ -51,28 +60,42 @@ spec:
 {{- toYaml .Values.controllerManager.manager.resources | nindent 12 }}
 securityContext:
 {{- toYaml .Values.controllerManager.manager.containerSecurityContext | nindent 12 }}
- {{- if and .Values.certmanager.enable (or .Values.webhook.enable .Values.metrics.enable) }}
+ {{- if or (and .Values.certmanager.enable (or .Values.webhook.enable .Values.metrics.enable))
+ .Values.controllerManager.manager.volumes }}
 volumeMounts:
 {{- if and .Values.metrics.enable .Values.certmanager.enable }}
 - name: metrics-certs
 mountPath: /tmp/k8s-metrics-server/metrics-certs
 readOnly: true
 {{- end }}
+ {{- range $volume := .Values.controllerManager.manager.volumes }}
+ - name: {{ $volume.name }}
+ mountPath: {{ $volume.mountPath }}
+ {{- if $volume.readOnly }}
+ readOnly: true
+ {{- end }}
+ {{- end }}
 {{- end }}
 securityContext:
 {{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }}
 serviceAccountName: {{ .Values.controllerManager.serviceAccountName }}
 hostNetwork: {{ .Values.controllerManager.hostNetwork }}
 terminationGracePeriodSeconds: {{ .Values.controllerManager.terminationGracePeriodSeconds }}
- {{- if and .Values.certmanager.enable (or .Values.webhook.enable .Values.metrics.enable) }}
+ {{- if or (and .Values.certmanager.enable (or .Values.webhook.enable .Values.metrics.enable))
+ .Values.controllerManager.manager.volumes }}
 volumes:
 {{- if and .Values.metrics.enable .Values.certmanager.enable }}
 - name: metrics-certs
 secret:
 secretName: metrics-server-cert
 {{- end }}
+ {{- range $volume := .Values.controllerManager.manager.volumes }}
+ - name: {{ $volume.name }}
+ {{- toYaml $volume.source | nindent 10 }}
+ {{- end }}
 {{- end }}
 {{- if .Values.controllerManager.tolerations }}
 tolerations:
 {{- toYaml .Values.controllerManager.tolerations | nindent 8 }}
 {{- end }}
+{{- end }}
diff --git a/dist/chart/templates/rbac/metrics_auth_role.yaml b/dist/chart/templates/rbac/metrics_auth_role.yaml
new file mode 100755
index 00000000..8909f10d
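Review bot: `{{- toYaml $volume.source | nindent 10 }}` splices each entry's `source` mapping into the pod verbatim, so a values file can now attach any volume type the API server accepts, hostPath included, with nothing in the template constraining it; the values.yaml hunk on this page adds only `enable`, so whether `controllerManager.manager.volumes` and its `name`/`mountPath`/`readOnly`/`source` shape are documented there cannot be seen. A commented example entry in values.yaml plus a one-line comment above the range, e.g. `{{- /* source is passed through unchanged; review entries as you would a raw pod spec */ -}}`, would make that contract explicit. The `or (and .Values.certmanager.enable ...) .Values.controllerManager.manager.volumes` condition is written out twice; binding it once, `{{- $mountExtras := or (and .Values.certmanager.enable (or .Values.webhook.enable .Values.metrics.enable)) .Values.controllerManager.manager.volumes }}`, and testing `$mountExtras` at both sites keeps the two guards from drifting apart. The pod spec this hunk edits begins before line 51.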
--- /dev/null
+++ b/dist/chart/templates/rbac/metrics_auth_role.yaml
@@ -0,0 +1,21 @@
+{{- if and .Values.rbac.enable .Values.metrics.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ {{- include "chart.labels" . | nindent 4 }}
+ name: boot-operator-metrics-auth-role
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+{{- end -}}
diff --git a/dist/chart/templates/rbac/metrics_auth_role_binding.yaml b/dist/chart/templates/rbac/metrics_auth_role_binding.yaml
new file mode 100755
index 00000000..b2cb97f0
--- /dev/null
+++ b/dist/chart/templates/rbac/metrics_auth_role_binding.yaml
@@ -0,0 +1,16 @@
+{{- if and .Values.rbac.enable .Values.metrics.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ {{- include "chart.labels" . | nindent 4 }}
+ name: boot-operator-metrics-auth-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: boot-operator-metrics-auth-role
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.controllerManager.serviceAccountName }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/dist/chart/templates/rbac/metrics_reader_role.yaml b/dist/chart/templates/rbac/metrics_reader_role.yaml
new file mode 100755
index 00000000..e0a52c71
--- /dev/null
+++ b/dist/chart/templates/rbac/metrics_reader_role.yaml
@@ -0,0 +1,13 @@
+{{- if and .Values.rbac.enable .Values.metrics.enable }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ {{- include "chart.labels" . | nindent 4 }}
+ name: boot-operator-metrics-reader
+rules:
+- nonResourceURLs:
+ - "/metrics"
+ verbs:
+ - get
+{{- end -}}
diff --git a/dist/chart/values.yaml b/dist/chart/values.yaml
index d354602b..7f871119 100644
--- a/dist/chart/values.yaml
+++ b/dist/chart/values.yaml
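Review bot: `name: boot-operator-metrics-auth-role` is a fixed string rather than a release-derived one, and the same holds for `boot-operator-metrics-auth-rolebinding` and `boot-operator-metrics-reader` in the next two files, so two releases of the chart in one cluster would contend for the same cluster-scoped objects; if that limitation is shared with the rest of the chart, a comment saying so above `metadata:` would keep the next reader from treating it as an oversight. The `create` rights on `tokenreviews` and `subjectaccessreviews` are what lets the manager authenticate and authorise metrics scrapers itself, and a short comment above `rules:` stating that purpose would explain why a metrics toggle grants cluster-wide authentication API access.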
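Review bot: `boot-operator-metrics-reader` grants `get` on `/metrics` but nothing in this commit binds it, so the role is presumably meant for cluster operators to bind to the identity that scrapes the endpoint; a comment at the top of the file, `# Unbound by design: bind this ClusterRole to the identity that scrapes /metrics`, would stop a reader from assuming it is dead code. The sequence style here is flush (`- nonResourceURLs:` at the key's indent) while manager.yaml on this page indents its list items, so the chart's templates mix both forms.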
@@ -1,5 +1,6 @@
 # [MANAGER]: Manager Deployment Configurations
 controllerManager:
+ enable: true
 replicas: 1
 manager:
 image:
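Review bot: The new `enable: true` key carries no comment, and on this page manager.yaml gates only the Deployment on it, so a reader of values.yaml cannot tell what disabling it leaves installed; `# Set to false to skip rendering the controller-manager Deployment` above the key states the visible effect, and whether other templates honour the flag is not shown here. The `manager.ports` and `manager.volumes` values that manager.yaml now reads do not appear in this hunk; if they are defined further down the file, commented example entries there would document the expected entry shape.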