diff --git a/.dockerignore b/.dockerignore
index cb98ac78..b37722de 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,4 +1,6 @@ Dockerfile +/.devenv/ +/.direnv/ /.github/ /bin/ build/
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 7005516c..4c835cd3 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -161,6 +161,42 @@ jobs: - name: Dependency Review uses: actions/dependency-review-action@1360a344ccb0ab6e9475edef90ad2f46bf8003b1 # v3.0.6 + e2e-test: + name: E2E test + runs-on: ubuntu-latest + needs: [artifacts] + strategy: + matrix: + k8s_version: ["v1.24.13", "v1.25.9", "v1.26.4", "v1.27.1" ] + # vault_version: ["1.10.11", "1.11.10", "1.12.6", "1.13.2"] + + steps: + - name: Checkout repository + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + + - name: Set up Nix + uses: cachix/install-nix-action@4b933aa7ebcc94a6174cf1364864e957b4910265 # v21 + with: + extra_nix_config: | + access-tokens = github.com=${{ secrets.GITHUB_TOKEN }} + + - name: Prepare Nix shell + run: nix develop --impure .#ci + + - name: Download operator docker image + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: "[container-image] Docker tarball" + + - name: Test + run: nix develop --impure .#ci -c make test-e2e + env: + KIND_K8S_VERSION: ${{ matrix.k8s_version }} + LOAD_IMAGE_ARCHIVE: ${{ github.workspace }}/docker.tar + # VAULT_VERSION: ${{ matrix.vault_version }} + WEBHOOK_VERSION: ${{ needs.artifacts.outputs.container-image-tag }} + LOG_VERBOSE: "true" + acceptance-test: name: Acceptance test runs-on: ubuntu-latest
diff --git a/Makefile b/Makefile
index 1b72543a..1ac5197f 100644
--- a/Makefile
+++ b/Makefile
@@ -2,6 +2,8 @@ export PATH := $(abspath bin/):${PATH} +CONTAINER_IMAGE_REF = ghcr.io/bank-vaults/vault-secrets-webhook:dev + # Dependency versions GOLANGCI_VERSION = 1.53.1 LICENSEI_VERSION = 0.8.0
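Review bot: The e2e-test job sets neither `permissions:` nor `timeout-minutes:`; unless a workflow-level `permissions:` block outside this hunk already narrows it, the GITHUB_TOKEN that the Nix step passes on via `access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}` carries the repository default scope although checkout and artifact download only need `contents: read`, and a kind cluster or Vault unseal that hangs keeps the runner until the six-hour default expires. A job-level `permissions:` limited to `contents: read` plus something like `timeout-minutes: 30` (the Go side already caps itself at `-timeout 900s` in the Makefile hunk) would bound both. `LOAD_IMAGE_ARCHIVE: ${{ github.workspace }}/docker.tar` assumes the artifact download lands a file named docker.tar at the workspace root, which nothing in this hunk establishes; a `path:` on the download-artifact step, or a comment naming the producing job, would make that dependency explicit. The matrix line `k8s_version: ["v1.24.13", "v1.25.9", "v1.26.4", "v1.27.1" ]` also carries a stray space before the closing bracket.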
@@ -52,7 +54,7 @@ artifacts: ## Build artifacts .PHONY: container-image container-image: ## Build container image - docker build . + docker build -t ${CONTAINER_IMAGE_REF} . .PHONY: check check: test lint ## Run checks (tests and linters)
@@ -65,6 +67,14 @@ test: ## Run tests test-acceptance: ## Run acceptance tests go test -race -v -timeout 900s -tags kubeall ./test +.PHONY: test-e2e +test-e2e: ## Run e2e tests + go test -race -v -timeout 900s -tags e2e ./e2e/ + +.PHONY: test-e2e-local +test-e2e-local: container-image ## Run e2e tests locally + LOAD_IMAGE=${CONTAINER_IMAGE_REF} WEBHOOK_VERSION=dev ${MAKE} test-e2e + .PHONY: lint lint: ## Run linter golangci-lint run ${LINT_ARGS}
diff --git a/charts/vault-secrets-webhook/templates/_helpers.tpl b/charts/vault-secrets-webhook/templates/_helpers.tpl
index d5e4b6d8..12d43133 100644
--- a/charts/vault-secrets-webhook/templates/_helpers.tpl
+++ b/charts/vault-secrets-webhook/templates/_helpers.tpl
@@ -57,9 +57,6 @@ Overrideable version for container image tags. {{- define "vault-secrets-webhook.bank-vaults.version" -}} {{- .Values.image.tag | default (printf "%s" .Chart.AppVersion) -}} {{- end -}} -{{- define "vault-secrets-webhook.vault-env.version" -}} -{{- .Values.vaultEnv.tag | default (printf "%s" .Chart.AppVersion) -}} -{{- end -}} {{/* Create the name of the service account to use
diff --git a/charts/vault-secrets-webhook/templates/webhook-deployment.yaml b/charts/vault-secrets-webhook/templates/webhook-deployment.yaml
index 2f6a46bf..b33236b6 100644
--- a/charts/vault-secrets-webhook/templates/webhook-deployment.yaml
+++ b/charts/vault-secrets-webhook/templates/webhook-deployment.yaml
@@ -80,7 +80,7 @@ spec: value: "debug" {{- end }} - name: VAULT_ENV_IMAGE - value: "{{ .Values.vaultEnv.repository }}:{{ include "vault-secrets-webhook.vault-env.version" . }}" + value: "{{ .Values.vaultEnv.repository }}:{{ .Values.vaultEnv.tag }}" {{- range $key, $value := .Values.env }} - name: {{ $key }} value: {{ $value | quote }}
diff --git a/charts/vault-secrets-webhook/values.yaml b/charts/vault-secrets-webhook/values.yaml
index cbbcc098..b9ca4d2b 100644
--- a/charts/vault-secrets-webhook/values.yaml
+++ b/charts/vault-secrets-webhook/values.yaml
@@ -49,10 +49,10 @@ webhookClientConfig: vaultEnv: repository: ghcr.io/bank-vaults/vault-env - # tag: "" + tag: "v1.20.1" env: - VAULT_IMAGE: vault:1.6.2 + VAULT_IMAGE: vault:1.13.2 # VAULT_CAPATH: /vault/tls # # Used when the pod that should get secret injected does not # # specify an imagePullSecret
diff --git a/e2e/deploy/vault-secrets-webhook/values.yaml b/e2e/deploy/vault-secrets-webhook/values.yaml
new file mode 100644
index 00000000..674c1126
--- /dev/null
+++ b/e2e/deploy/vault-secrets-webhook/values.yaml
@@ -0,0 +1,12 @@
+replicaCount: 1
+
+image:
+ pullPolicy: Never
+
+configMapMutation: true
+configmapFailurePolicy: "Fail"
+podsFailurePolicy: "Fail"
+secretsFailurePolicy: "Fail"
+
+env:
+ VAULT_IMAGE: vault:1.13.2
diff --git a/e2e/deploy/vault/rbac.yaml b/e2e/deploy/vault/rbac.yaml
new file mode 100644
index 00000000..235cc0d2
--- /dev/null
+++ b/e2e/deploy/vault/rbac.yaml
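Review bot: With the `vault-secrets-webhook.vault-env.version` helper removed, `VAULT_ENV_IMAGE` renders `{{ .Values.vaultEnv.repository }}:{{ .Values.vaultEnv.tag }}` with no fallback, so a values override that sets `vaultEnv.tag: ""` (the shape the old commented-out `# tag: ""` default invited) yields the malformed reference `ghcr.io/bank-vaults/vault-env:` and nothing in the chart rejects it. Either `{{ .Values.vaultEnv.tag | default .Chart.AppVersion }}` (the previous behaviour) or `{{ required "vaultEnv.tag must be set" .Values.vaultEnv.tag }}` surfaces the problem at `helm install` time instead. Pinning `tag: "v1.20.1"` in charts/vault-secrets-webhook/values.yaml is presumably deliberate now that vault-env is versioned separately from the webhook, but a one-line comment above it saying so, and that it has to be bumped on vault-env releases, would stop the next maintainer from restoring the AppVersion default.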
@@ -0,0 +1,46 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+ name: vault
+
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: vault
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["*"]
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "update", "patch"]
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: vault
+roleRef:
+ kind: Role
+ name: vault
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: vault
+
+---
+# This binding allows the deployed Vault instance to authenticate clients
+# through Kubernetes ServiceAccounts (if configured so).
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: vault-auth-delegator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:auth-delegator
+subjects:
+ - kind: ServiceAccount
+ name: vault
+ namespace: default
diff --git a/e2e/deploy/vault/vault.yaml b/e2e/deploy/vault/vault.yaml
new file mode 100644
index 00000000..6cd91d38
--- /dev/null
+++ b/e2e/deploy/vault/vault.yaml
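Review bot: The ClusterRoleBinding subject hard-codes `namespace: default`, while e2e/main_test.go applies every file in deploy/vault through `decoder.MutateNamespace(cfg.Namespace())`, which rewrites each object's own namespace but not a subject's; the two only line up because TestMain pins `useNamespace("default")`, and the binding would silently point at a non-existent ServiceAccount if that ever changes. A comment on the subject, `# must match the namespace the e2e suite deploys Vault into (see main_test.go)`, records the coupling until the loader can template it. The Role's first rule also grants `verbs: ["*"]` on secrets where the pods rule two lines below lists its verbs explicitly; a fixture can afford that, but naming the verbs the operator actually uses would keep the e2e permissions closer to what a real deployment should get.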
@@ -0,0 +1,172 @@
+apiVersion: "vault.banzaicloud.com/v1alpha1"
+kind: "Vault"
+metadata:
+ name: "vault"
+spec:
+ size: 1
+ image: vault:1.13.2
+
+ # Specify the ServiceAccount where the Vault Pod and the Bank-Vaults configurer/unsealer is running
+ serviceAccount: vault
+
+ # Specify the Service's type where the Vault Service is exposed
+ # Please note that some Ingress controllers like https://github.com/kubernetes/ingress-gce
+ # forces you to expose your Service on a NodePort
+ serviceType: ClusterIP
+
+ # Use local disk to store Vault file data, see config section.
+ volumes:
+ - name: vault-file
+ persistentVolumeClaim:
+ claimName: vault-file
+
+ volumeMounts:
+ - name: vault-file
+ mountPath: /vault/file
+
+ # Support for distributing the generated CA certificate Secret to other namespaces.
+ # Define a list of namespaces or use ["*"] for all namespaces.
+ caNamespaces:
+ - "vault-secrets-webhook"
+
+ # Describe where you would like to store the Vault unseal keys and root token.
+ unsealConfig:
+ options:
+ # The preFlightChecks flag enables unseal and root token storage tests
+ # This is true by default
+ preFlightChecks: true
+ # The storeRootToken flag enables storing of root token in chosen storage
+ # This is true by default
+ storeRootToken: true
+ kubernetes:
+ secretNamespace: default
+
+ # A YAML representation of a final vault config file.
+ # See https://www.vaultproject.io/docs/configuration/ for more information.
+ config:
+ storage:
+ file:
+ path: "${ .Env.VAULT_STORAGE_FILE }" # An example how Vault config environment interpolation can be used
+ listener:
+ tcp:
+ address: "0.0.0.0:8200"
+ # Uncommenting the following line and deleting tls_cert_file and tls_key_file disables TLS
+ # tls_disable: true
+ tls_cert_file: /vault/tls/server.crt
+ tls_key_file: /vault/tls/server.key
+ telemetry:
+ statsd_address: localhost:9125
+ ui: true
+
+ # See: https://banzaicloud.com/docs/bank-vaults/cli-tool/#example-external-vault-configuration
+ # The repository also contains a lot examples in the test/deploy and operator/deploy directories.
+ externalConfig:
+ policies:
+ - name: allow_secrets
+ rules: path "secret/*" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+ }
+ - name: allow_pki
+ rules: path "pki/*" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+ }
+
+ groups:
+ - name: admin1
+ policies:
+ - allow_secrets
+ metadata:
+ privileged: true
+ type: external
+ - name: admin2
+ policies:
+ - allow_secrets
+ metadata:
+ privileged: true
+ type: external
+
+ group-aliases:
+ - name: admin1
+ mountpath: token
+ group: admin1
+
+
+ auth:
+ - type: kubernetes
+ roles:
+ # Allow every pod in the default namespace to use the secret kv store
+ - name: default
+ bound_service_account_names: ["default", "vault-secrets-webhook", "vault"]
+ bound_service_account_namespaces: ["default", "vault-secrets-webhook"]
+ policies: ["allow_secrets", "allow_pki"]
+ ttl: 1h
+
+ secrets:
+ - path: secret
+ type: kv
+ description: General secrets.
+ options:
+ version: 2
+
+ - path: pki
+ type: pki
+ description: Vault PKI Backend
+ config:
+ default_lease_ttl: 168h
+ max_lease_ttl: 720h
+ configuration:
+ config:
+ - name: urls
+ issuing_certificates: https://vault.default:8200/v1/pki/ca
+ crl_distribution_points: https://vault.default:8200/v1/pki/crl
+ root/generate:
+ - name: internal
+ common_name: vault.default
+ roles:
+ - name: default
+ allowed_domains: localhost,pod,svc,default
+ allow_subdomains: true
+ generate_lease: true
+ ttl: 1m
+
+ # Allows writing some secrets to Vault (useful for development purposes).
+ # See https://www.vaultproject.io/docs/secrets/kv/index.html for more information.
+ startupSecrets:
+ - type: kv
+ path: secret/data/accounts/aws
+ data:
+ data:
+ AWS_ACCESS_KEY_ID: secretId
+ AWS_SECRET_ACCESS_KEY: s3cr3t
+ - type: kv
+ path: secret/data/dockerrepo
+ data:
+ data:
+ DOCKER_REPO_USER: dockerrepouser
+ DOCKER_REPO_PASSWORD: dockerrepopassword
+ - type: kv
+ path: secret/data/mysql
+ data:
+ data:
+ MYSQL_ROOT_PASSWORD: s3cr3t
+ MYSQL_PASSWORD: 3xtr3ms3cr3t
+
+ vaultEnvsConfig:
+ - name: VAULT_LOG_LEVEL
+ value: debug
+ - name: VAULT_STORAGE_FILE
+ value: "/vault/file"
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: vault-file
+spec:
+ # https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class-1
+ # storageClassName: ""
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/e2e/kind.yaml b/e2e/kind.yaml
new file mode 100644
index 00000000..18eb9ae2
--- /dev/null
+++ b/e2e/kind.yaml
@@ -0,0 +1,2 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
diff --git a/e2e/main_test.go b/e2e/main_test.go
new file mode 100644
index 00000000..d0675af3
--- /dev/null
+++ b/e2e/main_test.go
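Review bot: The kubernetes auth role `default` binds `bound_service_account_names: ["default", "vault-secrets-webhook", "vault"]` in the `default` namespace to both `allow_secrets` and `allow_pki`, so every pod in `default` that does not set a ServiceAccount can read and write all of `secret/*` and `pki/*`; for a throwaway kind cluster that is the intended shortcut, but this is exactly the kind of file that gets copied into a real cluster, so the comment above the role should say so, e.g. `# e2e only: the default SA is deliberately granted full access so test workloads need no extra RBAC`. The `telemetry:` stanza with `statsd_address: localhost:9125` appears carried over from the operator example; nothing in this hunk runs a statsd sink, so it can be dropped. yamllint will also flag the two consecutive blank lines before `auth:`.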
@@ -0,0 +1,295 @@
+// Copyright © 2023 Bank-Vaults Maintainers
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build e2e
+// +build e2e
+
+package e2e
+
+import (
+ "context"
+ "flag"
+ "fmt"
+ "os"
+ "testing"
+ "time"
+
+ appsv1 "k8s.io/api/apps/v1"
+ v1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/klog/v2"
+ "sigs.k8s.io/controller-runtime/pkg/log"
+ "sigs.k8s.io/e2e-framework/klient/conf"
+ "sigs.k8s.io/e2e-framework/klient/decoder"
+ "sigs.k8s.io/e2e-framework/klient/k8s/resources"
+ "sigs.k8s.io/e2e-framework/klient/wait"
+ "sigs.k8s.io/e2e-framework/klient/wait/conditions"
+ "sigs.k8s.io/e2e-framework/pkg/env"
+ "sigs.k8s.io/e2e-framework/pkg/envconf"
+ "sigs.k8s.io/e2e-framework/pkg/envfuncs"
+ "sigs.k8s.io/e2e-framework/third_party/helm"
+)
+
+// Upgrade this when a new version is released
+const vaultOperatorVersion = "1.20.0"
+
+var testenv env.Environment
+
+func TestMain(m *testing.M) {
+ // See https://github.com/kubernetes-sigs/e2e-framework/issues/269
+ // testenv = env.New()
+ testenv = &reverseFinishEnvironment{Environment: env.New()}
+
+ if os.Getenv("LOG_VERBOSE") == "true" {
+ flags := flag.NewFlagSet("", flag.ContinueOnError)
+ klog.InitFlags(flags)
+ flags.Parse([]string{"-v", "4"})
+ }
+ log.SetLogger(klog.NewKlogr())
+
+ // Set up cluster
+ if os.Getenv("USE_REAL_CLUSTER") == "true" {
+ path := conf.ResolveKubeConfigFile()
+ cfg := envconf.NewWithKubeConfig(path)
+
+ if context :=
os.Getenv("USE_CONTEXT"); context != "" {
+ cfg.WithKubeContext(context)
+ }
+
+ // See https://github.com/kubernetes-sigs/e2e-framework/issues/269
+ // testenv = env.NewWithConfig(cfg)
+ testenv = &reverseFinishEnvironment{Environment: env.NewWithConfig(cfg)}
+ } else {
+ clusterName := envconf.RandomName("vault-secrets-webhook-test", 32)
+
+ if v := os.Getenv("KIND_K8S_VERSION"); v != "" {
+ testenv.Setup(envfuncs.CreateKindClusterWithConfig(clusterName, "kindest/node:"+v, "kind.yaml"))
+ } else {
+ testenv.Setup(envfuncs.CreateKindCluster(clusterName))
+ }
+
+ testenv.Finish(envfuncs.DestroyKindCluster(clusterName))
+
+ if image := os.Getenv("LOAD_IMAGE"); image != "" {
+ testenv.Setup(envfuncs.LoadDockerImageToCluster(clusterName, image))
+ }
+
+ if imageArchive := os.Getenv("LOAD_IMAGE_ARCHIVE"); imageArchive != "" {
+ testenv.Setup(envfuncs.LoadImageArchiveToCluster(clusterName, imageArchive))
+ }
+ }
+
+ // Install vault-operator
+ testenv.Setup(installVaultOperator)
+ testenv.Finish(uninstallVaultOperator, envfuncs.DeleteNamespace("vault-operator"))
+
+ testenv.Setup(envfuncs.CreateNamespace("vault-secrets-webhook"), installVaultSecretsWebhook)
+ testenv.Finish(uninstallVaultSecretsWebhook, envfuncs.DeleteNamespace("vault-secrets-webhook"))
+
+ // Set up test namespace
+ // ns := envconf.RandomName("webhook-test", 16)
+ // testenv.Setup(envfuncs.CreateNamespace(ns))
+ // testenv.Finish(envfuncs.DeleteNamespace(ns))
+
+ // Unsealing and Vault access only works in the default namespace at the moment
+ testenv.Setup(useNamespace("default"))
+
+ testenv.Setup(installVault, waitForVaultTLS)
+ testenv.Finish(uninstallVault)
+
+ os.Exit(testenv.Run(m))
+}
+
+func installVaultOperator(ctx context.Context, cfg *envconf.Config) (context.Context, error) {
+ manager := helm.New(cfg.KubeconfigFile())
+
+ err := manager.RunInstall(
+ helm.WithName("vault-operator"), // This is weird that ReleaseName works differently, but it is what it is
+
helm.WithChart("oci://ghcr.io/bank-vaults/helm-charts/vault-operator"),
+ helm.WithNamespace("vault-operator"),
+ helm.WithArgs("--create-namespace"),
+ helm.WithVersion(vaultOperatorVersion),
+ helm.WithWait(),
+ helm.WithTimeout("2m"),
+ )
+ if err != nil {
+ return ctx, fmt.Errorf("installing vault-operator: %w", err)
+ }
+
+ return ctx, nil
+}
+
+func uninstallVaultOperator(ctx context.Context, cfg *envconf.Config) (context.Context, error) {
+ manager := helm.New(cfg.KubeconfigFile())
+
+ err := manager.RunUninstall(
+ helm.WithName("vault-operator"),
+ helm.WithNamespace("vault-operator"),
+ helm.WithWait(),
+ helm.WithTimeout("2m"),
+ )
+ if err != nil {
+ return ctx, fmt.Errorf("uninstalling vault-operator: %w", err)
+ }
+
+ return ctx, nil
+}
+
+func installVaultSecretsWebhook(ctx context.Context, cfg *envconf.Config) (context.Context, error) {
+ manager := helm.New(cfg.KubeconfigFile())
+
+ webhookVersion := "latest"
+ if v := os.Getenv("WEBHOOK_VERSION"); v != "" {
+ webhookVersion = v
+ }
+
+ err := manager.RunInstall(
+ helm.WithName("vault-secrets-webhook"), // This is weird that ReleaseName works differently, but it is what it is
+ helm.WithChart("../charts/vault-secrets-webhook/"),
+ helm.WithNamespace("vault-secrets-webhook"),
+ helm.WithArgs("-f", "deploy/vault-secrets-webhook/values.yaml", "--set", "image.tag="+webhookVersion),
+ helm.WithWait(),
+ helm.WithTimeout("2m"),
+ )
+ if err != nil {
+ return ctx, fmt.Errorf("installing vault-secrets-webhook: %w", err)
+ }
+
+ return ctx, nil
+}
+
+func uninstallVaultSecretsWebhook(ctx context.Context, cfg *envconf.Config) (context.Context, error) {
+ manager := helm.New(cfg.KubeconfigFile())
+
+ err := manager.RunUninstall(
+ helm.WithName("vault-secrets-webhook"),
+ helm.WithNamespace("vault-secrets-webhook"),
+ helm.WithWait(),
+ helm.WithTimeout("2m"),
+ )
+ if err != nil {
+ return ctx, fmt.Errorf("uninstalling vault-secrets-webhook: %w", err)
+ }
+
+ return ctx, nil
+}
+
+func useNamespace(ns
string) env.Func {
+ return func(ctx context.Context, cfg *envconf.Config) (context.Context, error) {
+ cfg.WithNamespace(ns)
+
+ return ctx, nil
+ }
+}
+
+func installVault(ctx context.Context, cfg *envconf.Config) (context.Context, error) {
+ r, err := resources.New(cfg.Client().RESTConfig())
+ if err != nil {
+ return ctx, err
+ }
+
+ err = decoder.DecodeEachFile(
+ ctx, os.DirFS("deploy/vault"), "*",
+ decoder.CreateHandler(r),
+ decoder.MutateNamespace(cfg.Namespace()),
+ )
+ if err != nil {
+ return ctx, err
+ }
+
+ statefulSets := &appsv1.StatefulSetList{
+ Items: []appsv1.StatefulSet{
+ {
+ ObjectMeta: metav1.ObjectMeta{Name: "vault", Namespace: cfg.Namespace()},
+ },
+ },
+ }
+
+ // wait for the statefulSet to become available
+ err = wait.For(conditions.New(r).ResourcesFound(statefulSets), wait.WithTimeout(1*time.Minute))
+ if err != nil {
+ return ctx, err
+ }
+
+ time.Sleep(5 * time.Second)
+
+ pod := v1.Pod{
+ ObjectMeta: metav1.ObjectMeta{Name: "vault-0", Namespace: cfg.Namespace()},
+ }
+
+ // wait for the pod to become available
+ err = wait.For(conditions.New(r).PodReady(&pod), wait.WithTimeout(1*time.Minute))
+ if err != nil {
+ return ctx, err
+ }
+
+ return ctx, nil
+}
+
+func waitForVaultTLS(ctx context.Context, cfg *envconf.Config) (context.Context, error) {
+ vaultTLSSecrets := &v1.SecretList{
+ Items: []v1.Secret{
+ {
+ ObjectMeta: metav1.ObjectMeta{Name: "vault-tls", Namespace: cfg.Namespace()},
+ },
+ },
+ }
+
+ // wait for the vault-tls secret to become available
+ err := wait.For(conditions.New(cfg.Client().Resources()).ResourcesFound(vaultTLSSecrets), wait.WithTimeout(1*time.Minute))
+ if err != nil {
+ return ctx, err
+ }
+
+ return ctx, nil
+}
+
+func uninstallVault(ctx context.Context, cfg *envconf.Config) (context.Context, error) {
+ r, err := resources.New(cfg.Client().RESTConfig())
+ if err != nil {
+ return ctx, err
+ }
+
+ err = decoder.DecodeEachFile(
+ ctx, os.DirFS("deploy/vault"), "*",
+ decoder.DeleteHandler(r),
+
decoder.MutateNamespace(cfg.Namespace()),
+ )
+
+ if err != nil {
+ return ctx, err
+ }
+
+ return ctx, nil
+}
+
+type reverseFinishEnvironment struct {
+ env.Environment
+
+ finishFuncs []env.Func
+}
+
+// Finish registers funcs that are executed at the end of the test suite in a reverse order.
+func (e *reverseFinishEnvironment) Finish(f ...env.Func) env.Environment {
+ e.finishFuncs = append(f[:], e.finishFuncs...)
+
+ return e
+}
+
+// Run launches the test suite from within a TestMain.
+func (e *reverseFinishEnvironment) Run(m *testing.M) int {
+ e.Environment.Finish(e.finishFuncs...)
+
+ return e.Environment.Run(m)
+}
diff --git a/e2e/test/configmap.yaml b/e2e/test/configmap.yaml
new file mode 100644
index 00000000..6e264bb6
--- /dev/null
+++ b/e2e/test/configmap.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: test-configmap
+ annotations:
+ vault.security.banzaicloud.io/vault-addr: "https://vault.default.svc.cluster.local:8200"
+ vault.security.banzaicloud.io/vault-role: "default"
+ vault.security.banzaicloud.io/vault-tls-secret: vault-tls
+ # vault.security.banzaicloud.io/vault-skip-verify: "true"
+ vault.security.banzaicloud.io/vault-path: "kubernetes"
+data:
+ aws-access-key-id: vault:secret/data/accounts/aws#AWS_ACCESS_KEY_ID
+ aws-access-key-id-formatted: "vault:secret/data/accounts/aws#AWS key in base64: ${.AWS_ACCESS_KEY_ID | b64enc}"
+ aws-access-key-id-inline: "AWS_ACCESS_KEY_ID: ${vault:secret/data/accounts/aws#AWS_ACCESS_KEY_ID} AWS_SECRET_ACCESS_KEY: ${vault:secret/data/accounts/aws#AWS_SECRET_ACCESS_KEY}"
+binaryData:
+ aws-access-key-id-binary: dmF1bHQ6c2VjcmV0L2RhdGEvYWNjb3VudHMvYXdzI0FXU19BQ0NFU1NfS0VZX0lE
diff --git a/e2e/test/deployment-seccontext.yaml b/e2e/test/deployment-seccontext.yaml
new file mode 100644
index 00000000..d3fb96ae
--- /dev/null
+++ b/e2e/test/deployment-seccontext.yaml
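Review bot: The fixed `time.Sleep(5 * time.Second)` in installVault sits between the StatefulSet `ResourcesFound` wait and the `PodReady` wait on `vault-0`; presumably it is there because `PodReady` returns an error (which ends the wait) while the pod object does not exist yet, but a fixed delay is both the slowest and the least reliable way to cover that gap. Waiting for the pod object with the same `ResourcesFound` condition the function already uses for the StatefulSet, and waitForVaultTLS for the `vault-tls` Secret, removes the sleep and records why the two-step wait is needed. Two smaller points in the same hunk: in TestMain `if context := os.Getenv("USE_CONTEXT"); context != ""` shadows the imported `context` package for the rest of that block (`kubeContext` reads better and keeps linters quiet), and the error from `flags.Parse([]string{"-v", "4"})` is discarded even though the flag set was created with `flag.ContinueOnError`, so a bad verbosity flag would pass silently.
```go
	// … unchanged: DecodeEachFile and the StatefulSet ResourcesFound wait …

	pod := v1.Pod{
		ObjectMeta: metav1.ObjectMeta{Name: "vault-0", Namespace: cfg.Namespace()},
	}

	// The StatefulSet controller creates vault-0 asynchronously and PodReady
	// appears to abort on a missing pod, so wait for the object to exist before
	// polling its readiness instead of sleeping for a fixed interval.
	err = wait.For(conditions.New(r).ResourcesFound(&v1.PodList{Items: []v1.Pod{pod}}), wait.WithTimeout(1*time.Minute))
	if err != nil {
		return ctx, err
	}

	// wait for the pod to become available
	err = wait.For(conditions.New(r).PodReady(&pod), wait.WithTimeout(1*time.Minute))
	// … unchanged: error handling and return …
```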
@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: test-deployment-seccontext
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: test-deployment-seccontext
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: test-deployment-seccontext
+ annotations:
+ vault.security.banzaicloud.io/vault-addr: "https://vault.default.svc.cluster.local:8200"
+ vault.security.banzaicloud.io/vault-role: "default"
+ vault.security.banzaicloud.io/vault-tls-secret: vault-tls
+ # vault.security.banzaicloud.io/vault-skip-verify: "true"
+ vault.security.banzaicloud.io/vault-path: "kubernetes"
+ # vault.security.banzaicloud.io/vault-agent: "true"
+ spec:
+ securityContext:
+ runAsUser: 1000
+ initContainers:
+ - name: init-ubuntu
+ image: ubuntu
+ command: ["sh", "-c", "echo $AWS_SECRET_ACCESS_KEY && echo initContainers ready"]
+ env:
+ - name: AWS_SECRET_ACCESS_KEY
+ value: vault:secret/data/accounts/aws#AWS_SECRET_ACCESS_KEY
+ resources:
+ limits:
+ memory: "128Mi"
+ cpu: "100m"
+ containers:
+ - name: alpine
+ image: alpine
+ command: ["sh", "-c", "echo $AWS_SECRET_ACCESS_KEY && echo going to sleep... && sleep 10000"]
+ env:
+ - name: AWS_SECRET_ACCESS_KEY
+ value: vault:secret/data/accounts/aws#AWS_SECRET_ACCESS_KEY
+ resources:
+ limits:
+ memory: "128Mi"
+ cpu: "100m"
diff --git a/e2e/test/deployment-template.yaml b/e2e/test/deployment-template.yaml
new file mode 100644
index 00000000..09b8bdd6
--- /dev/null
+++ b/e2e/test/deployment-template.yaml
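Review bot: The pod `securityContext` sets only `runAsUser: 1000`; judging by the file name this fixture exists to exercise the webhook under a non-root security context, and adding `runAsNonRoot: true` next to it would make the kubelet refuse the pod if the injected `vault-env` copy or the init container ever ended up running as root, turning the intent into an actual assertion. Both `command:` entries `echo $AWS_SECRET_ACCESS_KEY`, which writes the injected value into container logs; that is presumably what the test reads back, so a comment saying so would stop the pattern being copied into a non-test manifest. `image: ubuntu` and `image: alpine` are untagged, so each run floats with whatever `latest` resolves to; pinning a tag (or digest) keeps failures reproducible across the four k8s versions in the matrix.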
@@ -0,0 +1,75 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: my-app
+ my-app.kubernetes.io/name: my-app-vault-agent
+ branches: "true"
+ name: my-app-vault-agent
+data:
+ config.hcl: |
+ vault {
+ // This is needed until https://github.com/hashicorp/vault/issues/7889
+ // gets fixed, otherwise it is automated by the webhook.
+ ca_cert = "/vault/tls/ca.crt"
+ }
+ auto_auth {
+ method "kubernetes" {
+ mount_path = "auth/kubernetes"
+ config = {
+ role = "default"
+ }
+ }
+ sink "file" {
+ config = {
+ path = "/vault/.vault-token"
+ }
+ }
+ }
+ template {
+ contents = <