diff --git a/api/v1beta1/auth_config_conversion.go b/api/v1beta1/auth_config_conversion.go index b5fd2088..1d9168ec 100644 --- a/api/v1beta1/auth_config_conversion.go +++ b/api/v1beta1/auth_config_conversion.go @@ -4,6 +4,7 @@ import ( "encoding/json" "github.com/kuadrant/authorino/api/v1beta2" "github.com/kuadrant/authorino/pkg/utils" + "github.com/tidwall/gjson" k8sruntime "k8s.io/apimachinery/pkg/runtime" ctrl "sigs.k8s.io/controller-runtime" "sigs.k8s.io/controller-runtime/pkg/conversion" 
@@ -127,6 +128,72 @@ func (dst *AuthConfig) ConvertFrom(srcRaw conversion.Hub) error { // hosts dst.Spec.Hosts = src.Spec.Hosts + // named patterns + if src.Spec.NamedPatterns != nil { + dst.Spec.Patterns = make(map[string]JSONPatternExpressions, len(src.Spec.NamedPatterns)) + for name, patterns := range src.Spec.NamedPatterns { + dst.Spec.Patterns[name] = utils.Map(patterns, convertPatternExpressionFrom) + } + } + + // conditions + dst.Spec.Conditions = utils.Map(src.Spec.Conditions, convertPatternExpressionOrRefFrom) + + // identity + for name, authentication := range src.Spec.Authentication { + identity := convertAuthenticationFrom(name, authentication) + dst.Spec.Identity = append(dst.Spec.Identity, identity) + } + + // metadata + for name, metadataSrc := range src.Spec.Metadata { + metadata := convertMetadataFrom(name, metadataSrc) + dst.Spec.Metadata = append(dst.Spec.Metadata, metadata) + } + + // authorization + for name, authorizationSrc := range src.Spec.Authorization { + authorization := convertAuthorizationFrom(name, authorizationSrc) + dst.Spec.Authorization = append(dst.Spec.Authorization, authorization) + } + + // response + if src.Spec.Response != nil { + for name, responseSrc := range src.Spec.Response.Success.Headers { + response := convertSuccessResponseFrom(name, responseSrc.SuccessResponseSpec, "httpHeader") + dst.Spec.Response = append(dst.Spec.Response, response) + } + + for name, responseSrc := range src.Spec.Response.Success.DynamicMetadata { + response := convertSuccessResponseFrom(name, responseSrc, "envoyDynamicMetadata") + dst.Spec.Response = append(dst.Spec.Response, response) + } + + // denyWith + if src.Spec.Response.Unauthenticated != nil || src.Spec.Response.Unauthorized != nil { + dst.Spec.DenyWith = &DenyWith{} + } + + if denyWithSrc := src.Spec.Response.Unauthenticated; denyWithSrc != nil { + dst.Spec.DenyWith.Unauthenticated = convertDenyWithSpecFrom(denyWithSrc) + } + + if denyWithSrc := src.Spec.Response.Unauthorized; 
denyWithSrc != nil { + dst.Spec.DenyWith.Unauthorized = convertDenyWithSpecFrom(denyWithSrc) + } + } + + // callbacks + for name, callbackSrc := range src.Spec.Callbacks { + callback := convertCallbackFrom(name, callbackSrc) + dst.Spec.Callbacks = append(dst.Spec.Callbacks, callback) + } + + // status + dst.Status = convertStatusFrom(src.Status) + + logger.V(1).Info("finished converting resource", "dst", dst) + return nil } @@ -138,6 +205,14 @@ func convertPatternExpressionTo(src JSONPatternExpression) v1beta2.PatternExpres } } +func convertPatternExpressionFrom(src v1beta2.PatternExpression) JSONPatternExpression { + return JSONPatternExpression{ + Selector: src.Selector, + Operator: JSONPatternOperator(src.Operator), + Value: src.Value, + } +} + func convertPatternExpressionOrRefTo(src JSONPattern) v1beta2.PatternExpressionOrRef { pattern := v1beta2.PatternExpressionOrRef{ PatternExpression: convertPatternExpressionTo(src.JSONPatternExpression), 
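Review bot: The identity, metadata, authorization, response and callbacks loops in this hunk range over maps and append to slices, so the order of `dst.Spec.Identity` and the other list-shaped v1beta1 fields changes from one conversion call to the next. Conversion webhooks are expected to be deterministic; an order that varies per call can surface as spurious diffs for clients that compare the v1beta1 view, and the same applies to `convertNamedValuesOrSelectorsFrom` in the later `@@ -298` hunk. Iterating over the sorted key set fixes this without changing the converted content; a small generic helper (importing `sort`) keeps each loop readable, as sketched below for the identity loop. The `ConvertFrom` method begins before this hunk.
```go
// sortedKeys returns the keys of m in ascending order so that the
// list-shaped v1beta1 fields are built in a deterministic order.
func sortedKeys[V any](m map[string]V) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

	// … unchanged: hosts, named patterns, conditions …

	// identity
	for _, name := range sortedKeys(src.Spec.Authentication) {
		identity := convertAuthenticationFrom(name, src.Spec.Authentication[name])
		dst.Spec.Identity = append(dst.Spec.Identity, identity)
	}

	// … unchanged: the metadata, authorization, response and callbacks loops take the same shape …
```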
@@ -160,6 +235,28 @@ func convertPatternExpressionOrRefTo(src JSONPattern) v1beta2.PatternExpressionO return pattern } +func convertPatternExpressionOrRefFrom(src v1beta2.PatternExpressionOrRef) JSONPattern { + pattern := JSONPattern{ + JSONPatternExpression: convertPatternExpressionFrom(src.PatternExpression), + JSONPatternRef: JSONPatternRef{ + JSONPatternName: src.PatternRef.Name, + }, + } + if len(src.All) > 0 { + pattern.All = make([]UnstructuredJSONPattern, len(src.All)) + for i, p := range src.All { + pattern.All[i] = UnstructuredJSONPattern{JSONPattern: convertPatternExpressionOrRefFrom(p.PatternExpressionOrRef)} + } + } + if len(src.Any) > 0 { + pattern.Any = make([]UnstructuredJSONPattern, len(src.Any)) + for i, p := range src.Any { + pattern.Any[i] = UnstructuredJSONPattern{JSONPattern: convertPatternExpressionOrRefFrom(p.PatternExpressionOrRef)} + } + } + return pattern +} + func convertAuthenticationTo(src *Identity) (string, v1beta2.AuthenticationSpec) { authentication := v1beta2.AuthenticationSpec{ CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{ 
@@ -233,6 +330,71 @@ func convertAuthenticationTo(src *Identity) (string, v1beta2.AuthenticationSpec) return src.Name, authentication } +func convertAuthenticationFrom(name string, src v1beta2.AuthenticationSpec) *Identity { + extendedProperties := utils.Map(convertNamedValuesOrSelectorsFrom(v1beta2.NamedValuesOrSelectors(src.Overrides)), func(jsonProperty JsonProperty) ExtendedProperty { + return ExtendedProperty{ + JsonProperty: jsonProperty, + Overwrite: true, + } + }) + extendedProperties = append(extendedProperties, utils.Map(convertNamedValuesOrSelectorsFrom(v1beta2.NamedValuesOrSelectors(src.Defaults)), func(jsonProperty JsonProperty) ExtendedProperty { + return ExtendedProperty{ + JsonProperty: jsonProperty, + Overwrite: false, + } + })...) + + identity := &Identity{ + Name: name, + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), + Cache: convertEvaluatorCachingFrom(src.Cache), + Credentials: convertCredentialsFrom(src.Credentials), + ExtendedProperties: extendedProperties, + } + + switch src.GetMethod() { + case v1beta2.ApiKeyAuthentication: + selector := *src.ApiKey.Selector + identity.APIKey = &Identity_APIKey{ + Selector: &selector, + AllNamespaces: src.ApiKey.AllNamespaces, + } + case v1beta2.JwtAuthentication: + identity.Oidc = &Identity_OidcConfig{ + Endpoint: src.Jwt.IssuerUrl, + TTL: src.Jwt.TTL, + } + case v1beta2.OAuth2TokenIntrospectionAuthentication: + credentials := *src.OAuth2TokenIntrospection.Credentials + identity.OAuth2 = &Identity_OAuth2Config{ + TokenIntrospectionUrl: src.OAuth2TokenIntrospection.Url, + TokenTypeHint: src.OAuth2TokenIntrospection.TokenTypeHint, + Credentials: &credentials, + } + case v1beta2.KubernetesTokenReviewAuthentication: + identity.KubernetesAuth = &Identity_KubernetesAuth{ + Audiences: src.KubernetesTokenReview.Audiences, + } + case v1beta2.X509ClientCertificateAuthentication: + selector := *src.X509ClientCertificate.Selector + 
identity.MTLS = &Identity_MTLS{ + Selector: &selector, + AllNamespaces: src.X509ClientCertificate.AllNamespaces, + } + case v1beta2.PlainIdentityAuthentication: + selector := Identity_Plain(ValueFrom{ + AuthJSON: src.Plain.Selector, + }) + identity.Plain = &selector + case v1beta2.AnonymousAccessAuthentication: + identity.Anonymous = &Identity_Anonymous{} + } + + return identity +} + func convertEvaluatorCachingTo(src *EvaluatorCaching) *v1beta2.EvaluatorCaching { if src == nil { return nil @@ -243,6 +405,16 @@ func convertEvaluatorCachingTo(src *EvaluatorCaching) *v1beta2.EvaluatorCaching } } +func convertEvaluatorCachingFrom(src *v1beta2.EvaluatorCaching) *EvaluatorCaching { + if src == nil { + return nil + } + return &EvaluatorCaching{ + Key: convertValueOrSelectorFrom(src.Key), + TTL: src.TTL, + } +} + func convertValueOrSelectorTo(src StaticOrDynamicValue) v1beta2.ValueOrSelector { value := k8sruntime.RawExtension{} if src.ValueFrom.AuthJSON == "" { @@ -257,6 +429,13 @@ func convertValueOrSelectorTo(src StaticOrDynamicValue) v1beta2.ValueOrSelector } } +func convertValueOrSelectorFrom(src v1beta2.ValueOrSelector) StaticOrDynamicValue { + return StaticOrDynamicValue{ + Value: gjson.ParseBytes(src.Value.Raw).String(), + ValueFrom: convertSelectorFrom(src), + } +} + func convertCredentialsTo(src Credentials) v1beta2.Credentials { credentials := v1beta2.Credentials{} switch src.In { 
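Review bot: `selector := *src.ApiKey.Selector`, `credentials := *src.OAuth2TokenIntrospection.Credentials` and `selector := *src.X509ClientCertificate.Selector` dereference pointers that `GetMethod()` does not vouch for, so a v1beta2 object whose method block is present but whose selector or credentials field is absent panics the conversion handler for that request instead of yielding an error or an empty field; `credentials := *src.Uma.Credentials` in the later `convertMetadataFrom` hunk has the same shape. Unless the CRD schema marks these fields required (not visible here), guard the copy, e.g. `identity.APIKey = &Identity_APIKey{AllNamespaces: src.ApiKey.AllNamespaces}` followed by `if s := src.ApiKey.Selector; s != nil { selector := *s; identity.APIKey.Selector = &selector }`. Note also that the struct copy is shallow, so a label selector's maps and slices still alias `src`; if these types carry generated `DeepCopy` methods, `Selector: src.ApiKey.Selector.DeepCopy()` is both nil-safe and a true copy.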
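Review bot: `gjson.ParseBytes(src.Value.Raw).String()` in `convertValueOrSelectorFrom` flattens whatever JSON value `Value.Raw` holds into its text form, so an object, array, number or boolean arrives in v1beta1 as a plain string, while the reverse direction (`convertValueOrSelectorTo`, whose context lines just above build a `RawExtension` from `src.Value`; the deleted v1beta2 copy of the same logic uses `json.Marshal(src.Value)`) re-encodes that string as a JSON string rather than the original value. v1beta2 → v1beta1 → v1beta2 is therefore lossy for non-string static values, which matters for a conversion webhook that is expected to round-trip. If that is an accepted limitation of the v1beta1 `string` field, it deserves a comment on the function, e.g. `// Non-string JSON values are flattened to their textual form; the reverse conversion re-encodes them as JSON strings, so the round trip is lossy for objects, arrays, numbers and booleans.`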
@@ -280,6 +459,28 @@ func convertCredentialsTo(src Credentials) v1beta2.Credentials { return credentials } +func convertCredentialsFrom(src v1beta2.Credentials) Credentials { + var in, key string + switch src.GetType() { + case v1beta2.AuthorizationHeaderCredentials: + in = "authorization_header" + key = src.AuthorizationHeader.Prefix + case v1beta2.CustomHeaderCredentials: + in = "custom_header" + key = src.CustomHeader.Name + case v1beta2.QueryStringCredentials: + in = "query" + key = src.QueryString.Name + case v1beta2.CookieCredentials: + in = "cookie" + key = src.Cookie.Name + } + return Credentials{ + In: Credentials_In(in), + KeySelector: key, + } +} + func convertNamedValuesOrSelectorsTo(src []JsonProperty) v1beta2.NamedValuesOrSelectors { if src == nil { return nil @@ -298,6 +499,27 @@ func convertNamedValuesOrSelectorsTo(src []JsonProperty) v1beta2.NamedValuesOrSe return namedValuesOrSelectors } +func convertNamedValuesOrSelectorsFrom(src v1beta2.NamedValuesOrSelectors) []JsonProperty { + if src == nil { + return nil + } + jsonProperties := make([]JsonProperty, 0, len(src)) + for name, valueOrSelector := range src { + jsonProperties = append(jsonProperties, JsonProperty{ + Name: name, + Value: valueOrSelector.Value, + ValueFrom: convertSelectorFrom(valueOrSelector), + }) + } + return jsonProperties +} + +func convertSelectorFrom(src v1beta2.ValueOrSelector) ValueFrom { + return ValueFrom{ + AuthJSON: src.Selector, + } +} + func convertMetadataTo(src *Metadata) (string, v1beta2.MetadataSpec) { metadata := v1beta2.MetadataSpec{ CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{ 
@@ -326,6 +548,33 @@ func convertMetadataTo(src *Metadata) (string, v1beta2.MetadataSpec) { return src.Name, metadata } +func convertMetadataFrom(name string, src v1beta2.MetadataSpec) *Metadata { + metadata := &Metadata{ + Name: name, + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), + Cache: convertEvaluatorCachingFrom(src.Cache), + } + + switch src.GetMethod() { + case v1beta2.HttpMetadata: + metadata.GenericHTTP = convertHttpEndpointSpecFrom(src.Http) + case v1beta2.UserInfoMetadata: + metadata.UserInfo = &Metadata_UserInfo{ + IdentitySource: src.UserInfo.IdentitySource, + } + case v1beta2.UmaResourceMetadata: + credentials := *src.Uma.Credentials + metadata.UMA = &Metadata_UMA{ + Endpoint: src.Uma.Endpoint, + Credentials: &credentials, + } + } + + return metadata +} + func convertHttpEndpointSpecTo(src *Metadata_GenericHTTP) *v1beta2.HttpEndpointSpec { if src == nil { return nil @@ -343,6 +592,23 @@ func convertHttpEndpointSpecTo(src *Metadata_GenericHTTP) *v1beta2.HttpEndpointS } } +func convertHttpEndpointSpecFrom(src *v1beta2.HttpEndpointSpec) *Metadata_GenericHTTP { + if src == nil { + return nil + } + return &Metadata_GenericHTTP{ + Endpoint: src.Url, + Method: convertMethodFrom(src.Method), + Body: convertPtrValueOrSelectorFrom(src.Body), + Parameters: convertNamedValuesOrSelectorsFrom(src.Parameters), + ContentType: convertContentTypeFrom(src.ContentType), + Headers: convertNamedValuesOrSelectorsFrom(src.Headers), + SharedSecret: convertSecretKeyReferenceFrom(src.SharedSecret), + OAuth2: convertOAuth2ClientAuthenticationFrom(src.OAuth2), + Credentials: convertCredentialsFrom(src.Credentials), + } +} + func convertMethodTo(src *GenericHTTP_Method) *v1beta2.HttpMethod { if src == nil { return nil 
@@ -351,6 +617,14 @@ func convertMethodTo(src *GenericHTTP_Method) *v1beta2.HttpMethod { return &method } +func convertMethodFrom(src *v1beta2.HttpMethod) *GenericHTTP_Method { + if src == nil { + return nil + } + method := GenericHTTP_Method(*src) + return &method +} + func convertPtrValueOrSelectorTo(src *StaticOrDynamicValue) *v1beta2.ValueOrSelector { if src == nil { return nil @@ -359,10 +633,22 @@ func convertPtrValueOrSelectorTo(src *StaticOrDynamicValue) *v1beta2.ValueOrSele return &v } +func convertPtrValueOrSelectorFrom(src *v1beta2.ValueOrSelector) *StaticOrDynamicValue { + if src == nil { + return nil + } + v := convertValueOrSelectorFrom(*src) + return &v +} + func convertContentTypeTo(src Metadata_GenericHTTP_ContentType) v1beta2.HttpContentType { return v1beta2.HttpContentType(src) } +func convertContentTypeFrom(src v1beta2.HttpContentType) Metadata_GenericHTTP_ContentType { + return Metadata_GenericHTTP_ContentType(src) +} + func convertSecretKeyReferenceTo(src *SecretKeyReference) *v1beta2.SecretKeyReference { if src == nil { return nil @@ -373,6 +659,16 @@ func convertSecretKeyReferenceTo(src *SecretKeyReference) *v1beta2.SecretKeyRefe } } +func convertSecretKeyReferenceFrom(src *v1beta2.SecretKeyReference) *SecretKeyReference { + if src == nil { + return nil + } + return &SecretKeyReference{ + Name: src.Name, + Key: src.Key, + } +} + func convertOAuth2ClientAuthenticationTo(src *OAuth2ClientAuthentication) *v1beta2.OAuth2ClientAuthentication { if src == nil { return nil 
@@ -391,6 +687,24 @@ func convertOAuth2ClientAuthenticationTo(src *OAuth2ClientAuthentication) *v1bet return o } +func convertOAuth2ClientAuthenticationFrom(src *v1beta2.OAuth2ClientAuthentication) *OAuth2ClientAuthentication { + if src == nil { + return nil + } + o := &OAuth2ClientAuthentication{ + TokenUrl: src.TokenUrl, + ClientId: src.ClientId, + ClientSecret: *convertSecretKeyReferenceFrom(&src.ClientSecret), + Scopes: src.Scopes, + ExtraParams: src.ExtraParams, + } + if src.Cache != nil { + cache := *src.Cache + o.Cache = &cache + } + return o +} + func convertAuthorizationTo(src *Authorization) (string, v1beta2.AuthorizationSpec) { authorization := v1beta2.AuthorizationSpec{ CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{ 
@@ -432,6 +746,48 @@ func convertAuthorizationTo(src *Authorization) (string, v1beta2.AuthorizationSp return src.Name, authorization } +func convertAuthorizationFrom(name string, src v1beta2.AuthorizationSpec) *Authorization { + authorization := &Authorization{ + Name: name, + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), + Cache: convertEvaluatorCachingFrom(src.Cache), + } + + switch src.GetMethod() { + case v1beta2.PatternMatchingAuthorization: + authorization.JSON = &Authorization_JSONPatternMatching{ + Rules: utils.Map(src.PatternMatching.Patterns, convertPatternExpressionOrRefFrom), + } + case v1beta2.OpaAuthorization: + authorization.OPA = &Authorization_OPA{ + InlineRego: src.Opa.Rego, + ExternalRegistry: convertOpaExternalRegistryFrom(src.Opa.External), + AllValues: src.Opa.AllValues, + } + case v1beta2.KubernetesSubjectAccessReviewAuthorization: + authorization.KubernetesAuthz = &Authorization_KubernetesAuthz{ + Groups: src.KubernetesSubjectAccessReview.Groups, + ResourceAttributes: convertKubernetesSubjectAccessReviewResourceAttributesFrom(src.KubernetesSubjectAccessReview.ResourceAttributes), + } + if src.KubernetesSubjectAccessReview.User != nil { + authorization.KubernetesAuthz.User = convertValueOrSelectorFrom(*src.KubernetesSubjectAccessReview.User) + } + case v1beta2.SpiceDBAuthorization: + authorization.Authzed = &Authorization_Authzed{ + Endpoint: src.SpiceDB.Endpoint, + Insecure: src.SpiceDB.Insecure, + SharedSecret: convertSecretKeyReferenceFrom(src.SpiceDB.SharedSecret), + Subject: spiceDBObjectFrom(src.SpiceDB.Subject), + Resource: spiceDBObjectFrom(src.SpiceDB.Resource), + Permission: convertValueOrSelectorFrom(src.SpiceDB.Permission), + } + } + + return authorization +} + func convertOpaExternalRegistryTo(src ExternalRegistry) *v1beta2.ExternalOpaPolicy { if src.Endpoint == "" { return nil 
@@ -446,6 +802,18 @@ func convertOpaExternalRegistryTo(src ExternalRegistry) *v1beta2.ExternalOpaPoli } } +func convertOpaExternalRegistryFrom(src *v1beta2.ExternalOpaPolicy) ExternalRegistry { + if src == nil { + return ExternalRegistry{} + } + return ExternalRegistry{ + Endpoint: src.Url, + SharedSecret: convertSecretKeyReferenceFrom(src.SharedSecret), + Credentials: convertCredentialsFrom(src.Credentials), + TTL: src.TTL, + } +} + func convertKubernetesSubjectAccessReviewResourceAttributesTo(src *Authorization_KubernetesAuthz_ResourceAttributes) *v1beta2.KubernetesSubjectAccessReviewResourceAttributesSpec { if src == nil { return nil @@ -460,6 +828,20 @@ func convertKubernetesSubjectAccessReviewResourceAttributesTo(src *Authorization } } +func convertKubernetesSubjectAccessReviewResourceAttributesFrom(src *v1beta2.KubernetesSubjectAccessReviewResourceAttributesSpec) *Authorization_KubernetesAuthz_ResourceAttributes { + if src == nil { + return nil + } + return &Authorization_KubernetesAuthz_ResourceAttributes{ + Namespace: convertValueOrSelectorFrom(src.Namespace), + Group: convertValueOrSelectorFrom(src.Group), + Resource: convertValueOrSelectorFrom(src.Resource), + Name: convertValueOrSelectorFrom(src.Name), + SubResource: convertValueOrSelectorFrom(src.SubResource), + Verb: convertValueOrSelectorFrom(src.Verb), + } +} + func spiceDBObjectTo(src *AuthzedObject) *v1beta2.SpiceDBObject { if src == nil { return nil @@ -470,6 +852,16 @@ func spiceDBObjectTo(src *AuthzedObject) *v1beta2.SpiceDBObject { } } +func spiceDBObjectFrom(src *v1beta2.SpiceDBObject) *AuthzedObject { + if src == nil { + return nil + } + return &AuthzedObject{ + Kind: convertValueOrSelectorFrom(src.Kind), + Name: convertValueOrSelectorFrom(src.Name), + } +} + func convertDenyWithSpecTo(src *DenyWithSpec) *v1beta2.DenyWithSpec { if src == nil { return nil 
@@ -482,6 +874,18 @@ func convertDenyWithSpecTo(src *DenyWithSpec) *v1beta2.DenyWithSpec { } } +func convertDenyWithSpecFrom(src *v1beta2.DenyWithSpec) *DenyWithSpec { + if src == nil { + return nil + } + return &DenyWithSpec{ + Code: DenyWith_Code(src.Code), + Headers: convertNamedValuesOrSelectorsFrom(src.Headers), + Message: convertPtrValueOrSelectorFrom(src.Message), + Body: convertPtrValueOrSelectorFrom(src.Body), + } +} + func convertSuccessResponseTo(src *Response) (string, v1beta2.SuccessResponseSpec) { response := v1beta2.SuccessResponseSpec{ CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{ 
@@ -525,6 +929,49 @@ func convertSuccessResponseTo(src *Response) (string, v1beta2.SuccessResponseSpe return src.Name, response } +func convertSuccessResponseFrom(name string, src v1beta2.SuccessResponseSpec, wrapper string) *Response { + response := &Response{ + Name: name, + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), + Cache: convertEvaluatorCachingFrom(src.Cache), + Wrapper: Response_Wrapper(wrapper), + WrapperKey: src.Key, + } + + switch src.GetMethod() { + case v1beta2.PlainAuthResponse: + selector := Response_Plain(convertValueOrSelectorFrom(v1beta2.ValueOrSelector(*src.Plain))) + response.Plain = &selector + case v1beta2.JsonAuthResponse: + response.JSON = &Response_DynamicJSON{ + Properties: convertNamedValuesOrSelectorsFrom(src.Json.Properties), + } + case v1beta2.WristbandAuthResponse: + response.Wristband = &Response_Wristband{ + Issuer: src.Wristband.Issuer, + CustomClaims: convertNamedValuesOrSelectorsFrom(src.Wristband.CustomClaims), + } + if src.Wristband.TokenDuration != nil { + duration := *src.Wristband.TokenDuration + response.Wristband.TokenDuration = &duration + } + for _, keySrc := range src.Wristband.SigningKeyRefs { + if keySrc == nil { + continue + } + key := SigningKeyRef{ + Name: keySrc.Name, + Algorithm: SigningKeyAlgorithm(keySrc.Algorithm), + } + response.Wristband.SigningKeyRefs = append(response.Wristband.SigningKeyRefs, &key) + } + } + + return response +} + func convertCallbackTo(src *Callback) (string, v1beta2.CallbackSpec) { callback := v1beta2.CallbackSpec{ CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{ 
@@ -542,6 +989,22 @@ func convertCallbackTo(src *Callback) (string, v1beta2.CallbackSpec) { return src.Name, callback } +func convertCallbackFrom(name string, src v1beta2.CallbackSpec) *Callback { + callback := &Callback{ + Name: name, + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), + } + + switch src.GetMethod() { + case v1beta2.HttpCallback: + callback.HTTP = convertHttpEndpointSpecFrom(src.Http) + } + + return callback +} + func convertStatusTo(src AuthConfigStatus) v1beta2.AuthConfigStatus { return v1beta2.AuthConfigStatus{ Conditions: utils.Map(src.Conditions, func(conditionSrc Condition) v1beta2.AuthConfigStatusCondition { @@ -562,6 +1025,26 @@ func convertStatusTo(src AuthConfigStatus) v1beta2.AuthConfigStatus { } } +func convertStatusFrom(src v1beta2.AuthConfigStatus) AuthConfigStatus { + return AuthConfigStatus{ + Conditions: utils.Map(src.Conditions, func(conditionSrc v1beta2.AuthConfigStatusCondition) Condition { + condition := Condition{ + Type: ConditionType(conditionSrc.Type), + Status: conditionSrc.Status, + LastTransitionTime: conditionSrc.LastTransitionTime, + Reason: conditionSrc.Reason, + Message: conditionSrc.Message, + } + if conditionSrc.LastUpdatedTime != nil { + time := *conditionSrc.LastUpdatedTime + condition.LastUpdatedTime = &time + } + return condition + }), + Summary: convertStatusSummaryFrom(src.Summary), + } +} + func convertStatusSummaryTo(src Summary) v1beta2.AuthConfigStatusSummary { hostsReady := make([]string, len(src.HostsReady)) copy(hostsReady, src.HostsReady) 
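Review bot: In `convertStatusFrom` the local `time := *conditionSrc.LastUpdatedTime` takes the name of the standard `time` package; it compiles, but it reads like a package reference and would shadow the package inside that closure as soon as `time` is imported in this file. `lastUpdated := *conditionSrc.LastUpdatedTime` followed by `condition.LastUpdatedTime = &lastUpdated` keeps the defensive copy and avoids the shadow.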
@@ -577,3 +1060,19 @@ func convertStatusSummaryTo(src Summary) v1beta2.AuthConfigStatusSummary { FestivalWristbandEnabled: src.FestivalWristbandEnabled, } } + +func convertStatusSummaryFrom(src v1beta2.AuthConfigStatusSummary) Summary { + hostsReady := make([]string, len(src.HostsReady)) + copy(hostsReady, src.HostsReady) + + return Summary{ + Ready: src.Ready, + HostsReady: hostsReady, + NumHostsReady: src.NumHostsReady, + NumIdentitySources: src.NumIdentitySources, + NumMetadataSources: src.NumMetadataSources, + NumAuthorizationPolicies: src.NumAuthorizationPolicies, + NumResponseItems: src.NumResponseItems, + FestivalWristbandEnabled: src.FestivalWristbandEnabled, + } +} diff --git a/api/v1beta2/auth_config_conversion.go b/api/v1beta2/auth_config_conversion.go index f07163e8..a66d1434 100644 --- a/api/v1beta2/auth_config_conversion.go +++ b/api/v1beta2/auth_config_conversion.go 
@@ -2,1086 +2,3 @@ package v1beta2 // Hub marks this version as a conversion hub. func (a *AuthConfig) Hub() {} - -/** - -import ( - "encoding/json" - - "github.com/kuadrant/authorino/api/v1beta1" - "github.com/kuadrant/authorino/pkg/utils" - - "github.com/tidwall/gjson" - k8sruntime "k8s.io/apimachinery/pkg/runtime" - ctrl "sigs.k8s.io/controller-runtime" - "sigs.k8s.io/controller-runtime/pkg/conversion" -) - -func (src *AuthConfig) ConvertTo(dstRaw conversion.Hub) error { - dst := dstRaw.(*v1beta1.AuthConfig) - - logger := ctrl.Log.WithName("webhook").WithName("authconfig").WithName("converto").WithValues("src", src) - logger.V(1).Info("starting converting resource") - - // metadata - dst.ObjectMeta = src.ObjectMeta - - // hosts - dst.Spec.Hosts = src.Spec.Hosts - - // named patterns - if src.Spec.NamedPatterns != nil { - dst.Spec.Patterns = make(map[string]v1beta1.JSONPatternExpressions, len(src.Spec.NamedPatterns)) - for name, patterns := range src.Spec.NamedPatterns { - dst.Spec.Patterns[name] = utils.Map(patterns, convertPatternExpressionTo) - } - } - - // conditions - dst.Spec.Conditions = utils.Map(src.Spec.Conditions, convertPatternExpressionOrRefTo) - - // identity - for name, authentication := range src.Spec.Authentication { - identity := convertAuthenticationTo(name, authentication) - dst.Spec.Identity = append(dst.Spec.Identity, identity) - } - - // metadata - for name, metadataSrc := range src.Spec.Metadata { - metadata := convertMetadataTo(name, metadataSrc) - dst.Spec.Metadata = append(dst.Spec.Metadata, metadata) - } - - // authorization - for name, authorizationSrc := range src.Spec.Authorization { - authorization := convertAuthorizationTo(name, authorizationSrc) - dst.Spec.Authorization = append(dst.Spec.Authorization, authorization) - } - - // response - if src.Spec.Response != nil { - for name, responseSrc := range src.Spec.Response.Success.Headers { - response := convertSuccessResponseTo(name, responseSrc.SuccessResponseSpec, "httpHeader") - 
dst.Spec.Response = append(dst.Spec.Response, response) - } - - for name, responseSrc := range src.Spec.Response.Success.DynamicMetadata { - response := convertSuccessResponseTo(name, responseSrc, "envoyDynamicMetadata") - dst.Spec.Response = append(dst.Spec.Response, response) - } - - // denyWith - if src.Spec.Response.Unauthenticated != nil || src.Spec.Response.Unauthorized != nil { - dst.Spec.DenyWith = &v1beta1.DenyWith{} - } - - if denyWithSrc := src.Spec.Response.Unauthenticated; denyWithSrc != nil { - dst.Spec.DenyWith.Unauthenticated = convertDenyWithSpecTo(denyWithSrc) - } - - if denyWithSrc := src.Spec.Response.Unauthorized; denyWithSrc != nil { - dst.Spec.DenyWith.Unauthorized = convertDenyWithSpecTo(denyWithSrc) - } - } - - // callbacks - for name, callbackSrc := range src.Spec.Callbacks { - callback := convertCallbackTo(name, callbackSrc) - dst.Spec.Callbacks = append(dst.Spec.Callbacks, callback) - } - - // status - dst.Status = convertStatusTo(src.Status) - - logger.V(1).Info("finished converting resource", "dst", dst) - - return nil -} - -func (dst *AuthConfig) ConvertFrom(srcRaw conversion.Hub) error { - src := srcRaw.(*v1beta1.AuthConfig) - - logger := ctrl.Log.WithName("webhook").WithName("authconfig").WithName("converfrom").WithValues("src", src) - logger.V(1).Info("starting converting resource") - - // metadata - dst.ObjectMeta = src.ObjectMeta - - // hosts - dst.Spec.Hosts = src.Spec.Hosts - - // named patterns - if src.Spec.Patterns != nil { - dst.Spec.NamedPatterns = make(map[string]PatternExpressions, len(src.Spec.Patterns)) - for name, patterns := range src.Spec.Patterns { - dst.Spec.NamedPatterns[name] = utils.Map(patterns, convertPatternExpressionFrom) - } - } - - // conditions - dst.Spec.Conditions = utils.Map(src.Spec.Conditions, convertPatternExpressionOrRefFrom) - - // authentication - if src.Spec.Identity != nil { - dst.Spec.Authentication = make(map[string]AuthenticationSpec, len(src.Spec.Identity)) - for _, identity := range 
src.Spec.Identity { - name, authentication := convertAuthenticationFrom(identity) - dst.Spec.Authentication[name] = authentication - } - } - - // metadata - if src.Spec.Metadata != nil { - dst.Spec.Metadata = make(map[string]MetadataSpec, len(src.Spec.Metadata)) - for _, metadataSrc := range src.Spec.Metadata { - name, metadata := convertMetadataFrom(metadataSrc) - dst.Spec.Metadata[name] = metadata - } - } - - // authorization - if src.Spec.Authorization != nil { - dst.Spec.Authorization = make(map[string]AuthorizationSpec, len(src.Spec.Authorization)) - for _, authorizationSrc := range src.Spec.Authorization { - name, authorization := convertAuthorizationFrom(authorizationSrc) - dst.Spec.Authorization[name] = authorization - } - } - - // response - denyWith := src.Spec.DenyWith - - if denyWith != nil || len(src.Spec.Response) > 0 { - dst.Spec.Response = &ResponseSpec{} - } - - if denyWith != nil && denyWith.Unauthenticated != nil { - dst.Spec.Response.Unauthenticated = convertDenyWithSpecFrom(denyWith.Unauthenticated) - } - - if denyWith != nil && denyWith.Unauthorized != nil { - dst.Spec.Response.Unauthorized = convertDenyWithSpecFrom(denyWith.Unauthorized) - } - - for _, responseSrc := range src.Spec.Response { - if responseSrc.Wrapper != "httpHeader" && responseSrc.Wrapper != "" { - continue - } - if dst.Spec.Response.Success.Headers == nil { - dst.Spec.Response.Success.Headers = make(map[string]HeaderSuccessResponseSpec) - } - name, response := convertSuccessResponseFrom(responseSrc) - dst.Spec.Response.Success.Headers[name] = HeaderSuccessResponseSpec{ - SuccessResponseSpec: response, - } - } - - for _, responseSrc := range src.Spec.Response { - if responseSrc.Wrapper != "envoyDynamicMetadata" { - continue - } - if dst.Spec.Response.Success.DynamicMetadata == nil { - dst.Spec.Response.Success.DynamicMetadata = make(map[string]SuccessResponseSpec) - } - name, response := convertSuccessResponseFrom(responseSrc) - dst.Spec.Response.Success.DynamicMetadata[name] 
= response
- }
-
- // callbacks
- if src.Spec.Callbacks != nil {
- dst.Spec.Callbacks = make(map[string]CallbackSpec, len(src.Spec.Callbacks))
- for _, callbackSrc := range src.Spec.Callbacks {
- name, callback := convertCallbackFrom(callbackSrc)
- dst.Spec.Callbacks[name] = callback
- }
- }
-
- // status
- dst.Status = convertStatusFrom(src.Status)
-
- logger.V(1).Info("finished converting resource", "dst", dst)
-
- return nil
-}
-
-func convertPatternExpressionTo(src PatternExpression) v1beta1.JSONPatternExpression {
- return v1beta1.JSONPatternExpression{
- Selector: src.Selector,
- Operator: v1beta1.JSONPatternOperator(src.Operator),
- Value: src.Value,
- }
-}
-
-func convertPatternExpressionFrom(src v1beta1.JSONPatternExpression) PatternExpression {
- return PatternExpression{
- Selector: src.Selector,
- Operator: PatternExpressionOperator(src.Operator),
- Value: src.Value,
- }
-}
-
-func convertPatternExpressionOrRefTo(src PatternExpressionOrRef) v1beta1.JSONPattern {
- pattern := v1beta1.JSONPattern{
- JSONPatternExpression: convertPatternExpressionTo(src.PatternExpression),
- JSONPatternRef: v1beta1.JSONPatternRef{
- JSONPatternName: src.PatternRef.Name,
- },
- }
- if len(src.All) > 0 {
- pattern.All = make([]v1beta1.UnstructuredJSONPattern, len(src.All))
- for i, p := range src.All {
- pattern.All[i] = v1beta1.UnstructuredJSONPattern{JSONPattern: convertPatternExpressionOrRefTo(p.PatternExpressionOrRef)}
- }
- }
- if len(src.Any) > 0 {
- pattern.Any = make([]v1beta1.UnstructuredJSONPattern, len(src.Any))
- for i, p := range src.Any {
- pattern.Any[i] = v1beta1.UnstructuredJSONPattern{JSONPattern: convertPatternExpressionOrRefTo(p.PatternExpressionOrRef)}
- }
- }
- return pattern
-}
-
-func convertPatternExpressionOrRefFrom(src v1beta1.JSONPattern) PatternExpressionOrRef {
- pattern := PatternExpressionOrRef{
- PatternExpression: convertPatternExpressionFrom(src.JSONPatternExpression),
- PatternRef: PatternRef{
- Name: src.JSONPatternRef.JSONPatternName,
- },
- }
- if len(src.All) > 0 {
- pattern.All = make([]UnstructuredPatternExpressionOrRef, len(src.All))
- for i, p := range src.All {
- pattern.All[i] = UnstructuredPatternExpressionOrRef{convertPatternExpressionOrRefFrom(p.JSONPattern)}
- }
- }
- if len(src.Any) > 0 {
- pattern.Any = make([]UnstructuredPatternExpressionOrRef, len(src.Any))
- for i, p := range src.Any {
- pattern.Any[i] = UnstructuredPatternExpressionOrRef{convertPatternExpressionOrRefFrom(p.JSONPattern)}
- }
- }
- return pattern
-}
-
-func convertEvaluatorCachingTo(src *EvaluatorCaching) *v1beta1.EvaluatorCaching {
- if src == nil {
- return nil
- }
- return &v1beta1.EvaluatorCaching{
- Key: convertValueOrSelectorTo(src.Key),
- TTL: src.TTL,
- }
-}
-
-func convertEvaluatorCachingFrom(src *v1beta1.EvaluatorCaching) *EvaluatorCaching {
- if src == nil {
- return nil
- }
- return &EvaluatorCaching{
- Key: convertValueOrSelectorFrom(src.Key),
- TTL: src.TTL,
- }
-}
-
-func convertValueOrSelectorTo(src ValueOrSelector) v1beta1.StaticOrDynamicValue {
- return v1beta1.StaticOrDynamicValue{
- Value: gjson.ParseBytes(src.Value.Raw).String(),
- ValueFrom: convertSelectorTo(src),
- }
-}
-
-func convertValueOrSelectorFrom(src v1beta1.StaticOrDynamicValue) ValueOrSelector {
- value := k8sruntime.RawExtension{}
- if src.ValueFrom.AuthJSON == "" {
- jsonString, err := json.Marshal(src.Value)
- if err == nil {
- value.Raw = jsonString
- }
- }
- return ValueOrSelector{
- Value: value,
- Selector: src.ValueFrom.AuthJSON,
- }
-}
-
-func convertPtrValueOrSelectorTo(src *ValueOrSelector) *v1beta1.StaticOrDynamicValue {
- if src == nil {
- return nil
- }
- v := convertValueOrSelectorTo(*src)
- return &v
-}
-
-func convertPtrValueOrSelectorFrom(src *v1beta1.StaticOrDynamicValue) *ValueOrSelector {
- if src == nil {
- return nil
- }
- v := convertValueOrSelectorFrom(*src)
- return &v
-}
-
-func convertNamedValuesOrSelectorsTo(src NamedValuesOrSelectors) []v1beta1.JsonProperty {
- if src == nil {
- return nil
- }
- jsonProperties := make([]v1beta1.JsonProperty, 0, len(src))
- for name, valueOrSelector := range src {
- jsonProperties = append(jsonProperties, v1beta1.JsonProperty{
- Name: name,
- Value: valueOrSelector.Value,
- ValueFrom: convertSelectorTo(valueOrSelector),
- })
- }
- return jsonProperties
-}
-
-func convertNamedValuesOrSelectorsFrom(src []v1beta1.JsonProperty) NamedValuesOrSelectors {
- if src == nil {
- return nil
- }
- namedValuesOrSelectors := NamedValuesOrSelectors{}
- for _, jsonProperty := range src {
- value := k8sruntime.RawExtension{}
- if jsonProperty.ValueFrom.AuthJSON == "" {
- value.Raw = jsonProperty.Value.Raw
- }
- namedValuesOrSelectors[jsonProperty.Name] = ValueOrSelector{
- Value: value,
- Selector: jsonProperty.ValueFrom.AuthJSON,
- }
- }
- return namedValuesOrSelectors
-}
-
-func convertSelectorTo(src ValueOrSelector) v1beta1.ValueFrom {
- return v1beta1.ValueFrom{
- AuthJSON: src.Selector,
- }
-}
-
-func convertCredentialsTo(src Credentials) v1beta1.Credentials {
- var in, key string
- switch src.GetType() {
- case AuthorizationHeaderCredentials:
- in = "authorization_header"
- key = src.AuthorizationHeader.Prefix
- case CustomHeaderCredentials:
- in = "custom_header"
- key = src.CustomHeader.Name
- case QueryStringCredentials:
- in = "query"
- key = src.QueryString.Name
- case CookieCredentials:
- in = "cookie"
- key = src.Cookie.Name
- }
- return v1beta1.Credentials{
- In: v1beta1.Credentials_In(in),
- KeySelector: key,
- }
-}
-
-func convertCredentialsFrom(src v1beta1.Credentials) Credentials {
- credentials := Credentials{}
- switch src.In {
- case "authorization_header":
- credentials.AuthorizationHeader = &Prefixed{
- Prefix: src.KeySelector,
- }
- case "custom_header":
- credentials.CustomHeader = &CustomHeader{
- Named: Named{Name: src.KeySelector},
- }
- case "query":
- credentials.QueryString = &Named{
- Name: src.KeySelector,
- }
- case "cookie":
- credentials.Cookie = &Named{
- Name: src.KeySelector,
- }
- }
- return credentials
-}
-
-func convertAuthenticationTo(name string, src AuthenticationSpec) *v1beta1.Identity {
- extendedProperties := utils.Map(convertNamedValuesOrSelectorsTo(NamedValuesOrSelectors(src.Overrides)), func(jsonProperty v1beta1.JsonProperty) v1beta1.ExtendedProperty {
- return v1beta1.ExtendedProperty{
- JsonProperty: jsonProperty,
- Overwrite: true,
- }
- })
- extendedProperties = append(extendedProperties, utils.Map(convertNamedValuesOrSelectorsTo(NamedValuesOrSelectors(src.Defaults)), func(jsonProperty v1beta1.JsonProperty) v1beta1.ExtendedProperty {
- return v1beta1.ExtendedProperty{
- JsonProperty: jsonProperty,
- Overwrite: false,
- }
- })...)
-
- identity := &v1beta1.Identity{
- Name: name,
- Priority: src.Priority,
- Metrics: src.Metrics,
- Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo),
- Cache: convertEvaluatorCachingTo(src.Cache),
- Credentials: convertCredentialsTo(src.Credentials),
- ExtendedProperties: extendedProperties,
- }
-
- switch src.GetMethod() {
- case ApiKeyAuthentication:
- selector := *src.ApiKey.Selector
- identity.APIKey = &v1beta1.Identity_APIKey{
- Selector: &selector,
- AllNamespaces: src.ApiKey.AllNamespaces,
- }
- case JwtAuthentication:
- identity.Oidc = &v1beta1.Identity_OidcConfig{
- Endpoint: src.Jwt.IssuerUrl,
- TTL: src.Jwt.TTL,
- }
- case OAuth2TokenIntrospectionAuthentication:
- credentials := *src.OAuth2TokenIntrospection.Credentials
- identity.OAuth2 = &v1beta1.Identity_OAuth2Config{
- TokenIntrospectionUrl: src.OAuth2TokenIntrospection.Url,
- TokenTypeHint: src.OAuth2TokenIntrospection.TokenTypeHint,
- Credentials: &credentials,
- }
- case KubernetesTokenReviewAuthentication:
- identity.KubernetesAuth = &v1beta1.Identity_KubernetesAuth{
- Audiences: src.KubernetesTokenReview.Audiences,
- }
- case X509ClientCertificateAuthentication:
- selector := *src.X509ClientCertificate.Selector
- identity.MTLS = &v1beta1.Identity_MTLS{
- Selector: &selector,
- AllNamespaces: src.X509ClientCertificate.AllNamespaces,
- }
- case PlainIdentityAuthentication:
- selector := v1beta1.Identity_Plain(v1beta1.ValueFrom{
- AuthJSON: src.Plain.Selector,
- })
- identity.Plain = &selector
- case AnonymousAccessAuthentication:
- identity.Anonymous = &v1beta1.Identity_Anonymous{}
- }
-
- return identity
-}
-
-func convertAuthenticationFrom(src *v1beta1.Identity) (string, AuthenticationSpec) {
- authentication := AuthenticationSpec{
- CommonEvaluatorSpec: CommonEvaluatorSpec{
- Priority: src.Priority,
- Metrics: src.Metrics,
- Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom),
- Cache: convertEvaluatorCachingFrom(src.Cache),
- },
- Credentials: convertCredentialsFrom(src.Credentials),
- }
-
- var overrides []v1beta1.JsonProperty
- for _, extendedProperty := range src.ExtendedProperties {
- if !extendedProperty.Overwrite {
- continue
- }
- overrides = append(overrides, extendedProperty.JsonProperty)
- }
- if len(overrides) > 0 {
- authentication.Overrides = ExtendedProperties(convertNamedValuesOrSelectorsFrom(overrides))
- }
-
- var defaults []v1beta1.JsonProperty
- for _, extendedProperty := range src.ExtendedProperties {
- if extendedProperty.Overwrite {
- continue
- }
- defaults = append(defaults, extendedProperty.JsonProperty)
- }
- if len(defaults) > 0 {
- authentication.Defaults = ExtendedProperties(convertNamedValuesOrSelectorsFrom(defaults))
- }
-
- switch src.GetType() {
- case v1beta1.IdentityApiKey:
- selector := *src.APIKey.Selector
- authentication.ApiKey = &ApiKeyAuthenticationSpec{
- Selector: &selector,
- AllNamespaces: src.APIKey.AllNamespaces,
- }
- case v1beta1.IdentityOidc:
- authentication.Jwt = &JwtAuthenticationSpec{
- IssuerUrl: src.Oidc.Endpoint,
- TTL: src.Oidc.TTL,
- }
- case v1beta1.IdentityOAuth2:
- credentials := *src.OAuth2.Credentials
- authentication.OAuth2TokenIntrospection = &OAuth2TokenIntrospectionSpec{
- Url: src.OAuth2.TokenIntrospectionUrl,
- TokenTypeHint: src.OAuth2.TokenTypeHint,
- Credentials: &credentials,
- }
- case v1beta1.IdentityKubernetesAuth:
- authentication.KubernetesTokenReview = &KubernetesTokenReviewSpec{
- Audiences: src.KubernetesAuth.Audiences,
- }
- case v1beta1.IdentityMTLS:
- selector := *src.MTLS.Selector
- authentication.X509ClientCertificate = &X509ClientCertificateAuthenticationSpec{
- Selector: &selector,
- AllNamespaces: src.MTLS.AllNamespaces,
- }
- case v1beta1.IdentityPlain:
- authentication.Plain = &PlainIdentitySpec{
- Selector: src.Plain.AuthJSON,
- }
- case v1beta1.IdentityAnonymous:
- authentication.AnonymousAccess = &AnonymousAccessSpec{}
- }
-
- return src.Name, authentication
-}
-
-func convertMetadataTo(name string, src MetadataSpec) *v1beta1.Metadata {
- metadata := &v1beta1.Metadata{
- Name: name,
- Priority: src.Priority,
- Metrics: src.Metrics,
- Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo),
- Cache: convertEvaluatorCachingTo(src.Cache),
- }
-
- switch src.GetMethod() {
- case HttpMetadata:
- metadata.GenericHTTP = convertHttpEndpointSpecTo(src.Http)
- case UserInfoMetadata:
- metadata.UserInfo = &v1beta1.Metadata_UserInfo{
- IdentitySource: src.UserInfo.IdentitySource,
- }
- case UmaResourceMetadata:
- credentials := *src.Uma.Credentials
- metadata.UMA = &v1beta1.Metadata_UMA{
- Endpoint: src.Uma.Endpoint,
- Credentials: &credentials,
- }
- }
-
- return metadata
-}
-
-func convertMetadataFrom(src *v1beta1.Metadata) (string, MetadataSpec) {
- metadata := MetadataSpec{
- CommonEvaluatorSpec: CommonEvaluatorSpec{
- Priority: src.Priority,
- Metrics: src.Metrics,
- Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom),
- Cache: convertEvaluatorCachingFrom(src.Cache),
- },
- }
-
- switch src.GetType() {
- case v1beta1.MetadataGenericHTTP:
- metadata.Http = convertHttpEndpointSpecFrom(src.GenericHTTP)
- case v1beta1.MetadataUserinfo:
- metadata.UserInfo = &UserInfoMetadataSpec{
- IdentitySource: src.UserInfo.IdentitySource,
- }
- case v1beta1.MetadataUma:
- credentials := *src.UMA.Credentials
- metadata.Uma = &UmaMetadataSpec{
- Endpoint: src.UMA.Endpoint,
- Credentials: &credentials,
- }
- }
-
- return src.Name, metadata
-}
-
-func convertHttpEndpointSpecTo(src *HttpEndpointSpec) *v1beta1.Metadata_GenericHTTP {
- if src == nil {
- return nil
- }
- return &v1beta1.Metadata_GenericHTTP{
- Endpoint: src.Url,
- Method: convertMethodTo(src.Method),
- Body: convertPtrValueOrSelectorTo(src.Body),
- Parameters: convertNamedValuesOrSelectorsTo(src.Parameters),
- ContentType: convertContentTypeTo(src.ContentType),
- Headers: convertNamedValuesOrSelectorsTo(src.Headers),
- SharedSecret: convertSecretKeyReferenceTo(src.SharedSecret),
- OAuth2: convertOAuth2ClientAuthenticationTo(src.OAuth2),
- Credentials: convertCredentialsTo(src.Credentials),
- }
-}
-
-func convertHttpEndpointSpecFrom(src *v1beta1.Metadata_GenericHTTP) *HttpEndpointSpec {
- if src == nil {
- return nil
- }
- return &HttpEndpointSpec{
- Url: src.Endpoint,
- Method: convertMethodFrom(src.Method),
- Body: convertPtrValueOrSelectorFrom(src.Body),
- Parameters: convertNamedValuesOrSelectorsFrom(src.Parameters),
- ContentType: convertContentTypeFrom(src.ContentType),
- Headers: convertNamedValuesOrSelectorsFrom(src.Headers),
- SharedSecret: convertSecretKeyReferenceFrom(src.SharedSecret),
- OAuth2: convertOAuth2ClientAuthenticationFrom(src.OAuth2),
- Credentials: convertCredentialsFrom(src.Credentials),
- }
-}
-
-func convertMethodTo(src *HttpMethod) *v1beta1.GenericHTTP_Method {
- if src == nil {
- return nil
- }
- method := v1beta1.GenericHTTP_Method(*src)
- return &method
-}
-
-func convertMethodFrom(src *v1beta1.GenericHTTP_Method) *HttpMethod {
- if src == nil {
- return nil
- }
- method := HttpMethod(*src)
- return &method
-}
-
-func convertContentTypeTo(src HttpContentType) v1beta1.Metadata_GenericHTTP_ContentType {
- return v1beta1.Metadata_GenericHTTP_ContentType(src)
-}
-
-func convertContentTypeFrom(src v1beta1.Metadata_GenericHTTP_ContentType) HttpContentType {
- return HttpContentType(src)
-}
-
-func convertOAuth2ClientAuthenticationTo(src *OAuth2ClientAuthentication) *v1beta1.OAuth2ClientAuthentication {
- if src == nil {
- return nil
- }
- o := &v1beta1.OAuth2ClientAuthentication{
- TokenUrl: src.TokenUrl,
- ClientId: src.ClientId,
- ClientSecret: *convertSecretKeyReferenceTo(&src.ClientSecret),
- Scopes: src.Scopes,
- ExtraParams: src.ExtraParams,
- }
- if src.Cache != nil {
- cache := *src.Cache
- o.Cache = &cache
- }
- return o
-}
-
-func convertOAuth2ClientAuthenticationFrom(src *v1beta1.OAuth2ClientAuthentication) *OAuth2ClientAuthentication {
- if src == nil {
- return nil
- }
- o := &OAuth2ClientAuthentication{
- TokenUrl: src.TokenUrl,
- ClientId: src.ClientId,
- ClientSecret: *convertSecretKeyReferenceFrom(&src.ClientSecret),
- Scopes: src.Scopes,
- ExtraParams: src.ExtraParams,
- }
- if src.Cache != nil {
- cache := *src.Cache
- o.Cache = &cache
- }
- return o
-}
-
-func convertSecretKeyReferenceTo(src *SecretKeyReference) *v1beta1.SecretKeyReference {
- if src == nil {
- return nil
- }
- return &v1beta1.SecretKeyReference{
- Name: src.Name,
- Key: src.Key,
- }
-}
-
-func convertSecretKeyReferenceFrom(src *v1beta1.SecretKeyReference) *SecretKeyReference {
- if src == nil {
- return nil
- }
- return &SecretKeyReference{
- Name: src.Name,
- Key: src.Key,
- }
-}
-
-func convertAuthorizationTo(name string, src AuthorizationSpec) *v1beta1.Authorization {
- authorization := &v1beta1.Authorization{
- Name: name,
- Priority: src.Priority,
- Metrics: src.Metrics,
- Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo),
- Cache: convertEvaluatorCachingTo(src.Cache),
- }
-
- switch src.GetMethod() {
- case PatternMatchingAuthorization:
- authorization.JSON = &v1beta1.Authorization_JSONPatternMatching{
- Rules: utils.Map(src.PatternMatching.Patterns, convertPatternExpressionOrRefTo),
- }
- case OpaAuthorization:
- authorization.OPA = &v1beta1.Authorization_OPA{
- InlineRego: src.Opa.Rego,
- ExternalRegistry: convertOpaExternalRegistryTo(src.Opa.External),
- AllValues: src.Opa.AllValues,
- }
- case KubernetesSubjectAccessReviewAuthorization:
- authorization.KubernetesAuthz = &v1beta1.Authorization_KubernetesAuthz{
- Groups: src.KubernetesSubjectAccessReview.Groups,
- ResourceAttributes: convertKubernetesSubjectAccessReviewResourceAttributesTo(src.KubernetesSubjectAccessReview.ResourceAttributes),
- }
- if src.KubernetesSubjectAccessReview.User != nil {
- authorization.KubernetesAuthz.User = convertValueOrSelectorTo(*src.KubernetesSubjectAccessReview.User)
- }
- case SpiceDBAuthorization:
- authorization.Authzed = &v1beta1.Authorization_Authzed{
- Endpoint: src.SpiceDB.Endpoint,
- Insecure: src.SpiceDB.Insecure,
- SharedSecret: convertSecretKeyReferenceTo(src.SpiceDB.SharedSecret),
- Subject: spiceDBObjectTo(src.SpiceDB.Subject),
- Resource: spiceDBObjectTo(src.SpiceDB.Resource),
- Permission: convertValueOrSelectorTo(src.SpiceDB.Permission),
- }
- }
-
- return authorization
-}
-
-func convertAuthorizationFrom(src *v1beta1.Authorization) (string, AuthorizationSpec) {
- authorization := AuthorizationSpec{
- CommonEvaluatorSpec: CommonEvaluatorSpec{
- Priority: src.Priority,
- Metrics: src.Metrics,
- Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom),
- Cache: convertEvaluatorCachingFrom(src.Cache),
- },
- }
-
- switch src.GetType() {
- case v1beta1.AuthorizationJSONPatternMatching:
- authorization.PatternMatching = &PatternMatchingAuthorizationSpec{
- Patterns: utils.Map(src.JSON.Rules, convertPatternExpressionOrRefFrom),
- }
- case v1beta1.AuthorizationOPA:
- authorization.Opa = &OpaAuthorizationSpec{
- Rego: src.OPA.InlineRego,
- External: convertOpaExternalRegistryFrom(src.OPA.ExternalRegistry),
- AllValues: src.OPA.AllValues,
- }
- case v1beta1.AuthorizationKubernetesAuthz:
- authorization.KubernetesSubjectAccessReview = &KubernetesSubjectAccessReviewAuthorizationSpec{
- User: convertPtrValueOrSelectorFrom(&src.KubernetesAuthz.User),
- Groups: src.KubernetesAuthz.Groups,
- ResourceAttributes: convertKubernetesSubjectAccessReviewResourceAttributesFrom(src.KubernetesAuthz.ResourceAttributes),
- }
- case v1beta1.AuthorizationAuthzed:
- authorization.SpiceDB = &SpiceDBAuthorizationSpec{
- Endpoint: src.Authzed.Endpoint,
- Insecure: src.Authzed.Insecure,
- SharedSecret: convertSecretKeyReferenceFrom(src.Authzed.SharedSecret),
- Subject: spiceDBObjectFrom(src.Authzed.Subject),
- Resource: spiceDBObjectFrom(src.Authzed.Resource),
- Permission: convertValueOrSelectorFrom(src.Authzed.Permission),
- }
- }
-
- return src.Name, authorization
-}
-
-func convertOpaExternalRegistryTo(src *ExternalOpaPolicy) v1beta1.ExternalRegistry {
- if src == nil {
- return v1beta1.ExternalRegistry{}
- }
- return v1beta1.ExternalRegistry{
- Endpoint: src.Url,
- SharedSecret: convertSecretKeyReferenceTo(src.SharedSecret),
- Credentials: convertCredentialsTo(src.Credentials),
- TTL: src.TTL,
- }
-}
-
-func convertOpaExternalRegistryFrom(src v1beta1.ExternalRegistry) *ExternalOpaPolicy {
- if src.Endpoint == "" {
- return nil
- }
- return &ExternalOpaPolicy{
- HttpEndpointSpec: &HttpEndpointSpec{
- Url: src.Endpoint,
- SharedSecret: convertSecretKeyReferenceFrom(src.SharedSecret),
- Credentials: convertCredentialsFrom(src.Credentials),
- },
- TTL: src.TTL,
- }
-}
-
-func convertKubernetesSubjectAccessReviewResourceAttributesTo(src *KubernetesSubjectAccessReviewResourceAttributesSpec) *v1beta1.Authorization_KubernetesAuthz_ResourceAttributes {
- if src == nil {
- return nil
- }
- return &v1beta1.Authorization_KubernetesAuthz_ResourceAttributes{
- Namespace: convertValueOrSelectorTo(src.Namespace),
- Group: convertValueOrSelectorTo(src.Group),
- Resource: convertValueOrSelectorTo(src.Resource),
- Name: convertValueOrSelectorTo(src.Name),
- SubResource: convertValueOrSelectorTo(src.SubResource),
- Verb: convertValueOrSelectorTo(src.Verb),
- }
-}
-
-func convertKubernetesSubjectAccessReviewResourceAttributesFrom(src *v1beta1.Authorization_KubernetesAuthz_ResourceAttributes) *KubernetesSubjectAccessReviewResourceAttributesSpec {
- if src == nil {
- return nil
- }
- return &KubernetesSubjectAccessReviewResourceAttributesSpec{
- Namespace: convertValueOrSelectorFrom(src.Namespace),
- Group: convertValueOrSelectorFrom(src.Group),
- Resource: convertValueOrSelectorFrom(src.Resource),
- Name: convertValueOrSelectorFrom(src.Name),
- SubResource: convertValueOrSelectorFrom(src.SubResource),
- Verb: convertValueOrSelectorFrom(src.Verb),
- }
-}
-
-func spiceDBObjectTo(src *SpiceDBObject) *v1beta1.AuthzedObject {
- if src == nil {
- return nil
- }
- return &v1beta1.AuthzedObject{
- Kind: convertValueOrSelectorTo(src.Kind),
- Name: convertValueOrSelectorTo(src.Name),
- }
-}
-
-func spiceDBObjectFrom(src *v1beta1.AuthzedObject) *SpiceDBObject {
- if src == nil {
- return nil
- }
- return &SpiceDBObject{
- Kind: convertValueOrSelectorFrom(src.Kind),
- Name: convertValueOrSelectorFrom(src.Name),
- }
-}
-
-func convertSuccessResponseTo(name string, src SuccessResponseSpec, wrapper string) *v1beta1.Response {
- response := &v1beta1.Response{
- Name: name,
- Priority: src.Priority,
- Metrics: src.Metrics,
- Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo),
- Cache: convertEvaluatorCachingTo(src.Cache),
- Wrapper: v1beta1.Response_Wrapper(wrapper),
- WrapperKey: src.Key,
- }
-
- switch src.GetMethod() {
- case PlainAuthResponse:
- selector := v1beta1.Response_Plain(convertValueOrSelectorTo(ValueOrSelector(*src.Plain)))
- response.Plain = &selector
- case JsonAuthResponse:
- response.JSON = &v1beta1.Response_DynamicJSON{
- Properties: convertNamedValuesOrSelectorsTo(src.Json.Properties),
- }
- case WristbandAuthResponse:
- response.Wristband = &v1beta1.Response_Wristband{
- Issuer: src.Wristband.Issuer,
- CustomClaims: convertNamedValuesOrSelectorsTo(src.Wristband.CustomClaims),
- }
- if src.Wristband.TokenDuration != nil {
- duration := *src.Wristband.TokenDuration
- response.Wristband.TokenDuration = &duration
- }
- for _, keySrc := range src.Wristband.SigningKeyRefs {
- if keySrc == nil {
- continue
- }
- key := v1beta1.SigningKeyRef{
- Name: keySrc.Name,
- Algorithm: v1beta1.SigningKeyAlgorithm(keySrc.Algorithm),
- }
- response.Wristband.SigningKeyRefs = append(response.Wristband.SigningKeyRefs, &key)
- }
- }
-
- return response
-}
-
-func convertSuccessResponseFrom(src *v1beta1.Response) (string, SuccessResponseSpec) {
- response := SuccessResponseSpec{
- CommonEvaluatorSpec: CommonEvaluatorSpec{
- Priority: src.Priority,
- Metrics: src.Metrics,
- Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom),
- Cache: convertEvaluatorCachingFrom(src.Cache),
- },
- Key: src.WrapperKey,
- }
-
- switch src.GetType() {
- case v1beta1.ResponsePlain:
- selector := PlainAuthResponseSpec(convertValueOrSelectorFrom(v1beta1.StaticOrDynamicValue(*src.Plain)))
- response.Plain = &selector
- case v1beta1.ResponseDynamicJSON:
- response.Json = &JsonAuthResponseSpec{
- Properties: convertNamedValuesOrSelectorsFrom(src.JSON.Properties),
- }
- case v1beta1.ResponseWristband:
- response.Wristband = &WristbandAuthResponseSpec{
- Issuer: src.Wristband.Issuer,
- CustomClaims: convertNamedValuesOrSelectorsFrom(src.Wristband.CustomClaims),
- }
- if src.Wristband.TokenDuration != nil {
- duration := *src.Wristband.TokenDuration
- response.Wristband.TokenDuration = &duration
- }
- for _, keySrc := range src.Wristband.SigningKeyRefs {
- if keySrc == nil {
- continue
- }
- key := &WristbandSigningKeyRef{
- Name: keySrc.Name,
- Algorithm: WristbandSigningKeyAlgorithm(keySrc.Algorithm),
- }
- response.Wristband.SigningKeyRefs = append(response.Wristband.SigningKeyRefs, key)
- }
- }
-
- return src.Name, response
-}
-
-func convertDenyWithSpecTo(src *DenyWithSpec) *v1beta1.DenyWithSpec {
- if src == nil {
- return nil
- }
- return &v1beta1.DenyWithSpec{
- Code: v1beta1.DenyWith_Code(src.Code),
- Headers: convertNamedValuesOrSelectorsTo(src.Headers),
- Message: convertPtrValueOrSelectorTo(src.Message),
- Body: convertPtrValueOrSelectorTo(src.Body),
- }
-}
-
-func convertDenyWithSpecFrom(src *v1beta1.DenyWithSpec) *DenyWithSpec {
- if src == nil {
- return nil
- }
- return &DenyWithSpec{
- Code: DenyWithCode(src.Code),
- Headers: convertNamedValuesOrSelectorsFrom(src.Headers),
- Message: convertPtrValueOrSelectorFrom(src.Message),
- Body: convertPtrValueOrSelectorFrom(src.Body),
- }
-}
-
-func convertCallbackTo(name string, src CallbackSpec) *v1beta1.Callback {
- callback := &v1beta1.Callback{
- Name: name,
- Priority: src.Priority,
- Metrics: src.Metrics,
- Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo),
- }
-
- switch src.GetMethod() {
- case HttpCallback:
- callback.HTTP = convertHttpEndpointSpecTo(src.Http)
- }
-
- return callback
-}
-
-func convertCallbackFrom(src *v1beta1.Callback) (string, CallbackSpec) {
- callback := CallbackSpec{
- CommonEvaluatorSpec: CommonEvaluatorSpec{
- Priority: src.Priority,
- Metrics: src.Metrics,
- Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom),
- },
- }
-
- switch src.GetType() {
- case v1beta1.CallbackHTTP:
- callback.Http = convertHttpEndpointSpecFrom(src.HTTP)
- }
-
- return src.Name, callback
-}
-
-func convertStatusTo(src AuthConfigStatus) v1beta1.AuthConfigStatus {
- return v1beta1.AuthConfigStatus{
- Conditions: utils.Map(src.Conditions, func(conditionSrc AuthConfigStatusCondition) v1beta1.Condition {
- condition := v1beta1.Condition{
- Type: v1beta1.ConditionType(conditionSrc.Type),
- Status: conditionSrc.Status,
- LastTransitionTime: conditionSrc.LastTransitionTime,
- Reason: conditionSrc.Reason,
- Message: conditionSrc.Message,
- }
- if conditionSrc.LastUpdatedTime != nil {
- time := *conditionSrc.LastUpdatedTime
- condition.LastUpdatedTime = &time
- }
- return condition
- }),
- Summary: convertStatusSummaryTo(src.Summary),
- }
-}
-
-func convertStatusFrom(src v1beta1.AuthConfigStatus) AuthConfigStatus {
- return AuthConfigStatus{
- Conditions: utils.Map(src.Conditions, func(conditionSrc v1beta1.Condition) AuthConfigStatusCondition {
- condition := AuthConfigStatusCondition{
- Type: StatusConditionType(conditionSrc.Type),
- Status: conditionSrc.Status,
- LastTransitionTime: conditionSrc.LastTransitionTime,
- Reason: conditionSrc.Reason,
- Message: conditionSrc.Message,
- }
- if conditionSrc.LastUpdatedTime != nil {
- time := *conditionSrc.LastUpdatedTime
- condition.LastUpdatedTime = &time
- }
- return condition
- }),
- Summary: convertStatusSummaryFrom(src.Summary),
- }
-}
-
-func convertStatusSummaryTo(src AuthConfigStatusSummary) v1beta1.Summary {
- hostsReady := make([]string, len(src.HostsReady))
- copy(hostsReady, src.HostsReady)
-
- return v1beta1.Summary{
- Ready: src.Ready,
- HostsReady: hostsReady,
- NumHostsReady: src.NumHostsReady,
- NumIdentitySources: src.NumIdentitySources,
- NumMetadataSources: src.NumMetadataSources,
- NumAuthorizationPolicies: src.NumAuthorizationPolicies,
- NumResponseItems: src.NumResponseItems,
- FestivalWristbandEnabled: src.FestivalWristbandEnabled,
- }
-}
-
-func convertStatusSummaryFrom(src v1beta1.Summary) AuthConfigStatusSummary {
- hostsReady := make([]string, len(src.HostsReady))
- copy(hostsReady, src.HostsReady)
-
- return AuthConfigStatusSummary{
- Ready: src.Ready,
- HostsReady: hostsReady,
- NumHostsReady: src.NumHostsReady,
- NumIdentitySources: src.NumIdentitySources,
- NumMetadataSources: src.NumMetadataSources,
- NumAuthorizationPolicies: src.NumAuthorizationPolicies,
- NumResponseItems: src.NumResponseItems,
- FestivalWristbandEnabled: src.FestivalWristbandEnabled,
- }
-}
-
-*/