diff --git a/api/v1beta1/auth_config_conversion.go b/api/v1beta1/auth_config_conversion.go index 6b810a0f..f60ec485 100644 --- a/api/v1beta1/auth_config_conversion.go +++ b/api/v1beta1/auth_config_conversion.go 
@@ -1,4 +1,1079 @@ package v1beta1 -// Hub marks this version as a conversion hub. -func (a *AuthConfig) Hub() {} +import ( + "encoding/json" + + "github.com/kuadrant/authorino/api/v1beta2" + "github.com/kuadrant/authorino/pkg/utils" + "github.com/tidwall/gjson" + k8sruntime "k8s.io/apimachinery/pkg/runtime" + ctrl "sigs.k8s.io/controller-runtime" + "sigs.k8s.io/controller-runtime/pkg/conversion" +) + +func (src *AuthConfig) ConvertTo(dstRaw conversion.Hub) error { + dst := dstRaw.(*v1beta2.AuthConfig) + + logger := ctrl.Log.WithName("webhook").WithName("authconfig").WithName("converto").WithValues("src", src) + logger.V(1).Info("starting converting resource") + + // metadata + dst.ObjectMeta = src.ObjectMeta + + // hosts + dst.Spec.Hosts = src.Spec.Hosts + + // named patterns + if src.Spec.Patterns != nil { + dst.Spec.NamedPatterns = make(map[string]v1beta2.PatternExpressions, len(src.Spec.Patterns)) + for name, patterns := range src.Spec.Patterns { + dst.Spec.NamedPatterns[name] = utils.Map(patterns, convertPatternExpressionTo) + } + } + + // conditions + dst.Spec.Conditions = utils.Map(src.Spec.Conditions, convertPatternExpressionOrRefTo) + + // authentication + if src.Spec.Identity != nil { + dst.Spec.Authentication = make(map[string]v1beta2.AuthenticationSpec, len(src.Spec.Identity)) + for _, identity := range src.Spec.Identity { + name, authentication := convertAuthenticationTo(identity) + dst.Spec.Authentication[name] = authentication + } + } + + // metadata + if src.Spec.Metadata != nil { + dst.Spec.Metadata = make(map[string]v1beta2.MetadataSpec, len(src.Spec.Metadata)) + for _, metadataSrc := range src.Spec.Metadata { + name, metadata := convertMetadataTo(metadataSrc) + dst.Spec.Metadata[name] = metadata + } + } + + // authorization + if src.Spec.Authorization != nil { + dst.Spec.Authorization = make(map[string]v1beta2.AuthorizationSpec, len(src.Spec.Authorization)) + for _, authorizationSrc := range src.Spec.Authorization { + name, authorization := 
convertAuthorizationTo(authorizationSrc) + dst.Spec.Authorization[name] = authorization + } + } + + // response + denyWith := src.Spec.DenyWith + + if denyWith != nil || len(src.Spec.Response) > 0 { + dst.Spec.Response = &v1beta2.ResponseSpec{} + } + + if denyWith != nil && denyWith.Unauthenticated != nil { + dst.Spec.Response.Unauthenticated = convertDenyWithSpecTo(denyWith.Unauthenticated) + } + + if denyWith != nil && denyWith.Unauthorized != nil { + dst.Spec.Response.Unauthorized = convertDenyWithSpecTo(denyWith.Unauthorized) + } + + for _, responseSrc := range src.Spec.Response { + if responseSrc.Wrapper != "httpHeader" && responseSrc.Wrapper != "" { + continue + } + if dst.Spec.Response.Success.Headers == nil { + dst.Spec.Response.Success.Headers = make(map[string]v1beta2.HeaderSuccessResponseSpec) + } + name, response := convertSuccessResponseTo(responseSrc) + dst.Spec.Response.Success.Headers[name] = v1beta2.HeaderSuccessResponseSpec{ + SuccessResponseSpec: response, + } + } + + for _, responseSrc := range src.Spec.Response { + if responseSrc.Wrapper != "envoyDynamicMetadata" { + continue + } + if dst.Spec.Response.Success.DynamicMetadata == nil { + dst.Spec.Response.Success.DynamicMetadata = make(map[string]v1beta2.SuccessResponseSpec) + } + name, response := convertSuccessResponseTo(responseSrc) + dst.Spec.Response.Success.DynamicMetadata[name] = response + } + + // callbacks + if src.Spec.Callbacks != nil { + dst.Spec.Callbacks = make(map[string]v1beta2.CallbackSpec, len(src.Spec.Callbacks)) + for _, callbackSrc := range src.Spec.Callbacks { + name, callback := convertCallbackTo(callbackSrc) + dst.Spec.Callbacks[name] = callback + } + } + + // status + dst.Status = convertStatusTo(src.Status) + + logger.V(1).Info("finished converting resource", "dst", dst) + + return nil +} + +func (dst *AuthConfig) ConvertFrom(srcRaw conversion.Hub) error { + src := srcRaw.(*v1beta2.AuthConfig) + + logger := 
ctrl.Log.WithName("webhook").WithName("authconfig").WithName("converfrom").WithValues("src", src) + logger.V(1).Info("starting converting resource") + + // metadata + dst.ObjectMeta = src.ObjectMeta + + // hosts + dst.Spec.Hosts = src.Spec.Hosts + + // named patterns + if src.Spec.NamedPatterns != nil { + dst.Spec.Patterns = make(map[string]JSONPatternExpressions, len(src.Spec.NamedPatterns)) + for name, patterns := range src.Spec.NamedPatterns { + dst.Spec.Patterns[name] = utils.Map(patterns, convertPatternExpressionFrom) + } + } + + // conditions + dst.Spec.Conditions = utils.Map(src.Spec.Conditions, convertPatternExpressionOrRefFrom) + + // identity + for name, authentication := range src.Spec.Authentication { + identity := convertAuthenticationFrom(name, authentication) + dst.Spec.Identity = append(dst.Spec.Identity, identity) + } + + // metadata + for name, metadataSrc := range src.Spec.Metadata { + metadata := convertMetadataFrom(name, metadataSrc) + dst.Spec.Metadata = append(dst.Spec.Metadata, metadata) + } + + // authorization + for name, authorizationSrc := range src.Spec.Authorization { + authorization := convertAuthorizationFrom(name, authorizationSrc) + dst.Spec.Authorization = append(dst.Spec.Authorization, authorization) + } + + // response + if src.Spec.Response != nil { + for name, responseSrc := range src.Spec.Response.Success.Headers { + response := convertSuccessResponseFrom(name, responseSrc.SuccessResponseSpec, "httpHeader") + dst.Spec.Response = append(dst.Spec.Response, response) + } + + for name, responseSrc := range src.Spec.Response.Success.DynamicMetadata { + response := convertSuccessResponseFrom(name, responseSrc, "envoyDynamicMetadata") + dst.Spec.Response = append(dst.Spec.Response, response) + } + + // denyWith + if src.Spec.Response.Unauthenticated != nil || src.Spec.Response.Unauthorized != nil { + dst.Spec.DenyWith = &DenyWith{} + } + + if denyWithSrc := src.Spec.Response.Unauthenticated; denyWithSrc != nil { + 
dst.Spec.DenyWith.Unauthenticated = convertDenyWithSpecFrom(denyWithSrc) + } + + if denyWithSrc := src.Spec.Response.Unauthorized; denyWithSrc != nil { + dst.Spec.DenyWith.Unauthorized = convertDenyWithSpecFrom(denyWithSrc) + } + } + + // callbacks + for name, callbackSrc := range src.Spec.Callbacks { + callback := convertCallbackFrom(name, callbackSrc) + dst.Spec.Callbacks = append(dst.Spec.Callbacks, callback) + } + + // status + dst.Status = convertStatusFrom(src.Status) + + logger.V(1).Info("finished converting resource", "dst", dst) + + return nil +} + +func convertPatternExpressionTo(src JSONPatternExpression) v1beta2.PatternExpression { + return v1beta2.PatternExpression{ + Selector: src.Selector, + Operator: v1beta2.PatternExpressionOperator(src.Operator), + Value: src.Value, + } +} + +func convertPatternExpressionFrom(src v1beta2.PatternExpression) JSONPatternExpression { + return JSONPatternExpression{ + Selector: src.Selector, + Operator: JSONPatternOperator(src.Operator), + Value: src.Value, + } +} + +func convertPatternExpressionOrRefTo(src JSONPattern) v1beta2.PatternExpressionOrRef { + pattern := v1beta2.PatternExpressionOrRef{ + PatternExpression: convertPatternExpressionTo(src.JSONPatternExpression), + PatternRef: v1beta2.PatternRef{ + Name: src.JSONPatternRef.JSONPatternName, + }, + } + if len(src.All) > 0 { + pattern.All = make([]v1beta2.UnstructuredPatternExpressionOrRef, len(src.All)) + for i, p := range src.All { + pattern.All[i] = v1beta2.UnstructuredPatternExpressionOrRef{PatternExpressionOrRef: convertPatternExpressionOrRefTo(p.JSONPattern)} + } + } + if len(src.Any) > 0 { + pattern.Any = make([]v1beta2.UnstructuredPatternExpressionOrRef, len(src.Any)) + for i, p := range src.Any { + pattern.Any[i] = v1beta2.UnstructuredPatternExpressionOrRef{PatternExpressionOrRef: convertPatternExpressionOrRefTo(p.JSONPattern)} + } + } + return pattern +} + +func convertPatternExpressionOrRefFrom(src v1beta2.PatternExpressionOrRef) JSONPattern { + pattern 
:= JSONPattern{ + JSONPatternExpression: convertPatternExpressionFrom(src.PatternExpression), + JSONPatternRef: JSONPatternRef{ + JSONPatternName: src.PatternRef.Name, + }, + } + if len(src.All) > 0 { + pattern.All = make([]UnstructuredJSONPattern, len(src.All)) + for i, p := range src.All { + pattern.All[i] = UnstructuredJSONPattern{JSONPattern: convertPatternExpressionOrRefFrom(p.PatternExpressionOrRef)} + } + } + if len(src.Any) > 0 { + pattern.Any = make([]UnstructuredJSONPattern, len(src.Any)) + for i, p := range src.Any { + pattern.Any[i] = UnstructuredJSONPattern{JSONPattern: convertPatternExpressionOrRefFrom(p.PatternExpressionOrRef)} + } + } + return pattern +} + +func convertAuthenticationTo(src *Identity) (string, v1beta2.AuthenticationSpec) { + authentication := v1beta2.AuthenticationSpec{ + CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{ + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), + Cache: convertEvaluatorCachingTo(src.Cache), + }, + Credentials: convertCredentialsTo(src.Credentials), + } + + var overrides []JsonProperty + for _, extendedProperty := range src.ExtendedProperties { + if !extendedProperty.Overwrite { + continue + } + overrides = append(overrides, extendedProperty.JsonProperty) + } + if len(overrides) > 0 { + authentication.Overrides = v1beta2.ExtendedProperties(convertNamedValuesOrSelectorsTo(overrides)) + } + + var defaults []JsonProperty + for _, extendedProperty := range src.ExtendedProperties { + if extendedProperty.Overwrite { + continue + } + defaults = append(defaults, extendedProperty.JsonProperty) + } + if len(defaults) > 0 { + authentication.Defaults = v1beta2.ExtendedProperties(convertNamedValuesOrSelectorsTo(defaults)) + } + + switch src.GetType() { + case IdentityApiKey: + selector := *src.APIKey.Selector + authentication.ApiKey = &v1beta2.ApiKeyAuthenticationSpec{ + Selector: &selector, + AllNamespaces: src.APIKey.AllNamespaces, + } + case 
IdentityOidc: + authentication.Jwt = &v1beta2.JwtAuthenticationSpec{ + IssuerUrl: src.Oidc.Endpoint, + TTL: src.Oidc.TTL, + } + case IdentityOAuth2: + credentials := *src.OAuth2.Credentials + authentication.OAuth2TokenIntrospection = &v1beta2.OAuth2TokenIntrospectionSpec{ + Url: src.OAuth2.TokenIntrospectionUrl, + TokenTypeHint: src.OAuth2.TokenTypeHint, + Credentials: &credentials, + } + case IdentityKubernetesAuth: + authentication.KubernetesTokenReview = &v1beta2.KubernetesTokenReviewSpec{ + Audiences: src.KubernetesAuth.Audiences, + } + case IdentityMTLS: + selector := *src.MTLS.Selector + authentication.X509ClientCertificate = &v1beta2.X509ClientCertificateAuthenticationSpec{ + Selector: &selector, + AllNamespaces: src.MTLS.AllNamespaces, + } + case IdentityPlain: + authentication.Plain = &v1beta2.PlainIdentitySpec{ + Selector: src.Plain.AuthJSON, + } + case IdentityAnonymous: + authentication.AnonymousAccess = &v1beta2.AnonymousAccessSpec{} + } + + return src.Name, authentication +} + +func convertAuthenticationFrom(name string, src v1beta2.AuthenticationSpec) *Identity { + extendedProperties := utils.Map(convertNamedValuesOrSelectorsFrom(v1beta2.NamedValuesOrSelectors(src.Overrides)), func(jsonProperty JsonProperty) ExtendedProperty { + return ExtendedProperty{ + JsonProperty: jsonProperty, + Overwrite: true, + } + }) + extendedProperties = append(extendedProperties, utils.Map(convertNamedValuesOrSelectorsFrom(v1beta2.NamedValuesOrSelectors(src.Defaults)), func(jsonProperty JsonProperty) ExtendedProperty { + return ExtendedProperty{ + JsonProperty: jsonProperty, + Overwrite: false, + } + })...) 
+ + identity := &Identity{ + Name: name, + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), + Cache: convertEvaluatorCachingFrom(src.Cache), + Credentials: convertCredentialsFrom(src.Credentials), + ExtendedProperties: extendedProperties, + } + + switch src.GetMethod() { + case v1beta2.ApiKeyAuthentication: + selector := *src.ApiKey.Selector + identity.APIKey = &Identity_APIKey{ + Selector: &selector, + AllNamespaces: src.ApiKey.AllNamespaces, + } + case v1beta2.JwtAuthentication: + identity.Oidc = &Identity_OidcConfig{ + Endpoint: src.Jwt.IssuerUrl, + TTL: src.Jwt.TTL, + } + case v1beta2.OAuth2TokenIntrospectionAuthentication: + credentials := *src.OAuth2TokenIntrospection.Credentials + identity.OAuth2 = &Identity_OAuth2Config{ + TokenIntrospectionUrl: src.OAuth2TokenIntrospection.Url, + TokenTypeHint: src.OAuth2TokenIntrospection.TokenTypeHint, + Credentials: &credentials, + } + case v1beta2.KubernetesTokenReviewAuthentication: + identity.KubernetesAuth = &Identity_KubernetesAuth{ + Audiences: src.KubernetesTokenReview.Audiences, + } + case v1beta2.X509ClientCertificateAuthentication: + selector := *src.X509ClientCertificate.Selector + identity.MTLS = &Identity_MTLS{ + Selector: &selector, + AllNamespaces: src.X509ClientCertificate.AllNamespaces, + } + case v1beta2.PlainIdentityAuthentication: + selector := Identity_Plain(ValueFrom{ + AuthJSON: src.Plain.Selector, + }) + identity.Plain = &selector + case v1beta2.AnonymousAccessAuthentication: + identity.Anonymous = &Identity_Anonymous{} + } + + return identity +} + +func convertEvaluatorCachingTo(src *EvaluatorCaching) *v1beta2.EvaluatorCaching { + if src == nil { + return nil + } + return &v1beta2.EvaluatorCaching{ + Key: convertValueOrSelectorTo(src.Key), + TTL: src.TTL, + } +} + +func convertEvaluatorCachingFrom(src *v1beta2.EvaluatorCaching) *EvaluatorCaching { + if src == nil { + return nil + } + return &EvaluatorCaching{ + Key: 
convertValueOrSelectorFrom(src.Key), + TTL: src.TTL, + } +} + +func convertValueOrSelectorTo(src StaticOrDynamicValue) v1beta2.ValueOrSelector { + value := k8sruntime.RawExtension{} + if src.ValueFrom.AuthJSON == "" { + jsonString, err := json.Marshal(src.Value) + if err == nil { + value.Raw = jsonString + } + } + return v1beta2.ValueOrSelector{ + Value: value, + Selector: src.ValueFrom.AuthJSON, + } +} + +func convertValueOrSelectorFrom(src v1beta2.ValueOrSelector) StaticOrDynamicValue { + return StaticOrDynamicValue{ + Value: gjson.ParseBytes(src.Value.Raw).String(), + ValueFrom: convertSelectorFrom(src), + } +} + +func convertCredentialsTo(src Credentials) v1beta2.Credentials { + credentials := v1beta2.Credentials{} + switch src.In { + case "authorization_header": + credentials.AuthorizationHeader = &v1beta2.Prefixed{ + Prefix: src.KeySelector, + } + case "custom_header": + credentials.CustomHeader = &v1beta2.CustomHeader{ + Named: v1beta2.Named{Name: src.KeySelector}, + } + case "query": + credentials.QueryString = &v1beta2.Named{ + Name: src.KeySelector, + } + case "cookie": + credentials.Cookie = &v1beta2.Named{ + Name: src.KeySelector, + } + } + return credentials +} + +func convertCredentialsFrom(src v1beta2.Credentials) Credentials { + var in, key string + switch src.GetType() { + case v1beta2.AuthorizationHeaderCredentials: + in = "authorization_header" + key = src.AuthorizationHeader.Prefix + case v1beta2.CustomHeaderCredentials: + in = "custom_header" + key = src.CustomHeader.Name + case v1beta2.QueryStringCredentials: + in = "query" + key = src.QueryString.Name + case v1beta2.CookieCredentials: + in = "cookie" + key = src.Cookie.Name + } + return Credentials{ + In: Credentials_In(in), + KeySelector: key, + } +} + +func convertNamedValuesOrSelectorsTo(src []JsonProperty) v1beta2.NamedValuesOrSelectors { + if src == nil { + return nil + } + namedValuesOrSelectors := v1beta2.NamedValuesOrSelectors{} + for _, jsonProperty := range src { + value := 
k8sruntime.RawExtension{} + if jsonProperty.ValueFrom.AuthJSON == "" { + value.Raw = jsonProperty.Value.Raw + } + namedValuesOrSelectors[jsonProperty.Name] = v1beta2.ValueOrSelector{ + Value: value, + Selector: jsonProperty.ValueFrom.AuthJSON, + } + } + return namedValuesOrSelectors +} + +func convertNamedValuesOrSelectorsFrom(src v1beta2.NamedValuesOrSelectors) []JsonProperty { + if src == nil { + return nil + } + jsonProperties := make([]JsonProperty, 0, len(src)) + for name, valueOrSelector := range src { + jsonProperties = append(jsonProperties, JsonProperty{ + Name: name, + Value: valueOrSelector.Value, + ValueFrom: convertSelectorFrom(valueOrSelector), + }) + } + return jsonProperties +} + +func convertSelectorFrom(src v1beta2.ValueOrSelector) ValueFrom { + return ValueFrom{ + AuthJSON: src.Selector, + } +} + +func convertMetadataTo(src *Metadata) (string, v1beta2.MetadataSpec) { + metadata := v1beta2.MetadataSpec{ + CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{ + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), + Cache: convertEvaluatorCachingTo(src.Cache), + }, + } + + switch src.GetType() { + case MetadataGenericHTTP: + metadata.Http = convertHttpEndpointSpecTo(src.GenericHTTP) + case MetadataUserinfo: + metadata.UserInfo = &v1beta2.UserInfoMetadataSpec{ + IdentitySource: src.UserInfo.IdentitySource, + } + case MetadataUma: + credentials := *src.UMA.Credentials + metadata.Uma = &v1beta2.UmaMetadataSpec{ + Endpoint: src.UMA.Endpoint, + Credentials: &credentials, + } + } + + return src.Name, metadata +} + +func convertMetadataFrom(name string, src v1beta2.MetadataSpec) *Metadata { + metadata := &Metadata{ + Name: name, + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), + Cache: convertEvaluatorCachingFrom(src.Cache), + } + + switch src.GetMethod() { + case v1beta2.HttpMetadata: + metadata.GenericHTTP = 
convertHttpEndpointSpecFrom(src.Http) + case v1beta2.UserInfoMetadata: + metadata.UserInfo = &Metadata_UserInfo{ + IdentitySource: src.UserInfo.IdentitySource, + } + case v1beta2.UmaResourceMetadata: + credentials := *src.Uma.Credentials + metadata.UMA = &Metadata_UMA{ + Endpoint: src.Uma.Endpoint, + Credentials: &credentials, + } + } + + return metadata +} + +func convertHttpEndpointSpecTo(src *Metadata_GenericHTTP) *v1beta2.HttpEndpointSpec { + if src == nil { + return nil + } + return &v1beta2.HttpEndpointSpec{ + Url: src.Endpoint, + Method: convertMethodTo(src.Method), + Body: convertPtrValueOrSelectorTo(src.Body), + Parameters: convertNamedValuesOrSelectorsTo(src.Parameters), + ContentType: convertContentTypeTo(src.ContentType), + Headers: convertNamedValuesOrSelectorsTo(src.Headers), + SharedSecret: convertSecretKeyReferenceTo(src.SharedSecret), + OAuth2: convertOAuth2ClientAuthenticationTo(src.OAuth2), + Credentials: convertCredentialsTo(src.Credentials), + } +} + +func convertHttpEndpointSpecFrom(src *v1beta2.HttpEndpointSpec) *Metadata_GenericHTTP { + if src == nil { + return nil + } + return &Metadata_GenericHTTP{ + Endpoint: src.Url, + Method: convertMethodFrom(src.Method), + Body: convertPtrValueOrSelectorFrom(src.Body), + Parameters: convertNamedValuesOrSelectorsFrom(src.Parameters), + ContentType: convertContentTypeFrom(src.ContentType), + Headers: convertNamedValuesOrSelectorsFrom(src.Headers), + SharedSecret: convertSecretKeyReferenceFrom(src.SharedSecret), + OAuth2: convertOAuth2ClientAuthenticationFrom(src.OAuth2), + Credentials: convertCredentialsFrom(src.Credentials), + } +} + +func convertMethodTo(src *GenericHTTP_Method) *v1beta2.HttpMethod { + if src == nil { + return nil + } + method := v1beta2.HttpMethod(*src) + return &method +} + +func convertMethodFrom(src *v1beta2.HttpMethod) *GenericHTTP_Method { + if src == nil { + return nil + } + method := GenericHTTP_Method(*src) + return &method +} + +func convertPtrValueOrSelectorTo(src 
*StaticOrDynamicValue) *v1beta2.ValueOrSelector { + if src == nil { + return nil + } + v := convertValueOrSelectorTo(*src) + return &v +} + +func convertPtrValueOrSelectorFrom(src *v1beta2.ValueOrSelector) *StaticOrDynamicValue { + if src == nil { + return nil + } + v := convertValueOrSelectorFrom(*src) + return &v +} + +func convertContentTypeTo(src Metadata_GenericHTTP_ContentType) v1beta2.HttpContentType { + return v1beta2.HttpContentType(src) +} + +func convertContentTypeFrom(src v1beta2.HttpContentType) Metadata_GenericHTTP_ContentType { + return Metadata_GenericHTTP_ContentType(src) +} + +func convertSecretKeyReferenceTo(src *SecretKeyReference) *v1beta2.SecretKeyReference { + if src == nil { + return nil + } + return &v1beta2.SecretKeyReference{ + Name: src.Name, + Key: src.Key, + } +} + +func convertSecretKeyReferenceFrom(src *v1beta2.SecretKeyReference) *SecretKeyReference { + if src == nil { + return nil + } + return &SecretKeyReference{ + Name: src.Name, + Key: src.Key, + } +} + +func convertOAuth2ClientAuthenticationTo(src *OAuth2ClientAuthentication) *v1beta2.OAuth2ClientAuthentication { + if src == nil { + return nil + } + o := &v1beta2.OAuth2ClientAuthentication{ + TokenUrl: src.TokenUrl, + ClientId: src.ClientId, + ClientSecret: *convertSecretKeyReferenceTo(&src.ClientSecret), + Scopes: src.Scopes, + ExtraParams: src.ExtraParams, + } + if src.Cache != nil { + cache := *src.Cache + o.Cache = &cache + } + return o +} + +func convertOAuth2ClientAuthenticationFrom(src *v1beta2.OAuth2ClientAuthentication) *OAuth2ClientAuthentication { + if src == nil { + return nil + } + o := &OAuth2ClientAuthentication{ + TokenUrl: src.TokenUrl, + ClientId: src.ClientId, + ClientSecret: *convertSecretKeyReferenceFrom(&src.ClientSecret), + Scopes: src.Scopes, + ExtraParams: src.ExtraParams, + } + if src.Cache != nil { + cache := *src.Cache + o.Cache = &cache + } + return o +} + +func convertAuthorizationTo(src *Authorization) (string, v1beta2.AuthorizationSpec) { + 
authorization := v1beta2.AuthorizationSpec{ + CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{ + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), + Cache: convertEvaluatorCachingTo(src.Cache), + }, + } + + switch src.GetType() { + case AuthorizationJSONPatternMatching: + authorization.PatternMatching = &v1beta2.PatternMatchingAuthorizationSpec{ + Patterns: utils.Map(src.JSON.Rules, convertPatternExpressionOrRefTo), + } + case AuthorizationOPA: + authorization.Opa = &v1beta2.OpaAuthorizationSpec{ + Rego: src.OPA.InlineRego, + External: convertOpaExternalRegistryTo(src.OPA.ExternalRegistry), + AllValues: src.OPA.AllValues, + } + case AuthorizationKubernetesAuthz: + authorization.KubernetesSubjectAccessReview = &v1beta2.KubernetesSubjectAccessReviewAuthorizationSpec{ + User: convertPtrValueOrSelectorTo(&src.KubernetesAuthz.User), + Groups: src.KubernetesAuthz.Groups, + ResourceAttributes: convertKubernetesSubjectAccessReviewResourceAttributesTo(src.KubernetesAuthz.ResourceAttributes), + } + case AuthorizationAuthzed: + authorization.SpiceDB = &v1beta2.SpiceDBAuthorizationSpec{ + Endpoint: src.Authzed.Endpoint, + Insecure: src.Authzed.Insecure, + SharedSecret: convertSecretKeyReferenceTo(src.Authzed.SharedSecret), + Subject: spiceDBObjectTo(src.Authzed.Subject), + Resource: spiceDBObjectTo(src.Authzed.Resource), + Permission: convertValueOrSelectorTo(src.Authzed.Permission), + } + } + + return src.Name, authorization +} + +func convertAuthorizationFrom(name string, src v1beta2.AuthorizationSpec) *Authorization { + authorization := &Authorization{ + Name: name, + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), + Cache: convertEvaluatorCachingFrom(src.Cache), + } + + switch src.GetMethod() { + case v1beta2.PatternMatchingAuthorization: + authorization.JSON = &Authorization_JSONPatternMatching{ + Rules: 
utils.Map(src.PatternMatching.Patterns, convertPatternExpressionOrRefFrom), + } + case v1beta2.OpaAuthorization: + authorization.OPA = &Authorization_OPA{ + InlineRego: src.Opa.Rego, + ExternalRegistry: convertOpaExternalRegistryFrom(src.Opa.External), + AllValues: src.Opa.AllValues, + } + case v1beta2.KubernetesSubjectAccessReviewAuthorization: + authorization.KubernetesAuthz = &Authorization_KubernetesAuthz{ + Groups: src.KubernetesSubjectAccessReview.Groups, + ResourceAttributes: convertKubernetesSubjectAccessReviewResourceAttributesFrom(src.KubernetesSubjectAccessReview.ResourceAttributes), + } + if src.KubernetesSubjectAccessReview.User != nil { + authorization.KubernetesAuthz.User = convertValueOrSelectorFrom(*src.KubernetesSubjectAccessReview.User) + } + case v1beta2.SpiceDBAuthorization: + authorization.Authzed = &Authorization_Authzed{ + Endpoint: src.SpiceDB.Endpoint, + Insecure: src.SpiceDB.Insecure, + SharedSecret: convertSecretKeyReferenceFrom(src.SpiceDB.SharedSecret), + Subject: spiceDBObjectFrom(src.SpiceDB.Subject), + Resource: spiceDBObjectFrom(src.SpiceDB.Resource), + Permission: convertValueOrSelectorFrom(src.SpiceDB.Permission), + } + } + + return authorization +} + +func convertOpaExternalRegistryTo(src ExternalRegistry) *v1beta2.ExternalOpaPolicy { + if src.Endpoint == "" { + return nil + } + return &v1beta2.ExternalOpaPolicy{ + HttpEndpointSpec: &v1beta2.HttpEndpointSpec{ + Url: src.Endpoint, + SharedSecret: convertSecretKeyReferenceTo(src.SharedSecret), + Credentials: convertCredentialsTo(src.Credentials), + }, + TTL: src.TTL, + } +} + +func convertOpaExternalRegistryFrom(src *v1beta2.ExternalOpaPolicy) ExternalRegistry { + if src == nil { + return ExternalRegistry{} + } + return ExternalRegistry{ + Endpoint: src.Url, + SharedSecret: convertSecretKeyReferenceFrom(src.SharedSecret), + Credentials: convertCredentialsFrom(src.Credentials), + TTL: src.TTL, + } +} + +func convertKubernetesSubjectAccessReviewResourceAttributesTo(src 
*Authorization_KubernetesAuthz_ResourceAttributes) *v1beta2.KubernetesSubjectAccessReviewResourceAttributesSpec { + if src == nil { + return nil + } + return &v1beta2.KubernetesSubjectAccessReviewResourceAttributesSpec{ + Namespace: convertValueOrSelectorTo(src.Namespace), + Group: convertValueOrSelectorTo(src.Group), + Resource: convertValueOrSelectorTo(src.Resource), + Name: convertValueOrSelectorTo(src.Name), + SubResource: convertValueOrSelectorTo(src.SubResource), + Verb: convertValueOrSelectorTo(src.Verb), + } +} + +func convertKubernetesSubjectAccessReviewResourceAttributesFrom(src *v1beta2.KubernetesSubjectAccessReviewResourceAttributesSpec) *Authorization_KubernetesAuthz_ResourceAttributes { + if src == nil { + return nil + } + return &Authorization_KubernetesAuthz_ResourceAttributes{ + Namespace: convertValueOrSelectorFrom(src.Namespace), + Group: convertValueOrSelectorFrom(src.Group), + Resource: convertValueOrSelectorFrom(src.Resource), + Name: convertValueOrSelectorFrom(src.Name), + SubResource: convertValueOrSelectorFrom(src.SubResource), + Verb: convertValueOrSelectorFrom(src.Verb), + } +} + +func spiceDBObjectTo(src *AuthzedObject) *v1beta2.SpiceDBObject { + if src == nil { + return nil + } + return &v1beta2.SpiceDBObject{ + Kind: convertValueOrSelectorTo(src.Kind), + Name: convertValueOrSelectorTo(src.Name), + } +} + +func spiceDBObjectFrom(src *v1beta2.SpiceDBObject) *AuthzedObject { + if src == nil { + return nil + } + return &AuthzedObject{ + Kind: convertValueOrSelectorFrom(src.Kind), + Name: convertValueOrSelectorFrom(src.Name), + } +} + +func convertDenyWithSpecTo(src *DenyWithSpec) *v1beta2.DenyWithSpec { + if src == nil { + return nil + } + return &v1beta2.DenyWithSpec{ + Code: v1beta2.DenyWithCode(src.Code), + Headers: convertNamedValuesOrSelectorsTo(src.Headers), + Message: convertPtrValueOrSelectorTo(src.Message), + Body: convertPtrValueOrSelectorTo(src.Body), + } +} + +func convertDenyWithSpecFrom(src *v1beta2.DenyWithSpec) 
*DenyWithSpec { + if src == nil { + return nil + } + return &DenyWithSpec{ + Code: DenyWith_Code(src.Code), + Headers: convertNamedValuesOrSelectorsFrom(src.Headers), + Message: convertPtrValueOrSelectorFrom(src.Message), + Body: convertPtrValueOrSelectorFrom(src.Body), + } +} + +func convertSuccessResponseTo(src *Response) (string, v1beta2.SuccessResponseSpec) { + response := v1beta2.SuccessResponseSpec{ + CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{ + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), + Cache: convertEvaluatorCachingTo(src.Cache), + }, + Key: src.WrapperKey, + } + + switch src.GetType() { + case ResponsePlain: + selector := v1beta2.PlainAuthResponseSpec(convertValueOrSelectorTo(StaticOrDynamicValue(*src.Plain))) + response.Plain = &selector + case ResponseDynamicJSON: + response.Json = &v1beta2.JsonAuthResponseSpec{ + Properties: convertNamedValuesOrSelectorsTo(src.JSON.Properties), + } + case ResponseWristband: + response.Wristband = &v1beta2.WristbandAuthResponseSpec{ + Issuer: src.Wristband.Issuer, + CustomClaims: convertNamedValuesOrSelectorsTo(src.Wristband.CustomClaims), + } + if src.Wristband.TokenDuration != nil { + duration := *src.Wristband.TokenDuration + response.Wristband.TokenDuration = &duration + } + for _, keySrc := range src.Wristband.SigningKeyRefs { + if keySrc == nil { + continue + } + key := &v1beta2.WristbandSigningKeyRef{ + Name: keySrc.Name, + Algorithm: v1beta2.WristbandSigningKeyAlgorithm(keySrc.Algorithm), + } + response.Wristband.SigningKeyRefs = append(response.Wristband.SigningKeyRefs, key) + } + } + + return src.Name, response +} + +func convertSuccessResponseFrom(name string, src v1beta2.SuccessResponseSpec, wrapper string) *Response { + response := &Response{ + Name: name, + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), + Cache: 
convertEvaluatorCachingFrom(src.Cache), + Wrapper: Response_Wrapper(wrapper), + WrapperKey: src.Key, + } + + switch src.GetMethod() { + case v1beta2.PlainAuthResponse: + selector := Response_Plain(convertValueOrSelectorFrom(v1beta2.ValueOrSelector(*src.Plain))) + response.Plain = &selector + case v1beta2.JsonAuthResponse: + response.JSON = &Response_DynamicJSON{ + Properties: convertNamedValuesOrSelectorsFrom(src.Json.Properties), + } + case v1beta2.WristbandAuthResponse: + response.Wristband = &Response_Wristband{ + Issuer: src.Wristband.Issuer, + CustomClaims: convertNamedValuesOrSelectorsFrom(src.Wristband.CustomClaims), + } + if src.Wristband.TokenDuration != nil { + duration := *src.Wristband.TokenDuration + response.Wristband.TokenDuration = &duration + } + for _, keySrc := range src.Wristband.SigningKeyRefs { + if keySrc == nil { + continue + } + key := SigningKeyRef{ + Name: keySrc.Name, + Algorithm: SigningKeyAlgorithm(keySrc.Algorithm), + } + response.Wristband.SigningKeyRefs = append(response.Wristband.SigningKeyRefs, &key) + } + } + + return response +} + +func convertCallbackTo(src *Callback) (string, v1beta2.CallbackSpec) { + callback := v1beta2.CallbackSpec{ + CommonEvaluatorSpec: v1beta2.CommonEvaluatorSpec{ + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), + }, + } + + switch src.GetType() { + case CallbackHTTP: + callback.Http = convertHttpEndpointSpecTo(src.HTTP) + } + + return src.Name, callback +} + +func convertCallbackFrom(name string, src v1beta2.CallbackSpec) *Callback { + callback := &Callback{ + Name: name, + Priority: src.Priority, + Metrics: src.Metrics, + Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), + } + + switch src.GetMethod() { + case v1beta2.HttpCallback: + callback.HTTP = convertHttpEndpointSpecFrom(src.Http) + } + + return callback +} + +func convertStatusTo(src AuthConfigStatus) v1beta2.AuthConfigStatus { + return 
v1beta2.AuthConfigStatus{ + Conditions: utils.Map(src.Conditions, func(conditionSrc Condition) v1beta2.AuthConfigStatusCondition { + condition := v1beta2.AuthConfigStatusCondition{ + Type: v1beta2.StatusConditionType(conditionSrc.Type), + Status: conditionSrc.Status, + LastTransitionTime: conditionSrc.LastTransitionTime, + Reason: conditionSrc.Reason, + Message: conditionSrc.Message, + } + if conditionSrc.LastUpdatedTime != nil { + time := *conditionSrc.LastUpdatedTime + condition.LastUpdatedTime = &time + } + return condition + }), + Summary: convertStatusSummaryTo(src.Summary), + } +} + +func convertStatusFrom(src v1beta2.AuthConfigStatus) AuthConfigStatus { + return AuthConfigStatus{ + Conditions: utils.Map(src.Conditions, func(conditionSrc v1beta2.AuthConfigStatusCondition) Condition { + condition := Condition{ + Type: ConditionType(conditionSrc.Type), + Status: conditionSrc.Status, + LastTransitionTime: conditionSrc.LastTransitionTime, + Reason: conditionSrc.Reason, + Message: conditionSrc.Message, + } + if conditionSrc.LastUpdatedTime != nil { + time := *conditionSrc.LastUpdatedTime + condition.LastUpdatedTime = &time + } + return condition + }), + Summary: convertStatusSummaryFrom(src.Summary), + } +} + +func convertStatusSummaryTo(src Summary) v1beta2.AuthConfigStatusSummary { + hostsReady := make([]string, len(src.HostsReady)) + copy(hostsReady, src.HostsReady) + + return v1beta2.AuthConfigStatusSummary{ + Ready: src.Ready, + HostsReady: hostsReady, + NumHostsReady: src.NumHostsReady, + NumIdentitySources: src.NumIdentitySources, + NumMetadataSources: src.NumMetadataSources, + NumAuthorizationPolicies: src.NumAuthorizationPolicies, + NumResponseItems: src.NumResponseItems, + FestivalWristbandEnabled: src.FestivalWristbandEnabled, + } +} + +func convertStatusSummaryFrom(src v1beta2.AuthConfigStatusSummary) Summary { + hostsReady := make([]string, len(src.HostsReady)) + copy(hostsReady, src.HostsReady) + + return Summary{ + Ready: src.Ready, + HostsReady: 
hostsReady, + NumHostsReady: src.NumHostsReady, + NumIdentitySources: src.NumIdentitySources, + NumMetadataSources: src.NumMetadataSources, + NumAuthorizationPolicies: src.NumAuthorizationPolicies, + NumResponseItems: src.NumResponseItems, + FestivalWristbandEnabled: src.FestivalWristbandEnabled, + } +} diff --git a/api/v1beta2/auth_config_conversion_test.go b/api/v1beta1/auth_config_conversion_test.go similarity index 99% rename from api/v1beta2/auth_config_conversion_test.go rename to api/v1beta1/auth_config_conversion_test.go index 3bed4d10..f9c860a6 100644 --- a/api/v1beta2/auth_config_conversion_test.go +++ b/api/v1beta1/auth_config_conversion_test.go @@ -1,4 +1,4 @@ -package v1beta2 +package v1beta1 import ( "encoding/json" @@ -7,12 +7,23 @@ import ( "testing" "github.com/google/go-cmp/cmp" - "github.com/kuadrant/authorino/api/v1beta1" + "github.com/kuadrant/authorino/api/v1beta2" ) func TestConvertTo(t *testing.T) { - converted := &v1beta1.AuthConfig{} - authConfig().ConvertTo(converted) + converted := &v1beta2.AuthConfig{} + config := authConfig() + config.ConvertTo(converted) + + expected := hubAuthConfig() + if !reflect.DeepEqual(expected, converted) { + t.Error(cmp.Diff(expected, converted)) + } +} + +func TestConvertFrom(t *testing.T) { + converted := &AuthConfig{} + converted.ConvertFrom(hubAuthConfig()) sort.Slice(converted.Spec.Identity, func(i, j int) bool { return converted.Spec.Identity[i].Name < converted.Spec.Identity[j].Name 
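Review bot: convertAuthenticationTo dereferences pointer fields unguarded — `selector := *src.APIKey.Selector`, `credentials := *src.OAuth2.Credentials`, `selector := *src.MTLS.Selector` — and convertMetadataTo does the same with `credentials := *src.UMA.Credentials`, so any stored object whose schema permits one of these fields to be absent panics inside the conversion webhook; the mirrored ConvertFrom helpers (`*src.ApiKey.Selector`, `*src.OAuth2TokenIntrospection.Credentials`, `*src.X509ClientCertificate.Selector`, `*src.Uma.Credentials`) carry the same exposure. A panic here fails the entire ConversionReview the API server sent, so a single such object would make every read or list of the resource at the other version fail until it is repaired by hand — worth ruling out unless the CRD marks each of these required, which this hunk does not show. If the fields are the usual `*metav1.LabelSelector` / `*corev1.LocalObjectReference`, their generated `DeepCopy()` methods are nil-safe and give a one-line fix per site, e.g. `Selector: src.APIKey.Selector.DeepCopy(),` in place of the explicit copy. Separately, convertValueOrSelectorTo drops the `json.Marshal` error with `if err == nil { value.Raw = jsonString }`; since marshaling a string cannot fail, a comment such as `// json.Marshal of a string cannot fail; err is deliberately ignored` would make the silent branch read as intentional rather than accidental.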
@@ -48,23 +59,14 @@ func TestConvertTo(t *testing.T) { return converted.Spec.DenyWith.Unauthorized.Headers[i].Name < converted.Spec.DenyWith.Unauthorized.Headers[j].Name }) - expected := hubAuthConfig() - if !reflect.DeepEqual(expected, converted) { - t.Error(cmp.Diff(expected, converted)) - } -} - -func TestConvertFrom(t *testing.T) { - converted := &AuthConfig{} - converted.ConvertFrom(hubAuthConfig()) expected := authConfig() if !reflect.DeepEqual(expected, converted) { t.Error(cmp.Diff(expected, converted)) } } -func authConfig() *AuthConfig { - authConfig := &AuthConfig{} +func hubAuthConfig() *v1beta2.AuthConfig { + authConfig := &v1beta2.AuthConfig{} err := json.Unmarshal([]byte(` { "metadata": { @@ -477,8 +479,8 @@ func authConfig() *AuthConfig { return authConfig } -func hubAuthConfig() *v1beta1.AuthConfig { - authConfig := &v1beta1.AuthConfig{} +func authConfig() *AuthConfig { + authConfig := &AuthConfig{} err := json.Unmarshal([]byte(` { "metadata": { diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go index c70bb9df..3fe74ccf 100644 --- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go @@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2020 Red Hat, Inc. @@ -123,7 +122,8 @@ func (in *AuthConfigSpec) DeepCopyInto(out *AuthConfigSpec) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = make(JSONPatternExpressions, len(*in)) copy(*out, *in) } diff --git a/api/v1beta2/auth_config_conversion.go b/api/v1beta2/auth_config_conversion.go index b46b1bad..a66d1434 100644 --- a/api/v1beta2/auth_config_conversion.go +++ b/api/v1beta2/auth_config_conversion.go 
@@ -1,1080 +1,4 @@ package v1beta2 -import ( - "encoding/json" - - "github.com/kuadrant/authorino/api/v1beta1" - "github.com/kuadrant/authorino/pkg/utils" - - "github.com/tidwall/gjson" - k8sruntime "k8s.io/apimachinery/pkg/runtime" - ctrl "sigs.k8s.io/controller-runtime" - "sigs.k8s.io/controller-runtime/pkg/conversion" -) - -func (src *AuthConfig) ConvertTo(dstRaw conversion.Hub) error { - dst := dstRaw.(*v1beta1.AuthConfig) - - logger := ctrl.Log.WithName("webhook").WithName("authconfig").WithName("converto").WithValues("src", src) - logger.V(1).Info("starting converting resource") - - // metadata - dst.ObjectMeta = src.ObjectMeta - - // hosts - dst.Spec.Hosts = src.Spec.Hosts - - // named patterns - if src.Spec.NamedPatterns != nil { - dst.Spec.Patterns = make(map[string]v1beta1.JSONPatternExpressions, len(src.Spec.NamedPatterns)) - for name, patterns := range src.Spec.NamedPatterns { - dst.Spec.Patterns[name] = utils.Map(patterns, convertPatternExpressionTo) - } - } - - // conditions - dst.Spec.Conditions = utils.Map(src.Spec.Conditions, convertPatternExpressionOrRefTo) - - // identity - for name, authentication := range src.Spec.Authentication { - identity := convertAuthenticationTo(name, authentication) - dst.Spec.Identity = append(dst.Spec.Identity, identity) - } - - // metadata - for name, metadataSrc := range src.Spec.Metadata { - metadata := convertMetadataTo(name, metadataSrc) - dst.Spec.Metadata = append(dst.Spec.Metadata, metadata) - } - - // authorization - for name, authorizationSrc := range src.Spec.Authorization { - authorization := convertAuthorizationTo(name, authorizationSrc) - dst.Spec.Authorization = append(dst.Spec.Authorization, authorization) - } - - // response - if src.Spec.Response != nil { - for name, responseSrc := range src.Spec.Response.Success.Headers { - response := convertSuccessResponseTo(name, responseSrc.SuccessResponseSpec, "httpHeader") - dst.Spec.Response = append(dst.Spec.Response, response) - } - - for name, responseSrc 
:= range src.Spec.Response.Success.DynamicMetadata { - response := convertSuccessResponseTo(name, responseSrc, "envoyDynamicMetadata") - dst.Spec.Response = append(dst.Spec.Response, response) - } - - // denyWith - if src.Spec.Response.Unauthenticated != nil || src.Spec.Response.Unauthorized != nil { - dst.Spec.DenyWith = &v1beta1.DenyWith{} - } - - if denyWithSrc := src.Spec.Response.Unauthenticated; denyWithSrc != nil { - dst.Spec.DenyWith.Unauthenticated = convertDenyWithSpecTo(denyWithSrc) - } - - if denyWithSrc := src.Spec.Response.Unauthorized; denyWithSrc != nil { - dst.Spec.DenyWith.Unauthorized = convertDenyWithSpecTo(denyWithSrc) - } - } - - // callbacks - for name, callbackSrc := range src.Spec.Callbacks { - callback := convertCallbackTo(name, callbackSrc) - dst.Spec.Callbacks = append(dst.Spec.Callbacks, callback) - } - - // status - dst.Status = convertStatusTo(src.Status) - - logger.V(1).Info("finished converting resource", "dst", dst) - - return nil -} - -func (dst *AuthConfig) ConvertFrom(srcRaw conversion.Hub) error { - src := srcRaw.(*v1beta1.AuthConfig) - - logger := ctrl.Log.WithName("webhook").WithName("authconfig").WithName("converfrom").WithValues("src", src) - logger.V(1).Info("starting converting resource") - - // metadata - dst.ObjectMeta = src.ObjectMeta - - // hosts - dst.Spec.Hosts = src.Spec.Hosts - - // named patterns - if src.Spec.Patterns != nil { - dst.Spec.NamedPatterns = make(map[string]PatternExpressions, len(src.Spec.Patterns)) - for name, patterns := range src.Spec.Patterns { - dst.Spec.NamedPatterns[name] = utils.Map(patterns, convertPatternExpressionFrom) - } - } - - // conditions - dst.Spec.Conditions = utils.Map(src.Spec.Conditions, convertPatternExpressionOrRefFrom) - - // authentication - if src.Spec.Identity != nil { - dst.Spec.Authentication = make(map[string]AuthenticationSpec, len(src.Spec.Identity)) - for _, identity := range src.Spec.Identity { - name, authentication := convertAuthenticationFrom(identity) - 
dst.Spec.Authentication[name] = authentication - } - } - - // metadata - if src.Spec.Metadata != nil { - dst.Spec.Metadata = make(map[string]MetadataSpec, len(src.Spec.Metadata)) - for _, metadataSrc := range src.Spec.Metadata { - name, metadata := convertMetadataFrom(metadataSrc) - dst.Spec.Metadata[name] = metadata - } - } - - // authorization - if src.Spec.Authorization != nil { - dst.Spec.Authorization = make(map[string]AuthorizationSpec, len(src.Spec.Authorization)) - for _, authorizationSrc := range src.Spec.Authorization { - name, authorization := convertAuthorizationFrom(authorizationSrc) - dst.Spec.Authorization[name] = authorization - } - } - - // response - denyWith := src.Spec.DenyWith - - if denyWith != nil || len(src.Spec.Response) > 0 { - dst.Spec.Response = &ResponseSpec{} - } - - if denyWith != nil && denyWith.Unauthenticated != nil { - dst.Spec.Response.Unauthenticated = convertDenyWithSpecFrom(denyWith.Unauthenticated) - } - - if denyWith != nil && denyWith.Unauthorized != nil { - dst.Spec.Response.Unauthorized = convertDenyWithSpecFrom(denyWith.Unauthorized) - } - - for _, responseSrc := range src.Spec.Response { - if responseSrc.Wrapper != "httpHeader" && responseSrc.Wrapper != "" { - continue - } - if dst.Spec.Response.Success.Headers == nil { - dst.Spec.Response.Success.Headers = make(map[string]HeaderSuccessResponseSpec) - } - name, response := convertSuccessResponseFrom(responseSrc) - dst.Spec.Response.Success.Headers[name] = HeaderSuccessResponseSpec{ - SuccessResponseSpec: response, - } - } - - for _, responseSrc := range src.Spec.Response { - if responseSrc.Wrapper != "envoyDynamicMetadata" { - continue - } - if dst.Spec.Response.Success.DynamicMetadata == nil { - dst.Spec.Response.Success.DynamicMetadata = make(map[string]SuccessResponseSpec) - } - name, response := convertSuccessResponseFrom(responseSrc) - dst.Spec.Response.Success.DynamicMetadata[name] = response - } - - // callbacks - if src.Spec.Callbacks != nil { - 
dst.Spec.Callbacks = make(map[string]CallbackSpec, len(src.Spec.Callbacks)) - for _, callbackSrc := range src.Spec.Callbacks { - name, callback := convertCallbackFrom(callbackSrc) - dst.Spec.Callbacks[name] = callback - } - } - - // status - dst.Status = convertStatusFrom(src.Status) - - logger.V(1).Info("finished converting resource", "dst", dst) - - return nil -} - -func convertPatternExpressionTo(src PatternExpression) v1beta1.JSONPatternExpression { - return v1beta1.JSONPatternExpression{ - Selector: src.Selector, - Operator: v1beta1.JSONPatternOperator(src.Operator), - Value: src.Value, - } -} - -func convertPatternExpressionFrom(src v1beta1.JSONPatternExpression) PatternExpression { - return PatternExpression{ - Selector: src.Selector, - Operator: PatternExpressionOperator(src.Operator), - Value: src.Value, - } -} - -func convertPatternExpressionOrRefTo(src PatternExpressionOrRef) v1beta1.JSONPattern { - pattern := v1beta1.JSONPattern{ - JSONPatternExpression: convertPatternExpressionTo(src.PatternExpression), - JSONPatternRef: v1beta1.JSONPatternRef{ - JSONPatternName: src.PatternRef.Name, - }, - } - if len(src.All) > 0 { - pattern.All = make([]v1beta1.UnstructuredJSONPattern, len(src.All)) - for i, p := range src.All { - pattern.All[i] = v1beta1.UnstructuredJSONPattern{JSONPattern: convertPatternExpressionOrRefTo(p.PatternExpressionOrRef)} - } - } - if len(src.Any) > 0 { - pattern.Any = make([]v1beta1.UnstructuredJSONPattern, len(src.Any)) - for i, p := range src.Any { - pattern.Any[i] = v1beta1.UnstructuredJSONPattern{JSONPattern: convertPatternExpressionOrRefTo(p.PatternExpressionOrRef)} - } - } - return pattern -} - -func convertPatternExpressionOrRefFrom(src v1beta1.JSONPattern) PatternExpressionOrRef { - pattern := PatternExpressionOrRef{ - PatternExpression: convertPatternExpressionFrom(src.JSONPatternExpression), - PatternRef: PatternRef{ - Name: src.JSONPatternRef.JSONPatternName, - }, - } - if len(src.All) > 0 { - pattern.All = 
make([]UnstructuredPatternExpressionOrRef, len(src.All)) - for i, p := range src.All { - pattern.All[i] = UnstructuredPatternExpressionOrRef{convertPatternExpressionOrRefFrom(p.JSONPattern)} - } - } - if len(src.Any) > 0 { - pattern.Any = make([]UnstructuredPatternExpressionOrRef, len(src.Any)) - for i, p := range src.Any { - pattern.Any[i] = UnstructuredPatternExpressionOrRef{convertPatternExpressionOrRefFrom(p.JSONPattern)} - } - } - return pattern -} - -func convertEvaluatorCachingTo(src *EvaluatorCaching) *v1beta1.EvaluatorCaching { - if src == nil { - return nil - } - return &v1beta1.EvaluatorCaching{ - Key: convertValueOrSelectorTo(src.Key), - TTL: src.TTL, - } -} - -func convertEvaluatorCachingFrom(src *v1beta1.EvaluatorCaching) *EvaluatorCaching { - if src == nil { - return nil - } - return &EvaluatorCaching{ - Key: convertValueOrSelectorFrom(src.Key), - TTL: src.TTL, - } -} - -func convertValueOrSelectorTo(src ValueOrSelector) v1beta1.StaticOrDynamicValue { - return v1beta1.StaticOrDynamicValue{ - Value: gjson.ParseBytes(src.Value.Raw).String(), - ValueFrom: convertSelectorTo(src), - } -} - -func convertValueOrSelectorFrom(src v1beta1.StaticOrDynamicValue) ValueOrSelector { - value := k8sruntime.RawExtension{} - if src.ValueFrom.AuthJSON == "" { - jsonString, err := json.Marshal(src.Value) - if err == nil { - value.Raw = jsonString - } - } - return ValueOrSelector{ - Value: value, - Selector: src.ValueFrom.AuthJSON, - } -} - -func convertPtrValueOrSelectorTo(src *ValueOrSelector) *v1beta1.StaticOrDynamicValue { - if src == nil { - return nil - } - v := convertValueOrSelectorTo(*src) - return &v -} - -func convertPtrValueOrSelectorFrom(src *v1beta1.StaticOrDynamicValue) *ValueOrSelector { - if src == nil { - return nil - } - v := convertValueOrSelectorFrom(*src) - return &v -} - -func convertNamedValuesOrSelectorsTo(src NamedValuesOrSelectors) []v1beta1.JsonProperty { - if src == nil { - return nil - } - jsonProperties := make([]v1beta1.JsonProperty, 0, 
len(src)) - for name, valueOrSelector := range src { - jsonProperties = append(jsonProperties, v1beta1.JsonProperty{ - Name: name, - Value: valueOrSelector.Value, - ValueFrom: convertSelectorTo(valueOrSelector), - }) - } - return jsonProperties -} - -func convertNamedValuesOrSelectorsFrom(src []v1beta1.JsonProperty) NamedValuesOrSelectors { - if src == nil { - return nil - } - namedValuesOrSelectors := NamedValuesOrSelectors{} - for _, jsonProperty := range src { - value := k8sruntime.RawExtension{} - if jsonProperty.ValueFrom.AuthJSON == "" { - value.Raw = jsonProperty.Value.Raw - } - namedValuesOrSelectors[jsonProperty.Name] = ValueOrSelector{ - Value: value, - Selector: jsonProperty.ValueFrom.AuthJSON, - } - } - return namedValuesOrSelectors -} - -func convertSelectorTo(src ValueOrSelector) v1beta1.ValueFrom { - return v1beta1.ValueFrom{ - AuthJSON: src.Selector, - } -} - -func convertCredentialsTo(src Credentials) v1beta1.Credentials { - var in, key string - switch src.GetType() { - case AuthorizationHeaderCredentials: - in = "authorization_header" - key = src.AuthorizationHeader.Prefix - case CustomHeaderCredentials: - in = "custom_header" - key = src.CustomHeader.Name - case QueryStringCredentials: - in = "query" - key = src.QueryString.Name - case CookieCredentials: - in = "cookie" - key = src.Cookie.Name - } - return v1beta1.Credentials{ - In: v1beta1.Credentials_In(in), - KeySelector: key, - } -} - -func convertCredentialsFrom(src v1beta1.Credentials) Credentials { - credentials := Credentials{} - switch src.In { - case "authorization_header": - credentials.AuthorizationHeader = &Prefixed{ - Prefix: src.KeySelector, - } - case "custom_header": - credentials.CustomHeader = &CustomHeader{ - Named: Named{Name: src.KeySelector}, - } - case "query": - credentials.QueryString = &Named{ - Name: src.KeySelector, - } - case "cookie": - credentials.Cookie = &Named{ - Name: src.KeySelector, - } - } - return credentials -} - -func convertAuthenticationTo(name string, 
src AuthenticationSpec) *v1beta1.Identity { - extendedProperties := utils.Map(convertNamedValuesOrSelectorsTo(NamedValuesOrSelectors(src.Overrides)), func(jsonProperty v1beta1.JsonProperty) v1beta1.ExtendedProperty { - return v1beta1.ExtendedProperty{ - JsonProperty: jsonProperty, - Overwrite: true, - } - }) - extendedProperties = append(extendedProperties, utils.Map(convertNamedValuesOrSelectorsTo(NamedValuesOrSelectors(src.Defaults)), func(jsonProperty v1beta1.JsonProperty) v1beta1.ExtendedProperty { - return v1beta1.ExtendedProperty{ - JsonProperty: jsonProperty, - Overwrite: false, - } - })...) - - identity := &v1beta1.Identity{ - Name: name, - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), - Cache: convertEvaluatorCachingTo(src.Cache), - Credentials: convertCredentialsTo(src.Credentials), - ExtendedProperties: extendedProperties, - } - - switch src.GetMethod() { - case ApiKeyAuthentication: - selector := *src.ApiKey.Selector - identity.APIKey = &v1beta1.Identity_APIKey{ - Selector: &selector, - AllNamespaces: src.ApiKey.AllNamespaces, - } - case JwtAuthentication: - identity.Oidc = &v1beta1.Identity_OidcConfig{ - Endpoint: src.Jwt.IssuerUrl, - TTL: src.Jwt.TTL, - } - case OAuth2TokenIntrospectionAuthentication: - credentials := *src.OAuth2TokenIntrospection.Credentials - identity.OAuth2 = &v1beta1.Identity_OAuth2Config{ - TokenIntrospectionUrl: src.OAuth2TokenIntrospection.Url, - TokenTypeHint: src.OAuth2TokenIntrospection.TokenTypeHint, - Credentials: &credentials, - } - case KubernetesTokenReviewAuthentication: - identity.KubernetesAuth = &v1beta1.Identity_KubernetesAuth{ - Audiences: src.KubernetesTokenReview.Audiences, - } - case X509ClientCertificateAuthentication: - selector := *src.X509ClientCertificate.Selector - identity.MTLS = &v1beta1.Identity_MTLS{ - Selector: &selector, - AllNamespaces: src.X509ClientCertificate.AllNamespaces, - } - case PlainIdentityAuthentication: - 
selector := v1beta1.Identity_Plain(v1beta1.ValueFrom{ - AuthJSON: src.Plain.Selector, - }) - identity.Plain = &selector - case AnonymousAccessAuthentication: - identity.Anonymous = &v1beta1.Identity_Anonymous{} - } - - return identity -} - -func convertAuthenticationFrom(src *v1beta1.Identity) (string, AuthenticationSpec) { - authentication := AuthenticationSpec{ - CommonEvaluatorSpec: CommonEvaluatorSpec{ - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), - Cache: convertEvaluatorCachingFrom(src.Cache), - }, - Credentials: convertCredentialsFrom(src.Credentials), - } - - var overrides []v1beta1.JsonProperty - for _, extendedProperty := range src.ExtendedProperties { - if !extendedProperty.Overwrite { - continue - } - overrides = append(overrides, extendedProperty.JsonProperty) - } - if len(overrides) > 0 { - authentication.Overrides = ExtendedProperties(convertNamedValuesOrSelectorsFrom(overrides)) - } - - var defaults []v1beta1.JsonProperty - for _, extendedProperty := range src.ExtendedProperties { - if extendedProperty.Overwrite { - continue - } - defaults = append(defaults, extendedProperty.JsonProperty) - } - if len(defaults) > 0 { - authentication.Defaults = ExtendedProperties(convertNamedValuesOrSelectorsFrom(defaults)) - } - - switch src.GetType() { - case v1beta1.IdentityApiKey: - selector := *src.APIKey.Selector - authentication.ApiKey = &ApiKeyAuthenticationSpec{ - Selector: &selector, - AllNamespaces: src.APIKey.AllNamespaces, - } - case v1beta1.IdentityOidc: - authentication.Jwt = &JwtAuthenticationSpec{ - IssuerUrl: src.Oidc.Endpoint, - TTL: src.Oidc.TTL, - } - case v1beta1.IdentityOAuth2: - credentials := *src.OAuth2.Credentials - authentication.OAuth2TokenIntrospection = &OAuth2TokenIntrospectionSpec{ - Url: src.OAuth2.TokenIntrospectionUrl, - TokenTypeHint: src.OAuth2.TokenTypeHint, - Credentials: &credentials, - } - case v1beta1.IdentityKubernetesAuth: - 
authentication.KubernetesTokenReview = &KubernetesTokenReviewSpec{ - Audiences: src.KubernetesAuth.Audiences, - } - case v1beta1.IdentityMTLS: - selector := *src.MTLS.Selector - authentication.X509ClientCertificate = &X509ClientCertificateAuthenticationSpec{ - Selector: &selector, - AllNamespaces: src.MTLS.AllNamespaces, - } - case v1beta1.IdentityPlain: - authentication.Plain = &PlainIdentitySpec{ - Selector: src.Plain.AuthJSON, - } - case v1beta1.IdentityAnonymous: - authentication.AnonymousAccess = &AnonymousAccessSpec{} - } - - return src.Name, authentication -} - -func convertMetadataTo(name string, src MetadataSpec) *v1beta1.Metadata { - metadata := &v1beta1.Metadata{ - Name: name, - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), - Cache: convertEvaluatorCachingTo(src.Cache), - } - - switch src.GetMethod() { - case HttpMetadata: - metadata.GenericHTTP = convertHttpEndpointSpecTo(src.Http) - case UserInfoMetadata: - metadata.UserInfo = &v1beta1.Metadata_UserInfo{ - IdentitySource: src.UserInfo.IdentitySource, - } - case UmaResourceMetadata: - credentials := *src.Uma.Credentials - metadata.UMA = &v1beta1.Metadata_UMA{ - Endpoint: src.Uma.Endpoint, - Credentials: &credentials, - } - } - - return metadata -} - -func convertMetadataFrom(src *v1beta1.Metadata) (string, MetadataSpec) { - metadata := MetadataSpec{ - CommonEvaluatorSpec: CommonEvaluatorSpec{ - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), - Cache: convertEvaluatorCachingFrom(src.Cache), - }, - } - - switch src.GetType() { - case v1beta1.MetadataGenericHTTP: - metadata.Http = convertHttpEndpointSpecFrom(src.GenericHTTP) - case v1beta1.MetadataUserinfo: - metadata.UserInfo = &UserInfoMetadataSpec{ - IdentitySource: src.UserInfo.IdentitySource, - } - case v1beta1.MetadataUma: - credentials := *src.UMA.Credentials - metadata.Uma = &UmaMetadataSpec{ - 
Endpoint: src.UMA.Endpoint, - Credentials: &credentials, - } - } - - return src.Name, metadata -} - -func convertHttpEndpointSpecTo(src *HttpEndpointSpec) *v1beta1.Metadata_GenericHTTP { - if src == nil { - return nil - } - return &v1beta1.Metadata_GenericHTTP{ - Endpoint: src.Url, - Method: convertMethodTo(src.Method), - Body: convertPtrValueOrSelectorTo(src.Body), - Parameters: convertNamedValuesOrSelectorsTo(src.Parameters), - ContentType: convertContentTypeTo(src.ContentType), - Headers: convertNamedValuesOrSelectorsTo(src.Headers), - SharedSecret: convertSecretKeyReferenceTo(src.SharedSecret), - OAuth2: convertOAuth2ClientAuthenticationTo(src.OAuth2), - Credentials: convertCredentialsTo(src.Credentials), - } -} - -func convertHttpEndpointSpecFrom(src *v1beta1.Metadata_GenericHTTP) *HttpEndpointSpec { - if src == nil { - return nil - } - return &HttpEndpointSpec{ - Url: src.Endpoint, - Method: convertMethodFrom(src.Method), - Body: convertPtrValueOrSelectorFrom(src.Body), - Parameters: convertNamedValuesOrSelectorsFrom(src.Parameters), - ContentType: convertContentTypeFrom(src.ContentType), - Headers: convertNamedValuesOrSelectorsFrom(src.Headers), - SharedSecret: convertSecretKeyReferenceFrom(src.SharedSecret), - OAuth2: convertOAuth2ClientAuthenticationFrom(src.OAuth2), - Credentials: convertCredentialsFrom(src.Credentials), - } -} - -func convertMethodTo(src *HttpMethod) *v1beta1.GenericHTTP_Method { - if src == nil { - return nil - } - method := v1beta1.GenericHTTP_Method(*src) - return &method -} - -func convertMethodFrom(src *v1beta1.GenericHTTP_Method) *HttpMethod { - if src == nil { - return nil - } - method := HttpMethod(*src) - return &method -} - -func convertContentTypeTo(src HttpContentType) v1beta1.Metadata_GenericHTTP_ContentType { - return v1beta1.Metadata_GenericHTTP_ContentType(src) -} - -func convertContentTypeFrom(src v1beta1.Metadata_GenericHTTP_ContentType) HttpContentType { - return HttpContentType(src) -} - -func 
convertOAuth2ClientAuthenticationTo(src *OAuth2ClientAuthentication) *v1beta1.OAuth2ClientAuthentication { - if src == nil { - return nil - } - o := &v1beta1.OAuth2ClientAuthentication{ - TokenUrl: src.TokenUrl, - ClientId: src.ClientId, - ClientSecret: *convertSecretKeyReferenceTo(&src.ClientSecret), - Scopes: src.Scopes, - ExtraParams: src.ExtraParams, - } - if src.Cache != nil { - cache := *src.Cache - o.Cache = &cache - } - return o -} - -func convertOAuth2ClientAuthenticationFrom(src *v1beta1.OAuth2ClientAuthentication) *OAuth2ClientAuthentication { - if src == nil { - return nil - } - o := &OAuth2ClientAuthentication{ - TokenUrl: src.TokenUrl, - ClientId: src.ClientId, - ClientSecret: *convertSecretKeyReferenceFrom(&src.ClientSecret), - Scopes: src.Scopes, - ExtraParams: src.ExtraParams, - } - if src.Cache != nil { - cache := *src.Cache - o.Cache = &cache - } - return o -} - -func convertSecretKeyReferenceTo(src *SecretKeyReference) *v1beta1.SecretKeyReference { - if src == nil { - return nil - } - return &v1beta1.SecretKeyReference{ - Name: src.Name, - Key: src.Key, - } -} - -func convertSecretKeyReferenceFrom(src *v1beta1.SecretKeyReference) *SecretKeyReference { - if src == nil { - return nil - } - return &SecretKeyReference{ - Name: src.Name, - Key: src.Key, - } -} - -func convertAuthorizationTo(name string, src AuthorizationSpec) *v1beta1.Authorization { - authorization := &v1beta1.Authorization{ - Name: name, - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), - Cache: convertEvaluatorCachingTo(src.Cache), - } - - switch src.GetMethod() { - case PatternMatchingAuthorization: - authorization.JSON = &v1beta1.Authorization_JSONPatternMatching{ - Rules: utils.Map(src.PatternMatching.Patterns, convertPatternExpressionOrRefTo), - } - case OpaAuthorization: - authorization.OPA = &v1beta1.Authorization_OPA{ - InlineRego: src.Opa.Rego, - ExternalRegistry: 
convertOpaExternalRegistryTo(src.Opa.External), - AllValues: src.Opa.AllValues, - } - case KubernetesSubjectAccessReviewAuthorization: - authorization.KubernetesAuthz = &v1beta1.Authorization_KubernetesAuthz{ - Groups: src.KubernetesSubjectAccessReview.Groups, - ResourceAttributes: convertKubernetesSubjectAccessReviewResourceAttributesTo(src.KubernetesSubjectAccessReview.ResourceAttributes), - } - if src.KubernetesSubjectAccessReview.User != nil { - authorization.KubernetesAuthz.User = convertValueOrSelectorTo(*src.KubernetesSubjectAccessReview.User) - } - case SpiceDBAuthorization: - authorization.Authzed = &v1beta1.Authorization_Authzed{ - Endpoint: src.SpiceDB.Endpoint, - Insecure: src.SpiceDB.Insecure, - SharedSecret: convertSecretKeyReferenceTo(src.SpiceDB.SharedSecret), - Subject: spiceDBObjectTo(src.SpiceDB.Subject), - Resource: spiceDBObjectTo(src.SpiceDB.Resource), - Permission: convertValueOrSelectorTo(src.SpiceDB.Permission), - } - } - - return authorization -} - -func convertAuthorizationFrom(src *v1beta1.Authorization) (string, AuthorizationSpec) { - authorization := AuthorizationSpec{ - CommonEvaluatorSpec: CommonEvaluatorSpec{ - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), - Cache: convertEvaluatorCachingFrom(src.Cache), - }, - } - - switch src.GetType() { - case v1beta1.AuthorizationJSONPatternMatching: - authorization.PatternMatching = &PatternMatchingAuthorizationSpec{ - Patterns: utils.Map(src.JSON.Rules, convertPatternExpressionOrRefFrom), - } - case v1beta1.AuthorizationOPA: - authorization.Opa = &OpaAuthorizationSpec{ - Rego: src.OPA.InlineRego, - External: convertOpaExternalRegistryFrom(src.OPA.ExternalRegistry), - AllValues: src.OPA.AllValues, - } - case v1beta1.AuthorizationKubernetesAuthz: - authorization.KubernetesSubjectAccessReview = &KubernetesSubjectAccessReviewAuthorizationSpec{ - User: convertPtrValueOrSelectorFrom(&src.KubernetesAuthz.User), - Groups: 
src.KubernetesAuthz.Groups, - ResourceAttributes: convertKubernetesSubjectAccessReviewResourceAttributesFrom(src.KubernetesAuthz.ResourceAttributes), - } - case v1beta1.AuthorizationAuthzed: - authorization.SpiceDB = &SpiceDBAuthorizationSpec{ - Endpoint: src.Authzed.Endpoint, - Insecure: src.Authzed.Insecure, - SharedSecret: convertSecretKeyReferenceFrom(src.Authzed.SharedSecret), - Subject: spiceDBObjectFrom(src.Authzed.Subject), - Resource: spiceDBObjectFrom(src.Authzed.Resource), - Permission: convertValueOrSelectorFrom(src.Authzed.Permission), - } - } - - return src.Name, authorization -} - -func convertOpaExternalRegistryTo(src *ExternalOpaPolicy) v1beta1.ExternalRegistry { - if src == nil { - return v1beta1.ExternalRegistry{} - } - return v1beta1.ExternalRegistry{ - Endpoint: src.Url, - SharedSecret: convertSecretKeyReferenceTo(src.SharedSecret), - Credentials: convertCredentialsTo(src.Credentials), - TTL: src.TTL, - } -} - -func convertOpaExternalRegistryFrom(src v1beta1.ExternalRegistry) *ExternalOpaPolicy { - if src.Endpoint == "" { - return nil - } - return &ExternalOpaPolicy{ - HttpEndpointSpec: &HttpEndpointSpec{ - Url: src.Endpoint, - SharedSecret: convertSecretKeyReferenceFrom(src.SharedSecret), - Credentials: convertCredentialsFrom(src.Credentials), - }, - TTL: src.TTL, - } -} - -func convertKubernetesSubjectAccessReviewResourceAttributesTo(src *KubernetesSubjectAccessReviewResourceAttributesSpec) *v1beta1.Authorization_KubernetesAuthz_ResourceAttributes { - if src == nil { - return nil - } - return &v1beta1.Authorization_KubernetesAuthz_ResourceAttributes{ - Namespace: convertValueOrSelectorTo(src.Namespace), - Group: convertValueOrSelectorTo(src.Group), - Resource: convertValueOrSelectorTo(src.Resource), - Name: convertValueOrSelectorTo(src.Name), - SubResource: convertValueOrSelectorTo(src.SubResource), - Verb: convertValueOrSelectorTo(src.Verb), - } -} - -func convertKubernetesSubjectAccessReviewResourceAttributesFrom(src 
*v1beta1.Authorization_KubernetesAuthz_ResourceAttributes) *KubernetesSubjectAccessReviewResourceAttributesSpec { - if src == nil { - return nil - } - return &KubernetesSubjectAccessReviewResourceAttributesSpec{ - Namespace: convertValueOrSelectorFrom(src.Namespace), - Group: convertValueOrSelectorFrom(src.Group), - Resource: convertValueOrSelectorFrom(src.Resource), - Name: convertValueOrSelectorFrom(src.Name), - SubResource: convertValueOrSelectorFrom(src.SubResource), - Verb: convertValueOrSelectorFrom(src.Verb), - } -} - -func spiceDBObjectTo(src *SpiceDBObject) *v1beta1.AuthzedObject { - if src == nil { - return nil - } - return &v1beta1.AuthzedObject{ - Kind: convertValueOrSelectorTo(src.Kind), - Name: convertValueOrSelectorTo(src.Name), - } -} - -func spiceDBObjectFrom(src *v1beta1.AuthzedObject) *SpiceDBObject { - if src == nil { - return nil - } - return &SpiceDBObject{ - Kind: convertValueOrSelectorFrom(src.Kind), - Name: convertValueOrSelectorFrom(src.Name), - } -} - -func convertSuccessResponseTo(name string, src SuccessResponseSpec, wrapper string) *v1beta1.Response { - response := &v1beta1.Response{ - Name: name, - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), - Cache: convertEvaluatorCachingTo(src.Cache), - Wrapper: v1beta1.Response_Wrapper(wrapper), - WrapperKey: src.Key, - } - - switch src.GetMethod() { - case PlainAuthResponse: - selector := v1beta1.Response_Plain(convertValueOrSelectorTo(ValueOrSelector(*src.Plain))) - response.Plain = &selector - case JsonAuthResponse: - response.JSON = &v1beta1.Response_DynamicJSON{ - Properties: convertNamedValuesOrSelectorsTo(src.Json.Properties), - } - case WristbandAuthResponse: - response.Wristband = &v1beta1.Response_Wristband{ - Issuer: src.Wristband.Issuer, - CustomClaims: convertNamedValuesOrSelectorsTo(src.Wristband.CustomClaims), - } - if src.Wristband.TokenDuration != nil { - duration := *src.Wristband.TokenDuration - 
response.Wristband.TokenDuration = &duration - } - for _, keySrc := range src.Wristband.SigningKeyRefs { - if keySrc == nil { - continue - } - key := v1beta1.SigningKeyRef{ - Name: keySrc.Name, - Algorithm: v1beta1.SigningKeyAlgorithm(keySrc.Algorithm), - } - response.Wristband.SigningKeyRefs = append(response.Wristband.SigningKeyRefs, &key) - } - } - - return response -} - -func convertSuccessResponseFrom(src *v1beta1.Response) (string, SuccessResponseSpec) { - response := SuccessResponseSpec{ - CommonEvaluatorSpec: CommonEvaluatorSpec{ - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), - Cache: convertEvaluatorCachingFrom(src.Cache), - }, - Key: src.WrapperKey, - } - - switch src.GetType() { - case v1beta1.ResponsePlain: - selector := PlainAuthResponseSpec(convertValueOrSelectorFrom(v1beta1.StaticOrDynamicValue(*src.Plain))) - response.Plain = &selector - case v1beta1.ResponseDynamicJSON: - response.Json = &JsonAuthResponseSpec{ - Properties: convertNamedValuesOrSelectorsFrom(src.JSON.Properties), - } - case v1beta1.ResponseWristband: - response.Wristband = &WristbandAuthResponseSpec{ - Issuer: src.Wristband.Issuer, - CustomClaims: convertNamedValuesOrSelectorsFrom(src.Wristband.CustomClaims), - } - if src.Wristband.TokenDuration != nil { - duration := *src.Wristband.TokenDuration - response.Wristband.TokenDuration = &duration - } - for _, keySrc := range src.Wristband.SigningKeyRefs { - if keySrc == nil { - continue - } - key := &WristbandSigningKeyRef{ - Name: keySrc.Name, - Algorithm: WristbandSigningKeyAlgorithm(keySrc.Algorithm), - } - response.Wristband.SigningKeyRefs = append(response.Wristband.SigningKeyRefs, key) - } - } - - return src.Name, response -} - -func convertDenyWithSpecTo(src *DenyWithSpec) *v1beta1.DenyWithSpec { - if src == nil { - return nil - } - return &v1beta1.DenyWithSpec{ - Code: v1beta1.DenyWith_Code(src.Code), - Headers: 
convertNamedValuesOrSelectorsTo(src.Headers), - Message: convertPtrValueOrSelectorTo(src.Message), - Body: convertPtrValueOrSelectorTo(src.Body), - } -} - -func convertDenyWithSpecFrom(src *v1beta1.DenyWithSpec) *DenyWithSpec { - if src == nil { - return nil - } - return &DenyWithSpec{ - Code: DenyWithCode(src.Code), - Headers: convertNamedValuesOrSelectorsFrom(src.Headers), - Message: convertPtrValueOrSelectorFrom(src.Message), - Body: convertPtrValueOrSelectorFrom(src.Body), - } -} - -func convertCallbackTo(name string, src CallbackSpec) *v1beta1.Callback { - callback := &v1beta1.Callback{ - Name: name, - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefTo), - } - - switch src.GetMethod() { - case HttpCallback: - callback.HTTP = convertHttpEndpointSpecTo(src.Http) - } - - return callback -} - -func convertCallbackFrom(src *v1beta1.Callback) (string, CallbackSpec) { - callback := CallbackSpec{ - CommonEvaluatorSpec: CommonEvaluatorSpec{ - Priority: src.Priority, - Metrics: src.Metrics, - Conditions: utils.Map(src.Conditions, convertPatternExpressionOrRefFrom), - }, - } - - switch src.GetType() { - case v1beta1.CallbackHTTP: - callback.Http = convertHttpEndpointSpecFrom(src.HTTP) - } - - return src.Name, callback -} - -func convertStatusTo(src AuthConfigStatus) v1beta1.AuthConfigStatus { - return v1beta1.AuthConfigStatus{ - Conditions: utils.Map(src.Conditions, func(conditionSrc AuthConfigStatusCondition) v1beta1.Condition { - condition := v1beta1.Condition{ - Type: v1beta1.ConditionType(conditionSrc.Type), - Status: conditionSrc.Status, - LastTransitionTime: conditionSrc.LastTransitionTime, - Reason: conditionSrc.Reason, - Message: conditionSrc.Message, - } - if conditionSrc.LastUpdatedTime != nil { - time := *conditionSrc.LastUpdatedTime - condition.LastUpdatedTime = &time - } - return condition - }), - Summary: convertStatusSummaryTo(src.Summary), - } -} - -func convertStatusFrom(src 
v1beta1.AuthConfigStatus) AuthConfigStatus { - return AuthConfigStatus{ - Conditions: utils.Map(src.Conditions, func(conditionSrc v1beta1.Condition) AuthConfigStatusCondition { - condition := AuthConfigStatusCondition{ - Type: StatusConditionType(conditionSrc.Type), - Status: conditionSrc.Status, - LastTransitionTime: conditionSrc.LastTransitionTime, - Reason: conditionSrc.Reason, - Message: conditionSrc.Message, - } - if conditionSrc.LastUpdatedTime != nil { - time := *conditionSrc.LastUpdatedTime - condition.LastUpdatedTime = &time - } - return condition - }), - Summary: convertStatusSummaryFrom(src.Summary), - } -} - -func convertStatusSummaryTo(src AuthConfigStatusSummary) v1beta1.Summary { - hostsReady := make([]string, len(src.HostsReady)) - copy(hostsReady, src.HostsReady) - - return v1beta1.Summary{ - Ready: src.Ready, - HostsReady: hostsReady, - NumHostsReady: src.NumHostsReady, - NumIdentitySources: src.NumIdentitySources, - NumMetadataSources: src.NumMetadataSources, - NumAuthorizationPolicies: src.NumAuthorizationPolicies, - NumResponseItems: src.NumResponseItems, - FestivalWristbandEnabled: src.FestivalWristbandEnabled, - } -} - -func convertStatusSummaryFrom(src v1beta1.Summary) AuthConfigStatusSummary { - hostsReady := make([]string, len(src.HostsReady)) - copy(hostsReady, src.HostsReady) - - return AuthConfigStatusSummary{ - Ready: src.Ready, - HostsReady: hostsReady, - NumHostsReady: src.NumHostsReady, - NumIdentitySources: src.NumIdentitySources, - NumMetadataSources: src.NumMetadataSources, - NumAuthorizationPolicies: src.NumAuthorizationPolicies, - NumResponseItems: src.NumResponseItems, - FestivalWristbandEnabled: src.FestivalWristbandEnabled, - } -} +// Hub marks this version as a conversion hub. +func (a *AuthConfig) Hub() {} diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go index 3647917e..29171143 100644 --- a/api/v1beta2/zz_generated.deepcopy.go +++ b/api/v1beta2/zz_generated.deepcopy.go 
@@ -1,5 +1,4 @@ //go:build !ignore_autogenerated -// +build !ignore_autogenerated /* Copyright 2020 Red Hat, Inc. @@ -137,7 +136,8 @@ func (in *AuthConfigSpec) DeepCopyInto(out *AuthConfigSpec) { if val == nil { (*out)[key] = nil } else { - in, out := &val, &outVal + inVal := (*in)[key] + in, out := &inVal, &outVal *out = make(PatternExpressions, len(*in)) copy(*out, *in) }