diff --git a/.github/k8s-install.sh b/.github/k8s-install.sh index d0d2267..a86a9bd 100755 --- a/.github/k8s-install.sh +++ b/.github/k8s-install.sh @@ -39,10 +39,19 @@ echo -e "\n##### create keycloak namespace #####\n" kubectl create namespace "${NAMESPACE}" echo -e "\n##### install keycloak #####\n" -helm upgrade -i keycloak codecentric/keycloak --wait --namespace "${NAMESPACE}" --version "${KEYCLOAK_CHART_VERSION}" +helm upgrade -i keycloak codecentric/keycloak \ + --wait \ + --namespace "${NAMESPACE}" \ + --version "${KEYCLOAK_CHART_VERSION}" \ + --values .github/keycloak-values.yaml echo -e "\n##### install keycloak-controller #####\n" -helm upgrade -i keycloak-controller kiwigrid/keycloak-controller --wait --namespace "${NAMESPACE}" --version "${KEYCLOAK_CONTROLLER_CHART_VERSION}" --set image.repository=keycloak-controller --set image.tag=ci-snapshot +helm upgrade -i keycloak-controller kiwigrid/keycloak-controller \ + --wait \ + --namespace "${NAMESPACE}" \ + --version "${KEYCLOAK_CONTROLLER_CHART_VERSION}" \ + --set image.repository=keycloak-controller \ + --set image.tag=ci-snapshot echo -e "\n##### install keycloak-controller crds #####\n" while IFS= read -r CRD; do @@ -71,7 +80,7 @@ kubectl -n "${NAMESPACE}" get keycloaks.k8s.kiwigrid.com echo "" echo -e "\n##### check for errors in keycloak-controller logs #####\n" -sleep 150 +sleep 20 if kubectl -n "${NAMESPACE}" logs -l app.kubernetes.io/name=keycloak-controller | grep -q ERROR; then echo "errors found in logs :(" kubectl -n "${NAMESPACE}" logs -l app.kubernetes.io/name=keycloak-controller diff --git a/.github/keycloak-values.yaml b/.github/keycloak-values.yaml new file mode 100644 index 0000000..f7c0be3 --- /dev/null +++ b/.github/keycloak-values.yaml @@ -0,0 +1,5 @@ +extraEnv: | + - name: KEYCLOAK_USER + value: keycloak + - name: KEYCLOAK_PASSWORD + value: keycloak diff --git a/.github/kind-config.yaml b/.github/kind-config.yaml index e00d963..13b297c 100644 --- a/.github/kind-config.yaml 
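Review bot: With the wait cut to `sleep 20`, the log check after it can run before the controller has processed the custom resources, and it reads less than it appears to. `kubectl logs -l <selector>` returns only the last 10 lines per pod unless `--tail` is given, and a failed `kubectl logs` makes `grep -q ERROR` return non-zero, which this `if` treats as "no errors". I would wait on an observable condition instead of a fixed delay, for example `kubectl -n "${NAMESPACE}" wait --for=condition=Available deployment -l app.kubernetes.io/name=keycloak-controller --timeout=120s` (assuming the chart creates a Deployment carrying that label), and add `--tail=-1` to the `kubectl logs` call inside the `if`. The `if` block continues past the end of the hunk, so its failure branch is not fully visible here.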
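Review bot: The new `.github/keycloak-values.yaml` puts a fixed admin login (`keycloak` / `keycloak`) into the pod spec as literal `extraEnv` values, and nothing in the file says it is meant only for the throwaway kind cluster. Because `examples/keycloak-fully-configured.yaml` in the same commit switches to `username: keycloak`, a reader could take these values as the recommended setup. I would add a header comment such as `# CI only: throwaway admin credentials for the ephemeral kind cluster, never reuse in a real deployment`. If the chart version in use supports it, the password could also come from a Secret instead of a literal value.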
+++ b/.github/kind-config.yaml
@@ -1,5 +1,5 @@
 kind: Cluster
-apiVersion: kind.sigs.k8s.io/v1alpha3
+apiVersion: kind.x-k8s.io/v1alpha4
 nodes:
 # the control plane node config
 - role: control-plane
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 7914054..15aa798 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -25,17 +25,13 @@ jobs:
 matrix:
 k8s-version:
 - v1.14.10
- - v1.15.7
- - v1.16.9
- - v1.17.5
- - v1.18.6
+ - v1.15.12
+ - v1.16.15
+ - v1.17.11
+ - v1.18.8
 keycloak-chart:
- # keycloak 9.0.0
- - 7.7.1
- # keycloak 10.0.0
- - 8.3.0
- # keycloak 11.0.0
- - 9.0.1
+ # keycloak 11.0.2
+ - 9.1.0
 keycloak-controller-chart:
 - 0.6.1
 steps:
@@ -43,13 +39,13 @@ jobs:
 uses: actions/checkout@v2
 - name: Fetch history
 run: git fetch --prune --unshallow
+ - name: mvn build
+ run: .github/mvn-build.sh
 - name: Create kind ${{ matrix.k8s-version }} cluster
 uses: helm/kind-action@master
 with:
 config: .github/kind-config.yaml
 node_image: kindest/node:${{ matrix.k8s-version }}
- - name: mvn build
- run: .github/mvn-build.sh
 - name: build docker image & push to kind nodes
 run: .github/docker-build.sh
 - name: test keycloak-controller
diff --git a/examples/client-example.yaml b/examples/client-example.yaml
new file mode 100644
index 0000000..20b8f6c
--- /dev/null
+++ b/examples/client-example.yaml
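Review bot: The reordered step list in the second `ci.yaml` hunk still runs `uses: helm/kind-action@master`, a mutable branch reference, so each CI run executes whatever that branch holds at the time; `actions/checkout@v2` is a moving tag as well. While this list is being touched I would pin both to a full commit SHA, e.g. `uses: helm/kind-action@<full-commit-sha> # <release tag>`. Moving `mvn build` ahead of cluster creation looks fine, since a compile failure now stops the job before a cluster is created. The `steps:` list starts and continues outside this hunk.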
@@ -0,0 +1,47 @@
+apiVersion: k8s.kiwigrid.com/v1beta1
+kind: KeycloakClient
+metadata:
+ name: client-example
+spec:
+ keycloak: fully-configured-keycloak
+ realm: food-realm
+ clientId: client-example
+ clientType: confidential
+ defaultClientScopes:
+ - email
+ - profile
+ - roles
+ directAccessGrantsEnabled: true
+ standardFlowEnabled: true
+ implicitFlowEnabled: false
+ redirectUris:
+ - http://*
+ - https://*
+ mapper:
+ - name: audience
+ protocolMapper: oidc-audience-mapper
+ config:
+ claim.name: audience
+ access.token.claim: "true"
+ included.client.audience: client-example
+ - name: username
+ protocolMapper: oidc-usermodel-property-mapper
+ config:
+ access.token.claim: "true"
+ claim.name: username
+ jsonType.label: String
+ user.attribute: username
+ - name: clientRoles
+ protocolMapper: oidc-usermodel-client-role-mapper
+ config:
+ access.token.claim: "true"
+ claim.name: clientRoles
+ jsonType.label: String
+ multivalued: "true"
+ - name: roles
+ protocolMapper: oidc-usermodel-realm-role-mapper
+ config:
+ access.token.claim: "true"
+ claim.name: roles
+ jsonType.label: String
+ multivalued: "true"
\ No newline at end of file
diff --git a/examples/client-mappers-roles.yaml b/examples/client-mappers-roles.yaml
index 54404cb..e982a13 100644
--- a/examples/client-mappers-roles.yaml
+++ b/examples/client-mappers-roles.yaml
@@ -1,12 +1,16 @@
 apiVersion: k8s.kiwigrid.com/v1beta1
 kind: KeycloakClient
 metadata:
- name: customized-client
+ name: pizza-service
 spec:
 keycloak: fully-configured-keycloak
 realm: food-realm
 clientId: pizza-service
 clientType: confidential
+ defaultClientScopes:
+ - email
+ - profile
+ - roles
 directAccessGrantsEnabled: true
 standardFlowEnabled: false
 implicitFlowEnabled: false
diff --git a/examples/keycloak-fully-configured.yaml b/examples/keycloak-fully-configured.yaml
index 2e1ae4a..11d1e37 100644
--- a/examples/keycloak-fully-configured.yaml
+++ b/examples/keycloak-fully-configured.yaml
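Review bot: `redirectUris` in the new `examples/client-example.yaml` lists `http://*` and `https://*` on a confidential client with `standardFlowEnabled: true`, so any origin is accepted as a redirect target and authorization responses can end up at a site the client owner does not control. Example manifests get copied, so I would show a scoped value instead, e.g. `- https://client-example.example.com/*` (constructed placeholder), and drop the plain-`http` entry. `directAccessGrantsEnabled: true` deserves a one-line comment saying whether the example really needs the password grant alongside the standard flow. The file also ends without a trailing newline.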
@@ -3,10 +3,10 @@ kind: Keycloak
 metadata:
 name: fully-configured-keycloak
 spec:
- url: https://keycloak.example.com/auth
+ url: http://keycloak-http.keycloak.svc.cluster.local/auth
 realm: master
 clientId: admin-cli
- username: admin
- passwordSecretNamespace: infrastructure
- passwordSecretName: keycloak-http
+ username: keycloak
+ passwordSecretNamespace: keycloak
+ passwordSecretName: keycloak-auth
 passwordSecretKey: password
\ No newline at end of file
diff --git a/examples/realm-food.yaml b/examples/realm-food.yaml
new file mode 100644
index 0000000..e15615b
--- /dev/null
+++ b/examples/realm-food.yaml
@@ -0,0 +1,11 @@
+apiVersion: k8s.kiwigrid.com/v1beta1
+kind: KeycloakRealm
+metadata:
+ name: food-realm
+spec:
+ keycloak: fully-configured-keycloak
+ realm: food-realm
+ roles:
+ - admin
+ - member
+ - service
diff --git a/examples/realm.yaml b/examples/realm.yaml
index 02caed2..cf78132 100644
--- a/examples/realm.yaml
+++ b/examples/realm.yaml
@@ -3,8 +3,8 @@ kind: KeycloakRealm
 metadata:
 name: realm-example
 spec:
- keycloak: keycloak-instance-example
- realm: my-realm
+ keycloak: fully-configured-keycloak
+ realm: realm-example
 roles:
 - service
 - admin
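Review bot: In `examples/keycloak-fully-configured.yaml` the `url` changes from `https://keycloak.example.com/auth` to `http://keycloak-http.keycloak.svc.cluster.local/auth`, so the controller would log in to the `master` realm through `admin-cli` over plain HTTP. That suits the CI kind cluster but is a weak default for the file presented as the fully configured example. I would add a comment above `url`, such as `# in-cluster HTTP endpoint as used by the CI kind cluster; use an https:// URL outside of test setups`, or keep the HTTPS example and give CI its own manifest. Nothing in the visible diff creates the `keycloak-auth` secret named by `passwordSecretName`, so it is worth confirming that the chart or the install script provides it.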