diff --git a/config/crd/patches/cainjection_in_servicebindings.yaml b/config/crd/patches/cainjection_in_servicebindings.yaml deleted file mode 100644 index 169e95c7..00000000 --- a/config/crd/patches/cainjection_in_servicebindings.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# The following patch adds a directive for certmanager to inject CA into the CRD -# CRD conversion requires k8s 1.13 or later. -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) - name: servicebindings.services.cloud.sap.com diff --git a/config/crd/patches/cainjection_in_serviceinstances.yaml b/config/crd/patches/cainjection_in_serviceinstances.yaml deleted file mode 100644 index 7f500213..00000000 --- a/config/crd/patches/cainjection_in_serviceinstances.yaml +++ /dev/null @@ -1,8 +0,0 @@ -# The following patch adds a directive for certmanager to inject CA into the CRD -# CRD conversion requires k8s 1.13 or later. -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) - name: serviceinstances.services.cloud.sap.com diff --git a/config/crd/patches/webhook_in_servicebindings.yaml b/config/crd/patches/webhook_in_servicebindings.yaml deleted file mode 100644 index 834a4594..00000000 --- a/config/crd/patches/webhook_in_servicebindings.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -# The following patch enables conversion webhook for CRD -# CRD conversion requires k8s 1.13 or later. -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: servicebindings.services.cloud.sap.com -spec: - conversion: - strategy: Webhook - webhookClientConfig: - # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, - # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) - caBundle: Cg== - service: - namespace: system - name: webhook-service - path: /convert diff --git a/config/crd/patches/webhook_in_serviceinstances.yaml b/config/crd/patches/webhook_in_serviceinstances.yaml deleted file mode 100644 index 2615f29b..00000000 --- a/config/crd/patches/webhook_in_serviceinstances.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# The following patch enables conversion webhook for CRD -# CRD conversion requires k8s 1.13 or later. -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: serviceinstances.services.cloud.sap.com -spec: - conversion: - strategy: Webhook - webhookClientConfig: - # this is "\n" used as a placeholder, otherwise it will be rejected by the apiserver for being blank, - # but we're going to set it later using the cert-manager (or potentially a patch if not using cert-manager) - caBundle: Cg== - service: - namespace: system - name: webhook-service - path: /convert diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index 20e86c0a..d894b51d 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml 
@@ -8,64 +8,8 @@ namespace: releasenamespace # field above. namePrefix: sap-btp-operator- -# Labels to add to all resources and selectors. -#commonLabels: -# someName: someValue - -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. -# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. -#- ../prometheus - - # Protect the /metrics endpoint by putting it behind auth. - # If you want your controller-manager to expose the /metrics - # endpoint w/o any authn/z, please comment the following line. - -# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in -# crd/kustomization.yaml - -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. -# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. -# 'CERTMANAGER' needs to be enabled to use ca injection -patchesStrategicMerge: -- webhookcainjection_patch.yaml - -# the following config is for teaching kustomize how to do var substitution -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. 
-vars: -- fieldref: - fieldPath: metadata.namespace - name: CERTIFICATE_NAMESPACE - objref: - group: cert-manager.io - kind: Certificate - name: serving-cert - version: v1 -- fieldref: {} - name: CERTIFICATE_NAME - objref: - group: cert-manager.io - kind: Certificate - name: serving-cert - version: v1 -- fieldref: - fieldPath: metadata.namespace - name: SERVICE_NAMESPACE - objref: - kind: Service - name: webhook-service - version: v1 -- fieldref: {} - name: SERVICE_NAME - objref: - kind: Service - name: webhook-service - version: v1 -apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ../crd - ../rbac -- ../webhook -- ../certmanager +apiVersion: kustomize.config.k8s.io/v1beta1 diff --git a/config/default/webhookcainjection_patch.yaml b/config/default/webhookcainjection_patch.yaml deleted file mode 100644 index 02ab515d..00000000 --- a/config/default/webhookcainjection_patch.yaml +++ /dev/null @@ -1,15 +0,0 @@ -# This patch add annotation to admission webhook config and -# the variables $(CERTIFICATE_NAMESPACE) and $(CERTIFICATE_NAME) will be substituted by kustomize. -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: mutating-webhook-configuration - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: validating-webhook-configuration - annotations: - cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml deleted file mode 100644 index 6cf656be..00000000 --- a/config/rbac/auth_proxy_service.yaml +++ /dev/null 
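Review bot: The new side of config/default/kustomization.yaml ends with `apiVersion: kustomize.config.k8s.io/v1beta1` as its last key, after `resources:`, because the hunk deletes the original line above `kind: Kustomization` and re-adds it at the bottom. Kustomize accepts any key order, but the apiVersion/kind-first layout the file had before is what readers and linters expect; keep the original line in place and drop the trailing addition. The hunk also removes `../webhook` and `../certmanager` from `resources:` along with the [WEBHOOK]/[CERTMANAGER] comments that pointed at matching sections in crd/kustomization.yaml; whether those sections were cleaned up too cannot be seen from this diff and is worth confirming.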
@@ -1,14 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: controller-manager - name: controller-manager-metrics-service - namespace: system -spec: - ports: - - name: https - port: 8443 - targetPort: https - selector: - control-plane: controller-manager diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index 66c28338..6e839457 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml @@ -6,7 +6,6 @@ resources: # Comment the following 4 lines if you want to disable # the auth proxy (https://github.com/brancz/kube-rbac-proxy) # which protects your /metrics endpoint. -- auth_proxy_service.yaml - auth_proxy_role.yaml - auth_proxy_role_binding.yaml - auth_proxy_client_clusterrole.yaml diff --git a/sapbtp-operator-charts/templates/cert-manager-certificate.yml b/sapbtp-operator-charts/templates/cert-manager-certificate.yml new file mode 100644 index 00000000..29d130ab --- /dev/null +++ b/sapbtp-operator-charts/templates/cert-manager-certificate.yml @@ -0,0 +1,16 @@ +{{- if .Values.manager.certificates.certManager }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: sap-btp-operator-serving-cert + namespace: {{.Release.Namespace}} +spec: + dnsNames: + - sap-btp-operator-webhook-service.{{.Release.Namespace}}.svc + - sap-btp-operator-webhook-service.{{.Release.Namespace}}.svc.cluster.local + issuerRef: + kind: Issuer + name: sap-btp-operator-selfsigned-issuer + secretName: webhook-server-cert +{{- end}} \ No newline at end of file diff --git a/sapbtp-operator-charts/templates/cert-manager-issuer.yml b/sapbtp-operator-charts/templates/cert-manager-issuer.yml new file mode 100644 index 00000000..15cb72c1 --- /dev/null +++ b/sapbtp-operator-charts/templates/cert-manager-issuer.yml 
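Review bot: The comment kept on the new side of config/rbac/kustomization.yaml still reads `# Comment the following 4 lines if you want to disable`, but after `- auth_proxy_service.yaml` is removed only three entries follow it. Change it to `# Comment the following 3 lines if you want to disable`. Since the metrics Service now lives in the Helm chart (sapbtp-operator-charts/templates/service.yml in this same commit), a one-line note there that the Service is provided by the chart would explain why the kube-rbac-proxy RBAC objects stay while the Service does not.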
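Review bot: cert-manager-certificate.yml ends without a trailing newline (`{{- end}}` is followed by `\ No newline at end of file`); the same applies to cert-manager-issuer.yml, service.yml and webhook.yml in this commit. It works today because `helm template` emits each file as its own `---` separated document, but a missing final newline tends to surface later when files are concatenated or appended to by other tooling, so add it in all four files. The Certificate itself is consistent with the Issuer in cert-manager-issuer.yml and with the `inject-ca-from` annotation in webhook.yml (same namespace and the name `sap-btp-operator-serving-cert`).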
@@ -0,0 +1,10 @@ +{{- if .Values.manager.certificates.certManager }} +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: sap-btp-operator-selfsigned-issuer + namespace: {{.Release.Namespace}} +spec: + selfSigned: {} +{{- end}} \ No newline at end of file diff --git a/sapbtp-operator-charts/templates/gardener-cert-manager-certificate.yml b/sapbtp-operator-charts/templates/gardener-cert-manager-certificate.yml new file mode 100644 index 00000000..b7bcf15a --- /dev/null +++ b/sapbtp-operator-charts/templates/gardener-cert-manager-certificate.yml @@ -0,0 +1,23 @@ +{{- if .Values.manager.certificates.gardenerCertManager }} +--- +apiVersion: cert.gardener.cloud/v1alpha1 +kind: Certificate +metadata: + name: sap-btp-operator-serving-cert + namespace: {{.Release.Namespace}} +spec: + commonName: Kubernetes + dnsNames: + - sap-btp-operator-webhook-service.{{.Release.Namespace}}.svc + - sap-btp-operator-webhook-service.{{.Release.Namespace}}.svc.cluster.local + # if issuer is not specified, the default issuer is used + issuerRef: +{{- if .Values.manager.certificates.gardenerCertManager.issuer }} + name: {{ .Values.manager.certificates.gardenerCertManager.issuer }} +{{- else }} + name: issuer-ca +{{- end}} + secretRef: + name: webhook-server-cert + namespace: {{.Release.Namespace}} +{{- end}} diff --git a/sapbtp-operator-charts/templates/gardener-cert-manager-issuer-secret.yml b/sapbtp-operator-charts/templates/gardener-cert-manager-issuer-secret.yml new file mode 100644 index 00000000..6cca1147 --- /dev/null +++ b/sapbtp-operator-charts/templates/gardener-cert-manager-issuer-secret.yml 
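Review bot: The comment `# if issuer is not specified, the default issuer is used` in gardener-cert-manager-certificate.yml does not describe what the template does: when `.Values.manager.certificates.gardenerCertManager.issuer` is empty it renders `name: issuer-ca`, the chart-created CA Issuer from gardener-cert-manager-issuer.yml, not the cert-management default issuer. Reword it to `# if no issuer is configured, the chart's own CA issuer (issuer-ca) is used`. `commonName: Kubernetes` also looks like a placeholder: it matches neither dnsNames entry and, with SANs present, most clients ignore it, so a CN equal to the first DNS name (or omitting commonName if the CRD allows it) would be less surprising. The issuerRef carries no namespace, so whether cert-management resolves `issuer-ca` in the Certificate's namespace depends on the controller configuration; worth confirming given the Issuer is created in `{{.Release.Namespace}}`.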
@@ -0,0 +1,14 @@ +{{- if .Values.manager.certificates.gardenerCertManager }} +{{- if not .Values.manager.certificates.gardenerCertManager.issuer }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: issuer-ca-secret + namespace: {{.Release.Namespace}} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.manager.certificates.gardenerCertManager.crt }} + tls.key: {{ .Values.manager.certificates.gardenerCertManager.key }} +{{- end}} +{{- end}} diff --git a/sapbtp-operator-charts/templates/gardener-cert-manager-issuer.yml b/sapbtp-operator-charts/templates/gardener-cert-manager-issuer.yml new file mode 100644 index 00000000..52076c63 --- /dev/null +++ b/sapbtp-operator-charts/templates/gardener-cert-manager-issuer.yml @@ -0,0 +1,15 @@ +{{- if .Values.manager.certificates.gardenerCertManager }} +{{- if not .Values.manager.certificates.gardenerCertManager.issuer }} +--- +apiVersion: cert.gardener.cloud/v1alpha1 +kind: Issuer +metadata: + name: issuer-ca + namespace: {{.Release.Namespace}} +spec: + ca: + privateKeySecretRef: + name: issuer-ca-secret + namespace: default +{{- end}} +{{- end}} diff --git a/sapbtp-operator-charts/templates/service.yml b/sapbtp-operator-charts/templates/service.yml new file mode 100644 index 00000000..7a312d4f --- /dev/null +++ b/sapbtp-operator-charts/templates/service.yml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Service +metadata: + name: sap-btp-operator-webhook-service + namespace: {{.Release.Namespace}} +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + control-plane: controller-manager +--- +apiVersion: v1 +kind: Service +metadata: + labels: + control-plane: controller-manager + name: sap-btp-operator-controller-manager-metrics-service + namespace: {{.Release.Namespace}} +spec: + ports: + - name: https + port: 8443 + targetPort: https + selector: + control-plane: controller-manager \ No newline at end of file 
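Review bot: `tls.crt: {{ .Values.manager.certificates.gardenerCertManager.crt }}` and the `tls.key` line below it in gardener-cert-manager-issuer-secret.yml render the values unquoted, so an unset or empty `crt`/`key` becomes a bare `tls.crt:` (YAML null) and the `kubernetes.io/tls` Secret is rejected by the apiserver with an unhelpful error instead of a clear one about the missing value. Use `tls.crt: {{ .Values.manager.certificates.gardenerCertManager.crt | quote }}` and `tls.key: {{ .Values.manager.certificates.gardenerCertManager.key | quote }}`, or wrap them in `required` so the failure names the value. Keep in mind that `key` is the CA private key from ca-key.pem: anything passed through values is also persisted in the Helm release history Secret, so the values.yaml comments should say so and recommend supplying it out of band (for example with `--set-file` at install time) rather than from a committed values file.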
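Review bot: The Issuer in gardener-cert-manager-issuer.yml points `privateKeySecretRef` at `name: issuer-ca-secret` / `namespace: default`, while gardener-cert-manager-issuer-secret.yml creates that Secret in `{{.Release.Namespace}}`; unless the chart is released into `default`, the Issuer references a Secret that does not exist and the webhook certificate is never issued. Change the reference to `namespace: {{.Release.Namespace}}` so it matches the Secret. Both templates are gated on the same `if not ...gardenerCertManager.issuer` condition and are therefore always rendered together, which makes this namespace mismatch the only thing keeping the pair from working.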
diff --git a/sapbtp-operator-charts/templates/webhook.yml b/sapbtp-operator-charts/templates/webhook.yml new file mode 100644 index 00000000..677a41c2 --- /dev/null +++ b/sapbtp-operator-charts/templates/webhook.yml 
@@ -0,0 +1,94 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + {{- if .Values.manager.certificates.certManager }} + annotations: + cert-manager.io/inject-ca-from: {{.Release.Namespace}}/sap-btp-operator-serving-cert + {{- end}} + name: sap-btp-operator-mutating-webhook-configuration +webhooks: + - admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: sap-btp-operator-webhook-service + namespace: {{.Release.Namespace}} + path: /mutate-services-cloud-sap-com-v1alpha1-servicebinding + {{- if .Values.manager.certificates.selfSigned }} + caBundle: {{.Values.manager.certificates.selfSigned.caBundle }} + {{- end }} + {{- if .Values.manager.certificates.gardenerCertManager }} + caBundle: {{.Values.manager.certificates.gardenerCertManager.caBundle }} + {{- end }} + failurePolicy: Fail + name: mservicebinding.kb.io + rules: + - apiGroups: + - services.cloud.sap.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicebindings + sideEffects: None + - admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: sap-btp-operator-webhook-service + namespace: {{.Release.Namespace}} + path: /mutate-services-cloud-sap-com-v1alpha1-serviceinstance + failurePolicy: Fail + name: mserviceinstance.kb.io + rules: + - apiGroups: + - services.cloud.sap.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - serviceinstances + sideEffects: None +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + {{- if .Values.manager.certificates.certManager }} + annotations: + cert-manager.io/inject-ca-from: {{.Release.Namespace}}/sap-btp-operator-serving-cert + {{- end}} + name: sap-btp-operator-validating-webhook-configuration +webhooks: + - admissionReviewVersions: + - v1beta1 + - v1 + clientConfig: + service: + name: sap-btp-operator-webhook-service + namespace: {{.Release.Namespace}} + path: 
/validate-services-cloud-sap-com-v1alpha1-servicebinding + {{- if .Values.manager.certificates.selfSigned }} + caBundle: {{.Values.manager.certificates.selfSigned.caBundle }} + {{- end }} + {{- if .Values.manager.certificates.gardenerCertManager }} + caBundle: {{.Values.manager.certificates.gardenerCertManager.caBundle }} + {{- end }} + failurePolicy: Fail + name: vservicebinding.kb.io + rules: + - apiGroups: + - services.cloud.sap.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - servicebindings + sideEffects: None \ No newline at end of file diff --git a/sapbtp-operator-charts/values.yaml b/sapbtp-operator-charts/values.yaml index 924f3f1c..7a8552f8 100644 --- a/sapbtp-operator-charts/values.yaml +++ b/sapbtp-operator-charts/values.yaml @@ -20,5 +20,33 @@ manager: url: tokenurl: tokenurlsuffix: "/oauth/token" + certificates: + # Configure if https://github.com/jetstack/cert-manager is used + certManager: true + # Configure if self-generated, self-signed certificates are used + # selfSigned: {} + # selfSigned: + # caBundle: "" # must be base64 encoded + + # server-cert.pem + # crt: "" # must be base64 encoded + + # server-key.pem + # key: "" # must be base64 encoded + + # Configure if https://github.com/gardener/cert-management is used + # gardenerCertManager: {} + # gardenerCertManager: + ## set to use own issuer + # issuer: + + ## setup to create issuer with own CA. This requires a caBUndle (ca-cert and ca-key) + # caBundle: "" # must be base64 encoded + + ## ca-cert.pem + # crt: "" # must be base64 encoded + + ## ca-key.pem + # key: "" # must be base64 encoded cluster: id:
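Review bot: In webhook.yml the conditional `caBundle` blocks for `selfSigned` and `gardenerCertManager` are rendered into the clientConfig of `mservicebinding.kb.io` and `vservicebinding.kb.io`, but not into `mserviceinstance.kb.io`, whose clientConfig ends at `path: /mutate-services-cloud-sap-com-v1alpha1-serviceinstance`. In either of those two certificate modes the apiserver then has no CA to verify the webhook server for ServiceInstance CREATE/UPDATE, and with `failurePolicy: Fail` every such request is rejected; the cert-manager mode is unaffected because `inject-ca-from` patches all webhooks in the configuration. Add the same two blocks to that clientConfig, and while there quote the templated values so an empty value fails clearly instead of rendering `caBundle:` as null. Note also that nothing stops both modes being set at once, which would emit a duplicate `caBundle` key in the same mapping.
```yaml
        path: /mutate-services-cloud-sap-com-v1alpha1-serviceinstance
      {{- if .Values.manager.certificates.selfSigned }}
      caBundle: {{ .Values.manager.certificates.selfSigned.caBundle | quote }}
      {{- end }}
      {{- if .Values.manager.certificates.gardenerCertManager }}
      caBundle: {{ .Values.manager.certificates.gardenerCertManager.caBundle | quote }}
      {{- end }}
    failurePolicy: Fail
    # … unchanged: name, rules and sideEffects of mserviceinstance.kb.io …
```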
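Review bot: The commented alternatives `# selfSigned: {}` and `# gardenerCertManager: {}` in values.yaml will not enable those modes: the templates test them with `{{- if .Values.manager.certificates.gardenerCertManager }}`, and Go templates treat an empty map as false, so a user who uncomments the `{}` form gets no Gardener Certificate, Secret or caBundle while `certManager: true` stays in effect. Either drop the `{}` examples or state that at least one sub-key (for example `caBundle`) must be set. The comments should also say that the three modes are meant to be exclusive and that `certManager` has to be set to `false` when another mode is chosen, since the templates do not enforce this and webhook.yml would otherwise render both the cert-manager annotation and a static caBundle. Minor: `caBUndle` in the `## setup to create issuer with own CA` comment is a typo for `caBundle`.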