From 594e1b553af95aaaab788153788100f5e04850b7 Mon Sep 17 00:00:00 2001
From: Dimitar Kostadinov
Date: Mon, 21 Oct 2024 17:39:44 +0300
Subject: [PATCH] Address PR review feedback
---
 .../templates/clusterrole.yaml | 7 ++
 example/controller-registration.yaml | 2 +-
 hack/api-reference/registry.md | 2 +-
 pkg/apis/registry/types.go | 2 +-
 pkg/apis/registry/v1alpha3/types.go | 6 +-
 .../registrycaches/registry_caches.go | 64 +++++++++++--------
 .../registrycaches/registry_caches_test.go | 18 +++---
 .../registrycaches/templates/config.yml.tpl | 4 +-
 pkg/controller/cache/actuator.go | 18 +++---
 pkg/secrets/config.go | 4 ++
 pkg/webhook/cache/ensurer.go | 3 +-
 11 files changed, 76 insertions(+), 54 deletions(-)
diff --git a/charts/gardener-extension-registry-cache/templates/clusterrole.yaml b/charts/gardener-extension-registry-cache/templates/clusterrole.yaml
index 0a1cd853..d6ec5130 100644
--- a/charts/gardener-extension-registry-cache/templates/clusterrole.yaml
+++ b/charts/gardener-extension-registry-cache/templates/clusterrole.yaml
@@ -52,6 +52,13 @@ rules:
 - update
 - patch
 - delete
+# TODO(dimitar-kostadinov): Remove the below rule for managedresources/status after v0.11.0.
+- apiGroups:
+ - resources.gardener.cloud
+ resources:
+ - managedresources/status
+ verbs:
+ - patch
 - apiGroups:
 - ""
 resources:
diff --git a/example/controller-registration.yaml b/example/controller-registration.yaml
index 3fbed78b..95e82489 100644
--- a/example/controller-registration.yaml
+++ b/example/controller-registration.yaml
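Review bot: The rule added in templates/clusterrole.yaml grants `patch` on `managedresources/status` with no `resourceNames` restriction, although the only consumer visible in this patch (removeServicesFromManagedResourceStatus in registry_caches.go) patches the single ManagedResource named by `managedResourceName`. If the chart's binding model allows it, adding `resourceNames:` with that object's name (value not shown on this page) would confine the temporary permission to the one object that needs it. The removal marker here says "after v0.11.0", while the Go side says "after March 2025" on the call and "in v0.12.0" on the function; aligning the three TODOs on one trigger makes it more likely that the extra RBAC verb is dropped together with the code that uses it.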
@@ -4,7 +4,7 @@ kind: ControllerDeployment metadata: name: extension-registry-cache helm: - rawChart: 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 + rawChart: H4sIAAAAAAAAA+0d7XLbNrK/+RQ4pZ0mNyH1abunmdyca7uJp4mtsX2+u+l0PBAJS6hJggVIOWqSe/ZbECQFkpIoyj4lTrnjsSUQWCyA3cXuYkFPMHeIT7hJ3ofEF5T5JicTKkI+N21sT0n7mwdDB+Bgby/+C1D8G3/u9gfd3l5vf1+Wd/d7+/1v0N7Du66GSISYI/QNZyxcV6/q+ROFSeX6W1PienTiM0627EMu8P5gsHL9Ydnz69/rDHqdb1DnUUe6Av7k6/8MjXAYEu4LFDKklhndT4mPxhF1HepPUIDtOzwhwjKeoaspFUhEQcB4CB+ANVw0cdkYeTi0p1D7JeLExSGdEWgXTrVy7DuAwCcTeMp89Dzg5Ja+Jw66p1DvLy8sdO67c8T8uKUkCQWEI5f6xDKs48ubyxBoAxRHzPMAwfXRJXIoF4Y1oWE7/q3IN6zxH7wd/04LppO2/JV+FTO/vUA0hvFFAbqlLhHGXy1xH8DvMb6D36EHn/8LVa8xpywS6PT4BDoMOPuN2KFhUYfgtqoHRYY1EzZzSNv43Ku6OVTL/9EU89CaY8/dto8q+e/194ry3+s28r8TwAG9Jlyu+xDNugYOguxrq2t1WoZDhM1pEMZFh+gNbAbIliyBbhlH4ZSg1wkLoYuEcdCRZByUcZRl+NgjQ1TJa8Ys7btjQedPSIyeLFTLv8Nsa8Ie0keV/B/0i/bfQX/voJH/XUC7jS5Hx/82f4Ld74gFc9gyp+EVMMMQgRYeoMvDEbo8QSDq2I+/4FvYKCkOCbKZF2B/Ljf2hQ6wmR9yOo5grxZGu22k+N9SG9iLmKdQLaS3lHDQJoFkMLMHkg71Jmw4kSgkajFFpo1aYwwfvn19eHF8cnZycfPm8Ojnm+PTi3Zaz4x7Y64L/JtwbWxcWNBsFT8jC3373MYhsqw2/FyfXFyenp+9SL6S99gLXNJehVhug+gkRT0soF7ywKOcM96SAwRLKzakEvVJfDwGiwPlxq0sq1i1JoXSApNa1macg82BFpShHGVGoGPfWHVWy39IYEaAOLG1J1jb/wPO2+82/t8uoM7634C5Dya5sMKgli1Yof+7nW6vsP69vYO9Rv/vAj58MJEDjhh4XS1ppbWQ+emTUW2pyXYEFL+sbehIQD/d0olCoxuXqtxK0VgZZmGlvVm2yyKnPetiN5jirnFHfWcIXppsGCk1l/Vb7NYl2CHgeoKKhGrUUQSsIt9U1c20fnk4GWLqgVJV2BCST+gtmmIxir1X1BJT3NvbH7aQdY3dCJzkuL4V4gnKWgSc+uEtan0n/vGdKNbkJGCCwnY5X4eCuIIsQzjcGqGaQ+3j5+bEBj4H1NH/tgvKkoA945Ja8YAK/d8f7Bfjf/29XrfR/7sA0zRzapqPsW3hKJwyTv9QluXdD6BBGKjlVCErNrgANjA8EmIHh3gIamVTJx8hF49Bock2COEgsO6iMeE+CUnc0eZ4EJKxabD227HRu2mjcpfUBy7wbej2wwdkXcC2gAWxzoAQqRl5BHb60DChIX3NWRTEpJto5RYGTzkRLOI2SaomoiPgy4zwcVI6IWH81wUK4w/3Mlr6oI4WVQtf2zDCMNqMAPkpyD5FAawwKVOFHY8KiTvnhyhuKRPmRWHszNyT8ZSxO1vf1TenKqElnlJO0o/B8mnLKKicNQ/7sEM6WSkUPkNX58fnzx3qUVAQ5h2D+XOoz2YvhuiCeGxGSq2SKQYXGZYazTpWt2t1rKUd1F0NbbDaFCzWyAGWDWVwvJJo6UuC9LF7JNk69jQ3HMcjzu/S4a9YxVarjE8QmJDw0advo74V53o4KHSf9PEg
HOkQ1hG5QCb1U7YUOfPWwWI6ZrAoYjN6pMoVAVacv4WCshnjwGfrNUCsVAsdVCH2wJYHUxb0hmUzTpiAP94SfrA5DoiaVaX4As5gb5qSSMTa+5E55XPv2o8HW9p/Y7AE5KJsZAZW+//dgv23B0ZhY//tAh5m//2o2OBPYgbCgC/IraQ31VJr5gtqlc3lzWdHRGN5xBybnQrPJeEzapND22aRH9aa6Ey9lwcWFzfu/58Waul/FcKrnQpQef6/X4r/wpdG/+8CCuf/esj1HQ6WKPYHqpkUmcZLQ/TRjBVyHF31wcpwtDiyhT4iH6gifogGjaJ6bKgv/+C1mHFAeQb7E+MmOJX8ntNwdUywSv7lYU9e/g8Gg/1G/ncByYlG7qTgOl7Y83RdUeEkZyM1AQogE2V1rmQBnuWMs6Hq2MxgXN7xVgZfOqKYaHGTZ3TQWgY0Ctl/ZErA2vn7iHT99WUdudSRf4cELpt7MJJ6NsB6+e/C/l+U/36/38T/dwJF/w9kRCxcveNsxbd08R5Prr8gRzDuiE6mJp5hCrRTl4ZzMzvgXh4UbYfzAPAJ8OIIN0RA7GEcx5pRSdYboInx+VsZuB2iXvwkcKmNhSIhUS9J4ZH0ABUlIj7CZlxNXpxt/VabzYfO5zaTkyqMhCSNb2J8vs9CFfVPi8AanBL7TkReWwV29bwuNa15va7bhuoAHtqmK5NZktW7Wqn7hYWzmJWlW1aOnufxeTz61rpKRm79CDMykunvrY2MptaL9UNJtosVo4MZ5tQWlkoou5ShUJk0pjVYBEMX699asnitFS1UeBXahDwiqyrJxLUEbYGwOKVNx14ak5tj2Ycz7XYyLQGq3zN+J2ObRfllJgexox4xYYKVHIO+dF12T5zN2jvA8+tarNYdzIRmppjCJiRMOa4FDWZoB+Zg0M9jThWMWifKgNfmRy4W4iw/kWIuQF7Nv3U6SWWRCzOd1Zp2KbaYQsVsKc0ae4WCWEry4p6k4Fj6OsVlo8h1Rww04jynJVW6S5A91NthPtH4zERmomBetUlotwumj+ak5pp4+L1sZkecw9YII5Ff5PWRVxoVCx0mFslO1qLZ5dy3hU6axDwlsG+NCQ7NbOd8tWrjRCtaAnJyb4JGgpXEwDSSOmclaVk7K253mjS7VK1K3ThUSC2jaegc5uTx0eIp6LXfGPVR62WrOFh1HcdkAVHHwOZib1hFrWpynrY4zBoUcRcSvEzqvNJZqpwuZhUxJAfVCX9ssB7rWidSZUpVqI8tqaY8KSupNVL6sgofDK8aHeFFbCt2j2BJp8kzU572mNiR57fi1XC1hl+3aSU86obT1ejU82XDz/RHckNEH3SmK5Nnelviz3RpV8ro7cnh8cnFzcnbk6Or0/Ozm7PDdyeXo8Ojk6wmQjOJ+yfY4IZaIUK3lLhOcghQKpc7/jAzeKyMY7Y1S1J6T98dvj65BmLPL27Or08u/nVxelWidYiU0av5qe2ljuu6RXLpDGZSiBFnY6KPcRqGwWsS5ocdxONtq1X7I/8oNgYql1aCAE0rR/nm6mqkPaA+DSl2j4mL54kyGqJuJ6vBicxsqEurbDXfCal7ht6BKHNhKtGJR7BAl+2ioyJlm4h3bJaFzGbuEF0djVbxXmZq6G21U/VyaGPR4iMCqfcWYY1up0L2Z8yNPPJOGhRLJkKpNG0AnqyohGnJrqxVlKspL40OkTRMHypmFSb/CgJLQrcZfbkZUvNTMpoKE2On4TadsyuD8rUnpO50rCFrSSxuTQwwBYfc4sgN3zEHUAx6HW0QX07c7GuBOvG/gDlg3/Eovgw6jpwJ2SwQWJn/sV/K/+gNmvjfTkCP/QWxt7SI/o2Yc5yt94/xej+RMGBd7z/1lsGx+6efRPVcqNv9EiNsiTYXxAPleSQvYXLQr39/hbpWb9/sgJI9woGKSlLA9zOgTpbYek3Da91Ijnxl7MxhqU/A9ZALnTrUh+49notDGVP4ws4sGng8qKP/a1/8
SKBK/5fPf3rdJv9jN7BF/t8DLn58lcdBq66HLEu0BrvXL+atr0s5frxMa62Xx83mXpKNvlGkzVy2HFk0Mk+8Ni/SCPncQvMVQV39XyvxO4FK+39QtP/7g35z/3snsKX+f1ji99e5DWyXHt7khTfwGaGO/k+Op2q7ABX6v9fvHBTt//1O8/6nncDSxM5EpfxftXspD2iTPIhbzjwTarmOGTJTHayg73/50ErPPFrD1tXRqPWyJZ+1hpudnXz69ft6FMS5GIQ4pkqMMYGDwCwVZpKAkSOsSEfhyPRlkfQ6xGQzbaZBqqRXLUoFnbfy21jugBJ6VUhbtaYhYI4Z789Zz4sDcpgGKvPWclfRn9hmngYEVdJecoXrdFQKB+42TJmdJdbIAEuPc5I6cb+lI89l5/j5Y8TcmdWaI8wS6soMh/JxpRKnWqefn1uNPlnYYv/HytLc3AyovP/RK+7/g+5+c/9jJ1D0/4o2QOpWNI5epoXBnWNxBkB+iq7YHYEJvMWuIE9HH9WR/1mAt3oPdFX856B0/ts9GDTvf94JFCwJucTKinAKt74k1wsbTDswC4sRIagUUng2Ys5hUg3MgS1Uhgn9b6g2UgttyQBSq1XP/s2XKV2jJVpBIdUTcLJH9RKgEfKof6i8AD0dxiMe4ypJmZPfI8qJg1qrSbYWWCzVFFGRtWytGeySllqmk4ffLyHODqIalGUoLGi3OVn5Zrl8tdqTs8BVd3JKLfVLIGmasaMQyDcm/Q5/QyFTuIxC2payUbNM0GVXqGR56RrVIjlqE55S5x46z6oSlRul2cZysHpla1Fv/Z3Dav0/Uz084B8AVOv/Qen/f+w19t9OQF23iBVk+tpQ8NwjzgJiOsy+A48/uJtYDpm1M1ZJ/v1FO4jGwGtZeVt72VyJk0M8GaLYjJAyEGgXN05vz1g4AkmV4mHoN9xk/o3xDDzuUL44Tqh3lSlP9SUi1sRS732Sru54juKAzOJKkpHUlGPL+8VZNuazNNUwxSplJGDyLhf1tRdtp/d+jNS9/aHzQ0eSqh2I8kRXJDuLVKl7Hc/Q9dv+4B01QFAXFDkZKcu2p/JWkmLq9wDTcoUe99wr1O+9ppXKpCV37pZhLLKf43HCCmj3L2LSs5ecp5uofqFFJT5nx7hDdXtk2dUSGEZHPl15pSO1pY2c4z80sjtKisjBoJ8UpRnTXfkCKcMo30UZol9+NYxl6a+gTD/FHKFS5ofx50WgI2XnpBi6i1frQpOZCQ2n0Vi+nqztyLryHfgwiNyXrPkWwsaVESTafe60S/TE4tXqWx2rY47B7rK6sJQpjqE6TE/+q0fr6TgnDTTQQAMNNNBAAw000MCjwv8A+OB6sQB4AAA= values: image: tag: v0.11.0-dev diff --git a/hack/api-reference/registry.md b/hack/api-reference/registry.md index 2ed1e047..b5feeff5 100644 --- a/hack/api-reference/registry.md +++ b/hack/api-reference/registry.md @@ -233,7 +233,7 @@ string -

CASecretName is the name of the CA secret

+

CASecretName is the name of the CA bundle secret.

diff --git a/pkg/apis/registry/types.go b/pkg/apis/registry/types.go
index b5490189..02350d2a 100644
--- a/pkg/apis/registry/types.go
+++ b/pkg/apis/registry/types.go
@@ -69,7 +69,7 @@ var (
 type RegistryStatus struct {
 metav1.TypeMeta
- // CASecretName is the name of the CA secret
+ // CASecretName is the name of the CA bundle secret.
 CASecretName string
 // Caches is a slice of deployed registry caches.
 Caches []RegistryCacheStatus
diff --git a/pkg/apis/registry/v1alpha3/types.go b/pkg/apis/registry/v1alpha3/types.go
index ce0f1ee2..c8634f1e 100644
--- a/pkg/apis/registry/v1alpha3/types.go
+++ b/pkg/apis/registry/v1alpha3/types.go
@@ -77,8 +77,8 @@ var (
 type RegistryStatus struct {
 metav1.TypeMeta `json:",inline"`
- // CASecretName is the name of the CA secret
- CASecretName string `json:"caSecretName,omitempty"`
+ // CASecretName is the name of the CA bundle secret.
+ CASecretName string `json:"caSecretName"`
 // Caches is a slice of deployed registry caches.
 Caches []RegistryCacheStatus `json:"caches"`
 }
@@ -92,6 +92,4 @@ type RegistryCacheStatus struct {
 Endpoint string `json:"endpoint"`
 // RemoteURL is the remote registry URL.
 RemoteURL string `json:"remoteURL"`
- //// ClusterIP is the Endpoint IP address
- //ClusterIP string `json:"clusterIP,omitempty"`
 }
diff --git a/pkg/component/registrycaches/registry_caches.go b/pkg/component/registrycaches/registry_caches.go
index a40ce269..2676d0b6 100644
--- a/pkg/component/registrycaches/registry_caches.go
+++ b/pkg/component/registrycaches/registry_caches.go
@@ -118,27 +118,9 @@ type registryCaches struct {
 // Deploy implements component.DeployWaiter.
 func (r *registryCaches) Deploy(ctx context.Context) error {
- // TODO(dimitar-kostadinov): If services are previously created with ManagedResource remove service object references from ManagedResource status - remove this after v0.11.0
- mr := &resourcesv1alpha1.ManagedResource{
- ObjectMeta: metav1.ObjectMeta{Name: managedResourceName, Namespace: r.namespace},
- }
- err := r.client.Get(ctx, client.ObjectKeyFromObject(mr), mr)
- if err != nil && !apierrors.IsNotFound(err) {
- return err
- }
- var updatedRefs []resourcesv1alpha1.ObjectReference
- for _, objectRef := range mr.Status.Resources {
- if objectRef.Kind != "Service" {
- updatedRefs = append(updatedRefs, objectRef)
- }
- }
- if len(updatedRefs) != len(mr.Status.Resources) {
- patch := client.MergeFrom(mr.DeepCopy())
- mr.Status.Resources = updatedRefs
- err = r.client.Status().Patch(ctx, mr, patch)
- if err != nil {
- return fmt.Errorf("failed to update ManagedResource status: %w", err)
- }
+ // TODO(dimitar-kostadinov): Clean up this invocation after March 2025.
+ if err := r.removeServicesFromManagedResourceStatus(ctx); err != nil {
+ return fmt.Errorf("failed to remove Services from the ManagedResource status: %w", err)
 }
 //create registry cache services
@@ -159,10 +141,6 @@ func (r *registryCaches) Deploy(ctx context.Context) error {
 return err
 }
- if len(r.values.Caches) != len(generatedSecrets)-1 {
- return fmt.Errorf("not all secrets are generated for configured caches")
- }
-
 caSecret, found := r.secretManager.Get(secrets.CAName)
 if !found {
 return fmt.Errorf("secret %q not found", secrets.CAName)
@@ -428,7 +406,7 @@ func (r *registryCaches) computeResourcesDataForRegistryCache(ctx context.Contex
 },
 {
 Name: registryCertsVolumeName,
- MountPath: "/etc/docker/registry/certs",
+ MountPath: "/etc/distribution/certs",
 },
 },
 },
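Review bot: In the computeResourcesDataForRegistryCache hunk (`@@ -428,7 +406,7 @@`), the certs mount path `/etc/distribution/certs` is a string literal that has to match the `tls.certificate` and `tls.key` paths hard-coded in templates/config.yml.tpl, so a drift between the two would leave the registry without a readable certificate and key. Deriving both from one constant, or at least marking the coupling with `// Must match the tls.certificate/tls.key directory in templates/config.yml.tpl.`, would keep them in step. The VolumeMount literal visible here sets only `Name` and `MountPath`; since this mount carries the TLS private key, adding `ReadOnly: true` makes the intent explicit. The enclosing function starts and ends outside the hunk.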
@@ -679,3 +657,37 @@ func computeUpstreamLabelValue(upstream string) string {
 }
 return upstreamLabel
 }
+
+// removeServicesFromManagedResourceStatus removes all resources with kind=Service from the ManagedResources .status.resources field.
+//
+// TODO(dimitar-kostadinov): Clean up this function in v0.12.0.
+func (r *registryCaches) removeServicesFromManagedResourceStatus(ctx context.Context) error {
+ mr := &resourcesv1alpha1.ManagedResource{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: managedResourceName,
+ Namespace: r.namespace,
+ },
+ }
+ if err := r.client.Get(ctx, client.ObjectKeyFromObject(mr), mr); err != nil && !apierrors.IsNotFound(err) {
+ return err
+ }
+
+ var updatedRefs []resourcesv1alpha1.ObjectReference
+ for _, objectRef := range mr.Status.Resources {
+ if objectRef.Kind != "Service" {
+ updatedRefs = append(updatedRefs, objectRef)
+ }
+ }
+ if len(updatedRefs) == len(mr.Status.Resources) {
+ // No changes, no need to patch. Exit early.
+ return nil
+ }
+
+ patch := client.MergeFrom(mr.DeepCopy())
+ mr.Status.Resources = updatedRefs
+ if err := r.client.Status().Patch(ctx, mr, patch); err != nil {
+ return fmt.Errorf("failed to update ManagedResource status: %w", err)
+ }
+
+ return nil
+}
diff --git a/pkg/component/registrycaches/registry_caches_test.go b/pkg/component/registrycaches/registry_caches_test.go
index a7f56258..b9782b15 100644
--- a/pkg/component/registrycaches/registry_caches_test.go
+++ b/pkg/component/registrycaches/registry_caches_test.go
@@ -162,8 +162,8 @@ http:
 path: /metrics
 draintimeout: 25s
 tls:
- certificate: /etc/docker/registry/certs/tls.crt
- key: /etc/docker/registry/certs/tls.key
+ certificate: /etc/distribution/certs/tls.crt
+ key: /etc/distribution/certs/tls.key
 headers:
 X-Content-Type-Options: [nosniff]
 health:
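Review bot: removeServicesFromManagedResourceStatus replaces the whole `.status.resources` list with a copy computed from an earlier `Get`, and `client.MergeFrom` sends that patch without a resourceVersion precondition, so a status write by another controller between the read and the patch would be silently overwritten. Building the patch with `client.MergeFromWithOptions(mr.DeepCopy(), client.MergeFromWithOptimisticLock{})` turns that race into a conflict error that a later reconcile can retry. The NotFound case currently falls through and relies on the zero-value `mr` having an empty resource list; an explicit `if apierrors.IsNotFound(err) { return nil }` would state that intent. The bare `return err` from the Get would also be easier to trace if it were wrapped with the object key.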
@@ -269,7 +269,7 @@ spec:
 name: cache-volume
 - mountPath: /etc/distribution
 name: config-volume
- - mountPath: /etc/docker/registry/certs
+ - mountPath: /etc/distribution/certs
 name: certs-volume
 priorityClassName: system-cluster-critical
 securityContext:
@@ -388,8 +388,8 @@ status: {}
 Expect(err).NotTo(HaveOccurred())
 Expect(manifests).To(HaveLen(8))
- dockerConfigSecretName := "registry-docker-io-config-c5a518bf"
- arConfigSecretName := "registry-europe-docker-pkg-dev-config-b666ec9c"
+ dockerConfigSecretName := "registry-docker-io-config-1f752684"
+ arConfigSecretName := "registry-europe-docker-pkg-dev-config-6bc6fc48"
 dockerSecret, ok := secretsManager.Get("docker.io-tls")
 Expect(ok).To(BeTrue())
@@ -430,8 +430,8 @@ status: {}
 Expect(err).NotTo(HaveOccurred())
 Expect(manifests).To(HaveLen(6))
- dockerConfigSecretName := "registry-docker-io-config-c5a518bf"
- arConfigSecretName := "registry-europe-docker-pkg-dev-config-b666ec9c"
+ dockerConfigSecretName := "registry-docker-io-config-1f752684"
+ arConfigSecretName := "registry-europe-docker-pkg-dev-config-6bc6fc48"
 dockerSecret, ok := secretsManager.Get("docker.io-tls")
 Expect(ok).To(BeTrue())
@@ -509,8 +509,8 @@ status: {}
 Expect(err).NotTo(HaveOccurred())
 Expect(manifests).To(HaveLen(8))
- dockerConfigSecretName := "registry-docker-io-config-e561062e"
- arConfigSecretName := "registry-europe-docker-pkg-dev-config-0accd8a8"
+ dockerConfigSecretName := "registry-docker-io-config-1458b53f"
+ arConfigSecretName := "registry-europe-docker-pkg-dev-config-32aca758"
 dockerSecret, ok := secretsManager.Get("docker.io-tls")
 Expect(ok).To(BeTrue())
diff --git a/pkg/component/registrycaches/templates/config.yml.tpl b/pkg/component/registrycaches/templates/config.yml.tpl
index e5c2c9af..a4722d99 100644
--- a/pkg/component/registrycaches/templates/config.yml.tpl
+++ b/pkg/component/registrycaches/templates/config.yml.tpl
@@ -23,8 +23,8 @@ http:
 path: /metrics
 draintimeout: 25s
 tls:
- certificate: /etc/docker/registry/certs/tls.crt
- key: /etc/docker/registry/certs/tls.key
+ certificate: /etc/distribution/certs/tls.crt
+ key: /etc/distribution/certs/tls.key
 headers:
 X-Content-Type-Options: [nosniff]
 health:
diff --git a/pkg/controller/cache/actuator.go b/pkg/controller/cache/actuator.go
index 34c80ded..e83dff36 100644
--- a/pkg/controller/cache/actuator.go
+++ b/pkg/controller/cache/actuator.go
@@ -48,15 +48,6 @@ type actuator struct {
 // Reconcile the Extension resource.
 func (a *actuator) Reconcile(ctx context.Context, logger logr.Logger, ex *extensionsv1alpha1.Extension) error {
- if ex.Spec.ProviderConfig == nil {
- return fmt.Errorf("providerConfig is required for the registry-cache extension")
- }
-
- registryConfig := &api.RegistryConfig{}
- if _, _, err := a.decoder.Decode(ex.Spec.ProviderConfig.Raw, nil, registryConfig); err != nil {
- return fmt.Errorf("failed to decode provider config: %w", err)
- }
-
 namespace := ex.GetNamespace()
 cluster, err := extensionscontroller.GetCluster(ctx, a.client, namespace)
 if err != nil {
@@ -67,6 +58,15 @@ func (a *actuator) Reconcile(ctx context.Context, logger logr.Logger, ex *extens
 return nil
 }
+ if ex.Spec.ProviderConfig == nil {
+ return fmt.Errorf("providerConfig is required for the registry-cache extension")
+ }
+
+ registryConfig := &api.RegistryConfig{}
+ if _, _, err := a.decoder.Decode(ex.Spec.ProviderConfig.Raw, nil, registryConfig); err != nil {
+ return fmt.Errorf("failed to decode provider config: %w", err)
+ }
+
 _, shootClient, err := util.NewClientForShoot(ctx, a.client, namespace, client.Options{}, extensionsconfig.RESTOptions{})
 if err != nil {
 return fmt.Errorf("failed to create shoot client: %w", err)
diff --git a/pkg/secrets/config.go b/pkg/secrets/config.go
index b76552b2..c270ed70 100644
--- a/pkg/secrets/config.go
+++ b/pkg/secrets/config.go
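Review bot: In the second Reconcile hunk of actuator.go (`@@ -67,6 +58,15 @@`), the nil check and decode of `ex.Spec.ProviderConfig` now run only after the early `return nil`, whose condition lies outside the hunk, so an Extension with a missing or undecodable providerConfig reconciles without error whenever that path is taken. If that is the intent, it is worth saying so at the new location, e.g. `// providerConfig is validated only past the early return above; skipped clusters are not checked.`. The Reconcile body starts before and continues after the hunk.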
@@ -1,3 +1,7 @@
+// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
+//
+// SPDX-License-Identifier: Apache-2.0
+
 package secrets
 import (
diff --git a/pkg/webhook/cache/ensurer.go b/pkg/webhook/cache/ensurer.go
index 5e0033a4..5e03fa51 100644
--- a/pkg/webhook/cache/ensurer.go
+++ b/pkg/webhook/cache/ensurer.go
@@ -26,6 +26,8 @@ import (
 api "github.com/gardener/gardener-extension-registry-cache/pkg/apis/registry"
 )
+const caBundlePath = "/etc/containerd/certs.d/ca-bundle.pem"
+
 // NewEnsurer creates a new registry cache ensurer.
 func NewEnsurer(client client.Client, decoder runtime.Decoder, logger logr.Logger) genericmutator.Ensurer {
 return &ensurer{
@@ -42,7 +44,6 @@ type ensurer struct {
 logger logr.Logger
 }
-const caBundlePath = "/etc/containerd/certs.d/ca-bundle.pem" //TODO: is the location OK?
 // EnsureCRIConfig ensures the CRI config.
 func (e *ensurer) EnsureCRIConfig(ctx context.Context, gctx gcontext.GardenContext, new, _ *extensionsv1alpha1.CRIConfig) error {
 cluster, err := gctx.GetCluster(ctx)
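Review bot: `caBundlePath` is re-declared at the top of ensurer.go without a comment, and the removed `//TODO: is the location OK?` is dropped without the answer being written down. A doc comment on the constant would record the decision, along the lines of `// caBundlePath is where the registry cache CA bundle is expected on the node; it is kept under containerd's certs.d directory.` (wording for the author to confirm, since the code that uses the constant is outside these hunks). If the file at that path is written by this extension, the same comment is the place to state its expected owner and mode.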