diff --git a/PROJECT b/PROJECT
index 9d1f7c21..af4dfb44 100644
--- a/PROJECT
+++ b/PROJECT
@@ -1,3 +1,7 @@
+# Code generated by tool. DO NOT EDIT.
+# This file is used to track the info used to scaffold your project
+# and allow the plugins properly work.
+# More info: https://book.kubebuilder.io/reference/project-config.html
 domain: openstack.org
 layout:
 - go.kubebuilder.io/v3
@@ -42,4 +46,13 @@ resources:
     defaulting: true
     validation: true
     webhookVersion: v1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: openstack.org
+  group: mariadb
+  kind: MariaDBAccount
+  path: github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1
+  version: v1beta1
 version: "3"
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
index 8de03cbc..8d0a43bd 100644
--- a/api/v1beta1/zz_generated.deepcopy.go
+++ b/api/v1beta1/zz_generated.deepcopy.go
@@ -232,7 +232,7 @@ func (in *MariaDBAccount) DeepCopyInto(out *MariaDBAccount) {
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	out.Spec = in.Spec
-	in.Status.DeepCopyInto(&out.Status)
+	out.Status = in.Status
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MariaDBAccount.
@@ -303,13 +303,6 @@ func (in *MariaDBAccountSpec) DeepCopy() *MariaDBAccountSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MariaDBAccountStatus) DeepCopyInto(out *MariaDBAccountStatus) {
 	*out = *in
-	if in.Hash != nil {
-		in, out := &in.Hash, &out.Hash
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MariaDBAccountStatus.
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
index 1da408ca..4a94488b 100644
--- a/config/crd/kustomization.yaml
+++ b/config/crd/kustomization.yaml
@@ -14,6 +14,7 @@ patchesStrategicMerge:
 #- patches/webhook_in_galeras.yaml
 #- patches/webhook_in_mariadbs.yaml
 #- patches/webhook_in_mariadbdatabases.yaml
+#- patches/webhook_in_mariadbaccounts.yaml
 #+kubebuilder:scaffold:crdkustomizewebhookpatch
 
 # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
@@ -21,6 +22,7 @@ patchesStrategicMerge:
 #- patches/cainjection_in_galeras.yaml
 #- patches/cainjection_in_mariadbs.yaml
 #- patches/cainjection_in_mariadbdatabases.yaml
+#- patches/cainjection_in_mariadbaccounts.yaml
 #+kubebuilder:scaffold:crdkustomizecainjectionpatch
 
 # the following config is for teaching kustomize how to do kustomization for CRDs.
diff --git a/config/crd/patches/cainjection_in_mariadbaccounts.yaml b/config/crd/patches/cainjection_in_mariadbaccounts.yaml
new file mode 100644
index 00000000..1d5ed47c
--- /dev/null
+++ b/config/crd/patches/cainjection_in_mariadbaccounts.yaml
@@ -0,0 +1,7 @@
+# The following patch adds a directive for certmanager to inject CA into the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+  name: mariadbaccounts.mariadb.openstack.org
diff --git a/config/crd/patches/webhook_in_mariadbaccounts.yaml b/config/crd/patches/webhook_in_mariadbaccounts.yaml
new file mode 100644
index 00000000..3367c5d1
--- /dev/null
+++ b/config/crd/patches/webhook_in_mariadbaccounts.yaml
@@ -0,0 +1,16 @@
+# The following patch enables a conversion webhook for the CRD
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: mariadbaccounts.mariadb.openstack.org
+spec:
+  conversion:
+    strategy: Webhook
+    webhook:
+      clientConfig:
+        service:
+          namespace: system
+          name: webhook-service
+          path: /convert
+      conversionReviewVersions:
+      - v1
diff --git a/config/rbac/mariadbaccount_editor_role.yaml b/config/rbac/mariadbaccount_editor_role.yaml
new file mode 100644
index 00000000..f233ed4a
--- /dev/null
+++ b/config/rbac/mariadbaccount_editor_role.yaml
@@ -0,0 +1,31 @@
+# permissions for end users to edit mariadbaccounts.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: mariadbaccount-editor-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: mariadb-operator
+    app.kubernetes.io/part-of: mariadb-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: mariadbaccount-editor-role
+rules:
+- apiGroups:
+  - mariadb.openstack.org
+  resources:
+  - mariadbaccounts
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - mariadb.openstack.org
+  resources:
+  - mariadbaccounts/status
+  verbs:
+  - get
diff --git a/config/rbac/mariadbaccount_viewer_role.yaml b/config/rbac/mariadbaccount_viewer_role.yaml
new file mode 100644
index 00000000..0d6c038b
--- /dev/null
+++ b/config/rbac/mariadbaccount_viewer_role.yaml
@@ -0,0 +1,27 @@
+# permissions for end users to view mariadbaccounts.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: mariadbaccount-viewer-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: mariadb-operator
+    app.kubernetes.io/part-of: mariadb-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: mariadbaccount-viewer-role
+rules:
+- apiGroups:
+  - mariadb.openstack.org
+  resources:
+  - mariadbaccounts
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - mariadb.openstack.org
+  resources:
+  - mariadbaccounts/status
+  verbs:
+  - get
diff --git a/config/samples/kustomization.yaml b/config/samples/kustomization.yaml
index 0e707d3f..cb8e4142 100644
--- a/config/samples/kustomization.yaml
+++ b/config/samples/kustomization.yaml
@@ -3,4 +3,5 @@ resources:
 - mariadb_v1beta1_mariadb.yaml
 - mariadb_v1beta1_mariadbdatabase.yaml
 - mariadb_v1beta1_galera.yaml
+- mariadb_v1beta1_mariadbaccount.yaml
 #+kubebuilder:scaffold:manifestskustomizesamples
diff --git a/config/samples/mike_mariadb_v1beta1_galera.yaml b/config/samples/mike_mariadb_v1beta1_galera.yaml
new file mode 100644
index 00000000..caacab04
--- /dev/null
+++ b/config/samples/mike_mariadb_v1beta1_galera.yaml
@@ -0,0 +1,57 @@
+apiVersion: mariadb.openstack.org/v1beta1
+kind: Galera
+metadata:
+  name: mikegalera
+spec:
+  containerImage: quay.io/podified-antelope-centos9/openstack-mariadb:current-podified
+  secret: osp-secret
+  storageClass: local-storage
+  storageRequest: 500M
+  replicas: 3
+
+---
+
+apiVersion: mariadb.openstack.org/v1beta1
+kind: MariaDBDatabase
+metadata:
+  name: neutron
+  labels:
+    dbName: mikegalera
+spec:
+  name: neutron
+  secret: openstackdb-secret
+
+---
+
+apiVersion: mariadb.openstack.org/v1beta1
+kind: MariaDBAccount
+metadata:
+  labels:
+    mariaDBDatabaseName: neutron
+  name: neutron1
+spec:
+  userName: neutron1
+  secret: neutrondb-secret
+
+---
+
+apiVersion: v1
+data:
+  # 12345678
+  DatabasePassword: MTIzNDU2Nzg=
+kind: Secret
+metadata:
+  name: openstackdb-secret
+type: Opaque
+
+---
+
+apiVersion: v1
+data:
+  # neutron123
+  DatabasePassword: bmV1dHJvbjEyMw==
+kind: Secret
+metadata:
+  name: neutrondb-secret
+type: Opaque
+