diff --git a/PROJECT b/PROJECT
index 8d6e2c12d..1e524fdb2 100644
--- a/PROJECT
+++ b/PROJECT
@@ -8,6 +8,14 @@ layout:
 projectName: orc
 repo: github.com/k-orc/openstack-resource-controller
 resources:
+- api:
+    crdVersion: v1
+    namespaced: true
+  domain: k-orc.cloud
+  group: openstack
+  kind: ApplicationCredential
+  path: github.com/k-orc/openstack-resource-controller/api/v1alpha1
+  version: v1alpha1
 - api:
     crdVersion: v1
     namespaced: true
diff --git a/api/v1alpha1/applicationcredential_types.go b/api/v1alpha1/applicationcredential_types.go
new file mode 100644
index 000000000..eaca998c8
--- /dev/null
+++ b/api/v1alpha1/applicationcredential_types.go
@@ -0,0 +1,208 @@
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+// +kubebuilder:validation:Enum:=CONNECT;DELETE;GET;HEAD;OPTIONS;PATCH;POST;PUT;TRACE
+type HTTPMethod string
+
+const (
+	HTTPMethodCONNECT HTTPMethod = "CONNECT"
+	HTTPMethodDELETE  HTTPMethod = "DELETE"
+	HTTPMethodGET     HTTPMethod = "GET"
+	HTTPMethodHEAD    HTTPMethod = "HEAD"
+	HTTPMethodOPTIONS HTTPMethod = "OPTIONS"
+	HTTPMethodPATCH   HTTPMethod = "PATCH"
+	HTTPMethodPOST    HTTPMethod = "POST"
+	HTTPMethodPUT     HTTPMethod = "PUT"
+	HTTPMethodTRACE   HTTPMethod = "TRACE"
+)
+
+// +kubebuilder:validation:MinProperties:=1
+// +kubebuilder:validation:MaxProperties:=1
+type ApplicationCredentialAccessRole struct {
+	// name of an existing role
+	// +optional
+	Name *OpenStackName `json:"name,omitempty"`
+
+	// id is the ID of an role
+	// +kubebuilder:validation:MaxLength=1024
+	// +optional
+	ID *string `json:"id,omitempty"`
+}
+
+// ApplicationCredentialAccessRule defines an access rule
+// +kubebuilder:validation:MinProperties:=1
+type ApplicationCredentialAccessRule struct {
+	// API path that the application credential is permitted to access
+	// +kubebuilder:validation:MaxLength=1024
+	// +optional
+	Path *string `json:"path,omitempty"`
+
+	// request method that the application credential is permitted to use for a given API endpoint
+	// +optional
+	Method *HTTPMethod `json:"method,omitempty"`
+
+	// service type identifier for the service that the application credential is permitted to access
+	// +kubebuilder:validation:MaxLength=1024
+	// +optional
+	Service *string `json:"service,omitempty"`
+}
+
+// ApplicationCredentialResourceSpec contains the desired state of the resource.
+type ApplicationCredentialResourceSpec struct {
+	// name will be the name of the created resource. If not specified, the
+	// name of the ORC object will be used.
+	// +optional
+	Name *OpenStackName `json:"name,omitempty"`
+
+	// description is a human-readable description for the resource.
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:MaxLength:=255
+	// +optional
+	Description *string `json:"description,omitempty"`
+
+	// ID of the user the application credential belongs to
+	// TODO: Replace with UserRef when ORC has support for User objects
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="UserID is immutable"
+	// +kubebuilder:validation:MaxLength=1024
+	// +required
+	UserID string `json:"userID"`
+
+	// flag indicating whether the application credential may be used for creation or destruction of other application credentials or trusts
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Unrestricted is immutable"
+	// +optional
+	Unrestricted *bool `json:"unrestricted,omitempty"`
+
+	// TODO: Add description
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Secret is immutable"
+	// +optional
+	Secret *string `json:"secret,omitempty"`
+
+	// list of role objects may only contain roles that the user has assigned on the project. If not provided, the roles assigned to the application credential will be the same as the roles in the current token.
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Roles is immutable"
+	// +kubebuilder:validation:MaxItems:=256
+	// +listType=atomic
+	// +optional
+	Roles []ApplicationCredentialAccessRole `json:"roles,omitempty"`
+
+	// list of fine grained access control rules
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Rules is immutable"
+	// +kubebuilder:validation:MaxItems:=256
+	// +listType=atomic
+	// +optional
+	AccessRules []ApplicationCredentialAccessRule `json:"accessRules,omitempty"`
+
+	// expiry time for the application credential. If unset, the application credential does not expire.
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="ExpiresAt is immutable"
+	// +optional
+	ExpiresAt *metav1.Time `json:"expiresAt,omitempty"`
+}
+
+// ApplicationCredentialFilter defines an existing resource by its properties
+// +kubebuilder:validation:MinProperties:=1
+type ApplicationCredentialFilter struct {
+	// name of the existing resource
+	// +optional
+	Name *OpenStackName `json:"name,omitempty"`
+
+	// ID of the user the application credential belongs to
+	// +required
+	UserID string `json:"userID"`
+}
+
+type ApplicationCredentialAccessRoleStatus struct {
+	// name of an existing role
+	// +optional
+	Name *string `json:"name,omitempty"`
+
+	// id is the ID of an role
+	// +optional
+	ID *string `json:"id,omitempty"`
+
+	// id of the domain of this role
+	// +optional
+	DomainID *string `json:"domainID,omitempty"`
+}
+
+type ApplicationCredentialAccessRuleStatus struct {
+	// id is the ID of this access rule
+	// +optional
+	ID *string `json:"id,omitempty"`
+
+	// API path that the application credential is permitted to access
+	// +optional
+	Path *string `json:"path,omitempty"`
+
+	// request method that the application credential is permitted to use for a given API endpoint
+	// +optional
+	Method *string `json:"method,omitempty"`
+
+	// service type identifier for the service that the application credential is permitted to access
+	// +optional
+	Service *string `json:"service,omitempty"`
+}
+
+// ApplicationCredentialResourceStatus represents the observed state of the resource.
+type ApplicationCredentialResourceStatus struct {
+	// id is the ID of the application credential.
+	// +kubebuilder:validation:MaxLength=1024
+	// +optional
+	ID string `json:"id,omitempty"`
+
+	// name is a Human-readable name for the resource. Might not be unique.
+	// +kubebuilder:validation:MaxLength=1024
+	// +optional
+	Name string `json:"name,omitempty"`
+
+	// description is a human-readable description for the resource.
+	// +kubebuilder:validation:MaxLength=1024
+	// +optional
+	Description string `json:"description,omitempty"`
+
+	// flag indicating whether the application credential may be used for creation or destruction of other application credentials or trusts
+	// +optional
+	Unrestricted bool `json:"unrestricted,omitempty"`
+
+	// TODO: Add description
+	// +optional
+	Secret string `json:"secret,omitempty"`
+
+	// ID of the project the application credential was created for and that authentication requests using this application credential will be scoped to.
+	// +kubebuilder:validation:MaxLength=1024
+	// +optional
+	ProjectID string `json:"projectID,omitempty"`
+
+	// list of role objects may only contain roles that the user has assigned on the project
+	// +listType=atomic
+	// +optional
+	Roles []ApplicationCredentialAccessRoleStatus `json:"roles"`
+
+	// expiry time for the application credential
+	// +optional
+	ExpiresAt *metav1.Time `json:"expiresAt"`
+
+	// list of fine grained access control rules
+	// +listType=atomic
+	// +optional
+	AccessRules []ApplicationCredentialAccessRuleStatus `json:"accessRules,omitempty"`
+
+	// Links contains referencing links to the application credential
+	// +optional
+	Links map[string]string `json:"links"`
+}
diff --git a/api/v1alpha1/zz_generated.applicationcredential-resource.go b/api/v1alpha1/zz_generated.applicationcredential-resource.go
new file mode 100644
index 000000000..b6e2ea28b
--- /dev/null
+++ b/api/v1alpha1/zz_generated.applicationcredential-resource.go
@@ -0,0 +1,177 @@
+// Code generated by resource-generator. DO NOT EDIT.
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// ApplicationCredentialImport specifies an existing resource which will be imported instead of
+// creating a new one
+// +kubebuilder:validation:MinProperties:=1
+// +kubebuilder:validation:MaxProperties:=1
+type ApplicationCredentialImport struct {
+	// id contains the unique identifier of an existing OpenStack resource. Note
+	// that when specifying an import by ID, the resource MUST already exist.
+	// The ORC object will enter an error state if the resource does not exist.
+	// +optional
+	// +kubebuilder:validation:Format:=uuid
+	ID *string `json:"id,omitempty"`
+
+	// filter contains a resource query which is expected to return a single
+	// result. The controller will continue to retry if filter returns no
+	// results. If filter returns multiple results the controller will set an
+	// error state and will not continue to retry.
+	// +optional
+	Filter *ApplicationCredentialFilter `json:"filter,omitempty"`
+}
+
+// ApplicationCredentialSpec defines the desired state of an ORC object.
+// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'managed' ? has(self.resource) : true",message="resource must be specified when policy is managed"
+// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'managed' ? !has(self.__import__) : true",message="import may not be specified when policy is managed"
+// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'unmanaged' ? !has(self.resource) : true",message="resource may not be specified when policy is unmanaged"
+// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'unmanaged' ? has(self.__import__) : true",message="import must be specified when policy is unmanaged"
+// +kubebuilder:validation:XValidation:rule="has(self.managedOptions) ? self.managementPolicy == 'managed' : true",message="managedOptions may only be provided when policy is managed"
+type ApplicationCredentialSpec struct {
+	// import refers to an existing OpenStack resource which will be imported instead of
+	// creating a new one.
+	// +optional
+	Import *ApplicationCredentialImport `json:"import,omitempty"`
+
+	// resource specifies the desired state of the resource.
+	//
+	// resource may not be specified if the management policy is `unmanaged`.
+	//
+	// resource must be specified if the management policy is `managed`.
+	// +optional
+	Resource *ApplicationCredentialResourceSpec `json:"resource,omitempty"`
+
+	// managementPolicy defines how ORC will treat the object. Valid values are
+	// `managed`: ORC will create, update, and delete the resource; `unmanaged`:
+	// ORC will import an existing resource, and will not apply updates to it or
+	// delete it.
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="managementPolicy is immutable"
+	// +kubebuilder:default:=managed
+	// +optional
+	ManagementPolicy ManagementPolicy `json:"managementPolicy,omitempty"`
+
+	// managedOptions specifies options which may be applied to managed objects.
+	// +optional
+	ManagedOptions *ManagedOptions `json:"managedOptions,omitempty"`
+
+	// cloudCredentialsRef points to a secret containing OpenStack credentials
+	// +required
+	CloudCredentialsRef CloudCredentialsReference `json:"cloudCredentialsRef"`
+}
+
+// ApplicationCredentialStatus defines the observed state of an ORC resource.
+type ApplicationCredentialStatus struct {
+	// conditions represents the observed status of the object.
+	// Known .status.conditions.type are: "Available", "Progressing"
+	//
+	// Available represents the availability of the OpenStack resource. If it is
+	// true then the resource is ready for use.
+	//
+	// Progressing indicates whether the controller is still attempting to
+	// reconcile the current state of the OpenStack resource to the desired
+	// state. Progressing will be False either because the desired state has
+	// been achieved, or because some terminal error prevents it from ever being
+	// achieved and the controller is no longer attempting to reconcile. If
+	// Progressing is True, an observer waiting on the resource should continue
+	// to wait.
+	//
+	// +kubebuilder:validation:MaxItems:=32
+	// +patchMergeKey=type
+	// +patchStrategy=merge
+	// +listType=map
+	// +listMapKey=type
+	// +optional
+	Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
+
+	// id is the unique identifier of the OpenStack resource.
+	// +optional
+	ID *string `json:"id,omitempty"`
+
+	// resource contains the observed state of the OpenStack resource.
+	// +optional
+	Resource *ApplicationCredentialResourceStatus `json:"resource,omitempty"`
+}
+
+var _ ObjectWithConditions = &ApplicationCredential{}
+
+func (i *ApplicationCredential) GetConditions() []metav1.Condition {
+	return i.Status.Conditions
+}
+
+// +genclient
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:categories=openstack
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="ID",type="string",JSONPath=".status.id",description="Resource ID"
+// +kubebuilder:printcolumn:name="Available",type="string",JSONPath=".status.conditions[?(@.type=='Available')].status",description="Availability status of resource"
+// +kubebuilder:printcolumn:name="Message",type="string",JSONPath=".status.conditions[?(@.type=='Progressing')].message",description="Message describing current progress status"
+
+// ApplicationCredential is the Schema for an ORC resource.
+type ApplicationCredential struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata contains the object metadata
+	// +optional
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	// spec specifies the desired state of the resource.
+	// +optional
+	Spec ApplicationCredentialSpec `json:"spec,omitempty"`
+
+	// status defines the observed state of the resource.
+	// +optional
+	Status ApplicationCredentialStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// ApplicationCredentialList contains a list of ApplicationCredential.
+type ApplicationCredentialList struct {
+	metav1.TypeMeta `json:",inline"`
+
+	// metadata contains the list metadata
+	// +optional
+	metav1.ListMeta `json:"metadata,omitempty"`
+
+	// items contains a list of ApplicationCredential.
+	// +required
+	Items []ApplicationCredential `json:"items"`
+}
+
+func (l *ApplicationCredentialList) GetItems() []ApplicationCredential {
+	return l.Items
+}
+
+func init() {
+	SchemeBuilder.Register(&ApplicationCredential{}, &ApplicationCredentialList{})
+}
+
+func (i *ApplicationCredential) GetCloudCredentialsRef() (*string, *CloudCredentialsReference) {
+	if i == nil {
+		return nil, nil
+	}
+
+	return &i.Namespace, &i.Spec.CloudCredentialsRef
+}
+
+var _ CloudCredentialsRefProvider = &ApplicationCredential{}
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 1024ea46a..cfabcd873 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -110,6 +110,386 @@ func (in *AllowedAddressPairStatus) DeepCopy() *AllowedAddressPairStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ApplicationCredential) DeepCopyInto(out *ApplicationCredential) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationCredential.
+func (in *ApplicationCredential) DeepCopy() *ApplicationCredential {
+	if in == nil {
+		return nil
+	}
+	out := new(ApplicationCredential)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ApplicationCredential) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ApplicationCredentialAccessRole) DeepCopyInto(out *ApplicationCredentialAccessRole) {
+	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(OpenStackName)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationCredentialAccessRole.
+func (in *ApplicationCredentialAccessRole) DeepCopy() *ApplicationCredentialAccessRole {
+	if in == nil {
+		return nil
+	}
+	out := new(ApplicationCredentialAccessRole)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ApplicationCredentialAccessRoleStatus) DeepCopyInto(out *ApplicationCredentialAccessRoleStatus) {
+	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.DomainID != nil {
+		in, out := &in.DomainID, &out.DomainID
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationCredentialAccessRoleStatus.
+func (in *ApplicationCredentialAccessRoleStatus) DeepCopy() *ApplicationCredentialAccessRoleStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ApplicationCredentialAccessRoleStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ApplicationCredentialAccessRule) DeepCopyInto(out *ApplicationCredentialAccessRule) {
+	*out = *in
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
+	if in.Method != nil {
+		in, out := &in.Method, &out.Method
+		*out = new(HTTPMethod)
+		**out = **in
+	}
+	if in.Service != nil {
+		in, out := &in.Service, &out.Service
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationCredentialAccessRule.
+func (in *ApplicationCredentialAccessRule) DeepCopy() *ApplicationCredentialAccessRule {
+	if in == nil {
+		return nil
+	}
+	out := new(ApplicationCredentialAccessRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ApplicationCredentialAccessRuleStatus) DeepCopyInto(out *ApplicationCredentialAccessRuleStatus) {
+	*out = *in
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
+	if in.Method != nil {
+		in, out := &in.Method, &out.Method
+		*out = new(string)
+		**out = **in
+	}
+	if in.Service != nil {
+		in, out := &in.Service, &out.Service
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationCredentialAccessRuleStatus.
+func (in *ApplicationCredentialAccessRuleStatus) DeepCopy() *ApplicationCredentialAccessRuleStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ApplicationCredentialAccessRuleStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ApplicationCredentialFilter) DeepCopyInto(out *ApplicationCredentialFilter) {
+	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(OpenStackName)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationCredentialFilter.
+func (in *ApplicationCredentialFilter) DeepCopy() *ApplicationCredentialFilter {
+	if in == nil {
+		return nil
+	}
+	out := new(ApplicationCredentialFilter)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ApplicationCredentialImport) DeepCopyInto(out *ApplicationCredentialImport) {
+	*out = *in
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Filter != nil {
+		in, out := &in.Filter, &out.Filter
+		*out = new(ApplicationCredentialFilter)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationCredentialImport.
+func (in *ApplicationCredentialImport) DeepCopy() *ApplicationCredentialImport {
+	if in == nil {
+		return nil
+	}
+	out := new(ApplicationCredentialImport)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ApplicationCredentialList) DeepCopyInto(out *ApplicationCredentialList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ApplicationCredential, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationCredentialList.
+func (in *ApplicationCredentialList) DeepCopy() *ApplicationCredentialList {
+	if in == nil {
+		return nil
+	}
+	out := new(ApplicationCredentialList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ApplicationCredentialList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ApplicationCredentialResourceSpec) DeepCopyInto(out *ApplicationCredentialResourceSpec) {
+	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(OpenStackName)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Unrestricted != nil {
+		in, out := &in.Unrestricted, &out.Unrestricted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Secret != nil {
+		in, out := &in.Secret, &out.Secret
+		*out = new(string)
+		**out = **in
+	}
+	if in.Roles != nil {
+		in, out := &in.Roles, &out.Roles
+		*out = make([]ApplicationCredentialAccessRole, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AccessRules != nil {
+		in, out := &in.AccessRules, &out.AccessRules
+		*out = make([]ApplicationCredentialAccessRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ExpiresAt != nil {
+		in, out := &in.ExpiresAt, &out.ExpiresAt
+		*out = (*in).DeepCopy()
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationCredentialResourceSpec.
+func (in *ApplicationCredentialResourceSpec) DeepCopy() *ApplicationCredentialResourceSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ApplicationCredentialResourceSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ApplicationCredentialResourceStatus) DeepCopyInto(out *ApplicationCredentialResourceStatus) {
+	*out = *in
+	if in.Roles != nil {
+		in, out := &in.Roles, &out.Roles
+		*out = make([]ApplicationCredentialAccessRoleStatus, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ExpiresAt != nil {
+		in, out := &in.ExpiresAt, &out.ExpiresAt
+		*out = (*in).DeepCopy()
+	}
+	if in.AccessRules != nil {
+		in, out := &in.AccessRules, &out.AccessRules
+		*out = make([]ApplicationCredentialAccessRuleStatus, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Links != nil {
+		in, out := &in.Links, &out.Links
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationCredentialResourceStatus.
+func (in *ApplicationCredentialResourceStatus) DeepCopy() *ApplicationCredentialResourceStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ApplicationCredentialResourceStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ApplicationCredentialSpec) DeepCopyInto(out *ApplicationCredentialSpec) {
+	*out = *in
+	if in.Import != nil {
+		in, out := &in.Import, &out.Import
+		*out = new(ApplicationCredentialImport)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Resource != nil {
+		in, out := &in.Resource, &out.Resource
+		*out = new(ApplicationCredentialResourceSpec)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ManagedOptions != nil {
+		in, out := &in.ManagedOptions, &out.ManagedOptions
+		*out = new(ManagedOptions)
+		**out = **in
+	}
+	out.CloudCredentialsRef = in.CloudCredentialsRef
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationCredentialSpec.
+func (in *ApplicationCredentialSpec) DeepCopy() *ApplicationCredentialSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ApplicationCredentialSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ApplicationCredentialStatus) DeepCopyInto(out *ApplicationCredentialStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]v1.Condition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Resource != nil {
+		in, out := &in.Resource, &out.Resource
+		*out = new(ApplicationCredentialResourceStatus)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationCredentialStatus.
+func (in *ApplicationCredentialStatus) DeepCopy() *ApplicationCredentialStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ApplicationCredentialStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CloudCredentialsReference) DeepCopyInto(out *CloudCredentialsReference) {
 	*out = *in
diff --git a/cmd/manager/main.go b/cmd/manager/main.go
index 293aa2bab..d9f5bae88 100644
--- a/cmd/manager/main.go
+++ b/cmd/manager/main.go
@@ -27,6 +27,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
+	"github.com/k-orc/openstack-resource-controller/v2/internal/controllers/applicationcredential"
 	"github.com/k-orc/openstack-resource-controller/v2/internal/controllers/domain"
 	"github.com/k-orc/openstack-resource-controller/v2/internal/controllers/flavor"
 	"github.com/k-orc/openstack-resource-controller/v2/internal/controllers/floatingip"
@@ -126,6 +127,7 @@ func main() {
 		keypair.New(scopeFactory),
 		group.New(scopeFactory),
 		role.New(scopeFactory),
+		applicationcredential.New(scopeFactory),
 	}
 
 	restConfig := ctrl.GetConfigOrDie()
diff --git a/cmd/models-schema/zz_generated.openapi.go b/cmd/models-schema/zz_generated.openapi.go
index 42f004b03..45d0df1ab 100644
--- a/cmd/models-schema/zz_generated.openapi.go
+++ b/cmd/models-schema/zz_generated.openapi.go
@@ -30,200 +30,212 @@ import (
 
 func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition {
 	return map[string]common.OpenAPIDefinition{
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Address":                        schema_openstack_resource_controller_v2_api_v1alpha1_Address(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.AllocationPool":                 schema_openstack_resource_controller_v2_api_v1alpha1_AllocationPool(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.AllocationPoolStatus":           schema_openstack_resource_controller_v2_api_v1alpha1_AllocationPoolStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.AllowedAddressPair":             schema_openstack_resource_controller_v2_api_v1alpha1_AllowedAddressPair(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.AllowedAddressPairStatus":       schema_openstack_resource_controller_v2_api_v1alpha1_AllowedAddressPairStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.CloudCredentialsReference":      schema_openstack_resource_controller_v2_api_v1alpha1_CloudCredentialsReference(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Domain":                         schema_openstack_resource_controller_v2_api_v1alpha1_Domain(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.DomainFilter":                   schema_openstack_resource_controller_v2_api_v1alpha1_DomainFilter(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.DomainImport":                   schema_openstack_resource_controller_v2_api_v1alpha1_DomainImport(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.DomainList":                     schema_openstack_resource_controller_v2_api_v1alpha1_DomainList(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.DomainResourceSpec":             schema_openstack_resource_controller_v2_api_v1alpha1_DomainResourceSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.DomainResourceStatus":           schema_openstack_resource_controller_v2_api_v1alpha1_DomainResourceStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.DomainSpec":                     schema_openstack_resource_controller_v2_api_v1alpha1_DomainSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.DomainStatus":                   schema_openstack_resource_controller_v2_api_v1alpha1_DomainStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ExternalGateway":                schema_openstack_resource_controller_v2_api_v1alpha1_ExternalGateway(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ExternalGatewayStatus":          schema_openstack_resource_controller_v2_api_v1alpha1_ExternalGatewayStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FilterByKeystoneTags":           schema_openstack_resource_controller_v2_api_v1alpha1_FilterByKeystoneTags(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FilterByNeutronTags":            schema_openstack_resource_controller_v2_api_v1alpha1_FilterByNeutronTags(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FilterByServerTags":             schema_openstack_resource_controller_v2_api_v1alpha1_FilterByServerTags(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FixedIPStatus":                  schema_openstack_resource_controller_v2_api_v1alpha1_FixedIPStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Flavor":                         schema_openstack_resource_controller_v2_api_v1alpha1_Flavor(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FlavorFilter":                   schema_openstack_resource_controller_v2_api_v1alpha1_FlavorFilter(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FlavorImport":                   schema_openstack_resource_controller_v2_api_v1alpha1_FlavorImport(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FlavorList":                     schema_openstack_resource_controller_v2_api_v1alpha1_FlavorList(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FlavorResourceSpec":             schema_openstack_resource_controller_v2_api_v1alpha1_FlavorResourceSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FlavorResourceStatus":           schema_openstack_resource_controller_v2_api_v1alpha1_FlavorResourceStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FlavorSpec":                     schema_openstack_resource_controller_v2_api_v1alpha1_FlavorSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FlavorStatus":                   schema_openstack_resource_controller_v2_api_v1alpha1_FlavorStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FloatingIP":                     schema_openstack_resource_controller_v2_api_v1alpha1_FloatingIP(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FloatingIPFilter":               schema_openstack_resource_controller_v2_api_v1alpha1_FloatingIPFilter(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FloatingIPImport":               schema_openstack_resource_controller_v2_api_v1alpha1_FloatingIPImport(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FloatingIPList":                 schema_openstack_resource_controller_v2_api_v1alpha1_FloatingIPList(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FloatingIPResourceSpec":         schema_openstack_resource_controller_v2_api_v1alpha1_FloatingIPResourceSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FloatingIPResourceStatus":       schema_openstack_resource_controller_v2_api_v1alpha1_FloatingIPResourceStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FloatingIPSpec":                 schema_openstack_resource_controller_v2_api_v1alpha1_FloatingIPSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FloatingIPStatus":               schema_openstack_resource_controller_v2_api_v1alpha1_FloatingIPStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Group":                          schema_openstack_resource_controller_v2_api_v1alpha1_Group(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.GroupFilter":                    schema_openstack_resource_controller_v2_api_v1alpha1_GroupFilter(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.GroupImport":                    schema_openstack_resource_controller_v2_api_v1alpha1_GroupImport(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.GroupList":                      schema_openstack_resource_controller_v2_api_v1alpha1_GroupList(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.GroupResourceSpec":              schema_openstack_resource_controller_v2_api_v1alpha1_GroupResourceSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.GroupResourceStatus":            schema_openstack_resource_controller_v2_api_v1alpha1_GroupResourceStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.GroupSpec":                      schema_openstack_resource_controller_v2_api_v1alpha1_GroupSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.GroupStatus":                    schema_openstack_resource_controller_v2_api_v1alpha1_GroupStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.HostRoute":                      schema_openstack_resource_controller_v2_api_v1alpha1_HostRoute(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.HostRouteStatus":                schema_openstack_resource_controller_v2_api_v1alpha1_HostRouteStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.IPv6Options":                    schema_openstack_resource_controller_v2_api_v1alpha1_IPv6Options(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Image":                          schema_openstack_resource_controller_v2_api_v1alpha1_Image(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImageContent":                   schema_openstack_resource_controller_v2_api_v1alpha1_ImageContent(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImageContentSourceDownload":     schema_openstack_resource_controller_v2_api_v1alpha1_ImageContentSourceDownload(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImageFilter":                    schema_openstack_resource_controller_v2_api_v1alpha1_ImageFilter(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImageHash":                      schema_openstack_resource_controller_v2_api_v1alpha1_ImageHash(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImageImport":                    schema_openstack_resource_controller_v2_api_v1alpha1_ImageImport(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImageList":                      schema_openstack_resource_controller_v2_api_v1alpha1_ImageList(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImageProperties":                schema_openstack_resource_controller_v2_api_v1alpha1_ImageProperties(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImagePropertiesHardware":        schema_openstack_resource_controller_v2_api_v1alpha1_ImagePropertiesHardware(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImagePropertiesOperatingSystem": schema_openstack_resource_controller_v2_api_v1alpha1_ImagePropertiesOperatingSystem(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImageResourceSpec":              schema_openstack_resource_controller_v2_api_v1alpha1_ImageResourceSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImageResourceStatus":            schema_openstack_resource_controller_v2_api_v1alpha1_ImageResourceStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImageSpec":                      schema_openstack_resource_controller_v2_api_v1alpha1_ImageSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImageStatus":                    schema_openstack_resource_controller_v2_api_v1alpha1_ImageStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImageStatusExtra":               schema_openstack_resource_controller_v2_api_v1alpha1_ImageStatusExtra(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.KeyPair":                        schema_openstack_resource_controller_v2_api_v1alpha1_KeyPair(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.KeyPairFilter":                  schema_openstack_resource_controller_v2_api_v1alpha1_KeyPairFilter(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.KeyPairImport":                  schema_openstack_resource_controller_v2_api_v1alpha1_KeyPairImport(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.KeyPairList":                    schema_openstack_resource_controller_v2_api_v1alpha1_KeyPairList(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.KeyPairResourceSpec":            schema_openstack_resource_controller_v2_api_v1alpha1_KeyPairResourceSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.KeyPairResourceStatus":          schema_openstack_resource_controller_v2_api_v1alpha1_KeyPairResourceStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.KeyPairSpec":                    schema_openstack_resource_controller_v2_api_v1alpha1_KeyPairSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.KeyPairStatus":                  schema_openstack_resource_controller_v2_api_v1alpha1_KeyPairStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ManagedOptions":                 schema_openstack_resource_controller_v2_api_v1alpha1_ManagedOptions(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Network":                        schema_openstack_resource_controller_v2_api_v1alpha1_Network(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.NetworkFilter":                  schema_openstack_resource_controller_v2_api_v1alpha1_NetworkFilter(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.NetworkImport":                  schema_openstack_resource_controller_v2_api_v1alpha1_NetworkImport(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.NetworkList":                    schema_openstack_resource_controller_v2_api_v1alpha1_NetworkList(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.NetworkResourceSpec":            schema_openstack_resource_controller_v2_api_v1alpha1_NetworkResourceSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.NetworkResourceStatus":          schema_openstack_resource_controller_v2_api_v1alpha1_NetworkResourceStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.NetworkSpec":                    schema_openstack_resource_controller_v2_api_v1alpha1_NetworkSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.NetworkStatus":                  schema_openstack_resource_controller_v2_api_v1alpha1_NetworkStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.NeutronStatusMetadata":          schema_openstack_resource_controller_v2_api_v1alpha1_NeutronStatusMetadata(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Port":                           schema_openstack_resource_controller_v2_api_v1alpha1_Port(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.PortFilter":                     schema_openstack_resource_controller_v2_api_v1alpha1_PortFilter(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.PortImport":                     schema_openstack_resource_controller_v2_api_v1alpha1_PortImport(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.PortList":                       schema_openstack_resource_controller_v2_api_v1alpha1_PortList(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.PortRangeSpec":                  schema_openstack_resource_controller_v2_api_v1alpha1_PortRangeSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.PortRangeStatus":                schema_openstack_resource_controller_v2_api_v1alpha1_PortRangeStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.PortResourceSpec":               schema_openstack_resource_controller_v2_api_v1alpha1_PortResourceSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.PortResourceStatus":             schema_openstack_resource_controller_v2_api_v1alpha1_PortResourceStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.PortSpec":                       schema_openstack_resource_controller_v2_api_v1alpha1_PortSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.PortStatus":                     schema_openstack_resource_controller_v2_api_v1alpha1_PortStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Project":                        schema_openstack_resource_controller_v2_api_v1alpha1_Project(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ProjectFilter":                  schema_openstack_resource_controller_v2_api_v1alpha1_ProjectFilter(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ProjectImport":                  schema_openstack_resource_controller_v2_api_v1alpha1_ProjectImport(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ProjectList":                    schema_openstack_resource_controller_v2_api_v1alpha1_ProjectList(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ProjectResourceSpec":            schema_openstack_resource_controller_v2_api_v1alpha1_ProjectResourceSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ProjectResourceStatus":          schema_openstack_resource_controller_v2_api_v1alpha1_ProjectResourceStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ProjectSpec":                    schema_openstack_resource_controller_v2_api_v1alpha1_ProjectSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ProjectStatus":                  schema_openstack_resource_controller_v2_api_v1alpha1_ProjectStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ProviderPropertiesStatus":       schema_openstack_resource_controller_v2_api_v1alpha1_ProviderPropertiesStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Role":                           schema_openstack_resource_controller_v2_api_v1alpha1_Role(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RoleFilter":                     schema_openstack_resource_controller_v2_api_v1alpha1_RoleFilter(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RoleImport":                     schema_openstack_resource_controller_v2_api_v1alpha1_RoleImport(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RoleList":                       schema_openstack_resource_controller_v2_api_v1alpha1_RoleList(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RoleResourceSpec":               schema_openstack_resource_controller_v2_api_v1alpha1_RoleResourceSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RoleResourceStatus":             schema_openstack_resource_controller_v2_api_v1alpha1_RoleResourceStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RoleSpec":                       schema_openstack_resource_controller_v2_api_v1alpha1_RoleSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RoleStatus":                     schema_openstack_resource_controller_v2_api_v1alpha1_RoleStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Router":                         schema_openstack_resource_controller_v2_api_v1alpha1_Router(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RouterFilter":                   schema_openstack_resource_controller_v2_api_v1alpha1_RouterFilter(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RouterImport":                   schema_openstack_resource_controller_v2_api_v1alpha1_RouterImport(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RouterInterface":                schema_openstack_resource_controller_v2_api_v1alpha1_RouterInterface(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RouterInterfaceList":            schema_openstack_resource_controller_v2_api_v1alpha1_RouterInterfaceList(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RouterInterfaceSpec":            schema_openstack_resource_controller_v2_api_v1alpha1_RouterInterfaceSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RouterInterfaceStatus":          schema_openstack_resource_controller_v2_api_v1alpha1_RouterInterfaceStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RouterList":                     schema_openstack_resource_controller_v2_api_v1alpha1_RouterList(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RouterResourceSpec":             schema_openstack_resource_controller_v2_api_v1alpha1_RouterResourceSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RouterResourceStatus":           schema_openstack_resource_controller_v2_api_v1alpha1_RouterResourceStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RouterSpec":                     schema_openstack_resource_controller_v2_api_v1alpha1_RouterSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RouterStatus":                   schema_openstack_resource_controller_v2_api_v1alpha1_RouterStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SecurityGroup":                  schema_openstack_resource_controller_v2_api_v1alpha1_SecurityGroup(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SecurityGroupFilter":            schema_openstack_resource_controller_v2_api_v1alpha1_SecurityGroupFilter(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SecurityGroupImport":            schema_openstack_resource_controller_v2_api_v1alpha1_SecurityGroupImport(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SecurityGroupList":              schema_openstack_resource_controller_v2_api_v1alpha1_SecurityGroupList(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SecurityGroupResourceSpec":      schema_openstack_resource_controller_v2_api_v1alpha1_SecurityGroupResourceSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SecurityGroupResourceStatus":    schema_openstack_resource_controller_v2_api_v1alpha1_SecurityGroupResourceStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SecurityGroupRule":              schema_openstack_resource_controller_v2_api_v1alpha1_SecurityGroupRule(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SecurityGroupRuleStatus":        schema_openstack_resource_controller_v2_api_v1alpha1_SecurityGroupRuleStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SecurityGroupSpec":              schema_openstack_resource_controller_v2_api_v1alpha1_SecurityGroupSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SecurityGroupStatus":            schema_openstack_resource_controller_v2_api_v1alpha1_SecurityGroupStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Server":                         schema_openstack_resource_controller_v2_api_v1alpha1_Server(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerFilter":                   schema_openstack_resource_controller_v2_api_v1alpha1_ServerFilter(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerGroup":                    schema_openstack_resource_controller_v2_api_v1alpha1_ServerGroup(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerGroupFilter":              schema_openstack_resource_controller_v2_api_v1alpha1_ServerGroupFilter(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerGroupImport":              schema_openstack_resource_controller_v2_api_v1alpha1_ServerGroupImport(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerGroupList":                schema_openstack_resource_controller_v2_api_v1alpha1_ServerGroupList(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerGroupResourceSpec":        schema_openstack_resource_controller_v2_api_v1alpha1_ServerGroupResourceSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerGroupResourceStatus":      schema_openstack_resource_controller_v2_api_v1alpha1_ServerGroupResourceStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerGroupRules":               schema_openstack_resource_controller_v2_api_v1alpha1_ServerGroupRules(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerGroupRulesStatus":         schema_openstack_resource_controller_v2_api_v1alpha1_ServerGroupRulesStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerGroupSpec":                schema_openstack_resource_controller_v2_api_v1alpha1_ServerGroupSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerGroupStatus":              schema_openstack_resource_controller_v2_api_v1alpha1_ServerGroupStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerImport":                   schema_openstack_resource_controller_v2_api_v1alpha1_ServerImport(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerInterfaceFixedIP":         schema_openstack_resource_controller_v2_api_v1alpha1_ServerInterfaceFixedIP(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerInterfaceStatus":          schema_openstack_resource_controller_v2_api_v1alpha1_ServerInterfaceStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerList":                     schema_openstack_resource_controller_v2_api_v1alpha1_ServerList(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerMetadata":                 schema_openstack_resource_controller_v2_api_v1alpha1_ServerMetadata(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerMetadataStatus":           schema_openstack_resource_controller_v2_api_v1alpha1_ServerMetadataStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerPortSpec":                 schema_openstack_resource_controller_v2_api_v1alpha1_ServerPortSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerResourceSpec":             schema_openstack_resource_controller_v2_api_v1alpha1_ServerResourceSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerResourceStatus":           schema_openstack_resource_controller_v2_api_v1alpha1_ServerResourceStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerSpec":                     schema_openstack_resource_controller_v2_api_v1alpha1_ServerSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerStatus":                   schema_openstack_resource_controller_v2_api_v1alpha1_ServerStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerVolumeSpec":               schema_openstack_resource_controller_v2_api_v1alpha1_ServerVolumeSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerVolumeStatus":             schema_openstack_resource_controller_v2_api_v1alpha1_ServerVolumeStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Service":                        schema_openstack_resource_controller_v2_api_v1alpha1_Service(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServiceFilter":                  schema_openstack_resource_controller_v2_api_v1alpha1_ServiceFilter(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServiceImport":                  schema_openstack_resource_controller_v2_api_v1alpha1_ServiceImport(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServiceList":                    schema_openstack_resource_controller_v2_api_v1alpha1_ServiceList(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServiceResourceSpec":            schema_openstack_resource_controller_v2_api_v1alpha1_ServiceResourceSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServiceResourceStatus":          schema_openstack_resource_controller_v2_api_v1alpha1_ServiceResourceStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServiceSpec":                    schema_openstack_resource_controller_v2_api_v1alpha1_ServiceSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServiceStatus":                  schema_openstack_resource_controller_v2_api_v1alpha1_ServiceStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Subnet":                         schema_openstack_resource_controller_v2_api_v1alpha1_Subnet(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SubnetFilter":                   schema_openstack_resource_controller_v2_api_v1alpha1_SubnetFilter(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SubnetGateway":                  schema_openstack_resource_controller_v2_api_v1alpha1_SubnetGateway(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SubnetImport":                   schema_openstack_resource_controller_v2_api_v1alpha1_SubnetImport(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SubnetList":                     schema_openstack_resource_controller_v2_api_v1alpha1_SubnetList(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SubnetResourceSpec":             schema_openstack_resource_controller_v2_api_v1alpha1_SubnetResourceSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SubnetResourceStatus":           schema_openstack_resource_controller_v2_api_v1alpha1_SubnetResourceStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SubnetSpec":                     schema_openstack_resource_controller_v2_api_v1alpha1_SubnetSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SubnetStatus":                   schema_openstack_resource_controller_v2_api_v1alpha1_SubnetStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.UserDataSpec":                   schema_openstack_resource_controller_v2_api_v1alpha1_UserDataSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Volume":                         schema_openstack_resource_controller_v2_api_v1alpha1_Volume(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeAttachmentStatus":         schema_openstack_resource_controller_v2_api_v1alpha1_VolumeAttachmentStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeFilter":                   schema_openstack_resource_controller_v2_api_v1alpha1_VolumeFilter(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeImport":                   schema_openstack_resource_controller_v2_api_v1alpha1_VolumeImport(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeList":                     schema_openstack_resource_controller_v2_api_v1alpha1_VolumeList(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeMetadata":                 schema_openstack_resource_controller_v2_api_v1alpha1_VolumeMetadata(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeMetadataStatus":           schema_openstack_resource_controller_v2_api_v1alpha1_VolumeMetadataStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeResourceSpec":             schema_openstack_resource_controller_v2_api_v1alpha1_VolumeResourceSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeResourceStatus":           schema_openstack_resource_controller_v2_api_v1alpha1_VolumeResourceStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeSpec":                     schema_openstack_resource_controller_v2_api_v1alpha1_VolumeSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeStatus":                   schema_openstack_resource_controller_v2_api_v1alpha1_VolumeStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeType":                     schema_openstack_resource_controller_v2_api_v1alpha1_VolumeType(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeTypeExtraSpec":            schema_openstack_resource_controller_v2_api_v1alpha1_VolumeTypeExtraSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeTypeExtraSpecStatus":      schema_openstack_resource_controller_v2_api_v1alpha1_VolumeTypeExtraSpecStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeTypeFilter":               schema_openstack_resource_controller_v2_api_v1alpha1_VolumeTypeFilter(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeTypeImport":               schema_openstack_resource_controller_v2_api_v1alpha1_VolumeTypeImport(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeTypeList":                 schema_openstack_resource_controller_v2_api_v1alpha1_VolumeTypeList(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeTypeResourceSpec":         schema_openstack_resource_controller_v2_api_v1alpha1_VolumeTypeResourceSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeTypeResourceStatus":       schema_openstack_resource_controller_v2_api_v1alpha1_VolumeTypeResourceStatus(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeTypeSpec":                 schema_openstack_resource_controller_v2_api_v1alpha1_VolumeTypeSpec(ref),
-		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeTypeStatus":               schema_openstack_resource_controller_v2_api_v1alpha1_VolumeTypeStatus(ref),
-		"k8s.io/api/core/v1.AWSElasticBlockStoreVolumeSource":                                           schema_k8sio_api_core_v1_AWSElasticBlockStoreVolumeSource(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Address":                               schema_openstack_resource_controller_v2_api_v1alpha1_Address(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.AllocationPool":                        schema_openstack_resource_controller_v2_api_v1alpha1_AllocationPool(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.AllocationPoolStatus":                  schema_openstack_resource_controller_v2_api_v1alpha1_AllocationPoolStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.AllowedAddressPair":                    schema_openstack_resource_controller_v2_api_v1alpha1_AllowedAddressPair(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.AllowedAddressPairStatus":              schema_openstack_resource_controller_v2_api_v1alpha1_AllowedAddressPairStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredential":                 schema_openstack_resource_controller_v2_api_v1alpha1_ApplicationCredential(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialAccessRole":       schema_openstack_resource_controller_v2_api_v1alpha1_ApplicationCredentialAccessRole(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialAccessRoleStatus": schema_openstack_resource_controller_v2_api_v1alpha1_ApplicationCredentialAccessRoleStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialAccessRule":       schema_openstack_resource_controller_v2_api_v1alpha1_ApplicationCredentialAccessRule(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialAccessRuleStatus": schema_openstack_resource_controller_v2_api_v1alpha1_ApplicationCredentialAccessRuleStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialFilter":           schema_openstack_resource_controller_v2_api_v1alpha1_ApplicationCredentialFilter(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialImport":           schema_openstack_resource_controller_v2_api_v1alpha1_ApplicationCredentialImport(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialList":             schema_openstack_resource_controller_v2_api_v1alpha1_ApplicationCredentialList(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialResourceSpec":     schema_openstack_resource_controller_v2_api_v1alpha1_ApplicationCredentialResourceSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialResourceStatus":   schema_openstack_resource_controller_v2_api_v1alpha1_ApplicationCredentialResourceStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialSpec":             schema_openstack_resource_controller_v2_api_v1alpha1_ApplicationCredentialSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialStatus":           schema_openstack_resource_controller_v2_api_v1alpha1_ApplicationCredentialStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.CloudCredentialsReference":             schema_openstack_resource_controller_v2_api_v1alpha1_CloudCredentialsReference(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Domain":                                schema_openstack_resource_controller_v2_api_v1alpha1_Domain(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.DomainFilter":                          schema_openstack_resource_controller_v2_api_v1alpha1_DomainFilter(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.DomainImport":                          schema_openstack_resource_controller_v2_api_v1alpha1_DomainImport(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.DomainList":                            schema_openstack_resource_controller_v2_api_v1alpha1_DomainList(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.DomainResourceSpec":                    schema_openstack_resource_controller_v2_api_v1alpha1_DomainResourceSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.DomainResourceStatus":                  schema_openstack_resource_controller_v2_api_v1alpha1_DomainResourceStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.DomainSpec":                            schema_openstack_resource_controller_v2_api_v1alpha1_DomainSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.DomainStatus":                          schema_openstack_resource_controller_v2_api_v1alpha1_DomainStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ExternalGateway":                       schema_openstack_resource_controller_v2_api_v1alpha1_ExternalGateway(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ExternalGatewayStatus":                 schema_openstack_resource_controller_v2_api_v1alpha1_ExternalGatewayStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FilterByKeystoneTags":                  schema_openstack_resource_controller_v2_api_v1alpha1_FilterByKeystoneTags(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FilterByNeutronTags":                   schema_openstack_resource_controller_v2_api_v1alpha1_FilterByNeutronTags(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FilterByServerTags":                    schema_openstack_resource_controller_v2_api_v1alpha1_FilterByServerTags(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FixedIPStatus":                         schema_openstack_resource_controller_v2_api_v1alpha1_FixedIPStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Flavor":                                schema_openstack_resource_controller_v2_api_v1alpha1_Flavor(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FlavorFilter":                          schema_openstack_resource_controller_v2_api_v1alpha1_FlavorFilter(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FlavorImport":                          schema_openstack_resource_controller_v2_api_v1alpha1_FlavorImport(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FlavorList":                            schema_openstack_resource_controller_v2_api_v1alpha1_FlavorList(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FlavorResourceSpec":                    schema_openstack_resource_controller_v2_api_v1alpha1_FlavorResourceSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FlavorResourceStatus":                  schema_openstack_resource_controller_v2_api_v1alpha1_FlavorResourceStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FlavorSpec":                            schema_openstack_resource_controller_v2_api_v1alpha1_FlavorSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FlavorStatus":                          schema_openstack_resource_controller_v2_api_v1alpha1_FlavorStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FloatingIP":                            schema_openstack_resource_controller_v2_api_v1alpha1_FloatingIP(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FloatingIPFilter":                      schema_openstack_resource_controller_v2_api_v1alpha1_FloatingIPFilter(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FloatingIPImport":                      schema_openstack_resource_controller_v2_api_v1alpha1_FloatingIPImport(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FloatingIPList":                        schema_openstack_resource_controller_v2_api_v1alpha1_FloatingIPList(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FloatingIPResourceSpec":                schema_openstack_resource_controller_v2_api_v1alpha1_FloatingIPResourceSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FloatingIPResourceStatus":              schema_openstack_resource_controller_v2_api_v1alpha1_FloatingIPResourceStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FloatingIPSpec":                        schema_openstack_resource_controller_v2_api_v1alpha1_FloatingIPSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.FloatingIPStatus":                      schema_openstack_resource_controller_v2_api_v1alpha1_FloatingIPStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Group":                                 schema_openstack_resource_controller_v2_api_v1alpha1_Group(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.GroupFilter":                           schema_openstack_resource_controller_v2_api_v1alpha1_GroupFilter(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.GroupImport":                           schema_openstack_resource_controller_v2_api_v1alpha1_GroupImport(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.GroupList":                             schema_openstack_resource_controller_v2_api_v1alpha1_GroupList(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.GroupResourceSpec":                     schema_openstack_resource_controller_v2_api_v1alpha1_GroupResourceSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.GroupResourceStatus":                   schema_openstack_resource_controller_v2_api_v1alpha1_GroupResourceStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.GroupSpec":                             schema_openstack_resource_controller_v2_api_v1alpha1_GroupSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.GroupStatus":                           schema_openstack_resource_controller_v2_api_v1alpha1_GroupStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.HostRoute":                             schema_openstack_resource_controller_v2_api_v1alpha1_HostRoute(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.HostRouteStatus":                       schema_openstack_resource_controller_v2_api_v1alpha1_HostRouteStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.IPv6Options":                           schema_openstack_resource_controller_v2_api_v1alpha1_IPv6Options(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Image":                                 schema_openstack_resource_controller_v2_api_v1alpha1_Image(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImageContent":                          schema_openstack_resource_controller_v2_api_v1alpha1_ImageContent(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImageContentSourceDownload":            schema_openstack_resource_controller_v2_api_v1alpha1_ImageContentSourceDownload(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImageFilter":                           schema_openstack_resource_controller_v2_api_v1alpha1_ImageFilter(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImageHash":                             schema_openstack_resource_controller_v2_api_v1alpha1_ImageHash(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImageImport":                           schema_openstack_resource_controller_v2_api_v1alpha1_ImageImport(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImageList":                             schema_openstack_resource_controller_v2_api_v1alpha1_ImageList(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImageProperties":                       schema_openstack_resource_controller_v2_api_v1alpha1_ImageProperties(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImagePropertiesHardware":               schema_openstack_resource_controller_v2_api_v1alpha1_ImagePropertiesHardware(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImagePropertiesOperatingSystem":        schema_openstack_resource_controller_v2_api_v1alpha1_ImagePropertiesOperatingSystem(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImageResourceSpec":                     schema_openstack_resource_controller_v2_api_v1alpha1_ImageResourceSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImageResourceStatus":                   schema_openstack_resource_controller_v2_api_v1alpha1_ImageResourceStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImageSpec":                             schema_openstack_resource_controller_v2_api_v1alpha1_ImageSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImageStatus":                           schema_openstack_resource_controller_v2_api_v1alpha1_ImageStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ImageStatusExtra":                      schema_openstack_resource_controller_v2_api_v1alpha1_ImageStatusExtra(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.KeyPair":                               schema_openstack_resource_controller_v2_api_v1alpha1_KeyPair(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.KeyPairFilter":                         schema_openstack_resource_controller_v2_api_v1alpha1_KeyPairFilter(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.KeyPairImport":                         schema_openstack_resource_controller_v2_api_v1alpha1_KeyPairImport(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.KeyPairList":                           schema_openstack_resource_controller_v2_api_v1alpha1_KeyPairList(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.KeyPairResourceSpec":                   schema_openstack_resource_controller_v2_api_v1alpha1_KeyPairResourceSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.KeyPairResourceStatus":                 schema_openstack_resource_controller_v2_api_v1alpha1_KeyPairResourceStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.KeyPairSpec":                           schema_openstack_resource_controller_v2_api_v1alpha1_KeyPairSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.KeyPairStatus":                         schema_openstack_resource_controller_v2_api_v1alpha1_KeyPairStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ManagedOptions":                        schema_openstack_resource_controller_v2_api_v1alpha1_ManagedOptions(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Network":                               schema_openstack_resource_controller_v2_api_v1alpha1_Network(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.NetworkFilter":                         schema_openstack_resource_controller_v2_api_v1alpha1_NetworkFilter(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.NetworkImport":                         schema_openstack_resource_controller_v2_api_v1alpha1_NetworkImport(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.NetworkList":                           schema_openstack_resource_controller_v2_api_v1alpha1_NetworkList(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.NetworkResourceSpec":                   schema_openstack_resource_controller_v2_api_v1alpha1_NetworkResourceSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.NetworkResourceStatus":                 schema_openstack_resource_controller_v2_api_v1alpha1_NetworkResourceStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.NetworkSpec":                           schema_openstack_resource_controller_v2_api_v1alpha1_NetworkSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.NetworkStatus":                         schema_openstack_resource_controller_v2_api_v1alpha1_NetworkStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.NeutronStatusMetadata":                 schema_openstack_resource_controller_v2_api_v1alpha1_NeutronStatusMetadata(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Port":                                  schema_openstack_resource_controller_v2_api_v1alpha1_Port(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.PortFilter":                            schema_openstack_resource_controller_v2_api_v1alpha1_PortFilter(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.PortImport":                            schema_openstack_resource_controller_v2_api_v1alpha1_PortImport(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.PortList":                              schema_openstack_resource_controller_v2_api_v1alpha1_PortList(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.PortRangeSpec":                         schema_openstack_resource_controller_v2_api_v1alpha1_PortRangeSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.PortRangeStatus":                       schema_openstack_resource_controller_v2_api_v1alpha1_PortRangeStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.PortResourceSpec":                      schema_openstack_resource_controller_v2_api_v1alpha1_PortResourceSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.PortResourceStatus":                    schema_openstack_resource_controller_v2_api_v1alpha1_PortResourceStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.PortSpec":                              schema_openstack_resource_controller_v2_api_v1alpha1_PortSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.PortStatus":                            schema_openstack_resource_controller_v2_api_v1alpha1_PortStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Project":                               schema_openstack_resource_controller_v2_api_v1alpha1_Project(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ProjectFilter":                         schema_openstack_resource_controller_v2_api_v1alpha1_ProjectFilter(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ProjectImport":                         schema_openstack_resource_controller_v2_api_v1alpha1_ProjectImport(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ProjectList":                           schema_openstack_resource_controller_v2_api_v1alpha1_ProjectList(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ProjectResourceSpec":                   schema_openstack_resource_controller_v2_api_v1alpha1_ProjectResourceSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ProjectResourceStatus":                 schema_openstack_resource_controller_v2_api_v1alpha1_ProjectResourceStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ProjectSpec":                           schema_openstack_resource_controller_v2_api_v1alpha1_ProjectSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ProjectStatus":                         schema_openstack_resource_controller_v2_api_v1alpha1_ProjectStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ProviderPropertiesStatus":              schema_openstack_resource_controller_v2_api_v1alpha1_ProviderPropertiesStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Role":                                  schema_openstack_resource_controller_v2_api_v1alpha1_Role(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RoleFilter":                            schema_openstack_resource_controller_v2_api_v1alpha1_RoleFilter(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RoleImport":                            schema_openstack_resource_controller_v2_api_v1alpha1_RoleImport(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RoleList":                              schema_openstack_resource_controller_v2_api_v1alpha1_RoleList(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RoleResourceSpec":                      schema_openstack_resource_controller_v2_api_v1alpha1_RoleResourceSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RoleResourceStatus":                    schema_openstack_resource_controller_v2_api_v1alpha1_RoleResourceStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RoleSpec":                              schema_openstack_resource_controller_v2_api_v1alpha1_RoleSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RoleStatus":                            schema_openstack_resource_controller_v2_api_v1alpha1_RoleStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Router":                                schema_openstack_resource_controller_v2_api_v1alpha1_Router(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RouterFilter":                          schema_openstack_resource_controller_v2_api_v1alpha1_RouterFilter(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RouterImport":                          schema_openstack_resource_controller_v2_api_v1alpha1_RouterImport(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RouterInterface":                       schema_openstack_resource_controller_v2_api_v1alpha1_RouterInterface(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RouterInterfaceList":                   schema_openstack_resource_controller_v2_api_v1alpha1_RouterInterfaceList(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RouterInterfaceSpec":                   schema_openstack_resource_controller_v2_api_v1alpha1_RouterInterfaceSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RouterInterfaceStatus":                 schema_openstack_resource_controller_v2_api_v1alpha1_RouterInterfaceStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RouterList":                            schema_openstack_resource_controller_v2_api_v1alpha1_RouterList(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RouterResourceSpec":                    schema_openstack_resource_controller_v2_api_v1alpha1_RouterResourceSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RouterResourceStatus":                  schema_openstack_resource_controller_v2_api_v1alpha1_RouterResourceStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RouterSpec":                            schema_openstack_resource_controller_v2_api_v1alpha1_RouterSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.RouterStatus":                          schema_openstack_resource_controller_v2_api_v1alpha1_RouterStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SecurityGroup":                         schema_openstack_resource_controller_v2_api_v1alpha1_SecurityGroup(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SecurityGroupFilter":                   schema_openstack_resource_controller_v2_api_v1alpha1_SecurityGroupFilter(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SecurityGroupImport":                   schema_openstack_resource_controller_v2_api_v1alpha1_SecurityGroupImport(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SecurityGroupList":                     schema_openstack_resource_controller_v2_api_v1alpha1_SecurityGroupList(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SecurityGroupResourceSpec":             schema_openstack_resource_controller_v2_api_v1alpha1_SecurityGroupResourceSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SecurityGroupResourceStatus":           schema_openstack_resource_controller_v2_api_v1alpha1_SecurityGroupResourceStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SecurityGroupRule":                     schema_openstack_resource_controller_v2_api_v1alpha1_SecurityGroupRule(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SecurityGroupRuleStatus":               schema_openstack_resource_controller_v2_api_v1alpha1_SecurityGroupRuleStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SecurityGroupSpec":                     schema_openstack_resource_controller_v2_api_v1alpha1_SecurityGroupSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SecurityGroupStatus":                   schema_openstack_resource_controller_v2_api_v1alpha1_SecurityGroupStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Server":                                schema_openstack_resource_controller_v2_api_v1alpha1_Server(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerFilter":                          schema_openstack_resource_controller_v2_api_v1alpha1_ServerFilter(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerGroup":                           schema_openstack_resource_controller_v2_api_v1alpha1_ServerGroup(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerGroupFilter":                     schema_openstack_resource_controller_v2_api_v1alpha1_ServerGroupFilter(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerGroupImport":                     schema_openstack_resource_controller_v2_api_v1alpha1_ServerGroupImport(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerGroupList":                       schema_openstack_resource_controller_v2_api_v1alpha1_ServerGroupList(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerGroupResourceSpec":               schema_openstack_resource_controller_v2_api_v1alpha1_ServerGroupResourceSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerGroupResourceStatus":             schema_openstack_resource_controller_v2_api_v1alpha1_ServerGroupResourceStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerGroupRules":                      schema_openstack_resource_controller_v2_api_v1alpha1_ServerGroupRules(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerGroupRulesStatus":                schema_openstack_resource_controller_v2_api_v1alpha1_ServerGroupRulesStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerGroupSpec":                       schema_openstack_resource_controller_v2_api_v1alpha1_ServerGroupSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerGroupStatus":                     schema_openstack_resource_controller_v2_api_v1alpha1_ServerGroupStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerImport":                          schema_openstack_resource_controller_v2_api_v1alpha1_ServerImport(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerInterfaceFixedIP":                schema_openstack_resource_controller_v2_api_v1alpha1_ServerInterfaceFixedIP(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerInterfaceStatus":                 schema_openstack_resource_controller_v2_api_v1alpha1_ServerInterfaceStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerList":                            schema_openstack_resource_controller_v2_api_v1alpha1_ServerList(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerMetadata":                        schema_openstack_resource_controller_v2_api_v1alpha1_ServerMetadata(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerMetadataStatus":                  schema_openstack_resource_controller_v2_api_v1alpha1_ServerMetadataStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerPortSpec":                        schema_openstack_resource_controller_v2_api_v1alpha1_ServerPortSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerResourceSpec":                    schema_openstack_resource_controller_v2_api_v1alpha1_ServerResourceSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerResourceStatus":                  schema_openstack_resource_controller_v2_api_v1alpha1_ServerResourceStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerSpec":                            schema_openstack_resource_controller_v2_api_v1alpha1_ServerSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerStatus":                          schema_openstack_resource_controller_v2_api_v1alpha1_ServerStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerVolumeSpec":                      schema_openstack_resource_controller_v2_api_v1alpha1_ServerVolumeSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServerVolumeStatus":                    schema_openstack_resource_controller_v2_api_v1alpha1_ServerVolumeStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Service":                               schema_openstack_resource_controller_v2_api_v1alpha1_Service(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServiceFilter":                         schema_openstack_resource_controller_v2_api_v1alpha1_ServiceFilter(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServiceImport":                         schema_openstack_resource_controller_v2_api_v1alpha1_ServiceImport(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServiceList":                           schema_openstack_resource_controller_v2_api_v1alpha1_ServiceList(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServiceResourceSpec":                   schema_openstack_resource_controller_v2_api_v1alpha1_ServiceResourceSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServiceResourceStatus":                 schema_openstack_resource_controller_v2_api_v1alpha1_ServiceResourceStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServiceSpec":                           schema_openstack_resource_controller_v2_api_v1alpha1_ServiceSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ServiceStatus":                         schema_openstack_resource_controller_v2_api_v1alpha1_ServiceStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Subnet":                                schema_openstack_resource_controller_v2_api_v1alpha1_Subnet(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SubnetFilter":                          schema_openstack_resource_controller_v2_api_v1alpha1_SubnetFilter(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SubnetGateway":                         schema_openstack_resource_controller_v2_api_v1alpha1_SubnetGateway(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SubnetImport":                          schema_openstack_resource_controller_v2_api_v1alpha1_SubnetImport(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SubnetList":                            schema_openstack_resource_controller_v2_api_v1alpha1_SubnetList(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SubnetResourceSpec":                    schema_openstack_resource_controller_v2_api_v1alpha1_SubnetResourceSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SubnetResourceStatus":                  schema_openstack_resource_controller_v2_api_v1alpha1_SubnetResourceStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SubnetSpec":                            schema_openstack_resource_controller_v2_api_v1alpha1_SubnetSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.SubnetStatus":                          schema_openstack_resource_controller_v2_api_v1alpha1_SubnetStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.UserDataSpec":                          schema_openstack_resource_controller_v2_api_v1alpha1_UserDataSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.Volume":                                schema_openstack_resource_controller_v2_api_v1alpha1_Volume(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeAttachmentStatus":                schema_openstack_resource_controller_v2_api_v1alpha1_VolumeAttachmentStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeFilter":                          schema_openstack_resource_controller_v2_api_v1alpha1_VolumeFilter(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeImport":                          schema_openstack_resource_controller_v2_api_v1alpha1_VolumeImport(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeList":                            schema_openstack_resource_controller_v2_api_v1alpha1_VolumeList(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeMetadata":                        schema_openstack_resource_controller_v2_api_v1alpha1_VolumeMetadata(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeMetadataStatus":                  schema_openstack_resource_controller_v2_api_v1alpha1_VolumeMetadataStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeResourceSpec":                    schema_openstack_resource_controller_v2_api_v1alpha1_VolumeResourceSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeResourceStatus":                  schema_openstack_resource_controller_v2_api_v1alpha1_VolumeResourceStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeSpec":                            schema_openstack_resource_controller_v2_api_v1alpha1_VolumeSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeStatus":                          schema_openstack_resource_controller_v2_api_v1alpha1_VolumeStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeType":                            schema_openstack_resource_controller_v2_api_v1alpha1_VolumeType(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeTypeExtraSpec":                   schema_openstack_resource_controller_v2_api_v1alpha1_VolumeTypeExtraSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeTypeExtraSpecStatus":             schema_openstack_resource_controller_v2_api_v1alpha1_VolumeTypeExtraSpecStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeTypeFilter":                      schema_openstack_resource_controller_v2_api_v1alpha1_VolumeTypeFilter(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeTypeImport":                      schema_openstack_resource_controller_v2_api_v1alpha1_VolumeTypeImport(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeTypeList":                        schema_openstack_resource_controller_v2_api_v1alpha1_VolumeTypeList(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeTypeResourceSpec":                schema_openstack_resource_controller_v2_api_v1alpha1_VolumeTypeResourceSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeTypeResourceStatus":              schema_openstack_resource_controller_v2_api_v1alpha1_VolumeTypeResourceStatus(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeTypeSpec":                        schema_openstack_resource_controller_v2_api_v1alpha1_VolumeTypeSpec(ref),
+		"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.VolumeTypeStatus":                      schema_openstack_resource_controller_v2_api_v1alpha1_VolumeTypeStatus(ref),
+		"k8s.io/api/core/v1.AWSElasticBlockStoreVolumeSource":                                                  schema_k8sio_api_core_v1_AWSElasticBlockStoreVolumeSource(ref),
 		"k8s.io/api/core/v1.Affinity":                                    schema_k8sio_api_core_v1_Affinity(ref),
 		"k8s.io/api/core/v1.AppArmorProfile":                             schema_k8sio_api_core_v1_AppArmorProfile(ref),
 		"k8s.io/api/core/v1.AttachedVolume":                              schema_k8sio_api_core_v1_AttachedVolume(ref),
@@ -648,6 +660,608 @@ func schema_openstack_resource_controller_v2_api_v1alpha1_AllowedAddressPairStat
 	}
 }
 
+func schema_openstack_resource_controller_v2_api_v1alpha1_ApplicationCredential(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "ApplicationCredential is the Schema for an ORC resource.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Description: "metadata contains the object metadata",
+							Default:     map[string]interface{}{},
+							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"),
+						},
+					},
+					"spec": {
+						SchemaProps: spec.SchemaProps{
+							Description: "spec specifies the desired state of the resource.",
+							Default:     map[string]interface{}{},
+							Ref:         ref("github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialSpec"),
+						},
+					},
+					"status": {
+						SchemaProps: spec.SchemaProps{
+							Description: "status defines the observed state of the resource.",
+							Default:     map[string]interface{}{},
+							Ref:         ref("github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialStatus"),
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialSpec", "github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta"},
+	}
+}
+
+func schema_openstack_resource_controller_v2_api_v1alpha1_ApplicationCredentialAccessRole(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type: []string{"object"},
+				Properties: map[string]spec.Schema{
+					"name": {
+						SchemaProps: spec.SchemaProps{
+							Description: "name of an existing role",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"id": {
+						SchemaProps: spec.SchemaProps{
+							Description: "id is the ID of an role",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func schema_openstack_resource_controller_v2_api_v1alpha1_ApplicationCredentialAccessRoleStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type: []string{"object"},
+				Properties: map[string]spec.Schema{
+					"name": {
+						SchemaProps: spec.SchemaProps{
+							Description: "name of an existing role",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"id": {
+						SchemaProps: spec.SchemaProps{
+							Description: "id is the ID of an role",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"domainID": {
+						SchemaProps: spec.SchemaProps{
+							Description: "id of the domain of this role",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func schema_openstack_resource_controller_v2_api_v1alpha1_ApplicationCredentialAccessRule(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "ApplicationCredentialAccessRule defines an access rule",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"path": {
+						SchemaProps: spec.SchemaProps{
+							Description: "API path that the application credential is permitted to access",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"method": {
+						SchemaProps: spec.SchemaProps{
+							Description: "request method that the application credential is permitted to use for a given API endpoint",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"service": {
+						SchemaProps: spec.SchemaProps{
+							Description: "service type identifier for the service that the application credential is permitted to access",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func schema_openstack_resource_controller_v2_api_v1alpha1_ApplicationCredentialAccessRuleStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Type: []string{"object"},
+				Properties: map[string]spec.Schema{
+					"id": {
+						SchemaProps: spec.SchemaProps{
+							Description: "id is the ID of this access rule",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"path": {
+						SchemaProps: spec.SchemaProps{
+							Description: "API path that the application credential is permitted to access",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"method": {
+						SchemaProps: spec.SchemaProps{
+							Description: "request method that the application credential is permitted to use for a given API endpoint",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"service": {
+						SchemaProps: spec.SchemaProps{
+							Description: "service type identifier for the service that the application credential is permitted to access",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func schema_openstack_resource_controller_v2_api_v1alpha1_ApplicationCredentialFilter(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "ApplicationCredentialFilter defines an existing resource by its properties",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"name": {
+						SchemaProps: spec.SchemaProps{
+							Description: "name of the existing resource",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"userID": {
+						SchemaProps: spec.SchemaProps{
+							Description: "ID of the user the application credential belongs to",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+				Required: []string{"userID"},
+			},
+		},
+	}
+}
+
+func schema_openstack_resource_controller_v2_api_v1alpha1_ApplicationCredentialImport(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "ApplicationCredentialImport specifies an existing resource which will be imported instead of creating a new one",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"id": {
+						SchemaProps: spec.SchemaProps{
+							Description: "id contains the unique identifier of an existing OpenStack resource. Note that when specifying an import by ID, the resource MUST already exist. The ORC object will enter an error state if the resource does not exist.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"filter": {
+						SchemaProps: spec.SchemaProps{
+							Description: "filter contains a resource query which is expected to return a single result. The controller will continue to retry if filter returns no results. If filter returns multiple results the controller will set an error state and will not continue to retry.",
+							Ref:         ref("github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialFilter"),
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialFilter"},
+	}
+}
+
+func schema_openstack_resource_controller_v2_api_v1alpha1_ApplicationCredentialList(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "ApplicationCredentialList contains a list of ApplicationCredential.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"kind": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"apiVersion": {
+						SchemaProps: spec.SchemaProps{
+							Description: "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"metadata": {
+						SchemaProps: spec.SchemaProps{
+							Description: "metadata contains the list metadata",
+							Default:     map[string]interface{}{},
+							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"),
+						},
+					},
+					"items": {
+						SchemaProps: spec.SchemaProps{
+							Description: "items contains a list of ApplicationCredential.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref("github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredential"),
+									},
+								},
+							},
+						},
+					},
+				},
+				Required: []string{"items"},
+			},
+		},
+		Dependencies: []string{
+			"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredential", "k8s.io/apimachinery/pkg/apis/meta/v1.ListMeta"},
+	}
+}
+
+func schema_openstack_resource_controller_v2_api_v1alpha1_ApplicationCredentialResourceSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "ApplicationCredentialResourceSpec contains the desired state of the resource.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"name": {
+						SchemaProps: spec.SchemaProps{
+							Description: "name will be the name of the created resource. If not specified, the name of the ORC object will be used.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"description": {
+						SchemaProps: spec.SchemaProps{
+							Description: "description is a human-readable description for the resource.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"userID": {
+						SchemaProps: spec.SchemaProps{
+							Description: "ID of the user the application credential belongs to",
+							Default:     "",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"unrestricted": {
+						SchemaProps: spec.SchemaProps{
+							Description: "flag indicating whether the application credential may be used for creation or destruction of other application credentials or trusts",
+							Type:        []string{"boolean"},
+							Format:      "",
+						},
+					},
+					"secret": {
+						SchemaProps: spec.SchemaProps{
+							Type:   []string{"string"},
+							Format: "",
+						},
+					},
+					"roles": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-type": "atomic",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "list of role objects may only contain roles that the user has assigned on the project. If not provided, the roles assigned to the application credential will be the same as the roles in the current token.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref("github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialAccessRole"),
+									},
+								},
+							},
+						},
+					},
+					"accessRules": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-type": "atomic",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "list of fine grained access control rules",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref("github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialAccessRule"),
+									},
+								},
+							},
+						},
+					},
+					"expiresAt": {
+						SchemaProps: spec.SchemaProps{
+							Description: "expiry time for the application credential. If unset, the application credential does not expire.",
+							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+						},
+					},
+				},
+				Required: []string{"userID"},
+			},
+		},
+		Dependencies: []string{
+			"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialAccessRole", "github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialAccessRule", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+	}
+}
+
+func schema_openstack_resource_controller_v2_api_v1alpha1_ApplicationCredentialResourceStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "ApplicationCredentialResourceStatus represents the observed state of the resource.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"id": {
+						SchemaProps: spec.SchemaProps{
+							Description: "id is the ID of the application credential.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"name": {
+						SchemaProps: spec.SchemaProps{
+							Description: "name is a Human-readable name for the resource. Might not be unique.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"description": {
+						SchemaProps: spec.SchemaProps{
+							Description: "description is a human-readable description for the resource.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"unrestricted": {
+						SchemaProps: spec.SchemaProps{
+							Description: "flag indicating whether the application credential may be used for creation or destruction of other application credentials or trusts",
+							Type:        []string{"boolean"},
+							Format:      "",
+						},
+					},
+					"secret": {
+						SchemaProps: spec.SchemaProps{
+							Type:   []string{"string"},
+							Format: "",
+						},
+					},
+					"projectID": {
+						SchemaProps: spec.SchemaProps{
+							Description: "ID of the project the application credential was created for and that authentication requests using this application credential will be scoped to.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"roles": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-type": "atomic",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "list of role objects may only contain roles that the user has assigned on the project",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref("github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialAccessRoleStatus"),
+									},
+								},
+							},
+						},
+					},
+					"expiresAt": {
+						SchemaProps: spec.SchemaProps{
+							Description: "expiry time for the application credential",
+							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Time"),
+						},
+					},
+					"accessRules": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-type": "atomic",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "list of fine grained access control rules",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref("github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialAccessRuleStatus"),
+									},
+								},
+							},
+						},
+					},
+					"links": {
+						SchemaProps: spec.SchemaProps{
+							Description: "Links contains referencing links to the application credential",
+							Type:        []string{"object"},
+							AdditionalProperties: &spec.SchemaOrBool{
+								Allows: true,
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: "",
+										Type:    []string{"string"},
+										Format:  "",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialAccessRoleStatus", "github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialAccessRuleStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.Time"},
+	}
+}
+
+func schema_openstack_resource_controller_v2_api_v1alpha1_ApplicationCredentialSpec(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "ApplicationCredentialSpec defines the desired state of an ORC object.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"import": {
+						SchemaProps: spec.SchemaProps{
+							Description: "import refers to an existing OpenStack resource which will be imported instead of creating a new one.",
+							Ref:         ref("github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialImport"),
+						},
+					},
+					"resource": {
+						SchemaProps: spec.SchemaProps{
+							Description: "resource specifies the desired state of the resource.\n\nresource may not be specified if the management policy is `unmanaged`.\n\nresource must be specified if the management policy is `managed`.",
+							Ref:         ref("github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialResourceSpec"),
+						},
+					},
+					"managementPolicy": {
+						SchemaProps: spec.SchemaProps{
+							Description: "managementPolicy defines how ORC will treat the object. Valid values are `managed`: ORC will create, update, and delete the resource; `unmanaged`: ORC will import an existing resource, and will not apply updates to it or delete it.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"managedOptions": {
+						SchemaProps: spec.SchemaProps{
+							Description: "managedOptions specifies options which may be applied to managed objects.",
+							Ref:         ref("github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ManagedOptions"),
+						},
+					},
+					"cloudCredentialsRef": {
+						SchemaProps: spec.SchemaProps{
+							Description: "cloudCredentialsRef points to a secret containing OpenStack credentials",
+							Default:     map[string]interface{}{},
+							Ref:         ref("github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.CloudCredentialsReference"),
+						},
+					},
+				},
+				Required: []string{"cloudCredentialsRef"},
+			},
+		},
+		Dependencies: []string{
+			"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialImport", "github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialResourceSpec", "github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.CloudCredentialsReference", "github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ManagedOptions"},
+	}
+}
+
+func schema_openstack_resource_controller_v2_api_v1alpha1_ApplicationCredentialStatus(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "ApplicationCredentialStatus defines the observed state of an ORC resource.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"conditions": {
+						VendorExtensible: spec.VendorExtensible{
+							Extensions: spec.Extensions{
+								"x-kubernetes-list-map-keys": []interface{}{
+									"type",
+								},
+								"x-kubernetes-list-type":       "map",
+								"x-kubernetes-patch-merge-key": "type",
+								"x-kubernetes-patch-strategy":  "merge",
+							},
+						},
+						SchemaProps: spec.SchemaProps{
+							Description: "conditions represents the observed status of the object. Known .status.conditions.type are: \"Available\", \"Progressing\"\n\nAvailable represents the availability of the OpenStack resource. If it is true then the resource is ready for use.\n\nProgressing indicates whether the controller is still attempting to reconcile the current state of the OpenStack resource to the desired state. Progressing will be False either because the desired state has been achieved, or because some terminal error prevents it from ever being achieved and the controller is no longer attempting to reconcile. If Progressing is True, an observer waiting on the resource should continue to wait.",
+							Type:        []string{"array"},
+							Items: &spec.SchemaOrArray{
+								Schema: &spec.Schema{
+									SchemaProps: spec.SchemaProps{
+										Default: map[string]interface{}{},
+										Ref:     ref("k8s.io/apimachinery/pkg/apis/meta/v1.Condition"),
+									},
+								},
+							},
+						},
+					},
+					"id": {
+						SchemaProps: spec.SchemaProps{
+							Description: "id is the unique identifier of the OpenStack resource.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+					"resource": {
+						SchemaProps: spec.SchemaProps{
+							Description: "resource contains the observed state of the OpenStack resource.",
+							Ref:         ref("github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialResourceStatus"),
+						},
+					},
+				},
+			},
+		},
+		Dependencies: []string{
+			"github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1.ApplicationCredentialResourceStatus", "k8s.io/apimachinery/pkg/apis/meta/v1.Condition"},
+	}
+}
+
 func schema_openstack_resource_controller_v2_api_v1alpha1_CloudCredentialsReference(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
diff --git a/cmd/resource-generator/main.go b/cmd/resource-generator/main.go
index b3f4ece76..bb71fb3d4 100644
--- a/cmd/resource-generator/main.go
+++ b/cmd/resource-generator/main.go
@@ -160,6 +160,9 @@ var resources []templateFields = []templateFields{
 	{
 		Name: "Group",
 	},
+	{
+		Name: "ApplicationCredential",
+	},
 }
 
 // These resources won't be generated
diff --git a/config/crd/bases/openstack.k-orc.cloud_applicationcredentials.yaml b/config/crd/bases/openstack.k-orc.cloud_applicationcredentials.yaml
new file mode 100644
index 000000000..4fa9ab7dc
--- /dev/null
+++ b/config/crd/bases/openstack.k-orc.cloud_applicationcredentials.yaml
@@ -0,0 +1,447 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.17.1
+  name: applicationcredentials.openstack.k-orc.cloud
+spec:
+  group: openstack.k-orc.cloud
+  names:
+    categories:
+    - openstack
+    kind: ApplicationCredential
+    listKind: ApplicationCredentialList
+    plural: applicationcredentials
+    singular: applicationcredential
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Resource ID
+      jsonPath: .status.id
+      name: ID
+      type: string
+    - description: Availability status of resource
+      jsonPath: .status.conditions[?(@.type=='Available')].status
+      name: Available
+      type: string
+    - description: Message describing current progress status
+      jsonPath: .status.conditions[?(@.type=='Progressing')].message
+      name: Message
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: ApplicationCredential is the Schema for an ORC resource.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: spec specifies the desired state of the resource.
+            properties:
+              cloudCredentialsRef:
+                description: cloudCredentialsRef points to a secret containing OpenStack
+                  credentials
+                properties:
+                  cloudName:
+                    description: cloudName specifies the name of the entry in the
+                      clouds.yaml file to use.
+                    maxLength: 256
+                    minLength: 1
+                    type: string
+                  secretName:
+                    description: |-
+                      secretName is the name of a secret in the same namespace as the resource being provisioned.
+                      The secret must contain a key named `clouds.yaml` which contains an OpenStack clouds.yaml file.
+                      The secret may optionally contain a key named `cacert` containing a PEM-encoded CA certificate.
+                    maxLength: 253
+                    minLength: 1
+                    type: string
+                required:
+                - cloudName
+                - secretName
+                type: object
+              import:
+                description: |-
+                  import refers to an existing OpenStack resource which will be imported instead of
+                  creating a new one.
+                maxProperties: 1
+                minProperties: 1
+                properties:
+                  filter:
+                    description: |-
+                      filter contains a resource query which is expected to return a single
+                      result. The controller will continue to retry if filter returns no
+                      results. If filter returns multiple results the controller will set an
+                      error state and will not continue to retry.
+                    minProperties: 1
+                    properties:
+                      name:
+                        description: name of the existing resource
+                        maxLength: 255
+                        minLength: 1
+                        pattern: ^[^,]+$
+                        type: string
+                      userID:
+                        description: ID of the user the application credential belongs
+                          to
+                        type: string
+                    required:
+                    - userID
+                    type: object
+                  id:
+                    description: |-
+                      id contains the unique identifier of an existing OpenStack resource. Note
+                      that when specifying an import by ID, the resource MUST already exist.
+                      The ORC object will enter an error state if the resource does not exist.
+                    format: uuid
+                    type: string
+                type: object
+              managedOptions:
+                description: managedOptions specifies options which may be applied
+                  to managed objects.
+                properties:
+                  onDelete:
+                    default: delete
+                    description: |-
+                      onDelete specifies the behaviour of the controller when the ORC
+                      object is deleted. Options are `delete` - delete the OpenStack resource;
+                      `detach` - do not delete the OpenStack resource. If not specified, the
+                      default is `delete`.
+                    enum:
+                    - delete
+                    - detach
+                    type: string
+                type: object
+              managementPolicy:
+                default: managed
+                description: |-
+                  managementPolicy defines how ORC will treat the object. Valid values are
+                  `managed`: ORC will create, update, and delete the resource; `unmanaged`:
+                  ORC will import an existing resource, and will not apply updates to it or
+                  delete it.
+                enum:
+                - managed
+                - unmanaged
+                type: string
+                x-kubernetes-validations:
+                - message: managementPolicy is immutable
+                  rule: self == oldSelf
+              resource:
+                description: |-
+                  resource specifies the desired state of the resource.
+
+                  resource may not be specified if the management policy is `unmanaged`.
+
+                  resource must be specified if the management policy is `managed`.
+                properties:
+                  accessRules:
+                    description: list of fine grained access control rules
+                    items:
+                      description: ApplicationCredentialAccessRule defines an access
+                        rule
+                      minProperties: 1
+                      properties:
+                        method:
+                          description: request method that the application credential
+                            is permitted to use for a given API endpoint
+                          enum:
+                          - CONNECT
+                          - DELETE
+                          - GET
+                          - HEAD
+                          - OPTIONS
+                          - PATCH
+                          - POST
+                          - PUT
+                          - TRACE
+                          type: string
+                        path:
+                          description: API path that the application credential is
+                            permitted to access
+                          maxLength: 1024
+                          type: string
+                        service:
+                          description: service type identifier for the service that
+                            the application credential is permitted to access
+                          maxLength: 1024
+                          type: string
+                      type: object
+                    maxItems: 256
+                    type: array
+                    x-kubernetes-list-type: atomic
+                    x-kubernetes-validations:
+                    - message: Rules is immutable
+                      rule: self == oldSelf
+                  description:
+                    description: description is a human-readable description for the
+                      resource.
+                    maxLength: 255
+                    minLength: 1
+                    type: string
+                  expiresAt:
+                    description: expiry time for the application credential. If unset,
+                      the application credential does not expire.
+                    format: date-time
+                    type: string
+                    x-kubernetes-validations:
+                    - message: ExpiresAt is immutable
+                      rule: self == oldSelf
+                  name:
+                    description: |-
+                      name will be the name of the created resource. If not specified, the
+                      name of the ORC object will be used.
+                    maxLength: 255
+                    minLength: 1
+                    pattern: ^[^,]+$
+                    type: string
+                  roles:
+                    description: list of role objects may only contain roles that
+                      the user has assigned on the project. If not provided, the roles
+                      assigned to the application credential will be the same as the
+                      roles in the current token.
+                    items:
+                      maxProperties: 1
+                      minProperties: 1
+                      properties:
+                        id:
+                          description: id is the ID of an role
+                          maxLength: 1024
+                          type: string
+                        name:
+                          description: name of an existing role
+                          maxLength: 255
+                          minLength: 1
+                          pattern: ^[^,]+$
+                          type: string
+                      type: object
+                    maxItems: 256
+                    type: array
+                    x-kubernetes-list-type: atomic
+                    x-kubernetes-validations:
+                    - message: Roles is immutable
+                      rule: self == oldSelf
+                  secret:
+                    type: string
+                    x-kubernetes-validations:
+                    - message: Secret is immutable
+                      rule: self == oldSelf
+                  unrestricted:
+                    description: flag indicating whether the application credential
+                      may be used for creation or destruction of other application
+                      credentials or trusts
+                    type: boolean
+                    x-kubernetes-validations:
+                    - message: Unrestricted is immutable
+                      rule: self == oldSelf
+                  userID:
+                    description: ID of the user the application credential belongs
+                      to
+                    maxLength: 1024
+                    type: string
+                    x-kubernetes-validations:
+                    - message: UserID is immutable
+                      rule: self == oldSelf
+                required:
+                - userID
+                type: object
+            required:
+            - cloudCredentialsRef
+            type: object
+            x-kubernetes-validations:
+            - message: resource must be specified when policy is managed
+              rule: 'self.managementPolicy == ''managed'' ? has(self.resource) : true'
+            - message: import may not be specified when policy is managed
+              rule: 'self.managementPolicy == ''managed'' ? !has(self.__import__)
+                : true'
+            - message: resource may not be specified when policy is unmanaged
+              rule: 'self.managementPolicy == ''unmanaged'' ? !has(self.resource)
+                : true'
+            - message: import must be specified when policy is unmanaged
+              rule: 'self.managementPolicy == ''unmanaged'' ? has(self.__import__)
+                : true'
+            - message: managedOptions may only be provided when policy is managed
+              rule: 'has(self.managedOptions) ? self.managementPolicy == ''managed''
+                : true'
+          status:
+            description: status defines the observed state of the resource.
+            properties:
+              conditions:
+                description: |-
+                  conditions represents the observed status of the object.
+                  Known .status.conditions.type are: "Available", "Progressing"
+
+                  Available represents the availability of the OpenStack resource. If it is
+                  true then the resource is ready for use.
+
+                  Progressing indicates whether the controller is still attempting to
+                  reconcile the current state of the OpenStack resource to the desired
+                  state. Progressing will be False either because the desired state has
+                  been achieved, or because some terminal error prevents it from ever being
+                  achieved and the controller is no longer attempting to reconcile. If
+                  Progressing is True, an observer waiting on the resource should continue
+                  to wait.
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                maxItems: 32
+                type: array
+                x-kubernetes-list-map-keys:
+                - type
+                x-kubernetes-list-type: map
+              id:
+                description: id is the unique identifier of the OpenStack resource.
+                type: string
+              resource:
+                description: resource contains the observed state of the OpenStack
+                  resource.
+                properties:
+                  accessRules:
+                    description: list of fine grained access control rules
+                    items:
+                      properties:
+                        id:
+                          description: id is the ID of this access rule
+                          type: string
+                        method:
+                          description: request method that the application credential
+                            is permitted to use for a given API endpoint
+                          type: string
+                        path:
+                          description: API path that the application credential is
+                            permitted to access
+                          type: string
+                        service:
+                          description: service type identifier for the service that
+                            the application credential is permitted to access
+                          type: string
+                      type: object
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  description:
+                    description: description is a human-readable description for the
+                      resource.
+                    maxLength: 1024
+                    type: string
+                  expiresAt:
+                    description: expiry time for the application credential
+                    format: date-time
+                    type: string
+                  id:
+                    description: id is the ID of the application credential.
+                    maxLength: 1024
+                    type: string
+                  links:
+                    additionalProperties:
+                      type: string
+                    description: Links contains referencing links to the application
+                      credential
+                    type: object
+                  name:
+                    description: name is a Human-readable name for the resource. Might
+                      not be unique.
+                    maxLength: 1024
+                    type: string
+                  projectID:
+                    description: ID of the project the application credential was
+                      created for and that authentication requests using this application
+                      credential will be scoped to.
+                    maxLength: 1024
+                    type: string
+                  roles:
+                    description: list of role objects may only contain roles that
+                      the user has assigned on the project
+                    items:
+                      properties:
+                        domainID:
+                          description: id of the domain of this role
+                          type: string
+                        id:
+                          description: id is the ID of an role
+                          type: string
+                        name:
+                          description: name of an existing role
+                          type: string
+                      type: object
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  secret:
+                    type: string
+                  unrestricted:
+                    description: flag indicating whether the application credential
+                      may be used for creation or destruction of other application
+                      credentials or trusts
+                    type: boolean
+                type: object
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
index 33b8c85e2..e21841187 100644
--- a/config/crd/kustomization.yaml
+++ b/config/crd/kustomization.yaml
@@ -3,6 +3,7 @@
 # since it depends on service name and namespace that are out of this kustomize package.
 # It should be run by config/default
 resources:
+- bases/openstack.k-orc.cloud_applicationcredentials.yaml
 - bases/openstack.k-orc.cloud_domains.yaml
 - bases/openstack.k-orc.cloud_flavors.yaml
 - bases/openstack.k-orc.cloud_floatingips.yaml
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 5a0a7443b..bac7753e7 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -17,6 +17,7 @@ rules:
 - apiGroups:
   - openstack.k-orc.cloud
   resources:
+  - applicationcredentials
   - domains
   - flavors
   - floatingips
@@ -47,6 +48,7 @@ rules:
 - apiGroups:
   - openstack.k-orc.cloud
   resources:
+  - applicationcredentials/status
   - domains/status
   - flavors/status
   - floatingips/status
diff --git a/config/samples/kustomization.yaml b/config/samples/kustomization.yaml
index dac467c69..b810d1b0d 100644
--- a/config/samples/kustomization.yaml
+++ b/config/samples/kustomization.yaml
@@ -1,6 +1,7 @@
 # Code generated by resource-generator. DO NOT EDIT.
 ## Append samples of your project ##
 resources:
+- openstack_v1alpha1_applicationcredential.yaml
 - openstack_v1alpha1_domain.yaml
 - openstack_v1alpha1_flavor.yaml
 - openstack_v1alpha1_floatingip.yaml
diff --git a/config/samples/openstack_v1alpha1_applicationcredential.yaml b/config/samples/openstack_v1alpha1_applicationcredential.yaml
new file mode 100644
index 000000000..8edc2aba1
--- /dev/null
+++ b/config/samples/openstack_v1alpha1_applicationcredential.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: ApplicationCredential
+metadata:
+  name: applicationcredential-sample
+spec:
+  cloudCredentialsRef:
+    # TODO(scaffolding): Use openstack-admin if the resource needs admin credentials to be created
+    cloudName: openstack
+    secretName: openstack-clouds
+  managementPolicy: managed
+  resource:
+    description: Sample ApplicationCredential
+    # TODO(scaffolding): Add all fields the resource supports
diff --git a/internal/controllers/applicationcredential/actuator.go b/internal/controllers/applicationcredential/actuator.go
new file mode 100644
index 000000000..20edae8d7
--- /dev/null
+++ b/internal/controllers/applicationcredential/actuator.go
@@ -0,0 +1,168 @@
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package applicationcredential
+
+import (
+	"context"
+	"iter"
+
+	"github.com/gophercloud/gophercloud/v2/openstack/identity/v3/applicationcredentials"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/utils/ptr"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	orcv1alpha1 "github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1"
+	"github.com/k-orc/openstack-resource-controller/v2/internal/controllers/generic/interfaces"
+	"github.com/k-orc/openstack-resource-controller/v2/internal/controllers/generic/progress"
+	"github.com/k-orc/openstack-resource-controller/v2/internal/osclients"
+	orcerrors "github.com/k-orc/openstack-resource-controller/v2/internal/util/errors"
+)
+
+// OpenStack resource types
+type (
+	osResourceT = applicationcredentials.ApplicationCredential
+
+	createResourceActuator = interfaces.CreateResourceActuator[orcObjectPT, orcObjectT, filterT, osResourceT]
+	deleteResourceActuator = interfaces.DeleteResourceActuator[orcObjectPT, orcObjectT, osResourceT]
+	resourceReconciler     = interfaces.ResourceReconciler[orcObjectPT, osResourceT]
+	helperFactory          = interfaces.ResourceHelperFactory[orcObjectPT, orcObjectT, resourceSpecT, filterT, osResourceT]
+)
+
+type applicationcredentialActuator struct {
+	osClient  osclients.ApplicationCredentialClient
+	k8sClient client.Client
+}
+
+var _ createResourceActuator = applicationcredentialActuator{}
+var _ deleteResourceActuator = applicationcredentialActuator{}
+
+func (applicationcredentialActuator) GetResourceID(osResource *osResourceT) string {
+	return osResource.ID
+}
+
+func (actuator applicationcredentialActuator) GetOSResourceByID(ctx context.Context, id string) (*osResourceT, progress.ReconcileStatus) {
+	resource, err := actuator.osClient.GetApplicationCredential(ctx, id)
+	if err != nil {
+		return nil, progress.WrapError(err)
+	}
+	return resource, nil
+}
+
+func (actuator applicationcredentialActuator) ListOSResourcesForAdoption(ctx context.Context, orcObject orcObjectPT) (iter.Seq2[*osResourceT, error], bool) {
+	resourceSpec := orcObject.Spec.Resource
+	if resourceSpec == nil {
+		return nil, false
+	}
+
+	// TODO: Filter by ID? Client side filtering using Check osclients.ResourceFilter?
+
+	listOpts := applicationcredentials.ListOpts{
+		Name: getResourceName(orcObject),
+	}
+
+	return actuator.osClient.ListApplicationCredentials(ctx, resourceSpec.UserID, listOpts), true
+}
+
+func (actuator applicationcredentialActuator) ListOSResourcesForImport(ctx context.Context, obj orcObjectPT, filter filterT) (iter.Seq2[*osResourceT, error], progress.ReconcileStatus) {
+	// TODO: Filter by ID? Client side filtering using Check osclients.ResourceFilter?
+
+	listOpts := applicationcredentials.ListOpts{
+		Name: string(ptr.Deref(filter.Name, "")),
+	}
+
+	return actuator.osClient.ListApplicationCredentials(ctx, filter.UserID, listOpts), nil
+}
+
+func (actuator applicationcredentialActuator) CreateResource(ctx context.Context, obj orcObjectPT) (*osResourceT, progress.ReconcileStatus) {
+	resource := obj.Spec.Resource
+
+	if resource == nil {
+		// Should have been caught by API validation
+		return nil, progress.WrapError(
+			orcerrors.Terminal(orcv1alpha1.ConditionReasonInvalidConfiguration, "Creation requested, but spec.resource is not set"))
+	}
+	createOpts := applicationcredentials.CreateOpts{
+		Name:         getResourceName(obj),
+		Description:  ptr.Deref(resource.Description, ""),
+		Unrestricted: ptr.Deref(resource.Unrestricted, false),
+		Secret:       ptr.Deref(resource.Secret, ""),
+		// TODO: ExpiresAt
+		// TODO: Roles
+		// TODO: AccessRules
+	}
+
+	osResource, err := actuator.osClient.CreateApplicationCredential(ctx, resource.UserID, createOpts)
+	if err != nil {
+		// We should require the spec to be updated before retrying a create which returned a conflict
+		if !orcerrors.IsRetryable(err) {
+			err = orcerrors.Terminal(orcv1alpha1.ConditionReasonInvalidConfiguration, "invalid configuration creating resource: "+err.Error(), err)
+		}
+		return nil, progress.WrapError(err)
+	}
+
+	return osResource, nil
+}
+
+func (actuator applicationcredentialActuator) DeleteResource(ctx context.Context, _ orcObjectPT, resource *osResourceT) progress.ReconcileStatus {
+	return progress.WrapError(actuator.osClient.DeleteApplicationCredential(ctx, resource.resource.ID))
+}
+
+func (actuator applicationcredentialActuator) GetResourceReconcilers(ctx context.Context, orcObject orcObjectPT, osResource *osResourceT, controller interfaces.ResourceController) ([]resourceReconciler, progress.ReconcileStatus) {
+	// ApplicationCredentials are immutable - no update reconcilers needed
+	return []resourceReconciler{}, nil
+}
+
+type applicationcredentialHelperFactory struct{}
+
+var _ helperFactory = applicationcredentialHelperFactory{}
+
+func newActuator(ctx context.Context, orcObject *orcv1alpha1.ApplicationCredential, controller interfaces.ResourceController) (applicationcredentialActuator, progress.ReconcileStatus) {
+	log := ctrl.LoggerFrom(ctx)
+
+	// Ensure credential secrets exist and have our finalizer
+	_, reconcileStatus := credentialsDependency.GetDependencies(ctx, controller.GetK8sClient(), orcObject, func(*corev1.Secret) bool { return true })
+	if needsReschedule, _ := reconcileStatus.NeedsReschedule(); needsReschedule {
+		return applicationcredentialActuator{}, reconcileStatus
+	}
+
+	clientScope, err := controller.GetScopeFactory().NewClientScopeFromObject(ctx, controller.GetK8sClient(), log, orcObject)
+	if err != nil {
+		return applicationcredentialActuator{}, progress.WrapError(err)
+	}
+	osClient, err := clientScope.NewApplicationCredentialClient()
+	if err != nil {
+		return applicationcredentialActuator{}, progress.WrapError(err)
+	}
+
+	return applicationcredentialActuator{
+		osClient:  osClient,
+		k8sClient: controller.GetK8sClient(),
+	}, nil
+}
+
+func (applicationcredentialHelperFactory) NewAPIObjectAdapter(obj orcObjectPT) adapterI {
+	return applicationcredentialAdapter{obj}
+}
+
+func (applicationcredentialHelperFactory) NewCreateActuator(ctx context.Context, orcObject orcObjectPT, controller interfaces.ResourceController) (createResourceActuator, progress.ReconcileStatus) {
+	return newActuator(ctx, orcObject, controller)
+}
+
+func (applicationcredentialHelperFactory) NewDeleteActuator(ctx context.Context, orcObject orcObjectPT, controller interfaces.ResourceController) (deleteResourceActuator, progress.ReconcileStatus) {
+	return newActuator(ctx, orcObject, controller)
+}
diff --git a/internal/controllers/applicationcredential/actuator_test.go b/internal/controllers/applicationcredential/actuator_test.go
new file mode 100644
index 000000000..1a8015f89
--- /dev/null
+++ b/internal/controllers/applicationcredential/actuator_test.go
@@ -0,0 +1,119 @@
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package applicationcredential
+
+import (
+	"testing"
+
+	"github.com/gophercloud/gophercloud/v2/openstack/identity/v3/applicationcredentials"
+	orcv1alpha1 "github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1"
+	"k8s.io/utils/ptr"
+)
+
+func TestNeedsUpdate(t *testing.T) {
+	testCases := []struct {
+		name         string
+		updateOpts   applicationcredentials.UpdateOpts
+		expectChange bool
+	}{
+		{
+			name:         "Empty base opts",
+			updateOpts:   applicationcredentials.UpdateOpts{},
+			expectChange: false,
+		},
+		{
+			name:         "Updated opts",
+			updateOpts:   applicationcredentials.UpdateOpts{Name: ptr.To("updated")},
+			expectChange: true,
+		},
+	}
+
+	for _, tt := range testCases {
+		t.Run(tt.name, func(t *testing.T) {
+			got, _ := needsUpdate(tt.updateOpts)
+			if got != tt.expectChange {
+				t.Errorf("Expected change: %v, got: %v", tt.expectChange, got)
+			}
+		})
+	}
+}
+
+func TestHandleNameUpdate(t *testing.T) {
+	ptrToName := ptr.To[orcv1alpha1.OpenStackName]
+	testCases := []struct {
+		name          string
+		newValue      *orcv1alpha1.OpenStackName
+		existingValue string
+		expectChange  bool
+	}{
+		{name: "Identical", newValue: ptrToName("name"), existingValue: "name", expectChange: false},
+		{name: "Different", newValue: ptrToName("new-name"), existingValue: "name", expectChange: true},
+		{name: "No value provided, existing is identical to object name", newValue: nil, existingValue: "object-name", expectChange: false},
+		{name: "No value provided, existing is different from object name", newValue: nil, existingValue: "different-from-object-name", expectChange: true},
+	}
+
+	for _, tt := range testCases {
+		t.Run(tt.name, func(t *testing.T) {
+			resource := &orcv1alpha1.ApplicationCredential{}
+			resource.Name = "object-name"
+			resource.Spec = orcv1alpha1.ApplicationCredentialSpec{
+				Resource: &orcv1alpha1.ApplicationCredentialResourceSpec{Name: tt.newValue},
+			}
+			osResource := &osResourceT{Name: tt.existingValue}
+
+			updateOpts := applicationcredentials.UpdateOpts{}
+			handleNameUpdate(&updateOpts, resource, osResource)
+
+			got, _ := needsUpdate(updateOpts)
+			if got != tt.expectChange {
+				t.Errorf("Expected change: %v, got: %v", tt.expectChange, got)
+			}
+		})
+
+	}
+}
+
+func TestHandleDescriptionUpdate(t *testing.T) {
+	ptrToDescription := ptr.To[string]
+	testCases := []struct {
+		name          string
+		newValue      *string
+		existingValue string
+		expectChange  bool
+	}{
+		{name: "Identical", newValue: ptrToDescription("desc"), existingValue: "desc", expectChange: false},
+		{name: "Different", newValue: ptrToDescription("new-desc"), existingValue: "desc", expectChange: true},
+		{name: "No value provided, existing is set", newValue: nil, existingValue: "desc", expectChange: true},
+		{name: "No value provided, existing is empty", newValue: nil, existingValue: "", expectChange: false},
+	}
+
+	for _, tt := range testCases {
+		t.Run(tt.name, func(t *testing.T) {
+			resource := &orcv1alpha1.ApplicationCredentialResourceSpec{Description: tt.newValue}
+			osResource := &osResourceT{Description: tt.existingValue}
+
+			updateOpts := applicationcredentials.UpdateOpts{}
+			handleDescriptionUpdate(&updateOpts, resource, osResource)
+
+			got, _ := needsUpdate(updateOpts)
+			if got != tt.expectChange {
+				t.Errorf("Expected change: %v, got: %v", tt.expectChange, got)
+			}
+		})
+
+	}
+}
diff --git a/internal/controllers/applicationcredential/controller.go b/internal/controllers/applicationcredential/controller.go
new file mode 100644
index 000000000..ccfb03d5f
--- /dev/null
+++ b/internal/controllers/applicationcredential/controller.go
@@ -0,0 +1,68 @@
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package applicationcredential
+
+import (
+	"context"
+	"errors"
+
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+
+	orcv1alpha1 "github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1"
+
+	"github.com/k-orc/openstack-resource-controller/v2/internal/controllers/generic/interfaces"
+	"github.com/k-orc/openstack-resource-controller/v2/internal/controllers/generic/reconciler"
+	"github.com/k-orc/openstack-resource-controller/v2/internal/scope"
+	"github.com/k-orc/openstack-resource-controller/v2/internal/util/credentials"
+)
+
+const controllerName = "applicationcredential"
+
+// +kubebuilder:rbac:groups=openstack.k-orc.cloud,resources=applicationcredentials,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=openstack.k-orc.cloud,resources=applicationcredentials/status,verbs=get;update;patch
+
+type applicationcredentialReconcilerConstructor struct {
+	scopeFactory scope.Factory
+}
+
+func New(scopeFactory scope.Factory) interfaces.Controller {
+	return applicationcredentialReconcilerConstructor{scopeFactory: scopeFactory}
+}
+
+func (applicationcredentialReconcilerConstructor) GetName() string {
+	return controllerName
+}
+
+// SetupWithManager sets up the controller with the Manager.
+func (c applicationcredentialReconcilerConstructor) SetupWithManager(ctx context.Context, mgr ctrl.Manager, options controller.Options) error {
+	log := ctrl.LoggerFrom(ctx)
+
+	builder := ctrl.NewControllerManagedBy(mgr).
+		WithOptions(options).
+		For(&orcv1alpha1.ApplicationCredential{})
+
+	if err := errors.Join(
+		credentialsDependency.AddToManager(ctx, mgr),
+		credentials.AddCredentialsWatch(log, mgr.GetClient(), builder, credentialsDependency),
+	); err != nil {
+		return err
+	}
+
+	r := reconciler.NewController(controllerName, mgr.GetClient(), c.scopeFactory, applicationcredentialHelperFactory{}, applicationcredentialStatusWriter{})
+	return builder.Complete(&r)
+}
diff --git a/internal/controllers/applicationcredential/status.go b/internal/controllers/applicationcredential/status.go
new file mode 100644
index 000000000..588d2a984
--- /dev/null
+++ b/internal/controllers/applicationcredential/status.go
@@ -0,0 +1,98 @@
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package applicationcredential
+
+import (
+	"github.com/go-logr/logr"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	orcv1alpha1 "github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1"
+	"github.com/k-orc/openstack-resource-controller/v2/internal/controllers/generic/interfaces"
+	"github.com/k-orc/openstack-resource-controller/v2/internal/controllers/generic/progress"
+	orcapplyconfigv1alpha1 "github.com/k-orc/openstack-resource-controller/v2/pkg/clients/applyconfiguration/api/v1alpha1"
+)
+
+type applicationcredentialStatusWriter struct{}
+
+type objectApplyT = orcapplyconfigv1alpha1.ApplicationCredentialApplyConfiguration
+type statusApplyT = orcapplyconfigv1alpha1.ApplicationCredentialStatusApplyConfiguration
+
+var _ interfaces.ResourceStatusWriter[*orcv1alpha1.ApplicationCredential, *osResourceT, *objectApplyT, *statusApplyT] = applicationcredentialStatusWriter{}
+
+func (applicationcredentialStatusWriter) GetApplyConfig(name, namespace string) *objectApplyT {
+	return orcapplyconfigv1alpha1.ApplicationCredential(name, namespace)
+}
+
+func (applicationcredentialStatusWriter) ResourceAvailableStatus(orcObject *orcv1alpha1.ApplicationCredential, osResource *osResourceT) (metav1.ConditionStatus, progress.ReconcileStatus) {
+	if osResource == nil {
+		if orcObject.Status.ID == nil {
+			return metav1.ConditionFalse, nil
+		} else {
+			return metav1.ConditionUnknown, nil
+		}
+	}
+	return metav1.ConditionTrue, nil
+}
+
+func (applicationcredentialStatusWriter) ApplyResourceStatus(log logr.Logger, osResource *osResourceT, statusApply *statusApplyT) {
+	resourceStatus := orcapplyconfigv1alpha1.ApplicationCredentialResourceStatus().
+		WithName(osResource.Name).
+		WithUnrestricted(osResource.Unrestricted).
+		WithSecret(osResource.Secret).
+		WithProjectID(osResource.ProjectID)
+
+	if !osResource.ExpiresAt.IsZero() {
+		resourceStatus.WithExpiresAt(metav1.NewTime(osResource.ExpiresAt))
+	}
+
+	if osResource.ID != "" {
+		resourceStatus.WithID(osResource.ID)
+	}
+
+	if osResource.Description != "" {
+		resourceStatus.WithDescription(osResource.Description)
+	}
+
+	for i := range osResource.Roles {
+		roleStatus := orcapplyconfigv1alpha1.ApplicationCredentialAccessRoleStatus().
+			WithID(osResource.Roles[i].ID).
+			WithName(osResource.Roles[i].Name).
+			WithDomainID(osResource.Roles[i].DomainID)
+
+		resourceStatus.WithRoles(roleStatus)
+	}
+
+	for i := range osResource.AccessRules {
+		accessRuleStatus := orcapplyconfigv1alpha1.ApplicationCredentialAccessRuleStatus().
+			WithID(osResource.AccessRules[i].ID).
+			WithPath(osResource.AccessRules[i].Path).
+			WithMethod(osResource.AccessRules[i].Method).
+			WithService(osResource.AccessRules[i].Service)
+
+		resourceStatus.WithAccessRules(accessRuleStatus)
+	}
+
+	links := make(map[string]string, len(osResource.Links))
+
+	for k, v := range osResource.Links {
+		links[k] = v.(string)
+	}
+
+	resourceStatus.WithLinks(links)
+
+	statusApply.WithResource(resourceStatus)
+}
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-create-full/00-assert.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-create-full/00-assert.yaml
new file mode 100644
index 000000000..48d64128d
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-create-full/00-assert.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: ApplicationCredential
+metadata:
+  name: applicationcredential-create-full
+status:
+  resource:
+    name: applicationcredential-create-full-override
+    description: ApplicationCredential from "create full" test
+    # TODO(scaffolding): Add all fields the resource supports
+  conditions:
+  - type: Available
+    status: "True"
+    reason: Success
+  - type: Progressing
+    status: "False"
+    reason: Success
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+resourceRefs:
+    - apiVersion: openstack.k-orc.cloud/v1alpha1
+      kind: ApplicationCredential
+      name: applicationcredential-create-full
+      ref: applicationcredential
+assertAll:
+    - celExpr: "applicationcredential.status.id != ''"
+    # TODO(scaffolding): Add more checks
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-create-full/00-create-resource.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-create-full/00-create-resource.yaml
new file mode 100644
index 000000000..be77faf92
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-create-full/00-create-resource.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: ApplicationCredential
+metadata:
+  name: applicationcredential-create-full
+spec:
+  cloudCredentialsRef:
+    # TODO(scaffolding): Use openstack-admin if the resource needs admin credentials to be created
+    cloudName: openstack
+    secretName: openstack-clouds
+  managementPolicy: managed
+  resource:
+    name: applicationcredential-create-full-override
+    description: ApplicationCredential from "create full" test
+    # TODO(scaffolding): Add all fields the resource supports
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-create-full/00-secret.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-create-full/00-secret.yaml
new file mode 100644
index 000000000..045711ee7
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-create-full/00-secret.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl create secret generic openstack-clouds --from-file=clouds.yaml=${E2E_KUTTL_OSCLOUDS} ${E2E_KUTTL_CACERT_OPT}
+    namespaced: true
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-create-full/README.md b/internal/controllers/applicationcredential/tests/applicationcredential-create-full/README.md
new file mode 100644
index 000000000..77afac10d
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-create-full/README.md
@@ -0,0 +1,11 @@
+# Create a ApplicationCredential with all the options
+
+## Step 00
+
+Create a ApplicationCredential using all available fields, and verify that the observed state corresponds to the spec.
+
+Also validate that the OpenStack resource uses the name from the spec when it is specified.
+
+## Reference
+
+https://k-orc.cloud/development/writing-tests/#create-full
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-create-minimal/00-assert.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-create-minimal/00-assert.yaml
new file mode 100644
index 000000000..1b9dc0db0
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-create-minimal/00-assert.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: ApplicationCredential
+metadata:
+  name: applicationcredential-create-minimal
+status:
+  resource:
+    name: applicationcredential-create-minimal
+    # TODO(scaffolding): Add all fields the resource supports
+  conditions:
+  - type: Available
+    status: "True"
+    reason: Success
+  - type: Progressing
+    status: "False"
+    reason: Success
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+resourceRefs:
+    - apiVersion: openstack.k-orc.cloud/v1alpha1
+      kind: ApplicationCredential
+      name: applicationcredential-create-minimal
+      ref: applicationcredential
+assertAll:
+    - celExpr: "applicationcredential.status.id != ''"
+    # TODO(scaffolding): Add more checks
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-create-minimal/00-create-resource.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-create-minimal/00-create-resource.yaml
new file mode 100644
index 000000000..df4ff5119
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-create-minimal/00-create-resource.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: ApplicationCredential
+metadata:
+  name: applicationcredential-create-minimal
+spec:
+  cloudCredentialsRef:
+    # TODO(scaffolding): Use openstack-admin if the resource needs admin credentials to be created
+    cloudName: openstack
+    secretName: openstack-clouds
+  managementPolicy: managed
+  # TODO(scaffolding): Only add the mandatory fields. It's possible the resource
+  # doesn't have mandatory fields, in that case, leave it empty.
+  resource: {}
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-create-minimal/00-secret.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-create-minimal/00-secret.yaml
new file mode 100644
index 000000000..045711ee7
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-create-minimal/00-secret.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl create secret generic openstack-clouds --from-file=clouds.yaml=${E2E_KUTTL_OSCLOUDS} ${E2E_KUTTL_CACERT_OPT}
+    namespaced: true
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-create-minimal/01-assert.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-create-minimal/01-assert.yaml
new file mode 100644
index 000000000..6362f0b10
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-create-minimal/01-assert.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+resourceRefs:
+    - apiVersion: v1
+      kind: Secret
+      name: openstack-clouds
+      ref: secret
+assertAll:
+    - celExpr: "secret.metadata.deletionTimestamp != 0"
+    - celExpr: "'openstack.k-orc.cloud/applicationcredential' in secret.metadata.finalizers"
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-create-minimal/01-delete-secret.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-create-minimal/01-delete-secret.yaml
new file mode 100644
index 000000000..1620791b9
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-create-minimal/01-delete-secret.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  # We expect the deletion to hang due to the finalizer, so use --wait=false
+  - command: kubectl delete secret openstack-clouds --wait=false
+    namespaced: true
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-create-minimal/README.md b/internal/controllers/applicationcredential/tests/applicationcredential-create-minimal/README.md
new file mode 100644
index 000000000..79cd913b3
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-create-minimal/README.md
@@ -0,0 +1,15 @@
+# Create a ApplicationCredential with the minimum options
+
+## Step 00
+
+Create a minimal ApplicationCredential, that sets only the required fields, and verify that the observed state corresponds to the spec.
+
+Also validate that the OpenStack resource uses the name of the ORC object when no name is explicitly specified.
+
+## Step 01
+
+Try deleting the secret and ensure that it is not deleted thanks to the finalizer.
+
+## Reference
+
+https://k-orc.cloud/development/writing-tests/#create-minimal
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-import-error/00-assert.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-import-error/00-assert.yaml
new file mode 100644
index 000000000..00afbdf41
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-import-error/00-assert.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: ApplicationCredential
+metadata:
+  name: applicationcredential-import-error-external-1
+status:
+  conditions:
+    - type: Available
+      message: OpenStack resource is available
+      status: "True"
+      reason: Success
+    - type: Progressing
+      message: OpenStack resource is up to date
+      status: "False"
+      reason: Success
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: ApplicationCredential
+metadata:
+  name: applicationcredential-import-error-external-2
+status:
+  conditions:
+    - type: Available
+      message: OpenStack resource is available
+      status: "True"
+      reason: Success
+    - type: Progressing
+      message: OpenStack resource is up to date
+      status: "False"
+      reason: Success
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-import-error/00-create-resources.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-import-error/00-create-resources.yaml
new file mode 100644
index 000000000..84d10c3d6
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-import-error/00-create-resources.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: ApplicationCredential
+metadata:
+  name: applicationcredential-import-error-external-1
+spec:
+  cloudCredentialsRef:
+    # TODO(scaffolding): Use openstack-admin if the resource needs admin credentials to be created
+    cloudName: openstack
+    secretName: openstack-clouds
+  managementPolicy: managed
+  resource:
+    description: ApplicationCredential from "import error" test
+    # TODO(scaffolding): add any required field
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: ApplicationCredential
+metadata:
+  name: applicationcredential-import-error-external-2
+spec:
+  cloudCredentialsRef:
+    # TODO(scaffolding): Use openstack-admin if the resource needs admin credentials to be created
+    cloudName: openstack
+    secretName: openstack-clouds
+  managementPolicy: managed
+  resource:
+    description: ApplicationCredential from "import error" test
+    # TODO(scaffolding): add any required field
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-import-error/00-secret.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-import-error/00-secret.yaml
new file mode 100644
index 000000000..045711ee7
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-import-error/00-secret.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl create secret generic openstack-clouds --from-file=clouds.yaml=${E2E_KUTTL_OSCLOUDS} ${E2E_KUTTL_CACERT_OPT}
+    namespaced: true
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-import-error/01-assert.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-import-error/01-assert.yaml
new file mode 100644
index 000000000..e97dd9774
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-import-error/01-assert.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: ApplicationCredential
+metadata:
+  name: applicationcredential-import-error
+status:
+  conditions:
+    - type: Available
+      message: found more than one matching OpenStack resource during import
+      status: "False"
+      reason: InvalidConfiguration
+    - type: Progressing
+      message: found more than one matching OpenStack resource during import
+      status: "False"
+      reason: InvalidConfiguration
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-import-error/01-import-resource.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-import-error/01-import-resource.yaml
new file mode 100644
index 000000000..e70ca24b4
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-import-error/01-import-resource.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: ApplicationCredential
+metadata:
+  name: applicationcredential-import-error
+spec:
+  cloudCredentialsRef:
+    cloudName: openstack
+    secretName: openstack-clouds
+  managementPolicy: unmanaged
+  import:
+    filter:
+      description: ApplicationCredential from "import error" test
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-import-error/README.md b/internal/controllers/applicationcredential/tests/applicationcredential-import-error/README.md
new file mode 100644
index 000000000..acd794097
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-import-error/README.md
@@ -0,0 +1,13 @@
+# Import ApplicationCredential with more than one matching resources
+
+## Step 00
+
+Create two ApplicationCredentials with identical specs.
+
+## Step 01
+
+Ensure that an imported ApplicationCredential with a filter matching the resources returns an error.
+
+## Reference
+
+https://k-orc.cloud/development/writing-tests/#import-error
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-import/00-assert.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-import/00-assert.yaml
new file mode 100644
index 000000000..53ef7ac86
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-import/00-assert.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: ApplicationCredential
+metadata:
+  name: applicationcredential-import
+status:
+  conditions:
+    - type: Available
+      message: Waiting for OpenStack resource to be created externally
+      status: "False"
+      reason: Progressing
+    - type: Progressing
+      message: Waiting for OpenStack resource to be created externally
+      status: "True"
+      reason: Progressing
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-import/00-import-resource.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-import/00-import-resource.yaml
new file mode 100644
index 000000000..f000ecfd5
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-import/00-import-resource.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: ApplicationCredential
+metadata:
+  name: applicationcredential-import
+spec:
+  cloudCredentialsRef:
+    cloudName: openstack
+    secretName: openstack-clouds
+  managementPolicy: unmanaged
+  import:
+    filter:
+      name: applicationcredential-import-external
+      description: ApplicationCredential applicationcredential-import-external from "applicationcredential-import" test
+      # TODO(scaffolding): Add all fields supported by the filter
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-import/00-secret.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-import/00-secret.yaml
new file mode 100644
index 000000000..045711ee7
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-import/00-secret.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl create secret generic openstack-clouds --from-file=clouds.yaml=${E2E_KUTTL_OSCLOUDS} ${E2E_KUTTL_CACERT_OPT}
+    namespaced: true
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-import/01-assert.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-import/01-assert.yaml
new file mode 100644
index 000000000..3e0618259
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-import/01-assert.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: ApplicationCredential
+metadata:
+  name: applicationcredential-import-external-not-this-one
+status:
+  conditions:
+    - type: Available
+      message: OpenStack resource is available
+      status: "True"
+      reason: Success
+    - type: Progressing
+      message: OpenStack resource is up to date
+      status: "False"
+      reason: Success
+  resource:
+    name: applicationcredential-import-external-not-this-one
+    description: ApplicationCredential applicationcredential-import-external from "applicationcredential-import" test
+    # TODO(scaffolding): Add fields necessary to match filter
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: ApplicationCredential
+metadata:
+  name: applicationcredential-import
+status:
+  conditions:
+    - type: Available
+      message: Waiting for OpenStack resource to be created externally
+      status: "False"
+      reason: Progressing
+    - type: Progressing
+      message: Waiting for OpenStack resource to be created externally
+      status: "True"
+      reason: Progressing
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-import/01-create-trap-resource.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-import/01-create-trap-resource.yaml
new file mode 100644
index 000000000..bb3d0d5c4
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-import/01-create-trap-resource.yaml
@@ -0,0 +1,17 @@
+---
+# This `applicationcredential-import-external-not-this-one` resource serves two purposes:
+# - ensure that we can successfully create another resource which name is a substring of it (i.e. it's not being adopted)
+# - ensure that importing a resource which name is a substring of it will not pick this one.
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: ApplicationCredential
+metadata:
+  name: applicationcredential-import-external-not-this-one
+spec:
+  cloudCredentialsRef:
+    # TODO(scaffolding): Use openstack-admin if the resource needs admin credentials to be created
+    cloudName: openstack
+    secretName: openstack-clouds
+  managementPolicy: managed
+  resource:
+    description: ApplicationCredential applicationcredential-import-external from "applicationcredential-import" test
+    # TODO(scaffolding): Add fields necessary to match filter
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-import/02-assert.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-import/02-assert.yaml
new file mode 100644
index 000000000..7412f2324
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-import/02-assert.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+resourceRefs:
+    - apiVersion: openstack.k-orc.cloud/v1alpha1
+      kind: ApplicationCredential
+      name: applicationcredential-import-external
+      ref: applicationcredential1
+    - apiVersion: openstack.k-orc.cloud/v1alpha1
+      kind: ApplicationCredential
+      name: applicationcredential-import-external-not-this-one
+      ref: applicationcredential2
+assertAll:
+    - celExpr: "applicationcredential1.status.id != applicationcredential2.status.id"
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: ApplicationCredential
+metadata:
+  name: applicationcredential-import
+status:
+  conditions:
+    - type: Available
+      message: OpenStack resource is available
+      status: "True"
+      reason: Success
+    - type: Progressing
+      message: OpenStack resource is up to date
+      status: "False"
+      reason: Success
+  resource:
+    name: applicationcredential-import-external
+    description: ApplicationCredential applicationcredential-import-external from "applicationcredential-import" test
+    # TODO(scaffolding): Add all fields the resource supports
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-import/02-create-resource.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-import/02-create-resource.yaml
new file mode 100644
index 000000000..bfdb1a1ae
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-import/02-create-resource.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: ApplicationCredential
+metadata:
+  name: applicationcredential-import-external
+spec:
+  cloudCredentialsRef:
+    # TODO(scaffolding): Use openstack-admin if the resource needs admin credentials to be created
+    cloudName: openstack
+    secretName: openstack-clouds
+  managementPolicy: managed
+  resource:
+    description: ApplicationCredential applicationcredential-import-external from "applicationcredential-import" test
+    # TODO(scaffolding): Add fields necessary to match filter
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-import/README.md b/internal/controllers/applicationcredential/tests/applicationcredential-import/README.md
new file mode 100644
index 000000000..36422d1a4
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-import/README.md
@@ -0,0 +1,18 @@
+# Import ApplicationCredential
+
+## Step 00
+
+Import a applicationcredential that matches all fields in the filter, and verify it is waiting for the external resource to be created.
+
+## Step 01
+
+Create a applicationcredential whose name is a superstring of the one specified in the import filter, otherwise matching the filter, and verify that it's not being imported.
+
+## Step 02
+
+Create a applicationcredential matching the filter and verify that the observed status on the imported applicationcredential corresponds to the spec of the created applicationcredential.
+Also, confirm that it does not adopt any applicationcredential whose name is a superstring of its own.
+
+## Reference
+
+https://k-orc.cloud/development/writing-tests/#import
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-update/00-assert.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-update/00-assert.yaml
new file mode 100644
index 000000000..fc2cfc9b5
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-update/00-assert.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+resourceRefs:
+    - apiVersion: openstack.k-orc.cloud/v1alpha1
+      kind: ApplicationCredential
+      name: applicationcredential-update
+      ref: applicationcredential
+assertAll:
+    - celExpr: "!has(applicationcredential.status.resource.description)"
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: ApplicationCredential
+metadata:
+  name: applicationcredential-update
+status:
+  resource:
+    name: applicationcredential-update
+    # TODO(scaffolding): Add matches for more fields
+  conditions:
+  - type: Available
+    status: "True"
+    reason: Success
+  - type: Progressing
+    status: "False"
+    reason: Success
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-update/00-minimal-resource.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-update/00-minimal-resource.yaml
new file mode 100644
index 000000000..449f6ad0f
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-update/00-minimal-resource.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: ApplicationCredential
+metadata:
+  name: applicationcredential-update
+spec:
+  cloudCredentialsRef:
+    # TODO(scaffolding): Use openstack-admin if the resource needs admin credentials to be created or updated
+    cloudName: openstack
+    secretName: openstack-clouds
+  managementPolicy: managed
+  # TODO(scaffolding): Only add the mandatory fields. It's possible the resource
+  # doesn't have mandatory fields, in that case, leave it empty.
+  resource: {}
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-update/00-secret.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-update/00-secret.yaml
new file mode 100644
index 000000000..045711ee7
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-update/00-secret.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl create secret generic openstack-clouds --from-file=clouds.yaml=${E2E_KUTTL_OSCLOUDS} ${E2E_KUTTL_CACERT_OPT}
+    namespaced: true
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-update/01-assert.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-update/01-assert.yaml
new file mode 100644
index 000000000..bb022f746
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-update/01-assert.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: ApplicationCredential
+metadata:
+  name: applicationcredential-update
+status:
+  resource:
+    name: applicationcredential-update-updated
+    description: applicationcredential-update-updated
+    # TODO(scaffolding): match all fields that were modified
+  conditions:
+  - type: Available
+    status: "True"
+    reason: Success
+  - type: Progressing
+    status: "False"
+    reason: Success
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-update/01-updated-resource.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-update/01-updated-resource.yaml
new file mode 100644
index 000000000..ad1de371a
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-update/01-updated-resource.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: ApplicationCredential
+metadata:
+  name: applicationcredential-update
+spec:
+  resource:
+    name: applicationcredential-update-updated
+    description: applicationcredential-update-updated
+    # TODO(scaffolding): update all mutable fields
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-update/02-assert.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-update/02-assert.yaml
new file mode 100644
index 000000000..ec6e12d54
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-update/02-assert.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+resourceRefs:
+    - apiVersion: openstack.k-orc.cloud/v1alpha1
+      kind: ApplicationCredential
+      name: applicationcredential-update
+      ref: applicationcredential
+assertAll:
+    - celExpr: "!has(applicationcredential.status.resource.description)"
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: ApplicationCredential
+metadata:
+  name: applicationcredential-update
+status:
+  resource:
+    name: applicationcredential-update
+    # TODO(scaffolding): validate that updated fields were all reverted to their original value
+  conditions:
+  - type: Available
+    status: "True"
+    reason: Success
+  - type: Progressing
+    status: "False"
+    reason: Success
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-update/02-reverted-resource.yaml b/internal/controllers/applicationcredential/tests/applicationcredential-update/02-reverted-resource.yaml
new file mode 100644
index 000000000..2c6c253ff
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-update/02-reverted-resource.yaml
@@ -0,0 +1,7 @@
+# NOTE: kuttl only does patch updates, which means we can't delete a field.
+# We have to use a kubectl apply command instead.
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl replace -f 00-minimal-resource.yaml
+    namespaced: true
diff --git a/internal/controllers/applicationcredential/tests/applicationcredential-update/README.md b/internal/controllers/applicationcredential/tests/applicationcredential-update/README.md
new file mode 100644
index 000000000..020723c0e
--- /dev/null
+++ b/internal/controllers/applicationcredential/tests/applicationcredential-update/README.md
@@ -0,0 +1,17 @@
+# Update ApplicationCredential
+
+## Step 00
+
+Create a ApplicationCredential using only mandatory fields.
+
+## Step 01
+
+Update all mutable fields.
+
+## Step 02
+
+Revert the resource to its original value and verify that the resulting object matches its state when first created.
+
+## Reference
+
+https://k-orc.cloud/development/writing-tests/#update
diff --git a/internal/controllers/applicationcredential/zz_generated.adapter.go b/internal/controllers/applicationcredential/zz_generated.adapter.go
new file mode 100644
index 000000000..55f0b5346
--- /dev/null
+++ b/internal/controllers/applicationcredential/zz_generated.adapter.go
@@ -0,0 +1,88 @@
+// Code generated by resource-generator. DO NOT EDIT.
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package applicationcredential
+
+import (
+	orcv1alpha1 "github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1"
+	"github.com/k-orc/openstack-resource-controller/v2/internal/controllers/generic/interfaces"
+)
+
+// Fundamental types
+type (
+	orcObjectT     = orcv1alpha1.ApplicationCredential
+	orcObjectListT = orcv1alpha1.ApplicationCredentialList
+	resourceSpecT  = orcv1alpha1.ApplicationCredentialResourceSpec
+	filterT        = orcv1alpha1.ApplicationCredentialFilter
+)
+
+// Derived types
+type (
+	orcObjectPT = *orcObjectT
+	adapterI    = interfaces.APIObjectAdapter[orcObjectPT, resourceSpecT, filterT]
+	adapterT    = applicationcredentialAdapter
+)
+
+type applicationcredentialAdapter struct {
+	*orcv1alpha1.ApplicationCredential
+}
+
+var _ adapterI = &adapterT{}
+
+func (f adapterT) GetObject() orcObjectPT {
+	return f.ApplicationCredential
+}
+
+func (f adapterT) GetManagementPolicy() orcv1alpha1.ManagementPolicy {
+	return f.Spec.ManagementPolicy
+}
+
+func (f adapterT) GetManagedOptions() *orcv1alpha1.ManagedOptions {
+	return f.Spec.ManagedOptions
+}
+
+func (f adapterT) GetStatusID() *string {
+	return f.Status.ID
+}
+
+func (f adapterT) GetResourceSpec() *resourceSpecT {
+	return f.Spec.Resource
+}
+
+func (f adapterT) GetImportID() *string {
+	if f.Spec.Import == nil {
+		return nil
+	}
+	return f.Spec.Import.ID
+}
+
+func (f adapterT) GetImportFilter() *filterT {
+	if f.Spec.Import == nil {
+		return nil
+	}
+	return f.Spec.Import.Filter
+}
+
+// getResourceName returns the name of the OpenStack resource we should use.
+// This method is not implemented as part of APIObjectAdapter as it is intended
+// to be used by resource actuators, which don't use the adapter.
+func getResourceName(orcObject orcObjectPT) string {
+	if orcObject.Spec.Resource.Name != nil {
+		return string(*orcObject.Spec.Resource.Name)
+	}
+	return orcObject.Name
+}
diff --git a/internal/controllers/applicationcredential/zz_generated.controller.go b/internal/controllers/applicationcredential/zz_generated.controller.go
new file mode 100644
index 000000000..09ae74111
--- /dev/null
+++ b/internal/controllers/applicationcredential/zz_generated.controller.go
@@ -0,0 +1,45 @@
+// Code generated by resource-generator. DO NOT EDIT.
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package applicationcredential
+
+import (
+	corev1 "k8s.io/api/core/v1"
+
+	"github.com/k-orc/openstack-resource-controller/v2/internal/util/dependency"
+	orcstrings "github.com/k-orc/openstack-resource-controller/v2/internal/util/strings"
+)
+
+var (
+	// NOTE: controllerName must be defined in any controller using this template
+
+	// finalizer is the string this controller adds to an object's Finalizers
+	finalizer = orcstrings.GetFinalizerName(controllerName)
+
+	// externalObjectFieldOwner is the field owner we use when using
+	// server-side-apply on objects we don't control
+	externalObjectFieldOwner = orcstrings.GetSSAFieldOwner(controllerName)
+
+	credentialsDependency = dependency.NewDeletionGuardDependency[*orcObjectListT, *corev1.Secret](
+		"spec.cloudCredentialsRef.secretName",
+		func(obj orcObjectPT) []string {
+			return []string{obj.Spec.CloudCredentialsRef.SecretName}
+		},
+		finalizer, externalObjectFieldOwner,
+		dependency.OverrideDependencyName("credentials"),
+	)
+)
diff --git a/internal/osclients/applicationcredential.go b/internal/osclients/applicationcredential.go
new file mode 100644
index 000000000..1f74db888
--- /dev/null
+++ b/internal/osclients/applicationcredential.go
@@ -0,0 +1,95 @@
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package osclients
+
+import (
+	"context"
+	"fmt"
+	"iter"
+
+	"github.com/gophercloud/gophercloud/v2"
+	"github.com/gophercloud/gophercloud/v2/openstack"
+	"github.com/gophercloud/gophercloud/v2/openstack/identity/v3/applicationcredentials"
+	"github.com/gophercloud/utils/v2/openstack/clientconfig"
+)
+
+type ApplicationCredentialClient interface {
+	ListApplicationCredentials(ctx context.Context, userID string, listOpts applicationcredentials.ListOptsBuilder) iter.Seq2[*applicationcredentials.ApplicationCredential, error]
+	CreateApplicationCredential(ctx context.Context, userID string, opts applicationcredentials.CreateOptsBuilder) (*applicationcredentials.ApplicationCredential, error)
+	DeleteApplicationCredential(ctx context.Context, userID string, resourceID string) error
+	GetApplicationCredential(ctx context.Context, userID string, resourceID string) (*applicationcredentials.ApplicationCredential, error)
+}
+
+type applicationcredentialClient struct{ client *gophercloud.ServiceClient }
+
+// NewApplicationCredentialClient returns a new OpenStack client.
+func NewApplicationCredentialClient(providerClient *gophercloud.ProviderClient, providerClientOpts *clientconfig.ClientOpts) (ApplicationCredentialClient, error) {
+	client, err := openstack.NewIdentityV3(providerClient, gophercloud.EndpointOpts{
+		Region:       providerClientOpts.RegionName,
+		Availability: clientconfig.GetEndpointType(providerClientOpts.EndpointType),
+	})
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to create applicationcredential service client: %v", err)
+	}
+
+	return &applicationcredentialClient{client}, nil
+}
+
+func (c applicationcredentialClient) ListApplicationCredentials(ctx context.Context, userID string, listOpts applicationcredentials.ListOptsBuilder) iter.Seq2[*applicationcredentials.ApplicationCredential, error] {
+	pager := applicationcredentials.List(c.client, userID, listOpts)
+	return func(yield func(*applicationcredentials.ApplicationCredential, error) bool) {
+		_ = pager.EachPage(ctx, yieldPage(applicationcredentials.ExtractApplicationCredentials, yield))
+	}
+}
+
+func (c applicationcredentialClient) CreateApplicationCredential(ctx context.Context, userID string, opts applicationcredentials.CreateOptsBuilder) (*applicationcredentials.ApplicationCredential, error) {
+	return applicationcredentials.Create(ctx, c.client, userID, opts).Extract()
+}
+
+func (c applicationcredentialClient) DeleteApplicationCredential(ctx context.Context, userID string, resourceID string) error {
+	return applicationcredentials.Delete(ctx, c.client, userID, resourceID).ExtractErr()
+}
+
+func (c applicationcredentialClient) GetApplicationCredential(ctx context.Context, userID string, resourceID string) (*applicationcredentials.ApplicationCredential, error) {
+	return applicationcredentials.Get(ctx, c.client, userID, resourceID).Extract()
+}
+
+type applicationcredentialErrorClient struct{ error }
+
+// NewApplicationCredentialErrorClient returns a ApplicationCredentialClient in which every method returns the given error.
+func NewApplicationCredentialErrorClient(e error) ApplicationCredentialClient {
+	return applicationcredentialErrorClient{e}
+}
+
+func (e applicationcredentialErrorClient) ListApplicationCredentials(_ context.Context, _ string, _ applicationcredentials.ListOptsBuilder) iter.Seq2[*applicationcredentials.ApplicationCredential, error] {
+	return func(yield func(*applicationcredentials.ApplicationCredential, error) bool) {
+		yield(nil, e.error)
+	}
+}
+
+func (e applicationcredentialErrorClient) CreateApplicationCredential(_ context.Context, _ string, _ applicationcredentials.CreateOptsBuilder) (*applicationcredentials.ApplicationCredential, error) {
+	return nil, e.error
+}
+
+func (e applicationcredentialErrorClient) DeleteApplicationCredential(_ context.Context, _ string, _ string) error {
+	return e.error
+}
+
+func (e applicationcredentialErrorClient) GetApplicationCredential(_ context.Context, _ string, _ string) (*applicationcredentials.ApplicationCredential, error) {
+	return nil, e.error
+}
diff --git a/internal/osclients/mock/applicationcredential.go b/internal/osclients/mock/applicationcredential.go
new file mode 100644
index 000000000..b8dbe819b
--- /dev/null
+++ b/internal/osclients/mock/applicationcredential.go
@@ -0,0 +1,116 @@
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+// Code generated by MockGen. DO NOT EDIT.
+// Source: ../applicationcredential.go
+//
+// Generated by this command:
+//
+//	mockgen -package mock -destination=applicationcredential.go -source=../applicationcredential.go github.com/k-orc/openstack-resource-controller/internal/osclients/mock ApplicationCredentialClient
+//
+
+// Package mock is a generated GoMock package.
+package mock
+
+import (
+	context "context"
+	iter "iter"
+	reflect "reflect"
+
+	applicationcredentials "github.com/gophercloud/gophercloud/v2/openstack/identity/v3/applicationcredentials"
+	gomock "go.uber.org/mock/gomock"
+)
+
+// MockApplicationCredentialClient is a mock of ApplicationCredentialClient interface.
+type MockApplicationCredentialClient struct {
+	ctrl     *gomock.Controller
+	recorder *MockApplicationCredentialClientMockRecorder
+	isgomock struct{}
+}
+
+// MockApplicationCredentialClientMockRecorder is the mock recorder for MockApplicationCredentialClient.
+type MockApplicationCredentialClientMockRecorder struct {
+	mock *MockApplicationCredentialClient
+}
+
+// NewMockApplicationCredentialClient creates a new mock instance.
+func NewMockApplicationCredentialClient(ctrl *gomock.Controller) *MockApplicationCredentialClient {
+	mock := &MockApplicationCredentialClient{ctrl: ctrl}
+	mock.recorder = &MockApplicationCredentialClientMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockApplicationCredentialClient) EXPECT() *MockApplicationCredentialClientMockRecorder {
+	return m.recorder
+}
+
+// CreateApplicationCredential mocks base method.
+func (m *MockApplicationCredentialClient) CreateApplicationCredential(ctx context.Context, userID string, opts applicationcredentials.CreateOptsBuilder) (*applicationcredentials.ApplicationCredential, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "CreateApplicationCredential", ctx, userID, opts)
+	ret0, _ := ret[0].(*applicationcredentials.ApplicationCredential)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// CreateApplicationCredential indicates an expected call of CreateApplicationCredential.
+func (mr *MockApplicationCredentialClientMockRecorder) CreateApplicationCredential(ctx, userID, opts any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateApplicationCredential", reflect.TypeOf((*MockApplicationCredentialClient)(nil).CreateApplicationCredential), ctx, userID, opts)
+}
+
+// DeleteApplicationCredential mocks base method.
+func (m *MockApplicationCredentialClient) DeleteApplicationCredential(ctx context.Context, userID, resourceID string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "DeleteApplicationCredential", ctx, userID, resourceID)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// DeleteApplicationCredential indicates an expected call of DeleteApplicationCredential.
+func (mr *MockApplicationCredentialClientMockRecorder) DeleteApplicationCredential(ctx, userID, resourceID any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteApplicationCredential", reflect.TypeOf((*MockApplicationCredentialClient)(nil).DeleteApplicationCredential), ctx, userID, resourceID)
+}
+
+// GetApplicationCredential mocks base method.
+func (m *MockApplicationCredentialClient) GetApplicationCredential(ctx context.Context, userID, resourceID string) (*applicationcredentials.ApplicationCredential, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetApplicationCredential", ctx, userID, resourceID)
+	ret0, _ := ret[0].(*applicationcredentials.ApplicationCredential)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// GetApplicationCredential indicates an expected call of GetApplicationCredential.
+func (mr *MockApplicationCredentialClientMockRecorder) GetApplicationCredential(ctx, userID, resourceID any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetApplicationCredential", reflect.TypeOf((*MockApplicationCredentialClient)(nil).GetApplicationCredential), ctx, userID, resourceID)
+}
+
+// ListApplicationCredentials mocks base method.
+func (m *MockApplicationCredentialClient) ListApplicationCredentials(ctx context.Context, userID string, listOpts applicationcredentials.ListOptsBuilder) iter.Seq2[*applicationcredentials.ApplicationCredential, error] {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ListApplicationCredentials", ctx, userID, listOpts)
+	ret0, _ := ret[0].(iter.Seq2[*applicationcredentials.ApplicationCredential, error])
+	return ret0
+}
+
+// ListApplicationCredentials indicates an expected call of ListApplicationCredentials.
+func (mr *MockApplicationCredentialClientMockRecorder) ListApplicationCredentials(ctx, userID, listOpts any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ListApplicationCredentials", reflect.TypeOf((*MockApplicationCredentialClient)(nil).ListApplicationCredentials), ctx, userID, listOpts)
+}
diff --git a/internal/osclients/mock/doc.go b/internal/osclients/mock/doc.go
index 0da3b97ba..ce6bcf03c 100644
--- a/internal/osclients/mock/doc.go
+++ b/internal/osclients/mock/doc.go
@@ -35,6 +35,9 @@ import (
 //go:generate mockgen -package mock -destination=identity.go -source=../identity.go github.com/k-orc/openstack-resource-controller/internal/osclients/mock IdentityClient
 //go:generate /usr/bin/env bash -c "cat ../../../hack/boilerplate.go.txt identity.go > _identity.go && mv _identity.go identity.go"
 
+//go:generate mockgen -package mock -destination=applicationcredential.go -source=../applicationcredential.go github.com/k-orc/openstack-resource-controller/internal/osclients/mock ApplicationCredentialClient
+//go:generate /usr/bin/env bash -c "cat ../../../hack/boilerplate.go.txt applicationcredential.go > _applicationcredential.go && mv _applicationcredential.go applicationcredential.go"
+
 //go:generate mockgen -package mock -destination=domain.go -source=../domain.go github.com/k-orc/openstack-resource-controller/internal/osclients/mock DomainClient
 //go:generate /usr/bin/env bash -c "cat ../../../hack/boilerplate.go.txt domain.go > _domain.go && mv _domain.go domain.go"
 
diff --git a/internal/scope/mock.go b/internal/scope/mock.go
index ef959fae5..1fc86b66a 100644
--- a/internal/scope/mock.go
+++ b/internal/scope/mock.go
@@ -34,22 +34,24 @@ import (
 // MockScopeFactory implements both the ScopeFactory and ClientScope interfaces. It can be used in place of the default ProviderScopeFactory
 // when we want to use mocked service clients which do not attempt to connect to a running OpenStack cloud.
 type MockScopeFactory struct {
-	ComputeClient    *mock.MockComputeClient
-	DomainClient     *mock.MockDomainClient
-	GroupClient      *mock.MockGroupClient
-	IdentityClient   *mock.MockIdentityClient
-	ImageClient      *mock.MockImageClient
-	KeyPairClient    *mock.MockKeyPairClient
-	NetworkClient    *mock.MockNetworkClient
-	RoleClient       *mock.MockRoleClient
-	ServiceClient    *mock.MockServiceClient
-	VolumeClient     *mock.MockVolumeClient
-	VolumeTypeClient *mock.MockVolumeTypeClient
+	ApplicationCredentialClient *mock.MockApplicationCredentialClient
+	ComputeClient               *mock.MockComputeClient
+	DomainClient                *mock.MockDomainClient
+	GroupClient                 *mock.MockGroupClient
+	IdentityClient              *mock.MockIdentityClient
+	ImageClient                 *mock.MockImageClient
+	KeyPairClient               *mock.MockKeyPairClient
+	NetworkClient               *mock.MockNetworkClient
+	RoleClient                  *mock.MockRoleClient
+	ServiceClient               *mock.MockServiceClient
+	VolumeClient                *mock.MockVolumeClient
+	VolumeTypeClient            *mock.MockVolumeTypeClient
 
 	clientScopeCreateError error
 }
 
 func NewMockScopeFactory(mockCtrl *gomock.Controller) *MockScopeFactory {
+	applicationcredentialClient := mock.NewMockApplicationCredentialClient(mockCtrl)
 	computeClient := mock.NewMockComputeClient(mockCtrl)
 	domainClient := mock.NewMockDomainClient(mockCtrl)
 	groupClient := mock.NewMockGroupClient(mockCtrl)
@@ -63,17 +65,18 @@ func NewMockScopeFactory(mockCtrl *gomock.Controller) *MockScopeFactory {
 	volumetypeClient := mock.NewMockVolumeTypeClient(mockCtrl)
 
 	return &MockScopeFactory{
-		ComputeClient:    computeClient,
-		DomainClient:     domainClient,
-		GroupClient:      groupClient,
-		IdentityClient:   identityClient,
-		ImageClient:      imageClient,
-		KeyPairClient:    keypairClient,
-		NetworkClient:    networkClient,
-		RoleClient:       roleClient,
-		ServiceClient:    serviceClient,
-		VolumeClient:     volumeClient,
-		VolumeTypeClient: volumetypeClient,
+		ApplicationCredentialClient: applicationcredentialClient,
+		ComputeClient:               computeClient,
+		DomainClient:                domainClient,
+		GroupClient:                 groupClient,
+		IdentityClient:              identityClient,
+		ImageClient:                 imageClient,
+		KeyPairClient:               keypairClient,
+		NetworkClient:               networkClient,
+		RoleClient:                  roleClient,
+		ServiceClient:               serviceClient,
+		VolumeClient:                volumeClient,
+		VolumeTypeClient:            volumetypeClient,
 	}
 }
 
@@ -132,6 +135,10 @@ func (f *MockScopeFactory) NewRoleClient() (osclients.RoleClient, error) {
 	return f.RoleClient, nil
 }
 
+func (f *MockScopeFactory) NewApplicationCredentialClient() (osclients.ApplicationCredentialClient, error) {
+	return f.ApplicationCredentialClient, nil
+}
+
 func (f *MockScopeFactory) ExtractToken() (*tokens.Token, error) {
 	return &tokens.Token{ExpiresAt: time.Now().Add(24 * time.Hour)}, nil
 }
diff --git a/internal/scope/provider.go b/internal/scope/provider.go
index 65670ba60..849858e75 100644
--- a/internal/scope/provider.go
+++ b/internal/scope/provider.go
@@ -137,6 +137,10 @@ func NewCachedProviderScope(cache *cache.LRUExpireCache, cloud clientconfig.Clou
 	return scope, nil
 }
 
+func (s *providerScope) NewApplicationCredentialClient() (clients.ApplicationCredentialClient, error) {
+	return clients.NewApplicationCredentialClient(s.providerClient, s.providerClientOpts)
+}
+
 func (s *providerScope) NewComputeClient() (clients.ComputeClient, error) {
 	return clients.NewComputeClient(s.providerClient, s.providerClientOpts)
 }
diff --git a/internal/scope/scope.go b/internal/scope/scope.go
index 7da50dc8f..abb61be71 100644
--- a/internal/scope/scope.go
+++ b/internal/scope/scope.go
@@ -48,6 +48,7 @@ type Factory interface {
 
 // Scope contains arguments common to most operations.
 type Scope interface {
+	NewApplicationCredentialClient() (osclients.ApplicationCredentialClient, error)
 	NewComputeClient() (osclients.ComputeClient, error)
 	NewDomainClient() (osclients.DomainClient, error)
 	NewGroupClient() (osclients.GroupClient, error)
diff --git a/kuttl-test.yaml b/kuttl-test.yaml
index d499782e6..005930bef 100644
--- a/kuttl-test.yaml
+++ b/kuttl-test.yaml
@@ -2,6 +2,7 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestSuite
 testDirs:
+- ./internal/controllers/applicationcredential/tests/
 - ./internal/controllers/domain/tests/
 - ./internal/controllers/flavor/tests/
 - ./internal/controllers/floatingip/tests/
diff --git a/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredential.go b/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredential.go
new file mode 100644
index 000000000..db5eb36e8
--- /dev/null
+++ b/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredential.go
@@ -0,0 +1,281 @@
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	apiv1alpha1 "github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1"
+	internal "github.com/k-orc/openstack-resource-controller/v2/pkg/clients/applyconfiguration/internal"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	managedfields "k8s.io/apimachinery/pkg/util/managedfields"
+	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// ApplicationCredentialApplyConfiguration represents a declarative configuration of the ApplicationCredential type for use
+// with apply.
+type ApplicationCredentialApplyConfiguration struct {
+	v1.TypeMetaApplyConfiguration    `json:",inline"`
+	*v1.ObjectMetaApplyConfiguration `json:"metadata,omitempty"`
+	Spec                             *ApplicationCredentialSpecApplyConfiguration   `json:"spec,omitempty"`
+	Status                           *ApplicationCredentialStatusApplyConfiguration `json:"status,omitempty"`
+}
+
+// ApplicationCredential constructs a declarative configuration of the ApplicationCredential type for use with
+// apply.
+func ApplicationCredential(name, namespace string) *ApplicationCredentialApplyConfiguration {
+	b := &ApplicationCredentialApplyConfiguration{}
+	b.WithName(name)
+	b.WithNamespace(namespace)
+	b.WithKind("ApplicationCredential")
+	b.WithAPIVersion("openstack.k-orc.cloud/v1alpha1")
+	return b
+}
+
+// ExtractApplicationCredential extracts the applied configuration owned by fieldManager from
+// applicationCredential. If no managedFields are found in applicationCredential for fieldManager, a
+// ApplicationCredentialApplyConfiguration is returned with only the Name, Namespace (if applicable),
+// APIVersion and Kind populated. It is possible that no managed fields were found for because other
+// field managers have taken ownership of all the fields previously owned by fieldManager, or because
+// the fieldManager never owned fields any fields.
+// applicationCredential must be a unmodified ApplicationCredential API object that was retrieved from the Kubernetes API.
+// ExtractApplicationCredential provides a way to perform a extract/modify-in-place/apply workflow.
+// Note that an extracted apply configuration will contain fewer fields than what the fieldManager previously
+// applied if another fieldManager has updated or force applied any of the previously applied fields.
+// Experimental!
+func ExtractApplicationCredential(applicationCredential *apiv1alpha1.ApplicationCredential, fieldManager string) (*ApplicationCredentialApplyConfiguration, error) {
+	return extractApplicationCredential(applicationCredential, fieldManager, "")
+}
+
+// ExtractApplicationCredentialStatus is the same as ExtractApplicationCredential except
+// that it extracts the status subresource applied configuration.
+// Experimental!
+func ExtractApplicationCredentialStatus(applicationCredential *apiv1alpha1.ApplicationCredential, fieldManager string) (*ApplicationCredentialApplyConfiguration, error) {
+	return extractApplicationCredential(applicationCredential, fieldManager, "status")
+}
+
+func extractApplicationCredential(applicationCredential *apiv1alpha1.ApplicationCredential, fieldManager string, subresource string) (*ApplicationCredentialApplyConfiguration, error) {
+	b := &ApplicationCredentialApplyConfiguration{}
+	err := managedfields.ExtractInto(applicationCredential, internal.Parser().Type("com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.ApplicationCredential"), fieldManager, b, subresource)
+	if err != nil {
+		return nil, err
+	}
+	b.WithName(applicationCredential.Name)
+	b.WithNamespace(applicationCredential.Namespace)
+
+	b.WithKind("ApplicationCredential")
+	b.WithAPIVersion("openstack.k-orc.cloud/v1alpha1")
+	return b, nil
+}
+func (b ApplicationCredentialApplyConfiguration) IsApplyConfiguration() {}
+
+// WithKind sets the Kind field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Kind field is set to the value of the last call.
+func (b *ApplicationCredentialApplyConfiguration) WithKind(value string) *ApplicationCredentialApplyConfiguration {
+	b.TypeMetaApplyConfiguration.Kind = &value
+	return b
+}
+
+// WithAPIVersion sets the APIVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the APIVersion field is set to the value of the last call.
+func (b *ApplicationCredentialApplyConfiguration) WithAPIVersion(value string) *ApplicationCredentialApplyConfiguration {
+	b.TypeMetaApplyConfiguration.APIVersion = &value
+	return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *ApplicationCredentialApplyConfiguration) WithName(value string) *ApplicationCredentialApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Name = &value
+	return b
+}
+
+// WithGenerateName sets the GenerateName field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the GenerateName field is set to the value of the last call.
+func (b *ApplicationCredentialApplyConfiguration) WithGenerateName(value string) *ApplicationCredentialApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.GenerateName = &value
+	return b
+}
+
+// WithNamespace sets the Namespace field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Namespace field is set to the value of the last call.
+func (b *ApplicationCredentialApplyConfiguration) WithNamespace(value string) *ApplicationCredentialApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Namespace = &value
+	return b
+}
+
+// WithUID sets the UID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UID field is set to the value of the last call.
+func (b *ApplicationCredentialApplyConfiguration) WithUID(value types.UID) *ApplicationCredentialApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.UID = &value
+	return b
+}
+
+// WithResourceVersion sets the ResourceVersion field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ResourceVersion field is set to the value of the last call.
+func (b *ApplicationCredentialApplyConfiguration) WithResourceVersion(value string) *ApplicationCredentialApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.ResourceVersion = &value
+	return b
+}
+
+// WithGeneration sets the Generation field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Generation field is set to the value of the last call.
+func (b *ApplicationCredentialApplyConfiguration) WithGeneration(value int64) *ApplicationCredentialApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.Generation = &value
+	return b
+}
+
+// WithCreationTimestamp sets the CreationTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CreationTimestamp field is set to the value of the last call.
+func (b *ApplicationCredentialApplyConfiguration) WithCreationTimestamp(value metav1.Time) *ApplicationCredentialApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.CreationTimestamp = &value
+	return b
+}
+
+// WithDeletionTimestamp sets the DeletionTimestamp field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionTimestamp field is set to the value of the last call.
+func (b *ApplicationCredentialApplyConfiguration) WithDeletionTimestamp(value metav1.Time) *ApplicationCredentialApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.DeletionTimestamp = &value
+	return b
+}
+
+// WithDeletionGracePeriodSeconds sets the DeletionGracePeriodSeconds field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DeletionGracePeriodSeconds field is set to the value of the last call.
+func (b *ApplicationCredentialApplyConfiguration) WithDeletionGracePeriodSeconds(value int64) *ApplicationCredentialApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	b.ObjectMetaApplyConfiguration.DeletionGracePeriodSeconds = &value
+	return b
+}
+
+// WithLabels puts the entries into the Labels field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Labels field,
+// overwriting an existing map entries in Labels field with the same key.
+func (b *ApplicationCredentialApplyConfiguration) WithLabels(entries map[string]string) *ApplicationCredentialApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.ObjectMetaApplyConfiguration.Labels == nil && len(entries) > 0 {
+		b.ObjectMetaApplyConfiguration.Labels = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.ObjectMetaApplyConfiguration.Labels[k] = v
+	}
+	return b
+}
+
+// WithAnnotations puts the entries into the Annotations field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Annotations field,
+// overwriting an existing map entries in Annotations field with the same key.
+func (b *ApplicationCredentialApplyConfiguration) WithAnnotations(entries map[string]string) *ApplicationCredentialApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	if b.ObjectMetaApplyConfiguration.Annotations == nil && len(entries) > 0 {
+		b.ObjectMetaApplyConfiguration.Annotations = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.ObjectMetaApplyConfiguration.Annotations[k] = v
+	}
+	return b
+}
+
+// WithOwnerReferences adds the given value to the OwnerReferences field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the OwnerReferences field.
+func (b *ApplicationCredentialApplyConfiguration) WithOwnerReferences(values ...*v1.OwnerReferenceApplyConfiguration) *ApplicationCredentialApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithOwnerReferences")
+		}
+		b.ObjectMetaApplyConfiguration.OwnerReferences = append(b.ObjectMetaApplyConfiguration.OwnerReferences, *values[i])
+	}
+	return b
+}
+
+// WithFinalizers adds the given value to the Finalizers field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Finalizers field.
+func (b *ApplicationCredentialApplyConfiguration) WithFinalizers(values ...string) *ApplicationCredentialApplyConfiguration {
+	b.ensureObjectMetaApplyConfigurationExists()
+	for i := range values {
+		b.ObjectMetaApplyConfiguration.Finalizers = append(b.ObjectMetaApplyConfiguration.Finalizers, values[i])
+	}
+	return b
+}
+
+func (b *ApplicationCredentialApplyConfiguration) ensureObjectMetaApplyConfigurationExists() {
+	if b.ObjectMetaApplyConfiguration == nil {
+		b.ObjectMetaApplyConfiguration = &v1.ObjectMetaApplyConfiguration{}
+	}
+}
+
+// WithSpec sets the Spec field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Spec field is set to the value of the last call.
+func (b *ApplicationCredentialApplyConfiguration) WithSpec(value *ApplicationCredentialSpecApplyConfiguration) *ApplicationCredentialApplyConfiguration {
+	b.Spec = value
+	return b
+}
+
+// WithStatus sets the Status field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Status field is set to the value of the last call.
+func (b *ApplicationCredentialApplyConfiguration) WithStatus(value *ApplicationCredentialStatusApplyConfiguration) *ApplicationCredentialApplyConfiguration {
+	b.Status = value
+	return b
+}
+
+// GetKind retrieves the value of the Kind field in the declarative configuration.
+func (b *ApplicationCredentialApplyConfiguration) GetKind() *string {
+	return b.TypeMetaApplyConfiguration.Kind
+}
+
+// GetAPIVersion retrieves the value of the APIVersion field in the declarative configuration.
+func (b *ApplicationCredentialApplyConfiguration) GetAPIVersion() *string {
+	return b.TypeMetaApplyConfiguration.APIVersion
+}
+
+// GetName retrieves the value of the Name field in the declarative configuration.
+func (b *ApplicationCredentialApplyConfiguration) GetName() *string {
+	b.ensureObjectMetaApplyConfigurationExists()
+	return b.ObjectMetaApplyConfiguration.Name
+}
+
+// GetNamespace retrieves the value of the Namespace field in the declarative configuration.
+func (b *ApplicationCredentialApplyConfiguration) GetNamespace() *string {
+	b.ensureObjectMetaApplyConfigurationExists()
+	return b.ObjectMetaApplyConfiguration.Namespace
+}
diff --git a/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialaccessrole.go b/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialaccessrole.go
new file mode 100644
index 000000000..66395d138
--- /dev/null
+++ b/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialaccessrole.go
@@ -0,0 +1,52 @@
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	apiv1alpha1 "github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1"
+)
+
+// ApplicationCredentialAccessRoleApplyConfiguration represents a declarative configuration of the ApplicationCredentialAccessRole type for use
+// with apply.
+type ApplicationCredentialAccessRoleApplyConfiguration struct {
+	Name *apiv1alpha1.OpenStackName `json:"name,omitempty"`
+	ID   *string                    `json:"id,omitempty"`
+}
+
+// ApplicationCredentialAccessRoleApplyConfiguration constructs a declarative configuration of the ApplicationCredentialAccessRole type for use with
+// apply.
+func ApplicationCredentialAccessRole() *ApplicationCredentialAccessRoleApplyConfiguration {
+	return &ApplicationCredentialAccessRoleApplyConfiguration{}
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *ApplicationCredentialAccessRoleApplyConfiguration) WithName(value apiv1alpha1.OpenStackName) *ApplicationCredentialAccessRoleApplyConfiguration {
+	b.Name = &value
+	return b
+}
+
+// WithID sets the ID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ID field is set to the value of the last call.
+func (b *ApplicationCredentialAccessRoleApplyConfiguration) WithID(value string) *ApplicationCredentialAccessRoleApplyConfiguration {
+	b.ID = &value
+	return b
+}
diff --git a/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialaccessrolestatus.go b/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialaccessrolestatus.go
new file mode 100644
index 000000000..536a84e61
--- /dev/null
+++ b/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialaccessrolestatus.go
@@ -0,0 +1,57 @@
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// ApplicationCredentialAccessRoleStatusApplyConfiguration represents a declarative configuration of the ApplicationCredentialAccessRoleStatus type for use
+// with apply.
+type ApplicationCredentialAccessRoleStatusApplyConfiguration struct {
+	Name     *string `json:"name,omitempty"`
+	ID       *string `json:"id,omitempty"`
+	DomainID *string `json:"domainID,omitempty"`
+}
+
+// ApplicationCredentialAccessRoleStatusApplyConfiguration constructs a declarative configuration of the ApplicationCredentialAccessRoleStatus type for use with
+// apply.
+func ApplicationCredentialAccessRoleStatus() *ApplicationCredentialAccessRoleStatusApplyConfiguration {
+	return &ApplicationCredentialAccessRoleStatusApplyConfiguration{}
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *ApplicationCredentialAccessRoleStatusApplyConfiguration) WithName(value string) *ApplicationCredentialAccessRoleStatusApplyConfiguration {
+	b.Name = &value
+	return b
+}
+
+// WithID sets the ID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ID field is set to the value of the last call.
+func (b *ApplicationCredentialAccessRoleStatusApplyConfiguration) WithID(value string) *ApplicationCredentialAccessRoleStatusApplyConfiguration {
+	b.ID = &value
+	return b
+}
+
+// WithDomainID sets the DomainID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DomainID field is set to the value of the last call.
+func (b *ApplicationCredentialAccessRoleStatusApplyConfiguration) WithDomainID(value string) *ApplicationCredentialAccessRoleStatusApplyConfiguration {
+	b.DomainID = &value
+	return b
+}
diff --git a/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialaccessrule.go b/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialaccessrule.go
new file mode 100644
index 000000000..8b620bc67
--- /dev/null
+++ b/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialaccessrule.go
@@ -0,0 +1,61 @@
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	apiv1alpha1 "github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1"
+)
+
+// ApplicationCredentialAccessRuleApplyConfiguration represents a declarative configuration of the ApplicationCredentialAccessRule type for use
+// with apply.
+type ApplicationCredentialAccessRuleApplyConfiguration struct {
+	Path    *string                 `json:"path,omitempty"`
+	Method  *apiv1alpha1.HTTPMethod `json:"method,omitempty"`
+	Service *string                 `json:"service,omitempty"`
+}
+
+// ApplicationCredentialAccessRuleApplyConfiguration constructs a declarative configuration of the ApplicationCredentialAccessRule type for use with
+// apply.
+func ApplicationCredentialAccessRule() *ApplicationCredentialAccessRuleApplyConfiguration {
+	return &ApplicationCredentialAccessRuleApplyConfiguration{}
+}
+
+// WithPath sets the Path field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Path field is set to the value of the last call.
+func (b *ApplicationCredentialAccessRuleApplyConfiguration) WithPath(value string) *ApplicationCredentialAccessRuleApplyConfiguration {
+	b.Path = &value
+	return b
+}
+
+// WithMethod sets the Method field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Method field is set to the value of the last call.
+func (b *ApplicationCredentialAccessRuleApplyConfiguration) WithMethod(value apiv1alpha1.HTTPMethod) *ApplicationCredentialAccessRuleApplyConfiguration {
+	b.Method = &value
+	return b
+}
+
+// WithService sets the Service field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Service field is set to the value of the last call.
+func (b *ApplicationCredentialAccessRuleApplyConfiguration) WithService(value string) *ApplicationCredentialAccessRuleApplyConfiguration {
+	b.Service = &value
+	return b
+}
diff --git a/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialaccessrulestatus.go b/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialaccessrulestatus.go
new file mode 100644
index 000000000..9624a3d3f
--- /dev/null
+++ b/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialaccessrulestatus.go
@@ -0,0 +1,66 @@
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// ApplicationCredentialAccessRuleStatusApplyConfiguration represents a declarative configuration of the ApplicationCredentialAccessRuleStatus type for use
+// with apply.
+type ApplicationCredentialAccessRuleStatusApplyConfiguration struct {
+	ID      *string `json:"id,omitempty"`
+	Path    *string `json:"path,omitempty"`
+	Method  *string `json:"method,omitempty"`
+	Service *string `json:"service,omitempty"`
+}
+
+// ApplicationCredentialAccessRuleStatusApplyConfiguration constructs a declarative configuration of the ApplicationCredentialAccessRuleStatus type for use with
+// apply.
+func ApplicationCredentialAccessRuleStatus() *ApplicationCredentialAccessRuleStatusApplyConfiguration {
+	return &ApplicationCredentialAccessRuleStatusApplyConfiguration{}
+}
+
+// WithID sets the ID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ID field is set to the value of the last call.
+func (b *ApplicationCredentialAccessRuleStatusApplyConfiguration) WithID(value string) *ApplicationCredentialAccessRuleStatusApplyConfiguration {
+	b.ID = &value
+	return b
+}
+
+// WithPath sets the Path field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Path field is set to the value of the last call.
+func (b *ApplicationCredentialAccessRuleStatusApplyConfiguration) WithPath(value string) *ApplicationCredentialAccessRuleStatusApplyConfiguration {
+	b.Path = &value
+	return b
+}
+
+// WithMethod sets the Method field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Method field is set to the value of the last call.
+func (b *ApplicationCredentialAccessRuleStatusApplyConfiguration) WithMethod(value string) *ApplicationCredentialAccessRuleStatusApplyConfiguration {
+	b.Method = &value
+	return b
+}
+
+// WithService sets the Service field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Service field is set to the value of the last call.
+func (b *ApplicationCredentialAccessRuleStatusApplyConfiguration) WithService(value string) *ApplicationCredentialAccessRuleStatusApplyConfiguration {
+	b.Service = &value
+	return b
+}
diff --git a/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialfilter.go b/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialfilter.go
new file mode 100644
index 000000000..0c7d450c6
--- /dev/null
+++ b/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialfilter.go
@@ -0,0 +1,52 @@
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	apiv1alpha1 "github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1"
+)
+
+// ApplicationCredentialFilterApplyConfiguration represents a declarative configuration of the ApplicationCredentialFilter type for use
+// with apply.
+type ApplicationCredentialFilterApplyConfiguration struct {
+	Name   *apiv1alpha1.OpenStackName `json:"name,omitempty"`
+	UserID *string                    `json:"userID,omitempty"`
+}
+
+// ApplicationCredentialFilterApplyConfiguration constructs a declarative configuration of the ApplicationCredentialFilter type for use with
+// apply.
+func ApplicationCredentialFilter() *ApplicationCredentialFilterApplyConfiguration {
+	return &ApplicationCredentialFilterApplyConfiguration{}
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *ApplicationCredentialFilterApplyConfiguration) WithName(value apiv1alpha1.OpenStackName) *ApplicationCredentialFilterApplyConfiguration {
+	b.Name = &value
+	return b
+}
+
+// WithUserID sets the UserID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UserID field is set to the value of the last call.
+func (b *ApplicationCredentialFilterApplyConfiguration) WithUserID(value string) *ApplicationCredentialFilterApplyConfiguration {
+	b.UserID = &value
+	return b
+}
diff --git a/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialimport.go b/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialimport.go
new file mode 100644
index 000000000..b84df0314
--- /dev/null
+++ b/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialimport.go
@@ -0,0 +1,48 @@
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+// ApplicationCredentialImportApplyConfiguration represents a declarative configuration of the ApplicationCredentialImport type for use
+// with apply.
+type ApplicationCredentialImportApplyConfiguration struct {
+	ID     *string                                        `json:"id,omitempty"`
+	Filter *ApplicationCredentialFilterApplyConfiguration `json:"filter,omitempty"`
+}
+
+// ApplicationCredentialImportApplyConfiguration constructs a declarative configuration of the ApplicationCredentialImport type for use with
+// apply.
+func ApplicationCredentialImport() *ApplicationCredentialImportApplyConfiguration {
+	return &ApplicationCredentialImportApplyConfiguration{}
+}
+
+// WithID sets the ID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ID field is set to the value of the last call.
+func (b *ApplicationCredentialImportApplyConfiguration) WithID(value string) *ApplicationCredentialImportApplyConfiguration {
+	b.ID = &value
+	return b
+}
+
+// WithFilter sets the Filter field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Filter field is set to the value of the last call.
+func (b *ApplicationCredentialImportApplyConfiguration) WithFilter(value *ApplicationCredentialFilterApplyConfiguration) *ApplicationCredentialImportApplyConfiguration {
+	b.Filter = value
+	return b
+}
diff --git a/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialresourcespec.go b/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialresourcespec.go
new file mode 100644
index 000000000..bba4b072c
--- /dev/null
+++ b/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialresourcespec.go
@@ -0,0 +1,117 @@
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	apiv1alpha1 "github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// ApplicationCredentialResourceSpecApplyConfiguration represents a declarative configuration of the ApplicationCredentialResourceSpec type for use
+// with apply.
+type ApplicationCredentialResourceSpecApplyConfiguration struct {
+	Name         *apiv1alpha1.OpenStackName                          `json:"name,omitempty"`
+	Description  *string                                             `json:"description,omitempty"`
+	UserID       *string                                             `json:"userID,omitempty"`
+	Unrestricted *bool                                               `json:"unrestricted,omitempty"`
+	Secret       *string                                             `json:"secret,omitempty"`
+	Roles        []ApplicationCredentialAccessRoleApplyConfiguration `json:"roles,omitempty"`
+	AccessRules  []ApplicationCredentialAccessRuleApplyConfiguration `json:"accessRules,omitempty"`
+	ExpiresAt    *v1.Time                                            `json:"expiresAt,omitempty"`
+}
+
+// ApplicationCredentialResourceSpecApplyConfiguration constructs a declarative configuration of the ApplicationCredentialResourceSpec type for use with
+// apply.
+func ApplicationCredentialResourceSpec() *ApplicationCredentialResourceSpecApplyConfiguration {
+	return &ApplicationCredentialResourceSpecApplyConfiguration{}
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *ApplicationCredentialResourceSpecApplyConfiguration) WithName(value apiv1alpha1.OpenStackName) *ApplicationCredentialResourceSpecApplyConfiguration {
+	b.Name = &value
+	return b
+}
+
+// WithDescription sets the Description field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Description field is set to the value of the last call.
+func (b *ApplicationCredentialResourceSpecApplyConfiguration) WithDescription(value string) *ApplicationCredentialResourceSpecApplyConfiguration {
+	b.Description = &value
+	return b
+}
+
+// WithUserID sets the UserID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the UserID field is set to the value of the last call.
+func (b *ApplicationCredentialResourceSpecApplyConfiguration) WithUserID(value string) *ApplicationCredentialResourceSpecApplyConfiguration {
+	b.UserID = &value
+	return b
+}
+
+// WithUnrestricted sets the Unrestricted field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Unrestricted field is set to the value of the last call.
+func (b *ApplicationCredentialResourceSpecApplyConfiguration) WithUnrestricted(value bool) *ApplicationCredentialResourceSpecApplyConfiguration {
+	b.Unrestricted = &value
+	return b
+}
+
+// WithSecret sets the Secret field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Secret field is set to the value of the last call.
+func (b *ApplicationCredentialResourceSpecApplyConfiguration) WithSecret(value string) *ApplicationCredentialResourceSpecApplyConfiguration {
+	b.Secret = &value
+	return b
+}
+
+// WithRoles adds the given value to the Roles field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Roles field.
+func (b *ApplicationCredentialResourceSpecApplyConfiguration) WithRoles(values ...*ApplicationCredentialAccessRoleApplyConfiguration) *ApplicationCredentialResourceSpecApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithRoles")
+		}
+		b.Roles = append(b.Roles, *values[i])
+	}
+	return b
+}
+
+// WithAccessRules adds the given value to the AccessRules field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the AccessRules field.
+func (b *ApplicationCredentialResourceSpecApplyConfiguration) WithAccessRules(values ...*ApplicationCredentialAccessRuleApplyConfiguration) *ApplicationCredentialResourceSpecApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithAccessRules")
+		}
+		b.AccessRules = append(b.AccessRules, *values[i])
+	}
+	return b
+}
+
+// WithExpiresAt sets the ExpiresAt field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ExpiresAt field is set to the value of the last call.
+func (b *ApplicationCredentialResourceSpecApplyConfiguration) WithExpiresAt(value v1.Time) *ApplicationCredentialResourceSpecApplyConfiguration {
+	b.ExpiresAt = &value
+	return b
+}
diff --git a/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialresourcestatus.go b/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialresourcestatus.go
new file mode 100644
index 000000000..da15dbb52
--- /dev/null
+++ b/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialresourcestatus.go
@@ -0,0 +1,140 @@
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// ApplicationCredentialResourceStatusApplyConfiguration represents a declarative configuration of the ApplicationCredentialResourceStatus type for use
+// with apply.
+type ApplicationCredentialResourceStatusApplyConfiguration struct {
+	ID           *string                                                   `json:"id,omitempty"`
+	Name         *string                                                   `json:"name,omitempty"`
+	Description  *string                                                   `json:"description,omitempty"`
+	Unrestricted *bool                                                     `json:"unrestricted,omitempty"`
+	Secret       *string                                                   `json:"secret,omitempty"`
+	ProjectID    *string                                                   `json:"projectID,omitempty"`
+	Roles        []ApplicationCredentialAccessRoleStatusApplyConfiguration `json:"roles,omitempty"`
+	ExpiresAt    *v1.Time                                                  `json:"expiresAt,omitempty"`
+	AccessRules  []ApplicationCredentialAccessRuleStatusApplyConfiguration `json:"accessRules,omitempty"`
+	Links        map[string]string                                         `json:"links,omitempty"`
+}
+
+// ApplicationCredentialResourceStatusApplyConfiguration constructs a declarative configuration of the ApplicationCredentialResourceStatus type for use with
+// apply.
+func ApplicationCredentialResourceStatus() *ApplicationCredentialResourceStatusApplyConfiguration {
+	return &ApplicationCredentialResourceStatusApplyConfiguration{}
+}
+
+// WithID sets the ID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ID field is set to the value of the last call.
+func (b *ApplicationCredentialResourceStatusApplyConfiguration) WithID(value string) *ApplicationCredentialResourceStatusApplyConfiguration {
+	b.ID = &value
+	return b
+}
+
+// WithName sets the Name field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Name field is set to the value of the last call.
+func (b *ApplicationCredentialResourceStatusApplyConfiguration) WithName(value string) *ApplicationCredentialResourceStatusApplyConfiguration {
+	b.Name = &value
+	return b
+}
+
+// WithDescription sets the Description field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Description field is set to the value of the last call.
+func (b *ApplicationCredentialResourceStatusApplyConfiguration) WithDescription(value string) *ApplicationCredentialResourceStatusApplyConfiguration {
+	b.Description = &value
+	return b
+}
+
+// WithUnrestricted sets the Unrestricted field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Unrestricted field is set to the value of the last call.
+func (b *ApplicationCredentialResourceStatusApplyConfiguration) WithUnrestricted(value bool) *ApplicationCredentialResourceStatusApplyConfiguration {
+	b.Unrestricted = &value
+	return b
+}
+
+// WithSecret sets the Secret field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Secret field is set to the value of the last call.
+func (b *ApplicationCredentialResourceStatusApplyConfiguration) WithSecret(value string) *ApplicationCredentialResourceStatusApplyConfiguration {
+	b.Secret = &value
+	return b
+}
+
+// WithProjectID sets the ProjectID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ProjectID field is set to the value of the last call.
+func (b *ApplicationCredentialResourceStatusApplyConfiguration) WithProjectID(value string) *ApplicationCredentialResourceStatusApplyConfiguration {
+	b.ProjectID = &value
+	return b
+}
+
+// WithRoles adds the given value to the Roles field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Roles field.
+func (b *ApplicationCredentialResourceStatusApplyConfiguration) WithRoles(values ...*ApplicationCredentialAccessRoleStatusApplyConfiguration) *ApplicationCredentialResourceStatusApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithRoles")
+		}
+		b.Roles = append(b.Roles, *values[i])
+	}
+	return b
+}
+
+// WithExpiresAt sets the ExpiresAt field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ExpiresAt field is set to the value of the last call.
+func (b *ApplicationCredentialResourceStatusApplyConfiguration) WithExpiresAt(value v1.Time) *ApplicationCredentialResourceStatusApplyConfiguration {
+	b.ExpiresAt = &value
+	return b
+}
+
+// WithAccessRules adds the given value to the AccessRules field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the AccessRules field.
+func (b *ApplicationCredentialResourceStatusApplyConfiguration) WithAccessRules(values ...*ApplicationCredentialAccessRuleStatusApplyConfiguration) *ApplicationCredentialResourceStatusApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithAccessRules")
+		}
+		b.AccessRules = append(b.AccessRules, *values[i])
+	}
+	return b
+}
+
+// WithLinks puts the entries into the Links field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, the entries provided by each call will be put on the Links field,
+// overwriting an existing map entries in Links field with the same key.
+func (b *ApplicationCredentialResourceStatusApplyConfiguration) WithLinks(entries map[string]string) *ApplicationCredentialResourceStatusApplyConfiguration {
+	if b.Links == nil && len(entries) > 0 {
+		b.Links = make(map[string]string, len(entries))
+	}
+	for k, v := range entries {
+		b.Links[k] = v
+	}
+	return b
+}
diff --git a/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialspec.go b/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialspec.go
new file mode 100644
index 000000000..d73e0886b
--- /dev/null
+++ b/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialspec.go
@@ -0,0 +1,79 @@
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	apiv1alpha1 "github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1"
+)
+
+// ApplicationCredentialSpecApplyConfiguration represents a declarative configuration of the ApplicationCredentialSpec type for use
+// with apply.
+type ApplicationCredentialSpecApplyConfiguration struct {
+	Import              *ApplicationCredentialImportApplyConfiguration       `json:"import,omitempty"`
+	Resource            *ApplicationCredentialResourceSpecApplyConfiguration `json:"resource,omitempty"`
+	ManagementPolicy    *apiv1alpha1.ManagementPolicy                        `json:"managementPolicy,omitempty"`
+	ManagedOptions      *ManagedOptionsApplyConfiguration                    `json:"managedOptions,omitempty"`
+	CloudCredentialsRef *CloudCredentialsReferenceApplyConfiguration         `json:"cloudCredentialsRef,omitempty"`
+}
+
+// ApplicationCredentialSpecApplyConfiguration constructs a declarative configuration of the ApplicationCredentialSpec type for use with
+// apply.
+func ApplicationCredentialSpec() *ApplicationCredentialSpecApplyConfiguration {
+	return &ApplicationCredentialSpecApplyConfiguration{}
+}
+
+// WithImport sets the Import field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Import field is set to the value of the last call.
+func (b *ApplicationCredentialSpecApplyConfiguration) WithImport(value *ApplicationCredentialImportApplyConfiguration) *ApplicationCredentialSpecApplyConfiguration {
+	b.Import = value
+	return b
+}
+
+// WithResource sets the Resource field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Resource field is set to the value of the last call.
+func (b *ApplicationCredentialSpecApplyConfiguration) WithResource(value *ApplicationCredentialResourceSpecApplyConfiguration) *ApplicationCredentialSpecApplyConfiguration {
+	b.Resource = value
+	return b
+}
+
+// WithManagementPolicy sets the ManagementPolicy field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ManagementPolicy field is set to the value of the last call.
+func (b *ApplicationCredentialSpecApplyConfiguration) WithManagementPolicy(value apiv1alpha1.ManagementPolicy) *ApplicationCredentialSpecApplyConfiguration {
+	b.ManagementPolicy = &value
+	return b
+}
+
+// WithManagedOptions sets the ManagedOptions field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ManagedOptions field is set to the value of the last call.
+func (b *ApplicationCredentialSpecApplyConfiguration) WithManagedOptions(value *ManagedOptionsApplyConfiguration) *ApplicationCredentialSpecApplyConfiguration {
+	b.ManagedOptions = value
+	return b
+}
+
+// WithCloudCredentialsRef sets the CloudCredentialsRef field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CloudCredentialsRef field is set to the value of the last call.
+func (b *ApplicationCredentialSpecApplyConfiguration) WithCloudCredentialsRef(value *CloudCredentialsReferenceApplyConfiguration) *ApplicationCredentialSpecApplyConfiguration {
+	b.CloudCredentialsRef = value
+	return b
+}
diff --git a/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialstatus.go b/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialstatus.go
new file mode 100644
index 000000000..2dc54e77a
--- /dev/null
+++ b/pkg/clients/applyconfiguration/api/v1alpha1/applicationcredentialstatus.go
@@ -0,0 +1,66 @@
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1 "k8s.io/client-go/applyconfigurations/meta/v1"
+)
+
+// ApplicationCredentialStatusApplyConfiguration represents a declarative configuration of the ApplicationCredentialStatus type for use
+// with apply.
+type ApplicationCredentialStatusApplyConfiguration struct {
+	Conditions []v1.ConditionApplyConfiguration                       `json:"conditions,omitempty"`
+	ID         *string                                                `json:"id,omitempty"`
+	Resource   *ApplicationCredentialResourceStatusApplyConfiguration `json:"resource,omitempty"`
+}
+
+// ApplicationCredentialStatusApplyConfiguration constructs a declarative configuration of the ApplicationCredentialStatus type for use with
+// apply.
+func ApplicationCredentialStatus() *ApplicationCredentialStatusApplyConfiguration {
+	return &ApplicationCredentialStatusApplyConfiguration{}
+}
+
+// WithConditions adds the given value to the Conditions field in the declarative configuration
+// and returns the receiver, so that objects can be build by chaining "With" function invocations.
+// If called multiple times, values provided by each call will be appended to the Conditions field.
+func (b *ApplicationCredentialStatusApplyConfiguration) WithConditions(values ...*v1.ConditionApplyConfiguration) *ApplicationCredentialStatusApplyConfiguration {
+	for i := range values {
+		if values[i] == nil {
+			panic("nil value passed to WithConditions")
+		}
+		b.Conditions = append(b.Conditions, *values[i])
+	}
+	return b
+}
+
+// WithID sets the ID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ID field is set to the value of the last call.
+func (b *ApplicationCredentialStatusApplyConfiguration) WithID(value string) *ApplicationCredentialStatusApplyConfiguration {
+	b.ID = &value
+	return b
+}
+
+// WithResource sets the Resource field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the Resource field is set to the value of the last call.
+func (b *ApplicationCredentialStatusApplyConfiguration) WithResource(value *ApplicationCredentialResourceStatusApplyConfiguration) *ApplicationCredentialStatusApplyConfiguration {
+	b.Resource = value
+	return b
+}
diff --git a/pkg/clients/applyconfiguration/internal/internal.go b/pkg/clients/applyconfiguration/internal/internal.go
index dfb83d47f..26e1c8de0 100644
--- a/pkg/clients/applyconfiguration/internal/internal.go
+++ b/pkg/clients/applyconfiguration/internal/internal.go
@@ -84,6 +84,205 @@ var schemaYAML = typed.YAMLObject(`types:
     - name: mac
       type:
         scalar: string
+- name: com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.ApplicationCredential
+  map:
+    fields:
+    - name: apiVersion
+      type:
+        scalar: string
+    - name: kind
+      type:
+        scalar: string
+    - name: metadata
+      type:
+        namedType: io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta
+      default: {}
+    - name: spec
+      type:
+        namedType: com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.ApplicationCredentialSpec
+      default: {}
+    - name: status
+      type:
+        namedType: com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.ApplicationCredentialStatus
+      default: {}
+- name: com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.ApplicationCredentialAccessRole
+  map:
+    fields:
+    - name: id
+      type:
+        scalar: string
+    - name: name
+      type:
+        scalar: string
+- name: com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.ApplicationCredentialAccessRoleStatus
+  map:
+    fields:
+    - name: domainID
+      type:
+        scalar: string
+    - name: id
+      type:
+        scalar: string
+    - name: name
+      type:
+        scalar: string
+- name: com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.ApplicationCredentialAccessRule
+  map:
+    fields:
+    - name: method
+      type:
+        scalar: string
+    - name: path
+      type:
+        scalar: string
+    - name: service
+      type:
+        scalar: string
+- name: com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.ApplicationCredentialAccessRuleStatus
+  map:
+    fields:
+    - name: id
+      type:
+        scalar: string
+    - name: method
+      type:
+        scalar: string
+    - name: path
+      type:
+        scalar: string
+    - name: service
+      type:
+        scalar: string
+- name: com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.ApplicationCredentialFilter
+  map:
+    fields:
+    - name: name
+      type:
+        scalar: string
+    - name: userID
+      type:
+        scalar: string
+      default: ""
+- name: com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.ApplicationCredentialImport
+  map:
+    fields:
+    - name: filter
+      type:
+        namedType: com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.ApplicationCredentialFilter
+    - name: id
+      type:
+        scalar: string
+- name: com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.ApplicationCredentialResourceSpec
+  map:
+    fields:
+    - name: accessRules
+      type:
+        list:
+          elementType:
+            namedType: com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.ApplicationCredentialAccessRule
+          elementRelationship: atomic
+    - name: description
+      type:
+        scalar: string
+    - name: expiresAt
+      type:
+        namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Time
+    - name: name
+      type:
+        scalar: string
+    - name: roles
+      type:
+        list:
+          elementType:
+            namedType: com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.ApplicationCredentialAccessRole
+          elementRelationship: atomic
+    - name: secret
+      type:
+        scalar: string
+    - name: unrestricted
+      type:
+        scalar: boolean
+    - name: userID
+      type:
+        scalar: string
+      default: ""
+- name: com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.ApplicationCredentialResourceStatus
+  map:
+    fields:
+    - name: accessRules
+      type:
+        list:
+          elementType:
+            namedType: com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.ApplicationCredentialAccessRuleStatus
+          elementRelationship: atomic
+    - name: description
+      type:
+        scalar: string
+    - name: expiresAt
+      type:
+        namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Time
+    - name: id
+      type:
+        scalar: string
+    - name: links
+      type:
+        map:
+          elementType:
+            scalar: string
+    - name: name
+      type:
+        scalar: string
+    - name: projectID
+      type:
+        scalar: string
+    - name: roles
+      type:
+        list:
+          elementType:
+            namedType: com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.ApplicationCredentialAccessRoleStatus
+          elementRelationship: atomic
+    - name: secret
+      type:
+        scalar: string
+    - name: unrestricted
+      type:
+        scalar: boolean
+- name: com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.ApplicationCredentialSpec
+  map:
+    fields:
+    - name: cloudCredentialsRef
+      type:
+        namedType: com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.CloudCredentialsReference
+      default: {}
+    - name: import
+      type:
+        namedType: com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.ApplicationCredentialImport
+    - name: managedOptions
+      type:
+        namedType: com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.ManagedOptions
+    - name: managementPolicy
+      type:
+        scalar: string
+    - name: resource
+      type:
+        namedType: com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.ApplicationCredentialResourceSpec
+- name: com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.ApplicationCredentialStatus
+  map:
+    fields:
+    - name: conditions
+      type:
+        list:
+          elementType:
+            namedType: io.k8s.apimachinery.pkg.apis.meta.v1.Condition
+          elementRelationship: associative
+          keys:
+          - type
+    - name: id
+      type:
+        scalar: string
+    - name: resource
+      type:
+        namedType: com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.ApplicationCredentialResourceStatus
 - name: com.github.k-orc.openstack-resource-controller.v2.api.v1alpha1.CloudCredentialsReference
   map:
     fields:
diff --git a/pkg/clients/applyconfiguration/utils.go b/pkg/clients/applyconfiguration/utils.go
index 5a3990951..f7c293a7b 100644
--- a/pkg/clients/applyconfiguration/utils.go
+++ b/pkg/clients/applyconfiguration/utils.go
@@ -42,6 +42,28 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 		return &apiv1alpha1.AllowedAddressPairApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("AllowedAddressPairStatus"):
 		return &apiv1alpha1.AllowedAddressPairStatusApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("ApplicationCredential"):
+		return &apiv1alpha1.ApplicationCredentialApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("ApplicationCredentialAccessRole"):
+		return &apiv1alpha1.ApplicationCredentialAccessRoleApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("ApplicationCredentialAccessRoleStatus"):
+		return &apiv1alpha1.ApplicationCredentialAccessRoleStatusApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("ApplicationCredentialAccessRule"):
+		return &apiv1alpha1.ApplicationCredentialAccessRuleApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("ApplicationCredentialAccessRuleStatus"):
+		return &apiv1alpha1.ApplicationCredentialAccessRuleStatusApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("ApplicationCredentialFilter"):
+		return &apiv1alpha1.ApplicationCredentialFilterApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("ApplicationCredentialImport"):
+		return &apiv1alpha1.ApplicationCredentialImportApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("ApplicationCredentialResourceSpec"):
+		return &apiv1alpha1.ApplicationCredentialResourceSpecApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("ApplicationCredentialResourceStatus"):
+		return &apiv1alpha1.ApplicationCredentialResourceStatusApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("ApplicationCredentialSpec"):
+		return &apiv1alpha1.ApplicationCredentialSpecApplyConfiguration{}
+	case v1alpha1.SchemeGroupVersion.WithKind("ApplicationCredentialStatus"):
+		return &apiv1alpha1.ApplicationCredentialStatusApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("CloudCredentialsReference"):
 		return &apiv1alpha1.CloudCredentialsReferenceApplyConfiguration{}
 	case v1alpha1.SchemeGroupVersion.WithKind("Domain"):
diff --git a/pkg/clients/clientset/clientset/typed/api/v1alpha1/api_client.go b/pkg/clients/clientset/clientset/typed/api/v1alpha1/api_client.go
index 4317c8aa6..3fa3dc105 100644
--- a/pkg/clients/clientset/clientset/typed/api/v1alpha1/api_client.go
+++ b/pkg/clients/clientset/clientset/typed/api/v1alpha1/api_client.go
@@ -28,6 +28,7 @@ import (
 
 type OpenstackV1alpha1Interface interface {
 	RESTClient() rest.Interface
+	ApplicationCredentialsGetter
 	DomainsGetter
 	FlavorsGetter
 	FloatingIPsGetter
@@ -54,6 +55,10 @@ type OpenstackV1alpha1Client struct {
 	restClient rest.Interface
 }
 
+func (c *OpenstackV1alpha1Client) ApplicationCredentials(namespace string) ApplicationCredentialInterface {
+	return newApplicationCredentials(c, namespace)
+}
+
 func (c *OpenstackV1alpha1Client) Domains(namespace string) DomainInterface {
 	return newDomains(c, namespace)
 }
diff --git a/pkg/clients/clientset/clientset/typed/api/v1alpha1/applicationcredential.go b/pkg/clients/clientset/clientset/typed/api/v1alpha1/applicationcredential.go
new file mode 100644
index 000000000..f3f3411c5
--- /dev/null
+++ b/pkg/clients/clientset/clientset/typed/api/v1alpha1/applicationcredential.go
@@ -0,0 +1,74 @@
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	context "context"
+
+	apiv1alpha1 "github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1"
+	applyconfigurationapiv1alpha1 "github.com/k-orc/openstack-resource-controller/v2/pkg/clients/applyconfiguration/api/v1alpha1"
+	scheme "github.com/k-orc/openstack-resource-controller/v2/pkg/clients/clientset/clientset/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	gentype "k8s.io/client-go/gentype"
+)
+
+// ApplicationCredentialsGetter has a method to return a ApplicationCredentialInterface.
+// A group's client should implement this interface.
+type ApplicationCredentialsGetter interface {
+	ApplicationCredentials(namespace string) ApplicationCredentialInterface
+}
+
+// ApplicationCredentialInterface has methods to work with ApplicationCredential resources.
+type ApplicationCredentialInterface interface {
+	Create(ctx context.Context, applicationCredential *apiv1alpha1.ApplicationCredential, opts v1.CreateOptions) (*apiv1alpha1.ApplicationCredential, error)
+	Update(ctx context.Context, applicationCredential *apiv1alpha1.ApplicationCredential, opts v1.UpdateOptions) (*apiv1alpha1.ApplicationCredential, error)
+	// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus().
+	UpdateStatus(ctx context.Context, applicationCredential *apiv1alpha1.ApplicationCredential, opts v1.UpdateOptions) (*apiv1alpha1.ApplicationCredential, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*apiv1alpha1.ApplicationCredential, error)
+	List(ctx context.Context, opts v1.ListOptions) (*apiv1alpha1.ApplicationCredentialList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *apiv1alpha1.ApplicationCredential, err error)
+	Apply(ctx context.Context, applicationCredential *applyconfigurationapiv1alpha1.ApplicationCredentialApplyConfiguration, opts v1.ApplyOptions) (result *apiv1alpha1.ApplicationCredential, err error)
+	// Add a +genclient:noStatus comment above the type to avoid generating ApplyStatus().
+	ApplyStatus(ctx context.Context, applicationCredential *applyconfigurationapiv1alpha1.ApplicationCredentialApplyConfiguration, opts v1.ApplyOptions) (result *apiv1alpha1.ApplicationCredential, err error)
+	ApplicationCredentialExpansion
+}
+
+// applicationCredentials implements ApplicationCredentialInterface
+type applicationCredentials struct {
+	*gentype.ClientWithListAndApply[*apiv1alpha1.ApplicationCredential, *apiv1alpha1.ApplicationCredentialList, *applyconfigurationapiv1alpha1.ApplicationCredentialApplyConfiguration]
+}
+
+// newApplicationCredentials returns a ApplicationCredentials
+func newApplicationCredentials(c *OpenstackV1alpha1Client, namespace string) *applicationCredentials {
+	return &applicationCredentials{
+		gentype.NewClientWithListAndApply[*apiv1alpha1.ApplicationCredential, *apiv1alpha1.ApplicationCredentialList, *applyconfigurationapiv1alpha1.ApplicationCredentialApplyConfiguration](
+			"applicationcredentials",
+			c.RESTClient(),
+			scheme.ParameterCodec,
+			namespace,
+			func() *apiv1alpha1.ApplicationCredential { return &apiv1alpha1.ApplicationCredential{} },
+			func() *apiv1alpha1.ApplicationCredentialList { return &apiv1alpha1.ApplicationCredentialList{} },
+		),
+	}
+}
diff --git a/pkg/clients/clientset/clientset/typed/api/v1alpha1/fake/fake_api_client.go b/pkg/clients/clientset/clientset/typed/api/v1alpha1/fake/fake_api_client.go
index 595446f05..d91a3a3cd 100644
--- a/pkg/clients/clientset/clientset/typed/api/v1alpha1/fake/fake_api_client.go
+++ b/pkg/clients/clientset/clientset/typed/api/v1alpha1/fake/fake_api_client.go
@@ -28,6 +28,10 @@ type FakeOpenstackV1alpha1 struct {
 	*testing.Fake
 }
 
+func (c *FakeOpenstackV1alpha1) ApplicationCredentials(namespace string) v1alpha1.ApplicationCredentialInterface {
+	return newFakeApplicationCredentials(c, namespace)
+}
+
 func (c *FakeOpenstackV1alpha1) Domains(namespace string) v1alpha1.DomainInterface {
 	return newFakeDomains(c, namespace)
 }
diff --git a/pkg/clients/clientset/clientset/typed/api/v1alpha1/fake/fake_applicationcredential.go b/pkg/clients/clientset/clientset/typed/api/v1alpha1/fake/fake_applicationcredential.go
new file mode 100644
index 000000000..c093e7c28
--- /dev/null
+++ b/pkg/clients/clientset/clientset/typed/api/v1alpha1/fake/fake_applicationcredential.go
@@ -0,0 +1,53 @@
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	v1alpha1 "github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1"
+	apiv1alpha1 "github.com/k-orc/openstack-resource-controller/v2/pkg/clients/applyconfiguration/api/v1alpha1"
+	typedapiv1alpha1 "github.com/k-orc/openstack-resource-controller/v2/pkg/clients/clientset/clientset/typed/api/v1alpha1"
+	gentype "k8s.io/client-go/gentype"
+)
+
+// fakeApplicationCredentials implements ApplicationCredentialInterface
+type fakeApplicationCredentials struct {
+	*gentype.FakeClientWithListAndApply[*v1alpha1.ApplicationCredential, *v1alpha1.ApplicationCredentialList, *apiv1alpha1.ApplicationCredentialApplyConfiguration]
+	Fake *FakeOpenstackV1alpha1
+}
+
+func newFakeApplicationCredentials(fake *FakeOpenstackV1alpha1, namespace string) typedapiv1alpha1.ApplicationCredentialInterface {
+	return &fakeApplicationCredentials{
+		gentype.NewFakeClientWithListAndApply[*v1alpha1.ApplicationCredential, *v1alpha1.ApplicationCredentialList, *apiv1alpha1.ApplicationCredentialApplyConfiguration](
+			fake.Fake,
+			namespace,
+			v1alpha1.SchemeGroupVersion.WithResource("applicationcredentials"),
+			v1alpha1.SchemeGroupVersion.WithKind("ApplicationCredential"),
+			func() *v1alpha1.ApplicationCredential { return &v1alpha1.ApplicationCredential{} },
+			func() *v1alpha1.ApplicationCredentialList { return &v1alpha1.ApplicationCredentialList{} },
+			func(dst, src *v1alpha1.ApplicationCredentialList) { dst.ListMeta = src.ListMeta },
+			func(list *v1alpha1.ApplicationCredentialList) []*v1alpha1.ApplicationCredential {
+				return gentype.ToPointerSlice(list.Items)
+			},
+			func(list *v1alpha1.ApplicationCredentialList, items []*v1alpha1.ApplicationCredential) {
+				list.Items = gentype.FromPointerSlice(items)
+			},
+		),
+		fake,
+	}
+}
diff --git a/pkg/clients/clientset/clientset/typed/api/v1alpha1/generated_expansion.go b/pkg/clients/clientset/clientset/typed/api/v1alpha1/generated_expansion.go
index 558e399d0..ada65c63d 100644
--- a/pkg/clients/clientset/clientset/typed/api/v1alpha1/generated_expansion.go
+++ b/pkg/clients/clientset/clientset/typed/api/v1alpha1/generated_expansion.go
@@ -18,6 +18,8 @@ limitations under the License.
 
 package v1alpha1
 
+type ApplicationCredentialExpansion interface{}
+
 type DomainExpansion interface{}
 
 type FlavorExpansion interface{}
diff --git a/pkg/clients/informers/externalversions/api/v1alpha1/applicationcredential.go b/pkg/clients/informers/externalversions/api/v1alpha1/applicationcredential.go
new file mode 100644
index 000000000..a728706a7
--- /dev/null
+++ b/pkg/clients/informers/externalversions/api/v1alpha1/applicationcredential.go
@@ -0,0 +1,102 @@
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	context "context"
+	time "time"
+
+	v2apiv1alpha1 "github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1"
+	clientset "github.com/k-orc/openstack-resource-controller/v2/pkg/clients/clientset/clientset"
+	internalinterfaces "github.com/k-orc/openstack-resource-controller/v2/pkg/clients/informers/externalversions/internalinterfaces"
+	apiv1alpha1 "github.com/k-orc/openstack-resource-controller/v2/pkg/clients/listers/api/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// ApplicationCredentialInformer provides access to a shared informer and lister for
+// ApplicationCredentials.
+type ApplicationCredentialInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() apiv1alpha1.ApplicationCredentialLister
+}
+
+type applicationCredentialInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewApplicationCredentialInformer constructs a new informer for ApplicationCredential type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewApplicationCredentialInformer(client clientset.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredApplicationCredentialInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredApplicationCredentialInformer constructs a new informer for ApplicationCredential type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredApplicationCredentialInformer(client clientset.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.OpenstackV1alpha1().ApplicationCredentials(namespace).List(context.Background(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.OpenstackV1alpha1().ApplicationCredentials(namespace).Watch(context.Background(), options)
+			},
+			ListWithContextFunc: func(ctx context.Context, options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.OpenstackV1alpha1().ApplicationCredentials(namespace).List(ctx, options)
+			},
+			WatchFuncWithContext: func(ctx context.Context, options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.OpenstackV1alpha1().ApplicationCredentials(namespace).Watch(ctx, options)
+			},
+		},
+		&v2apiv1alpha1.ApplicationCredential{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *applicationCredentialInformer) defaultInformer(client clientset.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredApplicationCredentialInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *applicationCredentialInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&v2apiv1alpha1.ApplicationCredential{}, f.defaultInformer)
+}
+
+func (f *applicationCredentialInformer) Lister() apiv1alpha1.ApplicationCredentialLister {
+	return apiv1alpha1.NewApplicationCredentialLister(f.Informer().GetIndexer())
+}
diff --git a/pkg/clients/informers/externalversions/api/v1alpha1/interface.go b/pkg/clients/informers/externalversions/api/v1alpha1/interface.go
index 2e06781ab..e41285f4e 100644
--- a/pkg/clients/informers/externalversions/api/v1alpha1/interface.go
+++ b/pkg/clients/informers/externalversions/api/v1alpha1/interface.go
@@ -24,6 +24,8 @@ import (
 
 // Interface provides access to all the informers in this group version.
 type Interface interface {
+	// ApplicationCredentials returns a ApplicationCredentialInformer.
+	ApplicationCredentials() ApplicationCredentialInformer
 	// Domains returns a DomainInformer.
 	Domains() DomainInformer
 	// Flavors returns a FlavorInformer.
@@ -75,6 +77,11 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
 
+// ApplicationCredentials returns a ApplicationCredentialInformer.
+func (v *version) ApplicationCredentials() ApplicationCredentialInformer {
+	return &applicationCredentialInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
+
 // Domains returns a DomainInformer.
 func (v *version) Domains() DomainInformer {
 	return &domainInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
diff --git a/pkg/clients/informers/externalversions/generic.go b/pkg/clients/informers/externalversions/generic.go
index 1bb2313e0..fb144630a 100644
--- a/pkg/clients/informers/externalversions/generic.go
+++ b/pkg/clients/informers/externalversions/generic.go
@@ -53,6 +53,8 @@ func (f *genericInformer) Lister() cache.GenericLister {
 func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) {
 	switch resource {
 	// Group=openstack.k-orc.cloud, Version=v1alpha1
+	case v1alpha1.SchemeGroupVersion.WithResource("applicationcredentials"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Openstack().V1alpha1().ApplicationCredentials().Informer()}, nil
 	case v1alpha1.SchemeGroupVersion.WithResource("domains"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Openstack().V1alpha1().Domains().Informer()}, nil
 	case v1alpha1.SchemeGroupVersion.WithResource("flavors"):
diff --git a/pkg/clients/listers/api/v1alpha1/applicationcredential.go b/pkg/clients/listers/api/v1alpha1/applicationcredential.go
new file mode 100644
index 000000000..559f9b947
--- /dev/null
+++ b/pkg/clients/listers/api/v1alpha1/applicationcredential.go
@@ -0,0 +1,70 @@
+/*
+Copyright The ORC Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	apiv1alpha1 "github.com/k-orc/openstack-resource-controller/v2/api/v1alpha1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	listers "k8s.io/client-go/listers"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// ApplicationCredentialLister helps list ApplicationCredentials.
+// All objects returned here must be treated as read-only.
+type ApplicationCredentialLister interface {
+	// List lists all ApplicationCredentials in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*apiv1alpha1.ApplicationCredential, err error)
+	// ApplicationCredentials returns an object that can list and get ApplicationCredentials.
+	ApplicationCredentials(namespace string) ApplicationCredentialNamespaceLister
+	ApplicationCredentialListerExpansion
+}
+
+// applicationCredentialLister implements the ApplicationCredentialLister interface.
+type applicationCredentialLister struct {
+	listers.ResourceIndexer[*apiv1alpha1.ApplicationCredential]
+}
+
+// NewApplicationCredentialLister returns a new ApplicationCredentialLister.
+func NewApplicationCredentialLister(indexer cache.Indexer) ApplicationCredentialLister {
+	return &applicationCredentialLister{listers.New[*apiv1alpha1.ApplicationCredential](indexer, apiv1alpha1.Resource("applicationcredential"))}
+}
+
+// ApplicationCredentials returns an object that can list and get ApplicationCredentials.
+func (s *applicationCredentialLister) ApplicationCredentials(namespace string) ApplicationCredentialNamespaceLister {
+	return applicationCredentialNamespaceLister{listers.NewNamespaced[*apiv1alpha1.ApplicationCredential](s.ResourceIndexer, namespace)}
+}
+
+// ApplicationCredentialNamespaceLister helps list and get ApplicationCredentials.
+// All objects returned here must be treated as read-only.
+type ApplicationCredentialNamespaceLister interface {
+	// List lists all ApplicationCredentials in the indexer for a given namespace.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*apiv1alpha1.ApplicationCredential, err error)
+	// Get retrieves the ApplicationCredential from the indexer for a given namespace and name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*apiv1alpha1.ApplicationCredential, error)
+	ApplicationCredentialNamespaceListerExpansion
+}
+
+// applicationCredentialNamespaceLister implements the ApplicationCredentialNamespaceLister
+// interface.
+type applicationCredentialNamespaceLister struct {
+	listers.ResourceIndexer[*apiv1alpha1.ApplicationCredential]
+}
diff --git a/pkg/clients/listers/api/v1alpha1/expansion_generated.go b/pkg/clients/listers/api/v1alpha1/expansion_generated.go
index 1380d0372..0540a6c35 100644
--- a/pkg/clients/listers/api/v1alpha1/expansion_generated.go
+++ b/pkg/clients/listers/api/v1alpha1/expansion_generated.go
@@ -18,6 +18,14 @@ limitations under the License.
 
 package v1alpha1
 
+// ApplicationCredentialListerExpansion allows custom methods to be added to
+// ApplicationCredentialLister.
+type ApplicationCredentialListerExpansion interface{}
+
+// ApplicationCredentialNamespaceListerExpansion allows custom methods to be added to
+// ApplicationCredentialNamespaceLister.
+type ApplicationCredentialNamespaceListerExpansion interface{}
+
 // DomainListerExpansion allows custom methods to be added to
 // DomainLister.
 type DomainListerExpansion interface{}
diff --git a/website/docs/crd-reference.md b/website/docs/crd-reference.md
index f1664a185..91e773ab4 100644
--- a/website/docs/crd-reference.md
+++ b/website/docs/crd-reference.md
@@ -10,6 +10,7 @@ Package v1alpha1 contains API Schema definitions for the openstack v1alpha1 API
 
 
 ### Resource Types
+- [ApplicationCredential](#applicationcredential)
 - [Domain](#domain)
 - [Flavor](#flavor)
 - [FloatingIP](#floatingip)
@@ -117,6 +118,224 @@ _Appears in:_
 | `mac` _string_ | mac contains a MAC address which a server connected to the port can<br />send packets with. |  | MaxLength: 1024 <br /> |
 
 
+#### ApplicationCredential
+
+
+
+ApplicationCredential is the Schema for an ORC resource.
+
+
+
+
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `apiVersion` _string_ | `openstack.k-orc.cloud/v1alpha1` | | |
+| `kind` _string_ | `ApplicationCredential` | | |
+| `metadata` _[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#objectmeta-v1-meta)_ | Refer to Kubernetes API documentation for fields of `metadata`. |  |  |
+| `spec` _[ApplicationCredentialSpec](#applicationcredentialspec)_ | spec specifies the desired state of the resource. |  |  |
+| `status` _[ApplicationCredentialStatus](#applicationcredentialstatus)_ | status defines the observed state of the resource. |  |  |
+
+
+#### ApplicationCredentialAccessRole
+
+
+
+
+
+_Validation:_
+- MaxProperties: 1
+- MinProperties: 1
+
+_Appears in:_
+- [ApplicationCredentialResourceSpec](#applicationcredentialresourcespec)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `name` _[OpenStackName](#openstackname)_ | name of an existing role |  | MaxLength: 255 <br />MinLength: 1 <br />Pattern: `^[^,]+$` <br /> |
+| `id` _string_ | id is the ID of an role |  | MaxLength: 1024 <br /> |
+
+
+#### ApplicationCredentialAccessRoleStatus
+
+
+
+
+
+
+
+_Appears in:_
+- [ApplicationCredentialResourceStatus](#applicationcredentialresourcestatus)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `name` _string_ | name of an existing role |  |  |
+| `id` _string_ | id is the ID of an role |  |  |
+| `domainID` _string_ | id of the domain of this role |  |  |
+
+
+#### ApplicationCredentialAccessRule
+
+
+
+ApplicationCredentialAccessRule defines an access rule
+
+_Validation:_
+- MinProperties: 1
+
+_Appears in:_
+- [ApplicationCredentialResourceSpec](#applicationcredentialresourcespec)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `path` _string_ | API path that the application credential is permitted to access |  | MaxLength: 1024 <br /> |
+| `method` _[HTTPMethod](#httpmethod)_ | request method that the application credential is permitted to use for a given API endpoint |  | Enum: [CONNECT DELETE GET HEAD OPTIONS PATCH POST PUT TRACE] <br /> |
+| `service` _string_ | service type identifier for the service that the application credential is permitted to access |  | MaxLength: 1024 <br /> |
+
+
+#### ApplicationCredentialAccessRuleStatus
+
+
+
+
+
+
+
+_Appears in:_
+- [ApplicationCredentialResourceStatus](#applicationcredentialresourcestatus)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `id` _string_ | id is the ID of this access rule |  |  |
+| `path` _string_ | API path that the application credential is permitted to access |  |  |
+| `method` _string_ | request method that the application credential is permitted to use for a given API endpoint |  |  |
+| `service` _string_ | service type identifier for the service that the application credential is permitted to access |  |  |
+
+
+#### ApplicationCredentialFilter
+
+
+
+ApplicationCredentialFilter defines an existing resource by its properties
+
+_Validation:_
+- MinProperties: 1
+
+_Appears in:_
+- [ApplicationCredentialImport](#applicationcredentialimport)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `name` _[OpenStackName](#openstackname)_ | name of the existing resource |  | MaxLength: 255 <br />MinLength: 1 <br />Pattern: `^[^,]+$` <br /> |
+| `userID` _string_ | ID of the user the application credential belongs to |  |  |
+
+
+#### ApplicationCredentialImport
+
+
+
+ApplicationCredentialImport specifies an existing resource which will be imported instead of
+creating a new one
+
+_Validation:_
+- MaxProperties: 1
+- MinProperties: 1
+
+_Appears in:_
+- [ApplicationCredentialSpec](#applicationcredentialspec)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `id` _string_ | id contains the unique identifier of an existing OpenStack resource. Note<br />that when specifying an import by ID, the resource MUST already exist.<br />The ORC object will enter an error state if the resource does not exist. |  | Format: uuid <br /> |
+| `filter` _[ApplicationCredentialFilter](#applicationcredentialfilter)_ | filter contains a resource query which is expected to return a single<br />result. The controller will continue to retry if filter returns no<br />results. If filter returns multiple results the controller will set an<br />error state and will not continue to retry. |  | MinProperties: 1 <br /> |
+
+
+#### ApplicationCredentialResourceSpec
+
+
+
+ApplicationCredentialResourceSpec contains the desired state of the resource.
+
+
+
+_Appears in:_
+- [ApplicationCredentialSpec](#applicationcredentialspec)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `name` _[OpenStackName](#openstackname)_ | name will be the name of the created resource. If not specified, the<br />name of the ORC object will be used. |  | MaxLength: 255 <br />MinLength: 1 <br />Pattern: `^[^,]+$` <br /> |
+| `description` _string_ | description is a human-readable description for the resource. |  | MaxLength: 255 <br />MinLength: 1 <br /> |
+| `userID` _string_ | ID of the user the application credential belongs to |  | MaxLength: 1024 <br /> |
+| `unrestricted` _boolean_ | flag indicating whether the application credential may be used for creation or destruction of other application credentials or trusts |  |  |
+| `secret` _string_ |  |  |  |
+| `roles` _[ApplicationCredentialAccessRole](#applicationcredentialaccessrole) array_ | list of role objects may only contain roles that the user has assigned on the project. If not provided, the roles assigned to the application credential will be the same as the roles in the current token. |  | MaxItems: 256 <br />MaxProperties: 1 <br />MinProperties: 1 <br /> |
+| `accessRules` _[ApplicationCredentialAccessRule](#applicationcredentialaccessrule) array_ | list of fine grained access control rules |  | MaxItems: 256 <br />MinProperties: 1 <br /> |
+| `expiresAt` _[Time](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#time-v1-meta)_ | expiry time for the application credential. If unset, the application credential does not expire. |  |  |
+
+
+#### ApplicationCredentialResourceStatus
+
+
+
+ApplicationCredentialResourceStatus represents the observed state of the resource.
+
+
+
+_Appears in:_
+- [ApplicationCredentialStatus](#applicationcredentialstatus)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `id` _string_ | id is the ID of the application credential. |  | MaxLength: 1024 <br /> |
+| `name` _string_ | name is a Human-readable name for the resource. Might not be unique. |  | MaxLength: 1024 <br /> |
+| `description` _string_ | description is a human-readable description for the resource. |  | MaxLength: 1024 <br /> |
+| `unrestricted` _boolean_ | flag indicating whether the application credential may be used for creation or destruction of other application credentials or trusts |  |  |
+| `secret` _string_ |  |  |  |
+| `projectID` _string_ | ID of the project the application credential was created for and that authentication requests using this application credential will be scoped to. |  | MaxLength: 1024 <br /> |
+| `roles` _[ApplicationCredentialAccessRoleStatus](#applicationcredentialaccessrolestatus) array_ | list of role objects may only contain roles that the user has assigned on the project |  |  |
+| `expiresAt` _[Time](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#time-v1-meta)_ | expiry time for the application credential |  |  |
+| `accessRules` _[ApplicationCredentialAccessRuleStatus](#applicationcredentialaccessrulestatus) array_ | list of fine grained access control rules |  |  |
+| `links` _object (keys:string, values:string)_ | Links contains referencing links to the application credential |  |  |
+
+
+#### ApplicationCredentialSpec
+
+
+
+ApplicationCredentialSpec defines the desired state of an ORC object.
+
+
+
+_Appears in:_
+- [ApplicationCredential](#applicationcredential)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `import` _[ApplicationCredentialImport](#applicationcredentialimport)_ | import refers to an existing OpenStack resource which will be imported instead of<br />creating a new one. |  | MaxProperties: 1 <br />MinProperties: 1 <br /> |
+| `resource` _[ApplicationCredentialResourceSpec](#applicationcredentialresourcespec)_ | resource specifies the desired state of the resource.<br />resource may not be specified if the management policy is `unmanaged`.<br />resource must be specified if the management policy is `managed`. |  |  |
+| `managementPolicy` _[ManagementPolicy](#managementpolicy)_ | managementPolicy defines how ORC will treat the object. Valid values are<br />`managed`: ORC will create, update, and delete the resource; `unmanaged`:<br />ORC will import an existing resource, and will not apply updates to it or<br />delete it. | managed | Enum: [managed unmanaged] <br /> |
+| `managedOptions` _[ManagedOptions](#managedoptions)_ | managedOptions specifies options which may be applied to managed objects. |  |  |
+| `cloudCredentialsRef` _[CloudCredentialsReference](#cloudcredentialsreference)_ | cloudCredentialsRef points to a secret containing OpenStack credentials |  |  |
+
+
+#### ApplicationCredentialStatus
+
+
+
+ApplicationCredentialStatus defines the observed state of an ORC resource.
+
+
+
+_Appears in:_
+- [ApplicationCredential](#applicationcredential)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `conditions` _[Condition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/#condition-v1-meta) array_ | conditions represents the observed status of the object.<br />Known .status.conditions.type are: "Available", "Progressing"<br />Available represents the availability of the OpenStack resource. If it is<br />true then the resource is ready for use.<br />Progressing indicates whether the controller is still attempting to<br />reconcile the current state of the OpenStack resource to the desired<br />state. Progressing will be False either because the desired state has<br />been achieved, or because some terminal error prevents it from ever being<br />achieved and the controller is no longer attempting to reconcile. If<br />Progressing is True, an observer waiting on the resource should continue<br />to wait. |  | MaxItems: 32 <br /> |
+| `id` _string_ | id is the unique identifier of the OpenStack resource. |  |  |
+| `resource` _[ApplicationCredentialResourceStatus](#applicationcredentialresourcestatus)_ | resource contains the observed state of the OpenStack resource. |  |  |
+
+
 #### AvailabilityZoneHint
 
 _Underlying type:_ _string_
@@ -163,6 +382,7 @@ CloudCredentialsReference is a reference to a secret containing OpenStack creden
 
 
 _Appears in:_
+- [ApplicationCredentialSpec](#applicationcredentialspec)
 - [DomainSpec](#domainspec)
 - [FlavorSpec](#flavorspec)
 - [FloatingIPSpec](#floatingipspec)
@@ -892,6 +1112,31 @@ _Appears in:_
 | `resource` _[GroupResourceStatus](#groupresourcestatus)_ | resource contains the observed state of the OpenStack resource. |  |  |
 
 
+#### HTTPMethod
+
+_Underlying type:_ _string_
+
+
+
+_Validation:_
+- Enum: [CONNECT DELETE GET HEAD OPTIONS PATCH POST PUT TRACE]
+
+_Appears in:_
+- [ApplicationCredentialAccessRule](#applicationcredentialaccessrule)
+
+| Field | Description |
+| --- | --- |
+| `CONNECT` |  |
+| `DELETE` |  |
+| `GET` |  |
+| `HEAD` |  |
+| `OPTIONS` |  |
+| `PATCH` |  |
+| `POST` |  |
+| `PUT` |  |
+| `TRACE` |  |
+
+
 #### HostRoute
 
 
@@ -1676,6 +1921,7 @@ _Appears in:_
 
 
 _Appears in:_
+- [ApplicationCredentialSpec](#applicationcredentialspec)
 - [DomainSpec](#domainspec)
 - [FlavorSpec](#flavorspec)
 - [FloatingIPSpec](#floatingipspec)
@@ -1710,6 +1956,7 @@ _Validation:_
 - Enum: [managed unmanaged]
 
 _Appears in:_
+- [ApplicationCredentialSpec](#applicationcredentialspec)
 - [DomainSpec](#domainspec)
 - [FlavorSpec](#flavorspec)
 - [FloatingIPSpec](#floatingipspec)
@@ -2003,6 +2250,9 @@ _Validation:_
 - Pattern: `^[^,]+$`
 
 _Appears in:_
+- [ApplicationCredentialAccessRole](#applicationcredentialaccessrole)
+- [ApplicationCredentialFilter](#applicationcredentialfilter)
+- [ApplicationCredentialResourceSpec](#applicationcredentialresourcespec)
 - [FlavorFilter](#flavorfilter)
 - [FlavorResourceSpec](#flavorresourcespec)
 - [ImageFilter](#imagefilter)