diff --git a/src/main/helm/templates/_helpers.tpl b/src/main/helm/templates/_helpers.tpl
index 46af0a151e0f6c014989a5cbb0dfa57a3410bbfa..d59b652ef42c838efa9acc93c794dc93d864c8c9 100644
--- a/src/main/helm/templates/_helpers.tpl
+++ b/src/main/helm/templates/_helpers.tpl
@@ -3,19 +3,23 @@
 {{- printf "%s-%s.%s" (.Values.ozgcloud).bezeichner (.Values.ozgcloud).adminDomainSuffix .Values.baseUrl }}
 {{- end -}}
 
+{{/* Namespace */}}
+{{- define "app.namespace" -}}
+{{- default .Release.Namespace | toString | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
 
 {{/* Default Labels: Helm recommended best-practice labels https://helm.sh/docs/chart_best_practices/labels/ */}}
 {{- define "app.defaultLabels" }}
 app.kubernetes.io/instance: administration
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 app.kubernetes.io/name: {{ .Release.Name }}
-app.kubernetes.io/namespace: {{ .Release.Namespace }}
+app.kubernetes.io/namespace: {{ include "app.namespace" . }}
 helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version }}
 {{- end -}}
 
 {{- define "app.matchLabels" }}
 app.kubernetes.io/name: {{ .Release.Name }}
-app.kubernetes.io/namespace: {{ .Release.Namespace }}
+app.kubernetes.io/namespace: {{ include "app.namespace" . }}
 {{- end -}}
 
 {{- define "app.imagePullSecret" }}
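Review bot: In `app.namespace`, `default .Release.Namespace` is called with a single argument, so it always returns `.Release.Namespace` and the helper adds no override path. If an override value was intended, it is missing as the second argument to `default`; if not, the line can be reduced to `{{- .Release.Namespace | trunc 63 | trimSuffix "-" -}}`. The `{{/* Namespace */}}` comment should state which of the two is meant and that the output feeds resource namespaces and selector labels. The label lines that call the helper render the value unquoted, so an all-digit namespace would be read as a number; `app.kubernetes.io/namespace: {{ include "app.namespace" . | quote }}` avoids that.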
diff --git a/src/main/helm/templates/configmap_bindings_type.yaml b/src/main/helm/templates/configmap_bindings_type.yaml
index b31800e00fdc25ed4a17bbdce9978e9d06281fcf..87ce99270521bccf8a47249d4863e70ea45b8e39 100644
--- a/src/main/helm/templates/configmap_bindings_type.yaml
+++ b/src/main/helm/templates/configmap_bindings_type.yaml
@@ -23,7 +23,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: administration-bindings-type
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "app.namespace" . }}
 data:
   type: |
         ca-certificates
\ No newline at end of file
diff --git a/src/main/helm/templates/deployment.yaml b/src/main/helm/templates/deployment.yaml
index 5c2d3b2202756c2bbb132140f7ef454ee480e178..c5c0cf7411b990d848ab845e1f6a7bff0122472c 100644
--- a/src/main/helm/templates/deployment.yaml
+++ b/src/main/helm/templates/deployment.yaml
@@ -26,7 +26,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ .Release.Name }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "app.namespace" . }}
   labels:
     {{- include "app.defaultLabels" . | indent 4 }}
 spec:
@@ -36,7 +36,7 @@ spec:
   selector:
     matchLabels:
       app.kubernetes.io/name: {{ .Release.Name }}
-      app.kubernetes.io/namespace: {{ .Release.Namespace }}
+      app.kubernetes.io/namespace: {{ include "app.namespace" . }}
   strategy:
     rollingUpdate:
       maxSurge: 1
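Review bot: `spec.selector.matchLabels` on a Deployment is immutable, so the value rendered for `app.kubernetes.io/namespace` here must stay identical to what installed releases already carry. With the helper as written it does, but any later change to the output of `app.namespace` would make `helm upgrade` fail for existing releases. A comment on the helper such as `{{/* Output is used in immutable Deployment selectors; changing it breaks upgrades */}}` would record that. The two inline labels also duplicate the `app.matchLabels` helper in `_helpers.tpl`; `{{- include "app.matchLabels" . | indent 6 }}` would keep them in sync. The spec continues outside this hunk.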
diff --git a/src/main/helm/templates/keycloak-client-crd.yaml b/src/main/helm/templates/keycloak-client-crd.yaml
deleted file mode 100644
index 63c8232459bb4babbfe34daad62cdfef2a7ac45b..0000000000000000000000000000000000000000
--- a/src/main/helm/templates/keycloak-client-crd.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-{{- if not (.Values.sso).disableOzgOperator -}}
-apiVersion: operator.ozgcloud.de/v1
-kind: OzgCloudKeycloakClient
-metadata:
-  name: administration-keycloak-client
-  namespace: {{ .Release.Namespace }}
-spec:
-  keep_after_delete: {{ (.Values.sso).keep_after_delete | default false }}
-  client_name: admin
-  client_base_url: https://{{ include "app.baseDomain" $ }}
-  client_web_origins:
-    - https://{{ include "app.baseDomain" $ }}
-  client_redirect_uris:
-    - https://{{ include "app.baseDomain" $ }}
-    - https://{{ include "app.baseDomain" $ }}/*
-  {{- if ((.Values.sso).client).additional_redirect_uris }}
-    {{- with ((.Values.sso).client).additional_redirect_uris }}
-{{ toYaml . | indent 4 }}
-    {{- end }}
-  {{- end }}
-  {{- if ((.Values.sso).client).client_roles }}
-  client_roles:
-    {{- with ((.Values.sso).client).client_roles }}
-{{ toYaml . | indent 4 }}
-    {{- end }}
-  {{- end }}
-{{- end -}}
\ No newline at end of file
diff --git a/src/main/helm/templates/keycloak_client_crd.yaml b/src/main/helm/templates/keycloak_client_crd.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..12c71b9e5c138ca1fc0d83f38074b52d49310a8a
--- /dev/null
+++ b/src/main/helm/templates/keycloak_client_crd.yaml
@@ -0,0 +1,36 @@
+{{- if not (.Values.sso).disableOzgOperator -}}
+{{ range $client := (.Values.sso).keycloak_clients }}
+---
+apiVersion: operator.ozgcloud.de/v1
+kind: OzgCloudKeycloakClient
+metadata:
+  name: administration-keycloak-client
+  namespace: {{ include "app.namespace" $ }}
+spec:
+  keep_after_delete: {{ $.Values.sso.keep_after_delete | default false }}
+  client_name: {{ $client.client_name }}
+  client_base_url: https://{{ include "app.baseDomain" $ }}  
+
+  client_web_origins:
+    - https://{{ include "app.baseDomain" $ }}
+  {{- if $client.additional_client_web_origins }}
+    {{- with $client.additional_client_web_origins }}
+{{ toYaml . | indent 4 }}
+    {{- end }}
+  {{- end }}
+  client_redirect_uris:
+    - https://{{ include "app.baseDomain" $ }}
+    - https://{{ include "app.baseDomain" $ }}/*
+  {{- if $client.additional_redirect_uris }}
+    {{- with $client.additional_redirect_uris }}
+{{ toYaml . | indent 4 }}
+    {{- end }}
+  {{- end }}
+  {{- if $client.client_roles }}
+  client_roles:
+    {{- with $client.client_roles }}
+{{ toYaml . | indent 4 }}
+    {{- end }}
+  {{- end }}
+{{ end }}
+{{- end -}}
\ No newline at end of file
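Review bot: `metadata.name` is the constant `administration-keycloak-client` inside the `range`, so a second entry in `sso.keycloak_clients` renders two `OzgCloudKeycloakClient` objects with the same name in one namespace, which would conflict. Deriving the name from the entry avoids that, for instance `name: {{ include "app.nameToIdentifier" $client.client_name }}-keycloak-client`, though it renames the existing object; that helper is used the same way in `keycloak_user_crd.yaml` and its definition is not visible here. Separately, an unset or empty `keycloak_clients` now renders no client at all and the old `sso.client.*` keys are ignored without an error, so an upgrade with unmigrated values drops the `admin` client resource; a `required`/`fail` guard or a changelog entry would make that explicit. `client_name: {{ $client.client_name | quote }}` would protect against names that YAML reads as numbers or booleans. The additional web origins and redirect URIs are passed through as given, so the values documentation should state the expected form and discourage wildcard entries.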
diff --git a/src/main/helm/templates/keycloak_user_crd.yaml b/src/main/helm/templates/keycloak_user_crd.yaml
index 8dc497fa1fa9f4707f3ef8457e78db892d83ca42..0144559de10b2edb52816d3a1807415cf6a257c9 100644
--- a/src/main/helm/templates/keycloak_user_crd.yaml
+++ b/src/main/helm/templates/keycloak_user_crd.yaml
@@ -5,7 +5,7 @@ apiVersion: operator.ozgcloud.de/v1
 kind: OzgCloudKeycloakUser
 metadata:
   name: {{ include "app.nameToIdentifier" $user.name }}-keycloak-user
-  namespace: {{ $.Release.Namespace }}
+  namespace: {{ include "app.namespace" $ }}
 spec:
   keep_after_delete: {{ $.Values.sso.keep_after_delete | default false }}
   update_user: {{ $user.update_user | default false }}
diff --git a/src/main/helm/templates/network_policy.yaml b/src/main/helm/templates/network_policy.yaml
index aea305bd8780397e5bf8da332a581523fded2727..0b04539f5f49f11190eeeddf9de4c0fb867e7fd9 100644
--- a/src/main/helm/templates/network_policy.yaml
+++ b/src/main/helm/templates/network_policy.yaml
@@ -3,7 +3,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   name: network-policy-administration
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "app.namespace" . }}
 spec:
   podSelector:
     matchLabels:
diff --git a/src/main/helm/templates/ozgcloud_keycloak_operator_secrets_read_role.yaml b/src/main/helm/templates/ozgcloud_keycloak_operator_secrets_read_role.yaml
index 45514b61090d0c869bd29a6a352b58ad72dfb653..9d8961c699d854c92b3290e4a5cc002cdfa87c34 100644
--- a/src/main/helm/templates/ozgcloud_keycloak_operator_secrets_read_role.yaml
+++ b/src/main/helm/templates/ozgcloud_keycloak_operator_secrets_read_role.yaml
@@ -4,7 +4,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: ozgcloud-keycloak-operator-secrets-read-role-administration
-  namespace: {{ $.Release.Namespace }}
+  namespace: {{ include "app.namespace" $ }}
 rules:
   - apiGroups:
       - "*"
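Review bot: The `apiGroups` entry `- "*"` in the context lines applies this Role's rule to every API group, although the Role is named for reading Secrets, which live in the core group. If the `resources` list is only `secrets`, `- ""` is sufficient and keeps the grant from extending to same-named resources in other groups. The same wildcard appears in `ozgcloud_keycloak_operator_secrets_write_role.yaml`. The rule continues outside the hunk, so the resources and verbs could not be checked here.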
diff --git a/src/main/helm/templates/ozgcloud_keycloak_operator_secrets_read_role_binding.yaml b/src/main/helm/templates/ozgcloud_keycloak_operator_secrets_read_role_binding.yaml
index 813ed63e3c3e2599026885e82c418b88f43d54b1..1250afd39cd7e2308aca88ce232d3955344dc578 100644
--- a/src/main/helm/templates/ozgcloud_keycloak_operator_secrets_read_role_binding.yaml
+++ b/src/main/helm/templates/ozgcloud_keycloak_operator_secrets_read_role_binding.yaml
@@ -4,7 +4,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: ozgcloud-keycloak-operator-secrets-read-role-binding-administration
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "app.namespace" . }}
 subjects:
   - kind: ServiceAccount
     name: ozgcloud-keycloak-operator-serviceaccount
diff --git a/src/main/helm/templates/ozgcloud_keycloak_operator_secrets_write_role.yaml b/src/main/helm/templates/ozgcloud_keycloak_operator_secrets_write_role.yaml
index f8a609002bc284cd12ab42acdb97f096b77bd100..0072fe3e27c98741f13c1b12e45d09eed8a46416 100644
--- a/src/main/helm/templates/ozgcloud_keycloak_operator_secrets_write_role.yaml
+++ b/src/main/helm/templates/ozgcloud_keycloak_operator_secrets_write_role.yaml
@@ -4,7 +4,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: ozgcloud-keycloak-operator-secrets-write-role-administration
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "app.namespace" . }}
 rules:
   - apiGroups:
       - "*"
diff --git a/src/main/helm/templates/ozgcloud_keycloak_operator_secrets_write_role_binding.yaml b/src/main/helm/templates/ozgcloud_keycloak_operator_secrets_write_role_binding.yaml
index 2a1e624fbf66480ba9615ef3d7a939f3359d1418..ef069bf242a03deeeeece74f2fbcdb4fc3c33cfe 100644
--- a/src/main/helm/templates/ozgcloud_keycloak_operator_secrets_write_role_binding.yaml
+++ b/src/main/helm/templates/ozgcloud_keycloak_operator_secrets_write_role_binding.yaml
@@ -4,7 +4,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: ozgcloud-keycloak-operator-secrets-write-role-binding-administration
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "app.namespace" . }}
 subjects:
   - kind: ServiceAccount
     name: ozgcloud-keycloak-operator-serviceaccount
diff --git a/src/main/helm/templates/service.yaml b/src/main/helm/templates/service.yaml
index a6837725c8e260351db24061f5ec27a6bda93690..37c04166dcb350a192777039da660e0690ae1305 100644
--- a/src/main/helm/templates/service.yaml
+++ b/src/main/helm/templates/service.yaml
@@ -25,7 +25,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ .Release.Name }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "app.namespace" . }}
   labels:
     {{- include "app.defaultLabels" . | indent 4 }}
     component: administration-service
diff --git a/src/test/helm/keycloak_client_crd_test.yaml b/src/test/helm/keycloak_client_crd_test.yaml
index 03f8d1c5d3e6822eb601c4d11b8205c5c1796e82..47e90d4d0dd42abd6bd85d67ad1b223d2eed5abe 100644
--- a/src/test/helm/keycloak_client_crd_test.yaml
+++ b/src/test/helm/keycloak_client_crd_test.yaml
@@ -27,7 +27,7 @@ release:
   name: administration
   namespace: by-helm-test
 templates:
-  - templates/keycloak-client-crd.yaml
+  - templates/keycloak_client_crd.yaml
 set:
   ozgcloud:
     bundesland: by
@@ -35,12 +35,20 @@ set:
     environment: test
 tests:
   - it: should contain header data
+    set:
+      sso:
+        keycloak_clients:
+          - client_name: admin
     asserts:
       - isAPIVersion:
           of: operator.ozgcloud.de/v1
       - isKind:
           of: OzgCloudKeycloakClient
   - it: should have metadata
+    set:
+      sso:
+        keycloak_clients:
+          - client_name: admin
     asserts:
       - equal:
           path: metadata.name
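Review bot: The same `set: sso: keycloak_clients: - client_name: admin` block is added to each test here and in the following hunks. It could be declared once in the suite-level `set:` next to `ozgcloud:`, leaving a per-test `set` only where a test adds fields to the entry. Whether a per-test list replaces or merges with the suite-level one should be checked against the test runner's merge behaviour. The second test's asserts continue outside this hunk.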
@@ -49,6 +57,10 @@ tests:
           path: metadata.namespace
           value: by-helm-test
   - it: should set keep after delete default to false
+    set:
+      sso:
+        keycloak_clients:
+          - client_name: admin
     asserts:
       - equal:
           path: spec.keep_after_delete
@@ -57,39 +69,73 @@ tests:
     set:
       sso:
         keep_after_delete: true
+        keycloak_clients:
+          - client_name: admin
     asserts:
       - equal:
           path: spec.keep_after_delete
           value: true
   - it: has client name value
+    set:
+      sso:
+        keycloak_clients:
+          - client_name: admin
     asserts:
       - equal:
           path: spec.client_name
           value: admin
   - it: should set client base url
+    set:
+      sso:
+        keycloak_clients:
+          - client_name: admin
     asserts:
       - equal:
           path: spec.client_base_url
           value: https://helm-admin.ozg-sh.de
   - it: should set client redirect uris
+    set:
+      sso:
+        keycloak_clients:
+          - client_name: admin
     asserts:
       - equal:
           path: spec.client_web_origins
           value:
             - https://helm-admin.ozg-sh.de
   - it: should set client web origins
+    set:
+      sso:
+        keycloak_clients:
+          - client_name: admin
     asserts:
       - equal:
           path: spec.client_redirect_uris
           value:
             - https://helm-admin.ozg-sh.de
             - https://helm-admin.ozg-sh.de/*
+  - it: should use additional client web origins
+    set:
+      sso:
+        keycloak_clients:
+          - client_name: admin
+            additional_client_web_origins:
+              - https://some.origin.de
+              - https://some.other.origin.de
+    asserts:
+      - equal:
+          path: spec.client_web_origins
+          value:
+            - https://helm-admin.ozg-sh.de
+            - https://some.origin.de
+            - https://some.other.origin.de
   - it: should use additional redirect uris for client web origins
     set:
       sso:
-        client:
-          additional_redirect_uris:
-            - https://additional.url.de
+        keycloak_clients:
+          - client_name: admin
+            additional_redirect_uris:
+              - https://additional.url.de
     asserts:
       - equal:
           path: spec.client_redirect_uris
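Review bot: Every case in this suite sets exactly one entry in `sso.keycloak_clients`, so the new `range` is never exercised with two clients or with an empty list. A case with two entries asserting `hasDocuments` with `count: 2` and distinct `metadata.name` values, plus one without `keycloak_clients` asserting `count: 0`, would pin the loop's behaviour. With the template as written, the two-client case would show both documents named `administration-keycloak-client`. The titles 'should set client redirect uris' and 'should set client web origins' are also swapped relative to the paths they assert. The last test's asserts continue outside this hunk.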
@@ -100,7 +146,9 @@ tests:
   - it: should not create client cr if ozg operator is disabled
     set:
       sso:
+        keycloak_clients:
+          - client_name: admin
         disableOzgOperator: true
     asserts:
       - hasDocuments:
-          count: 0
\ No newline at end of file
+          count: 0