diff --git a/README.md b/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..3e9d4a91e4d28331197d1b5d09dbdb5370178853
--- /dev/null
+++ b/README.md
@@ -0,0 +1,14 @@
+
+
+# OZG Operator
+
+## Installation
+
+### CRDs im Cluster anlegen
+
+    kubectl apply -f doc/crds/*yaml
+
+### Service Account anlegen
+
+    kubectl apply -f doc/ServiceAccount/*yaml
+
diff --git a/doc/serviceaccount-keycloakuser-read.yaml b/doc/ServiceAccount/serviceaccount-keycloakuser-read.yaml
similarity index 100%
rename from doc/serviceaccount-keycloakuser-read.yaml
rename to doc/ServiceAccount/serviceaccount-keycloakuser-read.yaml
diff --git a/doc/serviceaccount-keycloakuser-write.yaml b/doc/ServiceAccount/serviceaccount-keycloakuser-write.yaml
similarity index 100%
rename from doc/serviceaccount-keycloakuser-write.yaml
rename to doc/ServiceAccount/serviceaccount-keycloakuser-write.yaml
diff --git a/doc/serviceaccount-secrets-read.yaml b/doc/ServiceAccount/serviceaccount-secrets-read.yaml
similarity index 100%
rename from doc/serviceaccount-secrets-read.yaml
rename to doc/ServiceAccount/serviceaccount-secrets-read.yaml
diff --git a/doc/crds/operator.ozgcloud.de_OzgKeycloakRealms.yaml b/doc/crds/operator.ozgcloud.de_OzgKeycloakRealms.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..dd17754b2e4dac2a30c4547c0413b782440b13e0
--- /dev/null
+++ b/doc/crds/operator.ozgcloud.de_OzgKeycloakRealms.yaml
@@ -0,0 +1,44 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: kopkeycloakrealms.api.kop-stack.de
+spec:
+  group: api.kop-stack.de
+  names:
+    kind: OzgKeycloakRealm
+    listKind: OzgKeycloakRealmList
+    plural: ozgkeycloakrealms
+    singular: ozgkeycloakrealm
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: OzgKeycloakRealm is the Schema for the keycloak realms API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec defines the desired state of Keycloak
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+          status:
+            description: Status defines the observed state of Keycloak
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
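Review bot: `metadata.name` is `kopkeycloakrealms.api.kop-stack.de` while `spec.names.plural` is `ozgkeycloakrealms`; the API server requires a CRD's name to be `<plural>.<group>`, so this manifest should fail validation on apply. The group `api.kop-stack.de` also disagrees with the file name `operator.ozgcloud.de_OzgKeycloakRealms.yaml`, which suggests the intended value is `name: ozgkeycloakrealms.<group>` with the group the Java resource class declares (not visible in this diff, please confirm). Separately, `spec` and `status` are both `x-kubernetes-preserve-unknown-fields: true` with no `properties`, so nothing about a realm definition is checked at admission. Listing the known fields with their types would let malformed realm specs be rejected by the API server instead of reaching the operator.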
diff --git a/src/main/java/de/ozgcloud/operator/keycloak/user/KeycloakUserMapper.java b/src/main/java/de/ozgcloud/operator/keycloak/user/KeycloakUserMapper.java
index d64a85eceee9718a11a273d10ae4d85ee9f5d766..b7922444508c717f938b0f7bfb1315b4fe0d1bda 100644
--- a/src/main/java/de/ozgcloud/operator/keycloak/user/KeycloakUserMapper.java
+++ b/src/main/java/de/ozgcloud/operator/keycloak/user/KeycloakUserMapper.java
@@ -67,7 +67,7 @@ interface KeycloakUserMapper {
 	@Named("mapClientRoles")
 	default Map<String, List<String>> mapClientRoles(List<OzgKeycloakUserSpec.KeycloakUserSpecClientRole> clientRoles) {
 		return clientRoles.stream()
-				.collect(Collectors.groupingBy(KeycloakUserSpecClientRole::getName,
-						Collectors.mapping(KeycloakUserSpecClientRole::getRole, Collectors.toList())));
+				.collect(Collectors.groupingBy(KeycloakUserSpecClientRole::getClientName,
+						Collectors.mapping(KeycloakUserSpecClientRole::getRoleName, Collectors.toList())));
 	}
 }
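Review bot: `Collectors.groupingBy` throws a NullPointerException when the classifier returns null, so a single client-role entry without a `clientName` aborts the whole mapping in `mapClientRoles`, and `clientRoles.stream()` fails the same way when the list itself is absent. After the key rename in OzgKeycloakUserSpec, an entry still written with the old `name`/`role` keys may arrive here with null fields, depending on how the deserializer treats unknown properties (not visible in this diff). Because these values decide which Keycloak client roles a user receives, the failure should name the offending field, e.g. `Objects.requireNonNull(role.getClientName(), "client_name is required")` applied per entry before grouping, plus an early `Map.of()` return for a null list if an empty role set is the intended meaning.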
diff --git a/src/main/java/de/ozgcloud/operator/keycloak/user/OzgKeycloakUserSpec.java b/src/main/java/de/ozgcloud/operator/keycloak/user/OzgKeycloakUserSpec.java
index e54b0377064380ddb477be471c2808dd3ecc82ac..cfa46175ff49483906639cf811f7085e3bbcd76b 100644
--- a/src/main/java/de/ozgcloud/operator/keycloak/user/OzgKeycloakUserSpec.java
+++ b/src/main/java/de/ozgcloud/operator/keycloak/user/OzgKeycloakUserSpec.java
@@ -87,12 +87,10 @@ public class OzgKeycloakUserSpec {
 	@AllArgsConstructor
 	public static class KeycloakUserSpecClientRole {
 
-		@JsonProperty("name")
-		// TODO rename to clientName
-		private String name;
+		@JsonProperty("client_name")
+		private String clientName;
 
-		@JsonProperty("role")
-		// TODO rename to roleId
-		private String role;
+		@JsonProperty("role_name")
+		private String roleName;
 	}
 }
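Review bot: Changing the `@JsonProperty` values from `name`/`role` to `client_name`/`role_name` changes the custom resource's wire format, so existing OzgKeycloakUser manifests that use the old keys no longer bind to these fields. If deployed resources must keep working, `@JsonAlias("name")` on `clientName` and `@JsonAlias("role")` on `roleName` would accept both spellings during a transition. The user CRD schema and any documentation listing these keys are not touched in this diff and presumably need the same rename. The removed TODO asked for `roleId` while the field is now `roleName`; a short Javadoc stating that the value is the role's name as defined on the Keycloak client would settle which one is meant. The enclosing class starts outside this hunk.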
diff --git a/src/test/java/de/ozgcloud/operator/keycloak/user/KeycloakUserMapperTest.java b/src/test/java/de/ozgcloud/operator/keycloak/user/KeycloakUserMapperTest.java
index f7cbc2d9af79283f091851a0c720e9f0c12fe63e..6644ddc9e1b062096baefab5d3b3b6b0d6d31809 100644
--- a/src/test/java/de/ozgcloud/operator/keycloak/user/KeycloakUserMapperTest.java
+++ b/src/test/java/de/ozgcloud/operator/keycloak/user/KeycloakUserMapperTest.java
@@ -113,7 +113,7 @@ class KeycloakUserMapperTest {
 					.hasSize(1);
 
 			assertThat(mappedRoles.get(KeycloakUserSpecUserTestFactory.CLIENT_NAME))
-					.contains(KeycloakUserSpecUserTestFactory.ROLE1.getRole(), KeycloakUserSpecUserTestFactory.ROLE2.getRole());
+					.contains(KeycloakUserSpecUserTestFactory.ROLE1.getRoleName(), KeycloakUserSpecUserTestFactory.ROLE2.getRoleName());
 		}
 
 		@Test
@@ -121,7 +121,7 @@ class KeycloakUserMapperTest {
 			var keycloakUser = mapper.toUserRepresentation(OzgKeycloakUserSpecTestFactory.create());
 
 			assertThat(keycloakUser.getClientRoles().get(KeycloakUserSpecUserTestFactory.CLIENT_NAME)).hasSize(2)
-					.contains(KeycloakUserSpecUserTestFactory.ROLE1.getRole(), KeycloakUserSpecUserTestFactory.ROLE2.getRole());
+					.contains(KeycloakUserSpecUserTestFactory.ROLE1.getRoleName(), KeycloakUserSpecUserTestFactory.ROLE2.getRoleName());
 		}
 	}
 
diff --git a/src/test/java/de/ozgcloud/operator/keycloak/user/KeycloakUserSpecUserTestFactory.java b/src/test/java/de/ozgcloud/operator/keycloak/user/KeycloakUserSpecUserTestFactory.java
index 1754a373dd08900cb13db6628ff8437a8427e3bd..cc16319ad77d1b28276486f99c3ea10236de3a4f 100644
--- a/src/test/java/de/ozgcloud/operator/keycloak/user/KeycloakUserSpecUserTestFactory.java
+++ b/src/test/java/de/ozgcloud/operator/keycloak/user/KeycloakUserSpecUserTestFactory.java
@@ -19,8 +19,8 @@ class KeycloakUserSpecUserTestFactory {
 	public static final KeycloakUserSpecUserGroup GROUP2 = KeycloakUserSpecUserGroup.builder().name("GROUP2").build();
 
 	public static final String CLIENT_NAME = "alfa";
-	public static final KeycloakUserSpecClientRole ROLE1 = KeycloakUserSpecClientRole.builder().name(CLIENT_NAME).role("ROLE1").build();
-	public static final KeycloakUserSpecClientRole ROLE2 = KeycloakUserSpecClientRole.builder().name(CLIENT_NAME).role("ROLE2").build();
+	public static final KeycloakUserSpecClientRole ROLE1 = KeycloakUserSpecClientRole.builder().clientName(CLIENT_NAME).roleName("ROLE1").build();
+	public static final KeycloakUserSpecClientRole ROLE2 = KeycloakUserSpecClientRole.builder().clientName(CLIENT_NAME).roleName("ROLE2").build();
 
 	public static KeycloakUserSpecUser create() {
 		return createBuiler().build();