diff --git a/api/v1/onepassworditem_types.go b/api/v1/onepassworditem_types.go
index 296fabe..80c4d45 100644
--- a/api/v1/onepassworditem_types.go
+++ b/api/v1/onepassworditem_types.go
@@ -36,14 +36,35 @@ type OnePasswordItemSpec struct {
 	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
 
-	// Foo is an example field of OnePasswordItem. Edit onepassworditem_types.go to remove/update
-	Foo string `json:"foo,omitempty"`
+	ItemPath string `json:"itemPath,omitempty"`
+}
+
+type OnePasswordItemConditionType string
+
+const (
+	// OnePasswordItemReady means the Kubernetes secret is ready for use.
+	OnePasswordItemReady OnePasswordItemConditionType = "Ready"
+)
+
+type OnePasswordItemCondition struct {
+	// Type of job condition, Completed.
+	Type OnePasswordItemConditionType `json:"type"`
+	// Status of the condition, one of True, False, Unknown.
+	Status metav1.ConditionStatus `json:"status"`
+	// Last time the condition transit from one status to another.
+	// +optional
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
+	// Human-readable message indicating details about last transition.
+	// +optional
+	Message string `json:"message,omitempty"`
 }
 
 // OnePasswordItemStatus defines the observed state of OnePasswordItem
 type OnePasswordItemStatus struct {
 	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
 	// Important: Run "make" to regenerate code after modifying this file
+
+	Conditions []OnePasswordItemCondition `json:"conditions"`
 }
 
 //+kubebuilder:object:root=true
@@ -54,6 +75,8 @@ type OnePasswordItem struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
+	// Kubernetes secret type. More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types
+	Type   string                `json:"type,omitempty"`
 	Spec   OnePasswordItemSpec   `json:"spec,omitempty"`
 	Status OnePasswordItemStatus `json:"status,omitempty"`
 }
diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
index c551fde..1c68279 100644
--- a/api/v1/zz_generated.deepcopy.go
+++ b/api/v1/zz_generated.deepcopy.go
@@ -39,7 +39,7 @@ func (in *OnePasswordItem) DeepCopyInto(out *OnePasswordItem) {
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	out.Spec = in.Spec
-	out.Status = in.Status
+	in.Status.DeepCopyInto(&out.Status)
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OnePasswordItem.
@@ -60,6 +60,22 @@ func (in *OnePasswordItem) DeepCopyObject() runtime.Object {
 	return nil
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OnePasswordItemCondition) DeepCopyInto(out *OnePasswordItemCondition) {
+	*out = *in
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OnePasswordItemCondition.
+func (in *OnePasswordItemCondition) DeepCopy() *OnePasswordItemCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(OnePasswordItemCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OnePasswordItemList) DeepCopyInto(out *OnePasswordItemList) {
 	*out = *in
@@ -110,6 +126,13 @@ func (in *OnePasswordItemSpec) DeepCopy() *OnePasswordItemSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OnePasswordItemStatus) DeepCopyInto(out *OnePasswordItemStatus) {
 	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]OnePasswordItemCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OnePasswordItemStatus.
diff --git a/config/crd/bases/onepassword.com_onepassworditems.yaml b/config/crd/bases/onepassword.com_onepassworditems.yaml
new file mode 100644
index 0000000..5c9e4ca
--- /dev/null
+++ b/config/crd/bases/onepassword.com_onepassworditems.yaml
@@ -0,0 +1,77 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.9.2
+  creationTimestamp: null
+  name: onepassworditems.onepassword.com
+spec:
+  group: onepassword.com
+  names:
+    kind: OnePasswordItem
+    listKind: OnePasswordItemList
+    plural: onepassworditems
+    singular: onepassworditem
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: OnePasswordItem is the Schema for the onepassworditems API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: OnePasswordItemSpec defines the desired state of OnePasswordItem
+            properties:
+              itemPath:
+                type: string
+            type: object
+          status:
+            description: OnePasswordItemStatus defines the observed state of OnePasswordItem
+            properties:
+              conditions:
+                items:
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transit from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    message:
+                      description: Human-readable message indicating details about
+                        last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of job condition, Completed.
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+            required:
+            - conditions
+            type: object
+          type:
+            description: 'Kubernetes secret type. More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types'
+            type: string
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
new file mode 100644
index 0000000..df2f587
--- /dev/null
+++ b/config/rbac/role.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: manager-role
+rules:
+- apiGroups:
+  - onepassword.com
+  resources:
+  - onepassworditems
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - onepassword.com
+  resources:
+  - onepassworditems/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - onepassword.com
+  resources:
+  - onepassworditems/status
+  verbs:
+  - get
+  - patch
+  - update