diff --git a/Dockerfile b/Dockerfile
index 005e2eb..8d159b5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # Build the manager binary
-FROM golang:1.23 as builder
+FROM golang:1.23 AS builder
 
 ARG GOARCH
 
diff --git a/Makefile b/Makefile
index 8265b41..c02e2c3 100644
--- a/Makefile
+++ b/Makefile
@@ -7,6 +7,9 @@ IMG ?= controller:latest
 SHELL = /usr/bin/env bash -o pipefail
 .SHELLFLAGS = -ec
 
+GOARCH  := $(shell go env GOARCH)
+GOOS    := $(shell go env GOOS)
+
 .PHONY: all
 all: build
 
@@ -130,6 +133,9 @@ LOCAL_BIN ?= $(shell pwd)/bin
 $(LOCAL_BIN):
 	mkdir -p $(LOCAL_BIN)
 
+# curl retries
+CURL_RETRIES=3
+
 ## Tools locations
 ADDLICENSE ?= $(LOCAL_BIN)/addlicense
 CONTROLLER_GEN ?= $(LOCAL_BIN)/controller-gen
@@ -148,13 +154,15 @@ MODELS_SCHEMA ?= $(LOCAL_BIN)/models-schema
 VGOPATH ?= $(LOCAL_BIN)/vgopath
 GEN_CRD_API_REFERENCE_DOCS ?= $(LOCAL_BIN)/gen-crd-api-reference-docs
 KUSTOMIZE ?= $(LOCAL_BIN)/kustomize
+KUBECTL ?= $(LOCAL_BIN)/kubectl-$(ENVTEST_K8S_VERSION)
+KUBECTL_BIN ?= $(LOCAL_BIN)/kubectl
 
 ## Tools versions
 ADDLICENSE_VERSION ?= v1.1.1
 CONTROLLER_GEN_VERSION ?= v0.14.0
 GOLANGCI_LINT_VERSION ?= v1.55.2
 GOIMPORTS_VERSION ?= v0.16.1
-ENVTEST_K8S_VERSION ?= 1.28.3
+ENVTEST_K8S_VERSION ?= 1.31.0
 CODE_GENERATOR_VERSION ?= v0.28.3
 VGOPATH_VERSION ?= v0.1.3
 GEN_CRD_API_REFERENCE_DOCS_VERSION ?= v0.3.0
@@ -249,3 +257,29 @@ $(INFORMER_GEN): $(LOCAL_BIN)
 kustomize: $(KUSTOMIZE)
 $(KUSTOMIZE): $(LOCAL_BIN)
 	@test -s $(KUSTOMIZE) || GOBIN=$(LOCAL_BIN) go install sigs.k8s.io/kustomize/kustomize/v4@$(KUSTOMIZE_VERSION)
+
+.PHONY: kubectl
+kubectl: $(KUBECTL) ## Download kubectl locally if necessary.
+$(KUBECTL): $(LOCAL_BIN)
+	curl --retry $(CURL_RETRIES) -fsL https://dl.k8s.io/release/v$(ENVTEST_K8S_VERSION)/bin/$(GOOS)/$(GOARCH)/kubectl -o $(KUBECTL)
+	ln -sf "$(KUBECTL)" "$(KUBECTL_BIN)"
+	chmod +x "$(KUBECTL_BIN)" "$(KUBECTL)"
+
+## --------------------------------------
+## Tilt / Kind
+## --------------------------------------
+
+KIND_CLUSTER_NAME ?= ipam
+
+.PHONY: kind-create
+kind-create: $(ENVTEST) ## create ipam kind cluster if needed
+	./scripts/kind-with-registry.sh
+
+.PHONY: kind-delete
+kind-delete: ## Destroys the "ipam" kind cluster.
+	kind delete cluster --name=$(KIND_CLUSTER_NAME)
+	docker stop kind-registry && docker rm kind-registry
+
+.PHONY: tilt-up
+tilt-up: $(ENVTEST) $(KUSTOMIZE) $(KUBECTL) kind-create ## start tilt and build kind cluster if needed
+	EXP_CLUSTER_RESOURCE_SET=true tilt up
diff --git a/Tiltfile b/Tiltfile
new file mode 100644
index 0000000..ed7575d
--- /dev/null
+++ b/Tiltfile
@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+#// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and IronCore contributors
+#// SPDX-License-Identifier: Apache-2.0
+
+update_settings(k8s_upsert_timeout_secs=60)  # on first tilt up, often can take longer than 30 seconds
+
+settings = {
+    "allowed_contexts": [
+        "kind-ipam"
+    ],
+    "kubectl": "./bin/kubectl",
+    "cert_manager_version": "v1.15.3",
+}
+
+kubectl = settings.get("kubectl")
+
+if "allowed_contexts" in settings:
+    allow_k8s_contexts(settings.get("allowed_contexts"))
+
+def deploy_cert_manager():
+    version = settings.get("cert_manager_version")
+    print("Installing cert-manager")
+    local("{} apply -f https://github.com/cert-manager/cert-manager/releases/download/{}/cert-manager.yaml".format(kubectl, version), quiet=True, echo_off=True)
+
+    print("Waiting for cert-manager to start")
+    local("{} wait --for=condition=Available --timeout=300s -n cert-manager deployment/cert-manager".format(kubectl), quiet=True, echo_off=True)
+    local("{} wait --for=condition=Available --timeout=300s -n cert-manager deployment/cert-manager-cainjector".format(kubectl), quiet=True, echo_off=True)
+    local("{} wait --for=condition=Available --timeout=300s -n cert-manager deployment/cert-manager-webhook".format(kubectl), quiet=True, echo_off=True)
+
+def waitforsystem():
+    print("Waiting for ipam-operator to start")
+    local("{} wait --for=condition=ready --timeout=300s -n ipam-system pod --all".format(kubectl), quiet=False, echo_off=True)
+
+##############################
+# Actual work happens here
+##############################
+
+deploy_cert_manager()
+
+docker_build('ironcore-dev/ipam', '.')
+
+yaml = kustomize('./config/default')
+
+k8s_yaml(yaml)
+
+k8s_yaml('./config/samples/ipam_v1alpha1_network.yaml')
+k8s_resource(
+    objects=['network-sample:network'],
+    new_name='network-sample',
+    trigger_mode=TRIGGER_MODE_MANUAL,
+    auto_init=False
+)
+
+k8s_yaml('./config/samples/ipam_v1alpha1_ipv4_child_cidr_subnet.yaml')
+k8s_resource(
+    objects=['ipv4-child-cidr-subnet-sample:subnet'],
+    new_name='ipv4-child-cidr-subnet-sample',
+    trigger_mode=TRIGGER_MODE_MANUAL,
+    auto_init=False
+)
+
+k8s_yaml('./config/samples/ipam_v1alpha1_ipv4_ip.yaml')
+k8s_resource(
+    objects=['ipv4-ip-sample:ip'],
+    new_name='ipv4-ip-sample',
+    trigger_mode=TRIGGER_MODE_MANUAL,
+    auto_init=False
+)
diff --git a/config/samples/ipam_v1alpha1_ipv4_child_cidr_subnet.yaml b/config/samples/ipam_v1alpha1_ipv4_child_cidr_subnet.yaml
index 6c18d57..0241a2b 100644
--- a/config/samples/ipam_v1alpha1_ipv4_child_cidr_subnet.yaml
+++ b/config/samples/ipam_v1alpha1_ipv4_child_cidr_subnet.yaml
@@ -5,7 +5,8 @@ metadata:
 spec:
   cidr: "10.0.0.0/16"
   parentSubnetName: "ipv4-parent-cidr-subnet-sample"
-  networkName: network-sample
+  network:
+    name: network-sample
   regions:
     - name: euw
       availabilityZones:
diff --git a/config/samples/ipam_v1alpha1_ipv4_ip.yaml b/config/samples/ipam_v1alpha1_ipv4_ip.yaml
index d67cd8e..66a2b6b 100644
--- a/config/samples/ipam_v1alpha1_ipv4_ip.yaml
+++ b/config/samples/ipam_v1alpha1_ipv4_ip.yaml
@@ -3,4 +3,5 @@ kind: IP
 metadata:
   name: ipv4-ip-sample
 spec:
-  subnetName: ipv4-child-cidr-subnet-sample
+  subnet:
+    name: ipv4-child-cidr-subnet-sample
diff --git a/scripts/kind-with-registry.sh b/scripts/kind-with-registry.sh
new file mode 100755
index 0000000..9734fa8
--- /dev/null
+++ b/scripts/kind-with-registry.sh
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+#// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and IronCore contributors
+#// SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+
+REPO_ROOT=$(dirname "${BASH_SOURCE[0]}")/..
+KUBECTL=$REPO_ROOT/bin/kubectl
+
+# desired kind cluster name; default is "ipam"
+KIND_CLUSTER_NAME="${KIND_CLUSTER_NAME:-ipam}"
+
+if [[ "$(kind get clusters)" =~ .*"${KIND_CLUSTER_NAME}".* ]]; then
+  echo "cluster already exists, moving on"
+  exit 0
+fi
+
+reg_name='kind-registry'
+reg_port="${KIND_REGISTRY_PORT:-5000}"
+
+# create registry container unless it already exists
+running="$(docker inspect -f '{{.State.Running}}' "${reg_name}" 2>/dev/null || true)"
+if [ "${running}" != 'true' ]; then
+  docker run -d --restart=always -p "127.0.0.1:${reg_port}:5000" --name "${reg_name}" registry:2
+fi
+
+# create a cluster with the local registry enabled in containerd
+cat <<EOF | kind create cluster --name "${KIND_CLUSTER_NAME}" --config=-
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+containerdConfigPatches:
+- |-
+  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:${reg_port}"]
+    endpoint = ["http://${reg_name}:5000"]
+EOF
+
+# connect the registry to the cluster network
+# (the network may already be connected)
+docker network connect "kind" "${reg_name}" || true
+
+# Document the local registry
+# https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/generic/1755-communicating-a-local-registry
+cat <<EOF | "${KUBECTL}" apply --namespace=kube-public -f -
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: local-registry-hosting
+  namespace: kube-public
+data:
+  localRegistryHosting.v1: |
+    host: "localhost:${reg_port}"
+    help: "https://kind.sigs.k8s.io/docs/user/local-registry/"
+EOF
+
+"${KUBECTL}" wait node "${KIND_CLUSTER_NAME}-control-plane" --for=condition=ready --timeout=90s