diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml
index 086e377..161b938 100644
--- a/.github/workflows/selftest.yml
+++ b/.github/workflows/selftest.yml
@@ -15,5 +15,5 @@ jobs:
           path: e2e
       - uses: ./e2e
         with:
-          controller-ref: main
+          controller-ref: oidc-ca
           jumpstarter-ref: main
diff --git a/action.yml b/action.yml
index f7b4509..687e774 100644
--- a/action.yml
+++ b/action.yml
@@ -30,36 +30,12 @@ runs:
     - name: Deploy dex
       shell: bash
       run: |
-        go run github.com/cloudflare/cfssl/cmd/cfssl@latest gencert -initca "$GITHUB_ACTION_PATH"/ca-csr.json | \
-          go run github.com/cloudflare/cfssl/cmd/cfssljson@latest -bare ca -
-        go run github.com/cloudflare/cfssl/cmd/cfssl@latest gencert -ca=ca.pem -ca-key=ca-key.pem \
-          -config="$GITHUB_ACTION_PATH"/ca-config.json -profile=www "$GITHUB_ACTION_PATH"/dex-csr.json | \
-          go run github.com/cloudflare/cfssl/cmd/cfssljson@latest -bare server
-
-        cp "$GITHUB_ACTION_PATH"/kind_cluster.yaml ./controller/hack/kind_cluster.yaml
         make -C controller cluster
 
-        kubectl create namespace dex
-        kubectl -n dex create secret tls dex-tls \
-          --cert=server.pem \
-          --key=server-key.pem
-
-        go run github.com/mikefarah/yq/v4@latest -i \
-          '.jumpstarter-controller.config.authentication.jwt[0].issuer.certificateAuthority = load_str("ca.pem")' \
-          "$GITHUB_ACTION_PATH"/values.kind.yaml
-
         # important!
         kubectl create clusterrolebinding oidc-reviewer  \
          --clusterrole=system:service-account-issuer-discovery \
          --group=system:unauthenticated
-
-        helm repo add dex https://charts.dexidp.io
-        helm install --namespace dex --wait -f "$GITHUB_ACTION_PATH"/dex.values.yaml dex dex/dex
-
-        sudo cp ca.pem /usr/local/share/ca-certificates/dex.crt
-        sudo update-ca-certificates
-
-        echo "127.0.0.1 dex.dex.svc.cluster.local" | sudo tee -a /etc/hosts
     - name: Deploy jumpstarter controller
       shell: bash
       run: |
@@ -77,107 +53,6 @@ runs:
     - name: Run jumpstarter
       shell: bash
       run: |
-        ENDPOINT=$(helm get values jumpstarter --output json | jq -r '."jumpstarter-controller".grpc.endpoint')
-
-        sudo mkdir -p /etc/jumpstarter/exporters
-        sudo chown $USER /etc/jumpstarter/exporters
-
-        . .venv/bin/activate
-
-        export JUMPSTARTER_GRPC_INSECURE=1
-
-        kubectl create -n default sa test-client-sa
-        kubectl create -n default sa test-exporter-sa
-
-        jmp admin create client   test-client-oidc     --unsafe --out /dev/null \
-          --oidc-username dex:test-client-oidc
-        jmp admin create client   test-client-sa       --unsafe --out /dev/null \
-          --oidc-username dex:system:serviceaccount:default:test-client-sa
-        jmp admin create client   test-client-legacy   --unsafe --save
-
-        jmp admin create exporter test-exporter-oidc   --out /dev/null \
-          --oidc-username dex:test-exporter-oidc \
-          --label example.com/board oidc
-        jmp admin create exporter test-exporter-sa     --out /dev/null \
-          --oidc-username dex:system:serviceaccount:default:test-exporter-sa \
-          --label example.com/board sa
-        jmp admin create exporter test-exporter-legacy --save \
-          --label example.com/board legacy
-
-        jmp config client   list
-        jmp config exporter list
-
-        jmp login --client test-client-oidc \
-          --endpoint "$ENDPOINT" --namespace default --name test-client-oidc \
-          --issuer https://dex.dex.svc.cluster.local:5556 \
-          --username test-client-oidc@example.com --password password --unsafe
-
-        jmp login --client test-client-sa \
-          --endpoint "$ENDPOINT" --namespace default --name test-client-sa \
-          --issuer https://dex.dex.svc.cluster.local:5556 \
-          --connector-id kubernetes \
-          --token $(kubectl create -n default token test-client-sa) --unsafe
-
-        jmp login --exporter test-exporter-oidc \
-          --endpoint "$ENDPOINT" --namespace default --name test-exporter-oidc \
-          --issuer https://dex.dex.svc.cluster.local:5556 \
-          --username test-exporter-oidc@example.com --password password
-
-        jmp login --exporter test-exporter-sa \
-          --endpoint "$ENDPOINT" --namespace default --name test-exporter-sa \
-          --issuer https://dex.dex.svc.cluster.local:5556 \
-          --connector-id kubernetes \
-          --token $(kubectl create -n default token test-exporter-sa)
-
-        go run github.com/mikefarah/yq/v4@latest -i ". * load(\"$GITHUB_ACTION_PATH/exporter.yaml\")" \
-          /etc/jumpstarter/exporters/test-exporter-oidc.yaml
-        go run github.com/mikefarah/yq/v4@latest -i ". * load(\"$GITHUB_ACTION_PATH/exporter.yaml\")" \
-          /etc/jumpstarter/exporters/test-exporter-sa.yaml
-        go run github.com/mikefarah/yq/v4@latest -i ". * load(\"$GITHUB_ACTION_PATH/exporter.yaml\")" \
-          /etc/jumpstarter/exporters/test-exporter-legacy.yaml
-
-        jmp config client list
-        jmp config exporter list
-
-        jmp run --exporter test-exporter-oidc &
-        jmp run --exporter test-exporter-sa &
-        jmp run --exporter test-exporter-legacy &
-
-        kubectl -n default wait --for=condition=Online exporters.jumpstarter.dev/test-exporter-oidc
-        kubectl -n default wait --for=condition=Online exporters.jumpstarter.dev/test-exporter-sa
-        kubectl -n default wait --for=condition=Online exporters.jumpstarter.dev/test-exporter-legacy
-
-        jmp config client use test-client-oidc
-
-        jmp create lease     --selector example.com/board=oidc --duration 1d
-        jmp get    leases
-        jmp get    exporters
-        jmp delete leases    --all
-
-        jmp admin get client
-        jmp admin get exporter
-        jmp admin get lease
-
-        jmp run --exporter test-exporter-oidc &
-        kubectl -n default wait --for=condition=Online exporters.jumpstarter.dev/test-exporter-oidc
-
-        jmp shell --client test-client-oidc --selector example.com/board=oidc <<EOF
-        j power on
-        EOF
-
-        jmp shell --client test-client-sa --selector example.com/board=sa <<EOF
-        j power on
-        EOF
-
-        jmp shell --client test-client-legacy --selector example.com/board=legacy <<EOF
-        j power on
-        EOF
-
-        kubectl -n default get secret test-client-oidc-client
-        kubectl -n default get secret test-exporter-oidc-exporter
-
-        jmp admin delete client   test-client-oidc -d
-        jmp admin delete exporter test-exporter-oidc -d
+        kubectl -n default apply      -f "$GITHUB_ACTION_PATH"/qemu-exporter-statefulset.yaml
 
-        ! kubectl -n default get secret test-client-oidc-client
-        ! kubectl -n default get secret test-exporter-oidc-exporter
+        kubectl -n default rollout status --watch statefulset qemu-exporter --timeout 600s
diff --git a/ca-config.json b/ca-config.json
deleted file mode 100644
index e3e997a..0000000
--- a/ca-config.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
-    "signing": {
-        "default": {
-            "expiry": "168h"
-        },
-        "profiles": {
-            "www": {
-                "expiry": "8760h",
-                "usages": [
-                    "signing",
-                    "key encipherment",
-                    "server auth"
-                ]
-            },
-            "client": {
-                "expiry": "8760h",
-                "usages": [
-                    "signing",
-                    "key encipherment",
-                    "client auth"
-                ]
-            }
-        }
-    }
-}
-
diff --git a/ca-csr.json b/ca-csr.json
deleted file mode 100644
index b927a1d..0000000
--- a/ca-csr.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
-    "CN": "example.net",
-    "hosts": [
-        "example.net",
-        "www.example.net"
-    ],
-    "key": {
-        "algo": "ecdsa",
-        "size": 256
-    },
-    "names": [
-        {
-            "C": "US",
-            "ST": "CA",
-            "L": "San Francisco"
-        }
-    ]
-}
-
diff --git a/dex-csr.json b/dex-csr.json
deleted file mode 100644
index 860c7b2..0000000
--- a/dex-csr.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
-    "CN": "dex.dex.svc.cluster.local",
-    "hosts": [
-        "dex.dex.svc.cluster.local"
-    ],
-    "key": {
-        "algo": "ecdsa",
-        "size": 256
-    },
-    "names": [
-        {
-            "C": "US",
-            "ST": "CA",
-            "L": "San Francisco"
-        }
-    ]
-}
-
diff --git a/dex.values.yaml b/dex.values.yaml
deleted file mode 100644
index ee43f1e..0000000
--- a/dex.values.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-https:
-  enabled: true
-config:
-  issuer: https://dex.dex.svc.cluster.local:5556
-  web:
-    tlsCert: /etc/dex/tls/tls.crt
-    tlsKey: /etc/dex/tls/tls.key
-  storage:
-    type: kubernetes
-    config:
-      inCluster: true
-  staticClients:
-    - id: jumpstarter-cli
-      name: Jumpstarter CLI
-      public: true
-  oauth2:
-    responseTypes: ["code", "token", "id_token", "id_token token"]
-    passwordConnector: local
-  enablePasswordDB: true
-  staticPasswords:
-    - email: "test-client-oidc@example.com"
-      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" # password
-      username: "test-client-oidc"
-      userID: "73bca0b9-9be6-4e73-a8fb-347c2ac23255"
-    - email: "test-exporter-oidc@example.com"
-      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" # password
-      username: "test-exporter-oidc"
-      userID: "a4cb4de2-4467-4e5c-a42a-33be8783649d"
-  connectors:
-    - name: kubernetes
-      type: oidc
-      id: kubernetes
-      config:
-        # kubectl get --raw /.well-known/openid-configuration | jq -r '.issuer'
-        issuer: "https://kubernetes.default.svc.cluster.local"
-        rootCAs:
-          - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
-        userNameKey: sub
-        scopes:
-          - profile
-volumes:
-  - name: tls
-    secret:
-      secretName: dex-tls
-volumeMounts:
-  - name: tls
-    mountPath: /etc/dex/tls
-service:
-  type: NodePort
-  ports:
-    http:
-      port: 5554
-    https:
-      port: 5556
-      nodePort: 32000
diff --git a/kind_cluster.yaml b/kind_cluster.yaml
deleted file mode 100644
index 419386c..0000000
--- a/kind_cluster.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-kind: Cluster
-apiVersion: kind.x-k8s.io/v1alpha4
-kubeadmConfigPatches:
-- |
-  kind: ClusterConfiguration
-  apiServer:
-    extraArgs:
-      "service-node-port-range": "3000-32767"
-- |
-  kind: InitConfiguration
-  nodeRegistration:
-    kubeletExtraArgs:
-      node-labels: "ingress-ready=true"
-nodes:
-- role: control-plane
-  extraPortMappings:
-  - containerPort: 80 # ingress controller
-    hostPort: 5080
-    protocol: TCP
-  - containerPort: 30010 # grpc nodeport
-    hostPort: 8082
-    protocol: TCP
-  - containerPort: 30011 # grpc router nodeport
-    hostPort: 8083
-    protocol: TCP
-  - containerPort: 32000 # dex nodeport
-    hostPort: 5556
-    protocol: TCP
-
-  - containerPort: 443
-    hostPort: 5443
-    protocol: TCP
-# if we needed to mount a hostPath volume into the kind cluster, we can do it like this
-#  extraMounts:
-#  - hostPath: ./bin/e2e-certs
-#    containerPath: /tmp/e2e-certs
-  
diff --git a/qemu-exporter-statefulset.yaml b/qemu-exporter-statefulset.yaml
new file mode 100644
index 0000000..f574324
--- /dev/null
+++ b/qemu-exporter-statefulset.yaml
@@ -0,0 +1,108 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: qemu-exporter
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: qemu-exporter-role
+rules:
+  - apiGroups: ["jumpstarter.dev"]
+    resources: ["exporters"]
+    verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: qemu-exporter-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: qemu-exporter-role
+subjects:
+  - kind: ServiceAccount
+    name: qemu-exporter
+    namespace: default # FIXME: make namespace configurable
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: qemu-exporter
+spec:
+  serviceName: qemu-exporter
+  replicas: 3
+  selector:
+    matchLabels:
+      exporter-mock: qemu
+  template:
+    metadata:
+      labels:
+        exporter-mock: qemu
+    spec:
+      serviceAccountName: qemu-exporter
+      restartPolicy: Always
+      volumes:
+        - name: shared
+          emptyDir: {}
+      initContainers:
+        - name: jumpstarter-init
+          image: quay.io/jumpstarter-dev/jumpstarter-utils:latest
+          volumeMounts:
+            - mountPath: /shared
+              name: shared
+          command:
+            - /bin/bash
+            - -c
+            - |
+              set -exo pipefail
+
+              kubectl apply -f - << EOF
+              apiVersion: jumpstarter.dev/v1alpha1
+              kind: Exporter
+              metadata:
+                namespace: $(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
+                name: $(cat /etc/hostname)
+                labels:
+                  example.com/board: qemu
+              spec:
+                username: kubernetes:$(kubectl auth whoami -o jsonpath="{.status.userInfo.username}")
+              EOF
+
+              while [ -z "$ENDPOINT" ]
+              do
+                ENDPOINT=$(kubectl get -n $(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace) \
+                  exporters.jumpstarter.dev $(cat /etc/hostname) -o jsonpath="{.status.endpoint}")
+                sleep 1s
+              done
+              echo "$ENDPOINT" > /shared/endpoint
+      containers:
+        - name: jumpstarter-exporter
+          image: quay.io/ncao/jumpstarter:summit
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - mountPath: /shared
+              name: shared
+          env:
+            - name: JUMPSTARTER_GRPC_INSECURE
+              value: "1"
+          command:
+            - /bin/bash
+            - -c
+            - |
+              set -euxo pipefail
+
+              cat <<EOF > qemu.yaml
+              apiVersion: jumpstarter.dev/v1alpha1
+              kind: ExporterConfig
+              metadata:
+                namespace: $(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
+                name: $(cat /etc/hostname)
+              endpoint: $(cat /shared/endpoint)
+              token: $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+              export:
+                qemu:
+                  type: jumpstarter_driver_qemu.driver.Qemu
+              EOF
+
+              jmp run --exporter-config qemu.yaml
diff --git a/values.kind.yaml b/values.kind.yaml
index baa65f2..6965aa6 100644
--- a/values.kind.yaml
+++ b/values.kind.yaml
@@ -1,21 +1,14 @@
-global:
-  baseDomain: jumpstarter.127.0.0.1.nip.io
-  metrics:
-    enabled: false
-
 jumpstarter-controller:
-  grpc:
-    mode: "ingress"
   config:
     authentication:
       jwt:
-      - issuer:
-          url: https://dex.dex.svc.cluster.local:5556
-          audiences:
-          - jumpstarter-cli
-          audienceMatchPolicy: MatchAny
-          certificateAuthority: placeholder
-        claimMappings:
-          username:
-            claim: "name"
-            prefix: "dex:"
+        - issuer:
+            url: https://kubernetes.default.svc.cluster.local
+            audiences:
+              - https://kubernetes.default.svc.cluster.local
+            audienceMatchPolicy: MatchAny
+            certificateAuthority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+          claimMappings:
+            username:
+              claim: "sub"
+              prefix: "kubernetes:"