diff --git a/internal/controller/group/group.go b/internal/controller/group/group.go
index 28aeb002..59e42e25 100644
--- a/internal/controller/group/group.go
+++ b/internal/controller/group/group.go
@@ -53,7 +53,11 @@ type NoOpService struct{}
 
 var (
 newCloudianService = func(providerConfig *apisv1alpha1.ProviderConfig, authHeader string) (*cloudian.Client, error) {
 // FIXME: Don't require InsecureSkipVerify
- return cloudian.NewClient(providerConfig.Spec.Endpoint, true, authHeader), nil
+ return cloudian.NewClient(
+ providerConfig.Spec.Endpoint,
+ authHeader,
+ cloudian.WithInsecureTLSVerify(true),
+ ), nil
 }
 )
 
diff --git a/internal/sdk/cloudian/sdk.go b/internal/sdk/cloudian/sdk.go
index a7300cb8..52fdac41 100644
--- a/internal/sdk/cloudian/sdk.go
+++ b/internal/sdk/cloudian/sdk.go
@@ -41,14 +41,25 @@ type User struct {
 
 var ErrNotFound = errors.New("not found")
 
-func NewClient(baseUrl string, tlsInsecureSkipVerify bool, authHeader string) *Client {
- return &Client{
- baseURL: baseUrl,
- httpClient: &http.Client{Transport: &http.Transport{
- TLSClientConfig: &tls.Config{InsecureSkipVerify: tlsInsecureSkipVerify}, // nolint:gosec
- }},
+// WithInsecureTLSVerify skips the TLS validation of the server certificate when `insecure` is true.
+func WithInsecureTLSVerify(insecure bool) func(*Client) {
+ return func(c *Client) {
+ c.httpClient = &http.Client{Transport: &http.Transport{
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: insecure}, // nolint:gosec
+ }}
+ }
+}
+
+func NewClient(baseURL string, authHeader string, opts ...func(*Client)) *Client {
+ c := &Client{
+ baseURL: baseURL,
+ httpClient: http.DefaultClient,
 authHeader: authHeader,
 }
+ for _, opt := range opts {
+ opt(c)
+ }
+ return c
 }
 
 // List all users of a group.
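Review bot: The call in `newCloudianService` still passes `cloudian.WithInsecureTLSVerify(true)` unconditionally, so every request from this controller, including the `authHeader` credential, goes over a connection whose server certificate is never checked. Since `NewClient` in sdk.go now starts from `http.DefaultClient`, which verifies certificates, the option could be dropped here or applied only when a setting read from `providerConfig` asks for it. No such field is visible in this hunk, so that would need a ProviderConfig change. Until then the FIXME would be more actionable if it stated the goal, e.g. `// FIXME: TLS verification is disabled for every endpoint; make it configurable via ProviderConfig and verify by default`.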
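Review bot: `WithInsecureTLSVerify` replaces the whole `c.httpClient` with a client built on a zero-value `http.Transport`, so besides turning off certificate checks it drops the `http.DefaultTransport` settings (environment proxy, dial and TLS-handshake timeouts) and would override a client set by any option applied before it. Cloning the default transport changes only the TLS setting: `tr := http.DefaultTransport.(*http.Transport).Clone()`, `tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: insecure} // nolint:gosec`, `c.httpClient = &http.Client{Transport: tr}`. Neither the default nor the option path sets `http.Client.Timeout`, so a stalled endpoint can block a caller unless requests carry a context deadline, which this hunk does not show. `NewClient` is exported and has no doc comment; something like `// NewClient returns a Client for baseURL that verifies TLS certificates unless an option disables it.` would record the new secure default.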