
feat: add provider chart deployment options

Moritz Johner 2 сар өмнө
parent
commit
133823f62c
24 өөрчлөгдсөн 2252 нэмэгдсэн , 151 устгасан
  1. 207 0
      deploy/charts/README.md
  2. 8 0
      deploy/charts/external-secrets/README.md
  3. 62 0
      deploy/charts/external-secrets/templates/_helpers.tpl
  4. 8 0
      deploy/charts/external-secrets/templates/cert-controller-deployment.yaml
  5. 1 0
      deploy/charts/external-secrets/templates/cert-controller-rbac.yaml
  6. 18 0
      deploy/charts/external-secrets/templates/provider-class.yaml
  7. 155 0
      deploy/charts/external-secrets/templates/provider-deployment.yaml
  8. 42 0
      deploy/charts/external-secrets/templates/provider-hpa.yaml
  9. 28 0
      deploy/charts/external-secrets/templates/provider-poddisruptionbudget.yaml
  10. 103 0
      deploy/charts/external-secrets/templates/provider-rbac.yaml
  11. 35 0
      deploy/charts/external-secrets/templates/provider-service.yaml
  12. 25 0
      deploy/charts/external-secrets/templates/provider-serviceaccount.yaml
  13. 30 0
      deploy/charts/external-secrets/templates/provider-servicemonitor.yaml
  14. 33 0
      deploy/charts/external-secrets/templates/rbac.yaml
  15. 586 145
      deploy/charts/external-secrets/tests/__snapshot__/crds_test.yaml.snap
  16. 1 1
      deploy/charts/external-secrets/tests/crds_test.yaml
  17. 21 0
      deploy/charts/external-secrets/tests/provider_class_test.yaml
  18. 40 0
      deploy/charts/external-secrets/tests/provider_rbac_test.yaml
  19. 3 3
      deploy/charts/external-secrets/tests/webhook_test.yaml
  20. 91 0
      deploy/charts/external-secrets/values-test.yaml
  21. 238 0
      deploy/charts/external-secrets/values-with-providers-example.yaml
  22. 298 0
      deploy/charts/external-secrets/values.schema.json
  23. 218 0
      deploy/charts/external-secrets/values.yaml
  24. 1 2
      hack/helm.generate.sh

+ 207 - 0
deploy/charts/README.md

@@ -0,0 +1,207 @@
+# External Secrets Operator V2 - Helm Charts
+
+This directory contains production-ready Helm charts for External Secrets Operator V2.
+
+## Available Charts
+
+### [external-secrets-v2](./external-secrets-v2/)
+
+Main controller chart for External Secrets Operator V2.
+
+**Install**:
+```bash
+helm install external-secrets-v2 ./external-secrets-v2 \
+  --namespace external-secrets-system \
+  --create-namespace
+```
+
+**Features**:
+- Automatic TLS certificate management
+- Leader election for HA
+- Prometheus metrics
+- Security hardening
+- Flexible RBAC
+
+[📖 Chart Documentation](./external-secrets-v2/README.md)
+
+### [external-secrets-v2-provider-aws](./external-secrets-v2-provider-aws/)
+
+AWS Secrets Manager provider for External Secrets Operator V2.
+
+**Install**:
+```bash
+helm install aws-provider ./external-secrets-v2-provider-aws \
+  --namespace external-secrets-system \
+  --set aws.region=us-east-1 \
+  --set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"="arn:aws:iam::ACCOUNT:role/ROLE"
+```
+
+**Features**:
+- IRSA (IAM Roles for Service Accounts) support
+- Connection pooling (50x faster)
+- Auto-scaling support
+- High availability
+
+[📖 Chart Documentation](./external-secrets-v2-provider-aws/README.md)
+
+## Quick Start
+
+### 1. Install Controller
+
+```bash
+helm install external-secrets-v2 ./external-secrets-v2 \
+  --namespace external-secrets-system \
+  --create-namespace \
+  --wait
+```
+
+### 2. Install Provider
+
+```bash
+helm install aws-provider ./external-secrets-v2-provider-aws \
+  --namespace external-secrets-system \
+  --set aws.region=us-east-1 \
+  --set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"="arn:aws:iam::123456789012:role/eso-aws" \
+  --wait
+```
+
+### 3. Verify
+
+```bash
+kubectl get pods -n external-secrets-system
+```
+
+## Documentation
+
+- 📘 [Quick Start Guide](../../examples/v2/helm-quick-start.md)
+- 📗 [Installation Guide](../../docs/guides/helm-v2-installation.md)
+- 📙 [Design Document](../../design/014-helm-charts-implementation.md)
+
+## Testing
+
+Run automated tests:
+
+```bash
+../../hack/test-helm-charts.sh all
+```
+
+## Development
+
+### Lint Charts
+
+```bash
+helm lint ./external-secrets-v2
+helm lint ./external-secrets-v2-provider-aws
+```
+
+### Template Rendering
+
+```bash
+helm template test ./external-secrets-v2 > rendered-controller.yaml
+helm template test ./external-secrets-v2-provider-aws > rendered-provider.yaml
+```
+
+### Dry Run
+
+```bash
+helm install --dry-run test ./external-secrets-v2
+helm install --dry-run test ./external-secrets-v2-provider-aws
+```
+
+## Production Deployment
+
+### High Availability
+
+```yaml
+# values-ha.yaml
+replicaCount: 3
+
+podDisruptionBudget:
+  enabled: true
+  minAvailable: 2
+
+metrics:
+  enabled: true
+  serviceMonitor:
+    enabled: true
+
+affinity:
+  podAntiAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+    - labelSelector:
+        matchLabels:
+          app.kubernetes.io/name: external-secrets-v2
+      topologyKey: kubernetes.io/hostname
+```
+
+```bash
+helm install external-secrets-v2 ./external-secrets-v2 \
+  --namespace external-secrets-system \
+  --create-namespace \
+  -f values-ha.yaml
+```
+
+## GitOps
+
+### ArgoCD
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: external-secrets-v2
+spec:
+  project: default
+  source:
+    repoURL: https://charts.external-secrets.io
+    chart: external-secrets-v2
+    targetRevision: 0.1.0-alpha.1
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: external-secrets-system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
+```
+
+### Flux
+
+```yaml
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: external-secrets-v2
+  namespace: flux-system
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: external-secrets-v2
+      version: 0.1.0-alpha.1
+      sourceRef:
+        kind: HelmRepository
+        name: external-secrets
+  targetNamespace: external-secrets-system
+  install:
+    createNamespace: true
+```
+
+## Chart Versions
+
+| Chart | Version | App Version | Status |
+|-------|---------|-------------|--------|
+| external-secrets-v2 | 0.1.0-alpha.1 | v0.1.0-alpha.1 | Alpha |
+| external-secrets-v2-provider-aws | 0.1.0-alpha.1 | v0.1.0-alpha.1 | Alpha |
+
+## Support
+
+- 🐛 [Report Issues](https://github.com/external-secrets/external-secrets/issues)
+- 💬 [Slack](https://kubernetes.slack.com/messages/external-secrets)
+- 📚 [Documentation](https://external-secrets.io)
+
+## License
+
+Apache 2.0 - See [LICENSE](../../LICENSE)

+ 8 - 0
deploy/charts/external-secrets/README.md

@@ -96,8 +96,11 @@ The command removes all the Kubernetes components associated with the chart and
 | crds.conversion.enabled | bool | `false` | Conversion is disabled by default as we stopped supporting v1alpha1. |
 | crds.createClusterExternalSecret | bool | `true` | If true, create CRDs for Cluster External Secret. If set to false you must also set processClusterExternalSecret: false. |
 | crds.createClusterGenerator | bool | `true` | If true, create CRDs for Cluster Generator. If set to false you must also set processClusterGenerator: false. |
+| crds.createClusterProviderClass | bool | `true` | If true, create CRDs for Cluster Provider Class. |
+| crds.createClusterProviderStore | bool | `true` | If true, create CRDs for Cluster Provider Store. |
 | crds.createClusterPushSecret | bool | `true` | If true, create CRDs for Cluster Push Secret. If set to false you must also set processClusterPushSecret: false. |
 | crds.createClusterSecretStore | bool | `true` | If true, create CRDs for Cluster Secret Store. If set to false you must also set processClusterStore: false. |
+| crds.createProviderStore | bool | `true` | If true, create CRDs for Provider Store. |
 | crds.createPushSecret | bool | `true` | If true, create CRDs for Push Secret. If set to false you must also set processPushSecret: false. |
 | crds.createSecretStore | bool | `true` | If true, create CRDs for Secret Store. If set to false you must also set processSecretStore: false. |
 | crds.unsafeServeV1Beta1 | bool | `false` | If true, enable v1beta1 API version serving for ExternalSecret, ClusterExternalSecret, SecretStore, and ClusterSecretStore CRDs. v1beta1 is deprecated. Only enable this for backward compatibility if you have existing v1beta1 resources. Warning: This flag will be removed on 2026.05.01. |
@@ -180,6 +183,10 @@ The command removes all the Kubernetes components associated with the chart and
 | processClusterStore | bool | `true` | if true, the operator will process cluster store. Else, it will ignore them. |
 | processPushSecret | bool | `true` | if true, the operator will process push secret. Else, it will ignore them. |
 | processSecretStore | bool | `true` | if true, the operator will process secret store. Else, it will ignore them. |
+| providerDefaults | object | `{"affinity":{},"autoscaling":{"enabled":false,"maxReplicas":10,"minReplicas":2,"targetCPUUtilizationPercentage":80,"targetMemoryUtilizationPercentage":80},"health":{"livenessProbe":{"enabled":false,"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":20,"timeoutSeconds":5},"port":8082,"readinessProbe":{"enabled":false,"failureThreshold":3,"initialDelaySeconds":5,"periodSeconds":10,"timeoutSeconds":5}},"metrics":{"enabled":true,"port":8081,"serviceMonitor":{"enabled":false,"interval":"30s","labels":{},"namespace":"","scrapeTimeout":"10s"}},"nodeSelector":{},"podAnnotations":{},"podDisruptionBudget":{"enabled":true,"minAvailable":1},"podLabels":{},"podSecurityContext":{"enabled":true,"fsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}},"priorityClassName":"","replicaCount":2,"resources":{"limits":{"cpu":"200m","memory":"256Mi"},"requests":{"cpu":"50m","memory":"64Mi"}},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"enabled":true,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532},"service":{"annotations":{},"port":8080,"type":"ClusterIP"},"serviceAccount":{"annotations":{},"automount":true,"create":true,"name":""},"tls":{"caSecretName":"external-secrets-v2-ca","certPath":"/etc/provider/certs","enabled":true,"mountCA":true},"tolerations":[],"topologySpreadConstraints":[]}` | Provider defaults configuration Common configuration that is automatically merged with each provider's configuration Individual providers can override any of these defaults by specifying the same keys |
+| providers | object | `{"enabled":false,"list":[]}` | Provider deployment configuration Deploy one or more external secret providers alongside the controller Each provider runs as a separate deployment with its own configuration |
+| providers.enabled | bool | `false` | Enable provider deployments |
+| providers.list | list | `[]` | List of providers to deploy Each provider automatically inherits defaults from providerDefaults above You only need to specify what you want to override |
 | rbac.aggregateToEdit | bool | `true` | Specifies whether permissions are aggregated to the edit ClusterRole |
 | rbac.aggregateToView | bool | `true` | Specifies whether permissions are aggregated to the view ClusterRole |
 | rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
@@ -226,6 +233,7 @@ The command removes all the Kubernetes components associated with the chart and
 | systemAuthDelegator | bool | `false` | If true the system:auth-delegator ClusterRole will be added to RBAC |
 | tolerations | list | `[]` |  |
 | topologySpreadConstraints | list | `[]` |  |
+| v2 | object | `{"enabled":true}` | Experimental v2 out-of-process provider runtime support. Enables ProviderStore / ClusterProviderStore and SecretStore runtimeRef compatibility flows. |
 | vault | object | `{"enableTokenCache":false,"tokenCacheSize":262144}` | Vault token cache configuration |
 | vault.enableTokenCache | bool | `false` | Enable Vault token cache. External secrets will reuse the Vault token without creating a new one on each request. |
 | vault.tokenCacheSize | int | `262144` | Maximum size of Vault token cache. Only used if enableTokenCache is true. |

+ 62 - 0
deploy/charts/external-secrets/templates/_helpers.tpl

@@ -248,6 +248,7 @@ Create the name of the pod disruption budget to use in the webhook
 {{- define "external-secrets.webhookPdbName" -}}
 {{- .Values.webhook.podDisruptionBudget.nameOverride | default (printf "%s-webhook-pdb" (include "external-secrets.fullname" .)) }}
 {{- end }}
+{{/*
 Fail the install if a cluster scoped reconciler is enabled while its namespace scoped counterpart is disabled
 */}}
 {{- define "external-secrets.reconciler-sanity-test" -}}
@@ -278,3 +279,64 @@ Decide whether to render the ServiceMonitor resource.
     {{- fail (printf "Invalid renderMode '%s'. Must be one of: skipIfMissing, failIfMissing, alwaysRender." $mode) -}}
   {{- end -}}
 {{- end -}}
+
+{{/*
+Provider helpers
+*/}}
+{{- define "external-secrets.provider.fullname" -}}
+{{- $providerName := .provider.name | default .provider.type -}}
+{{- printf "%s-provider-%s" (include "external-secrets.fullname" .root) $providerName | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "external-secrets.provider.servicename" -}}
+{{- $providerName := .provider.name | default .provider.type -}}
+{{- printf "provider-%s" $providerName | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{- define "external-secrets.provider.labels" -}}
+helm.sh/chart: {{ include "external-secrets.chart" .root }}
+{{ include "external-secrets.provider.selectorLabels" . }}
+{{- if .root.Chart.AppVersion }}
+app.kubernetes.io/version: {{ .root.Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .root.Release.Service }}
+app.kubernetes.io/component: provider
+external-secrets.io/provider: {{ .provider.type }}
+{{- with .root.Values.commonLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- with .provider.podLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end -}}
+
+{{- define "external-secrets.provider.selectorLabels" -}}
+{{- $providerName := .provider.name | default .provider.type -}}
+app.kubernetes.io/name: {{ include "external-secrets.name" .root }}-provider-{{ $providerName }}
+app.kubernetes.io/instance: {{ .root.Release.Name }}
+{{- end -}}
+
+{{- define "external-secrets.provider.serviceAccountName" -}}
+{{- if .provider.serviceAccount.create -}}
+{{- default (include "external-secrets.provider.fullname" .) .provider.serviceAccount.name -}}
+{{- else -}}
+{{- default "default" .provider.serviceAccount.name -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "external-secrets.provider.image" -}}
+{{- $tag := .provider.image.tag | default .root.Chart.AppVersion -}}
+{{- printf "%s:%s" .provider.image.repository $tag -}}
+{{- end -}}
+
+{{/*
+Merge provider defaults with provider-specific configuration.
+Provider-specific values take precedence over defaults.
+Usage: {{- $provider := include "external-secrets.provider.mergeDefaults" (dict "provider" $provider "root" $root) | fromYaml -}}
+*/}}
+{{- define "external-secrets.provider.mergeDefaults" -}}
+{{- $defaults := .root.Values.providerDefaults | default dict -}}
+{{- $provider := .provider -}}
+{{- $merged := deepCopy $defaults | mustMergeOverwrite (deepCopy $provider) -}}
+{{- $merged | toYaml -}}
+{{- end -}}
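Review bot: The merge in `external-secrets.provider.mergeDefaults` looks inverted relative to its own comment: `deepCopy $defaults | mustMergeOverwrite (deepCopy $provider)` evaluates as `mustMergeOverwrite (deepCopy $provider) (deepCopy $defaults)`, and mergeOverwrite gives precedence to the right-hand argument, so a non-empty default such as `replicaCount: 2` or the `resources` block would clobber a provider's own value (empty/false defaults are skipped by the merge, which may be why the snapshot tests did not catch it). Swapping the operands, `{{- $merged := mustMergeOverwrite (deepCopy $defaults) (deepCopy $provider) -}}`, matches the documented "provider wins" contract; a unit test in which a provider overrides a non-empty default would pin it. Separately, `external-secrets.provider.servicename` yields `provider-<name>` with no release prefix, unlike `provider.fullname`; if that is deliberate because the cert-controller flags consume the bare name, a comment on the define saying so would stop a later "fix" from breaking the contract.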

+ 8 - 0
deploy/charts/external-secrets/templates/cert-controller-deployment.yaml

@@ -92,6 +92,14 @@ spec:
           {{- if .Values.leaderElect }}
           - --enable-leader-election=true
           {{- end }}
+          {{- if and .Values.v2.enabled .Values.providers.enabled }}
+          - --provider-namespace={{ template "external-secrets.namespace" . }}
+            {{- range .Values.providers.list }}
+            {{- if .enabled }}
+          - --provider-service-names={{ include "external-secrets.provider.servicename" (dict "provider" . "root" $) }}
+            {{- end }}
+            {{- end }}
+          {{- end }}
           {{- range $key, $value := .Values.certController.extraArgs }}
             {{- if $value }}
           - --{{ $key }}={{ $value }}
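Review bot: The provider flags here are gated on `and .Values.v2.enabled .Values.providers.enabled`, but every provider-*.yaml template in this commit is gated on `.Values.providers.enabled` alone, so with `v2.enabled: false` and `providers.enabled: true` the provider Deployments still render and mount the `external-secrets-provider-tls` Secret that this controller is apparently never asked to issue; the pods would presumably sit waiting on a missing Secret. Either add `.Values.v2.enabled` to the provider templates' guard or fail early in `external-secrets.reconciler-sanity-test`, e.g. `{{- if and .Values.providers.enabled (not .Values.v2.enabled) }}{{- fail "providers.enabled requires v2.enabled" }}{{- end }}`. The range also passes the raw list entry `.` rather than the merged provider, which is fine today because `provider.servicename` only reads `name`/`type`; a short comment noting that dependency would help whoever next edits the helper.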

+ 1 - 0
deploy/charts/external-secrets/templates/cert-controller-rbac.yaml

@@ -66,6 +66,7 @@ rules:
     - "list"
     - "watch"
     - "update"
+    - "create"
     - "patch"
   - apiGroups:
     - "coordination.k8s.io"
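Review bot: The added `"create"` verb widens an existing rule whose `resources:` list sits above this hunk, so the hunk alone does not show which resource the cert-controller may now create; presumably it is `secrets`, for the provider TLS material that `--provider-service-names` in cert-controller-deployment.yaml implies. A verb that lets a controller create Secrets deserves a one-line justification in the template, e.g. `# create: the cert-controller now issues the provider TLS Secret (see --provider-service-names)`, adjusted once the resource is confirmed. Unlike `update`/`patch`, `create` cannot be narrowed with `resourceNames`, so the comment should also say why the unrestricted verb is needed.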

+ 18 - 0
deploy/charts/external-secrets/templates/provider-class.yaml

@@ -0,0 +1,18 @@
+{{- if .Values.providers.enabled }}
+{{- range .Values.providers.list }}
+{{- if .enabled }}
+{{- $root := $ }}
+{{- $provider := include "external-secrets.provider.mergeDefaults" (dict "provider" . "root" $root) | fromYaml }}
+{{- $providerName := $provider.name | default $provider.type }}
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: ClusterProviderClass
+metadata:
+  name: {{ $providerName }}
+  labels:
+    {{- include "external-secrets.provider.labels" (dict "provider" $provider "root" $root) | nindent 4 }}
+spec:
+  address: {{ include "external-secrets.provider.servicename" (dict "provider" $provider "root" $root) }}.{{ include "external-secrets.namespace" $root }}.svc:{{ $provider.service.port | default 8080 }}
+{{- end }}
+{{- end }}
+{{- end }}
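Review bot: The ClusterProviderClass is cluster-scoped but named with the bare `{{ $providerName }}` (which defaults to `type`), so two releases of this chart, or the same provider type installed in two namespaces, produce the same object name and the later install overwrites the earlier one's `address`, silently redirecting stores to a provider in another namespace. Consider `name: {{ include "external-secrets.provider.fullname" (dict "provider" $provider "root" $root) }}`, or at minimum document in values.yaml that provider names must be unique cluster-wide. The `address` also hard-codes `.svc` without a cluster-domain suffix; that is fine in-cluster, but a comment stating the assumption would help operators running a custom cluster domain.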

+ 155 - 0
deploy/charts/external-secrets/templates/provider-deployment.yaml

@@ -0,0 +1,155 @@
+{{- if .Values.providers.enabled }}
+{{- range .Values.providers.list }}
+{{- if .enabled }}
+{{- $root := $ }}
+{{- $provider := include "external-secrets.provider.mergeDefaults" (dict "provider" . "root" $root) | fromYaml }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "external-secrets.provider.fullname" (dict "provider" $provider "root" $root) }}
+  namespace: {{ include "external-secrets.namespace" $root }}
+  labels:
+    {{- include "external-secrets.provider.labels" (dict "provider" $provider "root" $root) | nindent 4 }}
+  {{- with $root.Values.commonAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if not (and $provider.autoscaling $provider.autoscaling.enabled) }}
+  replicas: {{ $provider.replicaCount | default 2 }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "external-secrets.provider.selectorLabels" (dict "provider" $provider "root" $root) | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        {{- with $provider.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      labels:
+        {{- include "external-secrets.provider.selectorLabels" (dict "provider" $provider "root" $root) | nindent 8 }}
+        {{- with $provider.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with $provider.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "external-secrets.provider.serviceAccountName" (dict "provider" $provider "root" $root) }}
+      {{- if $provider.priorityClassName }}
+      priorityClassName: {{ $provider.priorityClassName }}
+      {{- end }}
+      {{- if and $provider.podSecurityContext $provider.podSecurityContext.enabled }}
+      securityContext:
+        {{- include "external-secrets.renderSecurityContext" (dict "securityContext" $provider.podSecurityContext "context" $root) | nindent 8 }}
+      {{- end }}
+      containers:
+      - name: provider
+        image: {{ include "external-secrets.provider.image" (dict "provider" $provider "root" $root) }}
+        imagePullPolicy: {{ $provider.image.pullPolicy | default "IfNotPresent" }}
+        {{- if and $provider.securityContext $provider.securityContext.enabled }}
+        securityContext:
+          {{- include "external-secrets.renderSecurityContext" (dict "securityContext" $provider.securityContext "context" $root) | nindent 10 }}
+        {{- end }}
+        args: []
+        env:
+        {{- if and $provider.tls $provider.tls.enabled }}
+        - name: TLS_ENABLED
+          value: "true"
+        - name: TLS_CERT_DIR
+          value: {{ $provider.tls.certPath | default "/etc/provider/certs" }}
+        {{- end }}
+        {{- if $provider.config }}
+        {{- range $key, $value := $provider.config }}
+        - name: {{ $key | upper | replace "." "_" }}
+          value: {{ $value | quote }}
+        {{- end }}
+        {{- end }}
+        {{- with $provider.extraEnv }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+        ports:
+        - name: grpc
+          containerPort: {{ $provider.service.port | default 8080 }}
+          protocol: TCP
+        {{- if and $provider.metrics $provider.metrics.enabled }}
+        - name: metrics
+          containerPort: {{ $provider.metrics.port | default 8081 }}
+          protocol: TCP
+        {{- end }}
+        {{- if $provider.health }}
+        - name: health
+          containerPort: {{ $provider.health.port | default 8082 }}
+          protocol: TCP
+        {{- end }}
+        {{- if and $provider.health $provider.health.livenessProbe $provider.health.livenessProbe.enabled }}
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: health
+          initialDelaySeconds: {{ $provider.health.livenessProbe.initialDelaySeconds | default 10 }}
+          periodSeconds: {{ $provider.health.livenessProbe.periodSeconds | default 20 }}
+          timeoutSeconds: {{ $provider.health.livenessProbe.timeoutSeconds | default 5 }}
+          failureThreshold: {{ $provider.health.livenessProbe.failureThreshold | default 3 }}
+        {{- end }}
+        {{- if and $provider.health $provider.health.readinessProbe $provider.health.readinessProbe.enabled }}
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: health
+          initialDelaySeconds: {{ $provider.health.readinessProbe.initialDelaySeconds | default 5 }}
+          periodSeconds: {{ $provider.health.readinessProbe.periodSeconds | default 10 }}
+          timeoutSeconds: {{ $provider.health.readinessProbe.timeoutSeconds | default 5 }}
+          failureThreshold: {{ $provider.health.readinessProbe.failureThreshold | default 3 }}
+        {{- end }}
+        {{- with $provider.resources }}
+        resources:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        volumeMounts:
+        {{- if and $provider.tls $provider.tls.enabled }}
+        - name: provider-certs
+          mountPath: {{ $provider.tls.certPath | default "/etc/provider/certs" }}
+          readOnly: true
+        {{- end }}
+        {{- with $provider.extraVolumeMounts }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      volumes:
+      {{- if and $provider.tls $provider.tls.enabled }}
+      - name: provider-certs
+        secret:
+          secretName: "external-secrets-provider-tls"
+          items:
+          - key: tls.crt
+            path: tls.crt
+          - key: tls.key
+            path: tls.key
+          - key: ca.crt
+            path: ca.crt
+      {{- end }}
+      {{- with $provider.extraVolumes }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+      {{- with $provider.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $provider.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $provider.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $provider.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
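Review bot: The TLS volume hard-codes `secretName: "external-secrets-provider-tls"` while the `providerDefaults.tls` block documented in the README hunk (`caSecretName`, `mountCA`, `certPath`) is only partially consumed: `certPath` is used, but `caSecretName` and `mountCA` are never read, and the Secret name is neither release-prefixed nor overridable, so two releases in one namespace share one Secret. Either drop the dead keys from values/README or honour them, e.g. `secretName: {{ $provider.tls.secretName | default "external-secrets-provider-tls" }}` with a matching default, keeping it aligned with whatever name the cert-controller actually writes. Separately, the `config` map is flattened into plain `env` entries with `value: {{ $value | quote }}`, which puts any credential a user places there in clear text in the Deployment object and in `kubectl get deploy -o yaml` output; a comment on that block stating that `config` is for non-sensitive settings and that secrets belong in `extraEnv` via `valueFrom.secretKeyRef` would steer users correctly. Finally, `quote` on a nested map or list renders Go's map/slice formatting rather than usable configuration, so the block should either `toJson` non-scalars or document that only scalar values are supported.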

+ 42 - 0
deploy/charts/external-secrets/templates/provider-hpa.yaml

@@ -0,0 +1,42 @@
+{{- if .Values.providers.enabled }}
+{{- range .Values.providers.list }}
+{{- if .enabled }}
+{{- $root := $ }}
+{{- $provider := include "external-secrets.provider.mergeDefaults" (dict "provider" . "root" $root) | fromYaml }}
+{{- if and $provider.autoscaling $provider.autoscaling.enabled }}
+---
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "external-secrets.provider.fullname" (dict "provider" $provider "root" $root) }}
+  namespace: {{ include "external-secrets.namespace" $root }}
+  labels:
+    {{- include "external-secrets.provider.labels" (dict "provider" $provider "root" $root) | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "external-secrets.provider.fullname" (dict "provider" $provider "root" $root) }}
+  minReplicas: {{ $provider.autoscaling.minReplicas | default 2 }}
+  maxReplicas: {{ $provider.autoscaling.maxReplicas | default 10 }}
+  metrics:
+  {{- if $provider.autoscaling.targetCPUUtilizationPercentage }}
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: {{ $provider.autoscaling.targetCPUUtilizationPercentage }}
+  {{- end }}
+  {{- if $provider.autoscaling.targetMemoryUtilizationPercentage }}
+  - type: Resource
+    resource:
+      name: memory
+      target:
+        type: Utilization
+        averageUtilization: {{ $provider.autoscaling.targetMemoryUtilizationPercentage }}
+  {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

+ 28 - 0
deploy/charts/external-secrets/templates/provider-poddisruptionbudget.yaml

@@ -0,0 +1,28 @@
+{{- if .Values.providers.enabled }}
+{{- range .Values.providers.list }}
+{{- if .enabled }}
+{{- $root := $ }}
+{{- $provider := include "external-secrets.provider.mergeDefaults" (dict "provider" . "root" $root) | fromYaml }}
+{{- if and $provider.podDisruptionBudget $provider.podDisruptionBudget.enabled }}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "external-secrets.provider.fullname" (dict "provider" $provider "root" $root) }}
+  namespace: {{ include "external-secrets.namespace" $root }}
+  labels:
+    {{- include "external-secrets.provider.labels" (dict "provider" $provider "root" $root) | nindent 4 }}
+spec:
+  {{- if $provider.podDisruptionBudget.minAvailable }}
+  minAvailable: {{ $provider.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if $provider.podDisruptionBudget.maxUnavailable }}
+  maxUnavailable: {{ $provider.podDisruptionBudget.maxUnavailable }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "external-secrets.provider.selectorLabels" (dict "provider" $provider "root" $root) | nindent 6 }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
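Review bot: Both `minAvailable` and `maxUnavailable` can render at once: `providerDefaults.podDisruptionBudget` ships `minAvailable: 1`, so a provider that sets only `maxUnavailable` ends up with both fields and the API server rejects the PodDisruptionBudget. Making the two branches mutually exclusive lets a provider-level `maxUnavailable` take effect without also having to zero `minAvailable` (a `0` would be dropped by the truthiness check anyway):
```yaml
spec:
  {{- if $provider.podDisruptionBudget.maxUnavailable }}
  maxUnavailable: {{ $provider.podDisruptionBudget.maxUnavailable }}
  {{- else if $provider.podDisruptionBudget.minAvailable }}
  minAvailable: {{ $provider.podDisruptionBudget.minAvailable }}
  {{- end }}
  # … unchanged: selector …
```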

+ 103 - 0
deploy/charts/external-secrets/templates/provider-rbac.yaml

@@ -0,0 +1,103 @@
+{{- if and .Values.providers.enabled .Values.rbac.create }}
+{{- range .Values.providers.list }}
+{{- if .enabled }}
+{{- $root := $ }}
+{{- $provider := include "external-secrets.provider.mergeDefaults" (dict "provider" . "root" $root) | fromYaml }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "external-secrets.provider.fullname" (dict "provider" $provider "root" $root) }}
+  labels:
+    {{- include "external-secrets.provider.labels" (dict "provider" $provider "root" $root) | nindent 4 }}
+rules:
+  # All providers need to read their own provider configuration CRDs
+  - apiGroups:
+    - "provider.external-secrets.io"
+    resources:
+    - "fakes"
+    - "kubernetes"
+    - "secretmanagers"
+    - "secretsmanagers"
+    - "parameterstores"
+    verbs:
+    - "get"
+    - "list"
+    - "watch"
+  # Providers that support generators need to read generator CRDs
+  - apiGroups:
+    - "generators.external-secrets.io"
+    resources:
+    - "fakes"
+    - "passwords"
+    - "ecrauthorizationtokens"
+    - "stssessiontokens"
+    - "gcraccesstokens"
+    - "uuids"
+    - "vaultdynamicsecrets"
+    - "acraccesstokens"
+    verbs:
+    - "get"
+    - "list"
+    - "watch"
+  - apiGroups:
+    - ""
+    resources:
+    - "secrets"
+    verbs:
+    - "get"
+    - "list"
+    - "watch"
+{{- if eq $provider.type "kubernetes" }}
+  # Kubernetes provider needs to read service accounts for auth
+  - apiGroups:
+    - ""
+    resources:
+    - "serviceaccounts"
+    verbs:
+    - "get"
+  # Kubernetes provider needs to get service account tokens
+  - apiGroups:
+    - ""
+    resources:
+    - "serviceaccounts/token"
+    verbs:
+    - "create"
+  - apiGroups:
+    - authorization.k8s.io
+    resources:
+    - selfsubjectrulesreviews
+    verbs:
+    - create
+{{- end }}
+{{- if eq $provider.type "aws" }}
+  # AWS provider may need access to AWS credentials stored in secrets
+  - apiGroups:
+    - ""
+    resources:
+    - "secrets"
+    - "configmaps"
+    verbs:
+    - "get"
+    - "list"
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "external-secrets.provider.fullname" (dict "provider" $provider "root" $root) }}
+  labels:
+    {{- include "external-secrets.provider.labels" (dict "provider" $provider "root" $root) | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "external-secrets.provider.fullname" (dict "provider" $provider "root" $root) }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "external-secrets.provider.serviceAccountName" (dict "provider" $provider "root" $root) }}
+    namespace: {{ include "external-secrets.namespace" $root }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+
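Review bot: The third rule grants every provider ClusterRole `get`/`list`/`watch` on core `secrets` across all namespaces, irrespective of provider type, so a compromised or misbehaving provider pod can enumerate every Secret in the cluster; unless providers genuinely resolve credential references in arbitrary namespaces, a namespaced Role/RoleBinding in the release namespace (or a values switch between the two shapes) is the least-privilege option, and either way the rule deserves a comment such as `# cluster-wide read: providers resolve SecretStore auth refs in the store's namespace — TODO confirm scope`. The `aws` block further down re-grants `secrets` `get`/`list`, which the rule above already covers, so only `configmaps` is new there and the duplicate can be dropped. The `provider.external-secrets.io` resource names also diverge from the controller rule added in rbac.yaml (`awssecretsmanagers` there, `secretmanagers`/`secretsmanagers` here), so one of the lists is probably stale; a shared helper emitting the CRD plural list once would keep them aligned. The two trailing blank `+` lines at the end of the file can go.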

+ 35 - 0
deploy/charts/external-secrets/templates/provider-service.yaml

@@ -0,0 +1,35 @@
+{{- if .Values.providers.enabled }}
+{{- range .Values.providers.list }}
+{{- if .enabled }}
+{{- $root := $ }}
+{{- $provider := include "external-secrets.provider.mergeDefaults" (dict "provider" . "root" $root) | fromYaml }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "external-secrets.provider.servicename" (dict "provider" $provider "root" $root) }}
+  namespace: {{ include "external-secrets.namespace" $root }}
+  labels:
+    {{- include "external-secrets.provider.labels" (dict "provider" $provider "root" $root) | nindent 4 }}
+  {{- with $provider.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ $provider.service.type | default "ClusterIP" }}
+  ports:
+  - port: {{ $provider.service.port | default 8080 }}
+    targetPort: grpc
+    protocol: TCP
+    name: grpc
+  {{- if and $provider.metrics $provider.metrics.enabled }}
+  - port: {{ $provider.metrics.port | default 8081 }}
+    targetPort: metrics
+    protocol: TCP
+    name: metrics
+  {{- end }}
+  selector:
+    {{- include "external-secrets.provider.selectorLabels" (dict "provider" $provider "root" $root) | nindent 4 }}
+{{- end }}
+{{- end }}
+{{- end }}

+ 25 - 0
deploy/charts/external-secrets/templates/provider-serviceaccount.yaml

@@ -0,0 +1,25 @@
+{{- if .Values.providers.enabled }}
+{{- range .Values.providers.list }}
+{{- if .enabled }}
+{{- $root := $ }}
+{{- $provider := include "external-secrets.provider.mergeDefaults" (dict "provider" . "root" $root) | fromYaml }}
+{{- if $provider.serviceAccount.create }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "external-secrets.provider.serviceAccountName" (dict "provider" $provider "root" $root) }}
+  namespace: {{ include "external-secrets.namespace" $root }}
+  labels:
+    {{- include "external-secrets.provider.labels" (dict "provider" $provider "root" $root) | nindent 4 }}
+  {{- with $provider.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- if $provider.serviceAccount.automount }}
+automountServiceAccountToken: true
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
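Review bot: `serviceAccount.automount: false` has no effect: `automountServiceAccountToken: true` is emitted only when the flag is true, nothing is written when it is false, so the ServiceAccount keeps the API default (mount) and provider-deployment.yaml does not set the field on the pod spec either. Render the value unconditionally, `automountServiceAccountToken: {{ $provider.serviceAccount.automount }}`, so that disabling it actually removes the token from provider pods that never talk to the API server. Given that the `kubernetes` provider rules in provider-rbac.yaml show at least one provider does need the token, defaulting to true is reasonable, but false must not be a no-op.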

+ 30 - 0
deploy/charts/external-secrets/templates/provider-servicemonitor.yaml

@@ -0,0 +1,30 @@
+{{- if .Values.providers.enabled }}
+{{- range .Values.providers.list }}
+{{- if .enabled }}
+{{- $root := $ }}
+{{- $provider := include "external-secrets.provider.mergeDefaults" (dict "provider" . "root" $root) | fromYaml }}
+{{- if and $provider.metrics $provider.metrics.enabled $provider.metrics.serviceMonitor $provider.metrics.serviceMonitor.enabled }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "external-secrets.provider.fullname" (dict "provider" $provider "root" $root) }}
+  namespace: {{ $provider.metrics.serviceMonitor.namespace | default (include "external-secrets.namespace" $root) }}
+  labels:
+    {{- include "external-secrets.provider.labels" (dict "provider" $provider "root" $root) | nindent 4 }}
+    {{- with $provider.metrics.serviceMonitor.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "external-secrets.provider.selectorLabels" (dict "provider" $provider "root" $root) | nindent 6 }}
+  endpoints:
+  - port: metrics
+    interval: {{ $provider.metrics.serviceMonitor.interval | default "30s" }}
+    scrapeTimeout: {{ $provider.metrics.serviceMonitor.scrapeTimeout | default "10s" }}
+    path: /metrics
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
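Review bot: The ServiceMonitor can be placed in `$provider.metrics.serviceMonitor.namespace`, but `spec` carries no `namespaceSelector`, and Prometheus Operator by default matches Services only in the ServiceMonitor's own namespace; when that namespace differs from the release namespace the provider's metrics Service is never selected and the endpoint silently yields no targets. Add under `spec:` `namespaceSelector:` / `  matchNames:` / `  - {{ include "external-secrets.namespace" $root }}` so the selector follows the Service regardless of where the ServiceMonitor lives. The `port: metrics` endpoint matches the named port the Service template emits under the same `metrics.enabled` gate, so that side is consistent.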

+ 33 - 0
deploy/charts/external-secrets/templates/rbac.yaml

@@ -13,10 +13,27 @@ metadata:
   labels:
     {{- include "external-secrets.labels" . | nindent 4 }}
 rules:
+  {{- if .Values.v2.enabled }}
+  - apiGroups:
+    - "provider.external-secrets.io"
+    resources:
+    - "kubernetes"
+    - "awssecretsmanagers"
+    - "fakes"
+    verbs:
+    - "get"
+    - "list"
+    - "watch"
+  {{- end }}
   - apiGroups:
     - "external-secrets.io"
     resources:
     - "secretstores"
+    {{- if .Values.v2.enabled }}
+    - "providerstores"
+    - "clusterproviderstores"
+    - "clusterproviderclasses"
+    {{- end }}
     {{- if .Values.processClusterStore }}
     - "clustersecretstores"
     {{- end }}
@@ -37,6 +54,14 @@ rules:
   - apiGroups:
     - "external-secrets.io"
     resources:
+    {{- if .Values.v2.enabled }}
+    - "providerstores"
+    - "providerstores/status"
+    - "clusterproviderstores"
+    - "clusterproviderstores/status"
+    - "clusterproviderclasses"
+    - "clusterproviderclasses/status"
+    {{- end }}
     - "externalsecrets"
     - "externalsecrets/status"
     {{- if .Values.openshiftFinalizers }}
@@ -238,6 +263,10 @@ rules:
     resources:
       - "externalsecrets"
       - "secretstores"
+      {{- if .Values.v2.enabled }}
+      - "providers"
+      - "clusterproviders"
+      {{- end }}
       {{- if .Values.processClusterStore }}
       - "clustersecretstores"
       {{- end }}
@@ -300,6 +329,10 @@ rules:
     resources:
       - "externalsecrets"
       - "secretstores"
+      {{- if .Values.v2.enabled }}
+      - "providers"
+      - "clusterproviders"
+      {{- end }}
       {{- if .Values.processClusterStore }}
       - "clustersecretstores"
       {{- end }}
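Review bot: The resources added in the last two hunks (`providers`, `clusterproviders`) do not match the v2 resource names granted in the first two hunks (`providerstores`, `clusterproviderstores`, `clusterproviderclasses`); the `apiGroups` line of those rules lies outside the hunks, so if they are the aggregated roles on `external-secrets.io` these entries likely name resources that do not exist while the intended ones are missing. Please confirm against the shipped CRDs and use one naming set in all four places. Separately, the first hunk hard-codes the `provider.external-secrets.io` resource list (`kubernetes`, `awssecretsmanagers`, `fakes`), which will drift as providers are added; a comment such as `# keep in sync with the provider CRDs shipped by this chart` would at least flag the coupling, and the rule correctly stays read-only (get/list/watch).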

+ 586 - 145
deploy/charts/external-secrets/tests/__snapshot__/crds_test.yaml.snap

@@ -60,7 +60,7 @@ should match snapshot of default values:
                   description: SecretStoreSpec defines the desired state of SecretStore.
                   properties:
                     conditions:
-                      description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
+                      description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
                       items:
                         description: |-
                           ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
@@ -354,96 +354,6 @@ should match snapshot of default values:
                             - akeylessGWApiURL
                             - authSecretRef
                           type: object
-                        alibaba:
-                          description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
-                          properties:
-                            auth:
-                              description: AlibabaAuth contains a secretRef for credentials.
-                              properties:
-                                rrsa:
-                                  description: AlibabaRRSAAuth authenticates against Alibaba using RRSA.
-                                  properties:
-                                    oidcProviderArn:
-                                      type: string
-                                    oidcTokenFilePath:
-                                      type: string
-                                    roleArn:
-                                      type: string
-                                    sessionName:
-                                      type: string
-                                  required:
-                                    - oidcProviderArn
-                                    - oidcTokenFilePath
-                                    - roleArn
-                                    - sessionName
-                                  type: object
-                                secretRef:
-                                  description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
-                                  properties:
-                                    accessKeyIDSecretRef:
-                                      description: The AccessKeyID is used for authentication
-                                      properties:
-                                        key:
-                                          description: |-
-                                            A key in the referenced Secret.
-                                            Some instances of this field may be defaulted, in others it may be required.
-                                          maxLength: 253
-                                          minLength: 1
-                                          pattern: ^[-._a-zA-Z0-9]+$
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          maxLength: 253
-                                          minLength: 1
-                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            The namespace of the Secret resource being referred to.
-                                            Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
-                                          maxLength: 63
-                                          minLength: 1
-                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
-                                          type: string
-                                      type: object
-                                    accessKeySecretSecretRef:
-                                      description: The AccessKeySecret is used for authentication
-                                      properties:
-                                        key:
-                                          description: |-
-                                            A key in the referenced Secret.
-                                            Some instances of this field may be defaulted, in others it may be required.
-                                          maxLength: 253
-                                          minLength: 1
-                                          pattern: ^[-._a-zA-Z0-9]+$
-                                          type: string
-                                        name:
-                                          description: The name of the Secret resource being referred to.
-                                          maxLength: 253
-                                          minLength: 1
-                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                                          type: string
-                                        namespace:
-                                          description: |-
-                                            The namespace of the Secret resource being referred to.
-                                            Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
-                                          maxLength: 63
-                                          minLength: 1
-                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
-                                          type: string
-                                      type: object
-                                  required:
-                                    - accessKeyIDSecretRef
-                                    - accessKeySecretSecretRef
-                                  type: object
-                              type: object
-                            regionID:
-                              description: Alibaba Region to be used for the provider
-                              type: string
-                          required:
-                            - auth
-                            - regionID
-                          type: object
                         aws:
                           description: AWS configures this store to sync secrets using AWS Secret Manager provider
                           properties:
@@ -608,7 +518,6 @@ should match snapshot of default values:
                                     ForceDeleteWithoutRecovery in the same call. If you don't use either,
                                     then by default Secrets Manager uses a 30-day recovery window.
                                     see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
-                                  format: int64
                                   type: integer
                               type: object
                             service:
@@ -767,8 +676,11 @@ should match snapshot of default values:
                               type: string
                             customCloudConfig:
                               description: |-
-                                CustomCloudConfig defines custom Azure Stack Hub or Azure Stack Edge endpoints.
+                                CustomCloudConfig defines custom Azure endpoints for non-standard clouds.
                                 Required when EnvironmentType is AzureStackCloud.
+                                Optional for other environment types - useful for Azure China when using Workload Identity
+                                with AKS, where the OIDC issuer (login.partner.microsoftonline.cn) differs from the
+                                standard China Cloud endpoint (login.chinacloudapi.cn).
                                 IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
                                 configuration is not supported with the legacy go-autorest SDK.
                               properties:
@@ -852,6 +764,97 @@ should match snapshot of default values:
                           required:
                             - vaultUrl
                           type: object
+                        barbican:
+                          description: Barbican configures this store to sync secrets using the OpenStack Barbican provider
+                          properties:
+                            auth:
+                              description: BarbicanAuth contains the authentication information for Barbican.
+                              properties:
+                                password:
+                                  description: BarbicanProviderPasswordRef defines a reference to a secret containing password for the Barbican provider.
+                                  properties:
+                                    secretRef:
+                                      description: |-
+                                        SecretKeySelector is a reference to a specific 'key' within a Secret resource.
+                                        In some instances, `key` is a required field.
+                                      properties:
+                                        key:
+                                          description: |-
+                                            A key in the referenced Secret.
+                                            Some instances of this field may be defaulted, in others it may be required.
+                                          maxLength: 253
+                                          minLength: 1
+                                          pattern: ^[-._a-zA-Z0-9]+$
+                                          type: string
+                                        name:
+                                          description: The name of the Secret resource being referred to.
+                                          maxLength: 253
+                                          minLength: 1
+                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                          type: string
+                                        namespace:
+                                          description: |-
+                                            The namespace of the Secret resource being referred to.
+                                            Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+                                          maxLength: 63
+                                          minLength: 1
+                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                                          type: string
+                                      type: object
+                                  required:
+                                    - secretRef
+                                  type: object
+                                username:
+                                  description: BarbicanProviderUsernameRef defines a reference to a secret containing username for the Barbican provider.
+                                  maxProperties: 1
+                                  minProperties: 1
+                                  properties:
+                                    secretRef:
+                                      description: |-
+                                        SecretKeySelector is a reference to a specific 'key' within a Secret resource.
+                                        In some instances, `key` is a required field.
+                                      properties:
+                                        key:
+                                          description: |-
+                                            A key in the referenced Secret.
+                                            Some instances of this field may be defaulted, in others it may be required.
+                                          maxLength: 253
+                                          minLength: 1
+                                          pattern: ^[-._a-zA-Z0-9]+$
+                                          type: string
+                                        name:
+                                          description: The name of the Secret resource being referred to.
+                                          maxLength: 253
+                                          minLength: 1
+                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                          type: string
+                                        namespace:
+                                          description: |-
+                                            The namespace of the Secret resource being referred to.
+                                            Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+                                          maxLength: 63
+                                          minLength: 1
+                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                                          type: string
+                                      type: object
+                                    value:
+                                      type: string
+                                  type: object
+                              required:
+                                - password
+                                - username
+                              type: object
+                            authURL:
+                              type: string
+                            domainName:
+                              type: string
+                            region:
+                              type: string
+                            tenantName:
+                              type: string
+                          required:
+                            - auth
+                          type: object
                         beyondtrust:
                           description: Beyondtrust configures this store to sync secrets using Password Safe provider.
                           properties:
@@ -1034,6 +1037,10 @@ should match snapshot of default values:
                                 clientTimeOutSeconds:
                                   description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
                                   type: integer
+                                decrypt:
+                                  default: true
+                                  description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
+                                  type: boolean
                                 retrievalType:
                                   description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
                                   type: string
@@ -1557,60 +1564,59 @@ should match snapshot of default values:
                             - clientSecret
                             - tenant
                           type: object
-                        device42:
-                          description: Device42 configures this store to sync secrets using the Device42 provider
+                        doppler:
+                          description: Doppler configures this store to sync secrets using the Doppler provider
                           properties:
                             auth:
-                              description: Auth configures how secret-manager authenticates with a Device42 instance.
+                              description: Auth configures how the Operator authenticates with the Doppler API
                               properties:
-                                secretRef:
-                                  description: Device42SecretRef contains the secret reference for accessing the Device42 instance.
+                                oidcConfig:
+                                  description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
                                   properties:
-                                    credentials:
-                                      description: Username / Password is used for authentication.
+                                    expirationSeconds:
+                                      default: 600
+                                      description: |-
+                                        ExpirationSeconds sets the ServiceAccount token validity duration.
+                                        Defaults to 10 minutes.
+                                      format: int64
+                                      type: integer
+                                    identity:
+                                      description: Identity is the Doppler Service Account Identity ID configured for OIDC authentication.
+                                      type: string
+                                    serviceAccountRef:
+                                      description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
                                       properties:
-                                        key:
+                                        audiences:
                                           description: |-
-                                            A key in the referenced Secret.
-                                            Some instances of this field may be defaulted, in others it may be required.
-                                          maxLength: 253
-                                          minLength: 1
-                                          pattern: ^[-._a-zA-Z0-9]+$
-                                          type: string
+                                            Audience specifies the `aud` claim for the service account token
+                                            If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+                                            then this audiences will be appended to the list
+                                          items:
+                                            type: string
+                                          type: array
                                         name:
-                                          description: The name of the Secret resource being referred to.
+                                          description: The name of the ServiceAccount resource being referred to.
                                           maxLength: 253
                                           minLength: 1
                                           pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                           type: string
                                         namespace:
                                           description: |-
-                                            The namespace of the Secret resource being referred to.
+                                            Namespace of the resource being referred to.
                                             Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                           maxLength: 63
                                           minLength: 1
                                           pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                           type: string
+                                      required:
+                                        - name
                                       type: object
+                                  required:
+                                    - identity
+                                    - serviceAccountRef
                                   type: object
-                              required:
-                                - secretRef
-                              type: object
-                            host:
-                              description: URL configures the Device42 instance URL.
-                              type: string
-                          required:
-                            - auth
-                            - host
-                          type: object
-                        doppler:
-                          description: Doppler configures this store to sync secrets using the Doppler provider
-                          properties:
-                            auth:
-                              description: Auth configures how the Operator authenticates with the Doppler API
-                              properties:
                                 secretRef:
-                                  description: DopplerAuthSecretRef contains the secret reference for accessing the Doppler API.
+                                  description: SecretRef authenticates using a Doppler service token stored in a Kubernetes Secret.
                                   properties:
                                     dopplerToken:
                                       description: |-
@@ -1644,9 +1650,10 @@ should match snapshot of default values:
                                   required:
                                     - dopplerToken
                                   type: object
-                              required:
-                                - secretRef
                               type: object
+                              x-kubernetes-validations:
+                                - message: Exactly one of 'secretRef' or 'oidcConfig' must be specified
+                                  rule: (has(self.secretRef) && !has(self.oidcConfig)) || (!has(self.secretRef) && has(self.oidcConfig))
                             config:
                               description: Doppler config (required if not using a Service Token)
                               type: string
@@ -1675,6 +1682,87 @@ should match snapshot of default values:
                           required:
                             - auth
                           type: object
+                        dvls:
+                          description: DVLS configures this store to sync secrets using Devolutions Server provider
+                          properties:
+                            auth:
+                              description: Auth defines the authentication method to use.
+                              properties:
+                                secretRef:
+                                  description: SecretRef contains the Application ID and Application Secret for authentication.
+                                  properties:
+                                    appId:
+                                      description: AppID is the reference to the secret containing the Application ID.
+                                      properties:
+                                        key:
+                                          description: |-
+                                            A key in the referenced Secret.
+                                            Some instances of this field may be defaulted, in others it may be required.
+                                          maxLength: 253
+                                          minLength: 1
+                                          pattern: ^[-._a-zA-Z0-9]+$
+                                          type: string
+                                        name:
+                                          description: The name of the Secret resource being referred to.
+                                          maxLength: 253
+                                          minLength: 1
+                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                          type: string
+                                        namespace:
+                                          description: |-
+                                            The namespace of the Secret resource being referred to.
+                                            Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+                                          maxLength: 63
+                                          minLength: 1
+                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                                          type: string
+                                      type: object
+                                    appSecret:
+                                      description: AppSecret is the reference to the secret containing the Application Secret.
+                                      properties:
+                                        key:
+                                          description: |-
+                                            A key in the referenced Secret.
+                                            Some instances of this field may be defaulted, in others it may be required.
+                                          maxLength: 253
+                                          minLength: 1
+                                          pattern: ^[-._a-zA-Z0-9]+$
+                                          type: string
+                                        name:
+                                          description: The name of the Secret resource being referred to.
+                                          maxLength: 253
+                                          minLength: 1
+                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                          type: string
+                                        namespace:
+                                          description: |-
+                                            The namespace of the Secret resource being referred to.
+                                            Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+                                          maxLength: 63
+                                          minLength: 1
+                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                                          type: string
+                                      type: object
+                                  required:
+                                    - appId
+                                    - appSecret
+                                  type: object
+                              required:
+                                - secretRef
+                              type: object
+                            insecure:
+                              description: |-
+                                Insecure allows connecting to DVLS over plain HTTP.
+                                This is NOT RECOMMENDED for production use.
+                                Set to true only if you understand the security implications.
+                              type: boolean
+                            serverUrl:
+                              description: ServerURL is the DVLS instance URL (e.g., https://dvls.example.com).
+                              type: string
+                          required:
+                            - auth
+                            - serverUrl
+                          type: object
                         fake:
                           description: Fake configures a store with static key/value pairs
                           properties:
@@ -1953,12 +2041,11 @@ should match snapshot of default values:
                           type: object
                         github:
                           description: |-
-                            Github configures this store to push GitHub Action secrets using GitHub API provider.
+                            Github configures this store to push GitHub Actions secrets using the GitHub API provider.
                             Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub
                           properties:
                             appID:
                               description: appID specifies the Github APP that will be used to authenticate the client
-                              format: int64
                               type: integer
                             auth:
                               description: auth configures how secret-manager authenticates with a Github instance.
@@ -1999,8 +2086,17 @@ should match snapshot of default values:
                               type: string
                             installationID:
                               description: installationID specifies the Github APP installation that will be used to authenticate the client
-                              format: int64
                               type: integer
+                            orgSecretVisibility:
+                              description: |-
+                                orgSecretVisibility controls the visibility of organization secrets pushed via PushSecret.
+                                Valid values are "all" or "private".
+                                When unset, new secrets are created with visibility "all" and existing secrets preserve
+                                whatever visibility they already have in GitHub.
+                              enum:
+                                - all
+                                - private
+                              type: string
                             organization:
                               description: organization will be used to fetch secrets from the Github organization
                               type: string
@@ -2901,6 +2997,48 @@ should match snapshot of default values:
                                     - clientSecret
                                   type: object
                               type: object
+                            caBundle:
+                              description: |-
+                                CABundle is a PEM-encoded CA certificate bundle used to validate
+                                the Infisical server's TLS certificate. Mutually exclusive with CAProvider.
+                              format: byte
+                              type: string
+                            caProvider:
+                              description: |-
+                                CAProvider is a reference to a Secret or ConfigMap that contains a CA certificate.
+                                The certificate is used to validate the Infisical server's TLS certificate.
+                                Mutually exclusive with CABundle.
+                              properties:
+                                key:
+                                  description: The key where the CA certificate can be found in the Secret or ConfigMap.
+                                  maxLength: 253
+                                  minLength: 1
+                                  pattern: ^[-._a-zA-Z0-9]+$
+                                  type: string
+                                name:
+                                  description: The name of the object located at the provider type.
+                                  maxLength: 253
+                                  minLength: 1
+                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                  type: string
+                                namespace:
+                                  description: |-
+                                    The namespace the Provider type is in.
+                                    Can only be defined when used in a ClusterSecretStore.
+                                  maxLength: 63
+                                  minLength: 1
+                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                                  type: string
+                                type:
+                                  description: The type of provider to use such as "Secret", or "ConfigMap".
+                                  enum:
+                                    - Secret
+                                    - ConfigMap
+                                  type: string
+                              required:
+                                - name
+                                - type
+                              type: object
                             hostAPI:
                               default: https://app.infisical.com/api
                               description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
@@ -3179,6 +3317,120 @@ should match snapshot of default values:
                                   type: string
                               type: object
                           type: object
+                        nebiusmysterybox:
+                          description: NebiusMysterybox configures this store to sync secrets using NebiusMysterybox provider
+                          properties:
+                            apiDomain:
+                              description: NebiusMysterybox API endpoint
+                              type: string
+                            auth:
+                              description: Auth defines parameters to authenticate in MysteryBox
+                              properties:
+                                serviceAccountCredsSecretRef:
+                                  description: |-
+                                    ServiceAccountCreds references a Kubernetes Secret key that contains a JSON
+                                    document with service account credentials used to get an IAM token.
+
+                                    Expected JSON structure:
+                                    {
+                                      "subject-credentials": {
+                                        "alg": "RS256",
+                                        "private-key": "-----BEGIN PRIVATE KEY-----\n<private-key>\n-----END PRIVATE KEY-----\n",
+                                        "kid": "<public-key-id>",
+                                        "iss": "<issuer-service-account-id>",
+                                        "sub": "<subject-service-account-id>"
+                                      }
+                                    }
+                                  properties:
+                                    key:
+                                      description: |-
+                                        A key in the referenced Secret.
+                                        Some instances of this field may be defaulted, in others it may be required.
+                                      maxLength: 253
+                                      minLength: 1
+                                      pattern: ^[-._a-zA-Z0-9]+$
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      maxLength: 253
+                                      minLength: 1
+                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                      type: string
+                                    namespace:
+                                      description: |-
+                                        The namespace of the Secret resource being referred to.
+                                        Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+                                      maxLength: 63
+                                      minLength: 1
+                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                                      type: string
+                                  type: object
+                                tokenSecretRef:
+                                  description: Token authenticates with Nebius Mysterybox by presenting a token.
+                                  properties:
+                                    key:
+                                      description: |-
+                                        A key in the referenced Secret.
+                                        Some instances of this field may be defaulted, in others it may be required.
+                                      maxLength: 253
+                                      minLength: 1
+                                      pattern: ^[-._a-zA-Z0-9]+$
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      maxLength: 253
+                                      minLength: 1
+                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                      type: string
+                                    namespace:
+                                      description: |-
+                                        The namespace of the Secret resource being referred to.
+                                        Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+                                      maxLength: 63
+                                      minLength: 1
+                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                                      type: string
+                                  type: object
+                              type: object
+                              x-kubernetes-validations:
+                                - message: either serviceAccountCredsSecretRef or tokenSecretRef must be set
+                                  rule: has(self.serviceAccountCredsSecretRef) || has(self.tokenSecretRef)
+                            caProvider:
+                              description: The provider for the CA bundle to use to validate NebiusMysterybox server certificate.
+                              properties:
+                                certSecretRef:
+                                  description: |-
+                                    SecretKeySelector is a reference to a specific 'key' within a Secret resource.
+                                    In some instances, `key` is a required field.
+                                  properties:
+                                    key:
+                                      description: |-
+                                        A key in the referenced Secret.
+                                        Some instances of this field may be defaulted, in others it may be required.
+                                      maxLength: 253
+                                      minLength: 1
+                                      pattern: ^[-._a-zA-Z0-9]+$
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      maxLength: 253
+                                      minLength: 1
+                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                      type: string
+                                    namespace:
+                                      description: |-
+                                        The namespace of the Secret resource being referred to.
+                                        Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+                                      maxLength: 63
+                                      minLength: 1
+                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                                      type: string
+                                  type: object
+                              type: object
+                          required:
+                            - apiDomain
+                            - auth
+                          type: object
                         ngrok:
                           description: Ngrok configures this store to sync secrets using the ngrok provider.
                           properties:
@@ -3406,6 +3658,28 @@ should match snapshot of default values:
                               required:
                                 - serviceAccountSecretRef
                               type: object
+                            cache:
+                              description: |-
+                                Cache configures client-side caching for read operations (GetSecret, GetSecretMap).
+                                When enabled, secrets are cached with the specified TTL.
+                                Write operations (PushSecret, DeleteSecret) automatically invalidate relevant cache entries.
+                                If omitted, caching is disabled (default).
+                                cache: {} is a valid option to set.
+                              properties:
+                                maxSize:
+                                  default: 100
+                                  description: |-
+                                    MaxSize is the maximum number of secrets to cache.
+                                    When the cache is full, least-recently-used entries are evicted.
+                                  minimum: 1
+                                  type: integer
+                                ttl:
+                                  default: 5m
+                                  description: |-
+                                    TTL is the time-to-live for cached secrets.
+                                    Format: duration string (e.g., "5m", "1h", "30s")
+                                  type: string
+                              type: object
                             integrationInfo:
                               description: |-
                                 IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK.
@@ -3566,6 +3840,168 @@ should match snapshot of default values:
                             - region
                             - vault
                           type: object
+                        ovh:
+                          description: OVHcloud configures this store to sync secrets using the OVHcloud provider.
+                          properties:
+                            auth:
+                              description: Authentication method (mtls or token).
+                              properties:
+                                mtls:
+                                  description: OvhClientMTLS defines the configuration required to authenticate to OVHcloud's Secret Manager using mTLS.
+                                  properties:
+                                    caBundle:
+                                      format: byte
+                                      type: string
+                                    caProvider:
+                                      description: |-
+                                        CAProvider provides a custom certificate authority for accessing the provider's store.
+                                        The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
+                                      properties:
+                                        key:
+                                          description: The key where the CA certificate can be found in the Secret or ConfigMap.
+                                          maxLength: 253
+                                          minLength: 1
+                                          pattern: ^[-._a-zA-Z0-9]+$
+                                          type: string
+                                        name:
+                                          description: The name of the object located at the provider type.
+                                          maxLength: 253
+                                          minLength: 1
+                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                          type: string
+                                        namespace:
+                                          description: |-
+                                            The namespace the Provider type is in.
+                                            Can only be defined when used in a ClusterSecretStore.
+                                          maxLength: 63
+                                          minLength: 1
+                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                                          type: string
+                                        type:
+                                          description: The type of provider to use such as "Secret", or "ConfigMap".
+                                          enum:
+                                            - Secret
+                                            - ConfigMap
+                                          type: string
+                                      required:
+                                        - name
+                                        - type
+                                      type: object
+                                    certSecretRef:
+                                      description: |-
+                                        SecretKeySelector is a reference to a specific 'key' within a Secret resource.
+                                        In some instances, `key` is a required field.
+                                      properties:
+                                        key:
+                                          description: |-
+                                            A key in the referenced Secret.
+                                            Some instances of this field may be defaulted, in others it may be required.
+                                          maxLength: 253
+                                          minLength: 1
+                                          pattern: ^[-._a-zA-Z0-9]+$
+                                          type: string
+                                        name:
+                                          description: The name of the Secret resource being referred to.
+                                          maxLength: 253
+                                          minLength: 1
+                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                          type: string
+                                        namespace:
+                                          description: |-
+                                            The namespace of the Secret resource being referred to.
+                                            Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+                                          maxLength: 63
+                                          minLength: 1
+                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                                          type: string
+                                      type: object
+                                    keySecretRef:
+                                      description: |-
+                                        SecretKeySelector is a reference to a specific 'key' within a Secret resource.
+                                        In some instances, `key` is a required field.
+                                      properties:
+                                        key:
+                                          description: |-
+                                            A key in the referenced Secret.
+                                            Some instances of this field may be defaulted, in others it may be required.
+                                          maxLength: 253
+                                          minLength: 1
+                                          pattern: ^[-._a-zA-Z0-9]+$
+                                          type: string
+                                        name:
+                                          description: The name of the Secret resource being referred to.
+                                          maxLength: 253
+                                          minLength: 1
+                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                          type: string
+                                        namespace:
+                                          description: |-
+                                            The namespace of the Secret resource being referred to.
+                                            Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+                                          maxLength: 63
+                                          minLength: 1
+                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                                          type: string
+                                      type: object
+                                  required:
+                                    - certSecretRef
+                                    - keySecretRef
+                                  type: object
+                                token:
+                                  description: OvhClientToken defines the configuration required to authenticate to OVHcloud's Secret Manager using a token.
+                                  properties:
+                                    tokenSecretRef:
+                                      description: |-
+                                        SecretKeySelector is a reference to a specific 'key' within a Secret resource.
+                                        In some instances, `key` is a required field.
+                                      properties:
+                                        key:
+                                          description: |-
+                                            A key in the referenced Secret.
+                                            Some instances of this field may be defaulted, in others it may be required.
+                                          maxLength: 253
+                                          minLength: 1
+                                          pattern: ^[-._a-zA-Z0-9]+$
+                                          type: string
+                                        name:
+                                          description: The name of the Secret resource being referred to.
+                                          maxLength: 253
+                                          minLength: 1
+                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                          type: string
+                                        namespace:
+                                          description: |-
+                                            The namespace of the Secret resource being referred to.
+                                            Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
+                                          maxLength: 63
+                                          minLength: 1
+                                          pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                                          type: string
+                                      type: object
+                                  required:
+                                    - tokenSecretRef
+                                  type: object
+                              type: object
+                            casRequired:
+                              description: 'Enables or disables check-and-set (CAS) (default: false).'
+                              type: boolean
+                            okmsTimeout:
+                              default: 30
+                              description: 'Setup a timeout in seconds when requests to the KMS are made (default: 30).'
+                              format: int32
+                              minimum: 1
+                              type: integer
+                            okmsid:
+                              description: specifies the OKMS ID.
+                              type: string
+                            server:
+                              description: specifies the OKMS server endpoint.
+                              type: string
+                          required:
+                            - auth
+                            - okmsid
+                            - server
+                          type: object
                         passbolt:
                           description: |-
                             PassboltProvider provides access to Passbolt secrets manager.
@@ -3794,7 +4230,7 @@ should match snapshot of default values:
                             - project
                           type: object
                         scaleway:
-                          description: Scaleway
+                          description: Scaleway configures this store to sync secrets using the Scaleway provider.
                           properties:
                             accessKey:
                               description: AccessKey is the non-secret part of the api key.
@@ -4057,7 +4493,7 @@ should match snapshot of default values:
                             - url
                           type: object
                         vault:
-                          description: Vault configures this store to sync secrets using Hashi provider
+                          description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
                           properties:
                             auth:
                               description: Auth configures how secret-manager authenticates with the Vault server.
@@ -4209,6 +4645,9 @@ should match snapshot of default values:
                                           pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                           type: string
                                       type: object
+                                    vaultRole:
+                                      description: VaultRole specifies the Vault role to use for TLS certificate authentication.
+                                      type: string
                                   type: object
                                 gcp:
                                   description: |-
@@ -4496,6 +4935,7 @@ should match snapshot of default values:
                                             Optional audiences field that will be used to request a temporary Kubernetes service
                                             account token for the service account referenced by `serviceAccountRef`.
                                             Defaults to a single audience `vault` it not specified.
+
                                             Deprecated: use serviceAccountRef.Audiences instead
                                           items:
                                             type: string
@@ -4505,9 +4945,9 @@ should match snapshot of default values:
                                             Optional expiration time in seconds that will be used to request a temporary
                                             Kubernetes service account token for the service account referenced by
                                             `serviceAccountRef`.
+
                                             Deprecated: this will be removed in the future.
                                             Defaults to 10 minutes.
-                                          format: int64
                                           type: integer
                                         serviceAccountRef:
                                           description: Service account field containing the name of a kubernetes ServiceAccount.
@@ -5426,10 +5866,9 @@ should match snapshot of default values:
                       description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
                       type: integer
                     retrySettings:
-                      description: Used to configure http retries if failed
+                      description: Used to configure HTTP retries on failures.
                       properties:
                         maxRetries:
-                          format: int32
                           type: integer
                         retryInterval:
                           type: string
@@ -5510,7 +5949,7 @@ should match snapshot of default values:
                   description: SecretStoreSpec defines the desired state of SecretStore.
                   properties:
                     conditions:
-                      description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
+                      description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
                       items:
                         description: |-
                           ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
@@ -6058,7 +6497,6 @@ should match snapshot of default values:
                                     ForceDeleteWithoutRecovery in the same call. If you don't use either,
                                     then by default Secrets Manager uses a 30 day recovery window.
                                     see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
-                                  format: int64
                                   type: integer
                               type: object
                             service:
@@ -6450,6 +6888,10 @@ should match snapshot of default values:
                                 clientTimeOutSeconds:
                                   description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
                                   type: integer
+                                decrypt:
+                                  default: true
+                                  description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
+                                  type: boolean
                                 retrievalType:
                                   description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
                                   type: string
@@ -7243,11 +7685,10 @@ should match snapshot of default values:
                               type: string
                           type: object
                         github:
-                          description: Github configures this store to push Github Action secrets using Github API provider
+                          description: Github configures this store to push GitHub Actions secrets using the GitHub API provider.
                           properties:
                             appID:
                               description: appID specifies the Github APP that will be used to authenticate the client
-                              format: int64
                               type: integer
                             auth:
                               description: auth configures how secret-manager authenticates with a Github instance.
@@ -7288,7 +7729,6 @@ should match snapshot of default values:
                               type: string
                             installationID:
                               description: installationID specifies the Github APP installation that will be used to authenticate the client
-                              format: int64
                               type: integer
                             organization:
                               description: organization will be used to fetch secrets from the Github organization
@@ -8311,7 +8751,7 @@ should match snapshot of default values:
                             - project
                           type: object
                         scaleway:
-                          description: Scaleway
+                          description: Scaleway configures this store to sync secrets using the Scaleway provider.
                           properties:
                             accessKey:
                               description: AccessKey is the non-secret part of the api key.
@@ -8531,7 +8971,7 @@ should match snapshot of default values:
                             - url
                           type: object
                         vault:
-                          description: Vault configures this store to sync secrets using Hashi provider
+                          description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
                           properties:
                             auth:
                               description: Auth configures how secret-manager authenticates with the Vault server.
@@ -8836,6 +9276,7 @@ should match snapshot of default values:
                                             Optional audiences field that will be used to request a temporary Kubernetes service
                                             account token for the service account referenced by `serviceAccountRef`.
                                             Defaults to a single audience `vault` it not specified.
+
                                             Deprecated: use serviceAccountRef.Audiences instead
                                           items:
                                             type: string
@@ -8845,9 +9286,9 @@ should match snapshot of default values:
                                             Optional expiration time in seconds that will be used to request a temporary
                                             Kubernetes service account token for the service account referenced by
                                             `serviceAccountRef`.
+
                                             Deprecated: this will be removed in the future.
                                             Defaults to 10 minutes.
-                                          format: int64
                                           type: integer
                                         serviceAccountRef:
                                           description: Service account field containing the name of a kubernetes ServiceAccount.
@@ -9617,7 +10058,7 @@ should match snapshot of default values:
                       description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
                       type: integer
                     retrySettings:
-                      description: Used to configure http retries if failed
+                      description: Used to configure HTTP retries on failures.
                       properties:
                         maxRetries:
                           description: MaxRetries is the maximum number of retry attempts.

+ 1 - 1
deploy/charts/external-secrets/tests/crds_test.yaml

@@ -1,6 +1,6 @@
 suite: test crds
 templates:
-  - crds/secretstore.yaml
+  - crds/external-secrets.io_secretstore.yaml
 tests:
   - it: should match snapshot of default values
     asserts:

+ 21 - 0
deploy/charts/external-secrets/tests/provider_class_test.yaml

@@ -0,0 +1,21 @@
+suite: provider class
+templates:
+  - provider-class.yaml
+tests:
+  - it: renders a ClusterProviderClass for each enabled provider
+    set:
+      namespaceOverride: default
+      providers:
+        enabled: true
+        list:
+          - name: aws
+            type: aws
+            enabled: true
+    asserts:
+      - hasDocuments:
+          count: 1
+      - isKind:
+          of: ClusterProviderClass
+      - equal:
+          path: spec.address
+          value: provider-aws.default.svc:8080
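Review bot: The new suite only covers the positive path; a provider entry with `enabled: false` (or `providers.enabled: false`) has no case, so a regression that renders a ClusterProviderClass for a disabled provider — pointing at a Service that is never created — would pass CI. A zero-document case next to the existing test pins that behavior. The expected address also hard-codes port 8080, which comes from `providerDefaults.service.port`, so a reader should treat this assertion as coupled to that default.
```yaml
  - it: renders nothing when the provider is disabled
    set:
      namespaceOverride: default
      providers:
        enabled: true
        list:
          - name: aws
            type: aws
            enabled: false
    asserts:
      - hasDocuments:
          count: 0
```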

+ 40 - 0
deploy/charts/external-secrets/tests/provider_rbac_test.yaml

@@ -0,0 +1,40 @@
+suite: test provider rbac
+templates:
+  - provider-rbac.yaml
+tests:
+  - it: should grant gcp providers access to secretmanager configs
+    set:
+      providers:
+        enabled: true
+        list:
+          - name: gcp
+            type: gcp
+            enabled: true
+            image:
+              repository: ghcr.io/external-secrets/provider-gcp
+              tag: test
+    documentIndex: 0
+    asserts:
+      - isKind:
+          of: ClusterRole
+      - contains:
+          path: rules[0].resources
+          content: secretmanagers
+  - it: should grant aws providers access to secretsmanager configs
+    set:
+      providers:
+        enabled: true
+        list:
+          - name: aws
+            type: aws
+            enabled: true
+            image:
+              repository: ghcr.io/external-secrets/provider-aws
+              tag: test
+    documentIndex: 0
+    asserts:
+      - isKind:
+          of: ClusterRole
+      - contains:
+          path: rules[0].resources
+          content: secretsmanagers
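Review bot: Both cases assert only that the resource name appears in `rules[0].resources` and never pin the verbs, so a later edit that widens the provider ClusterRole from read to write, or adds `secrets`, would still pass; the least-privilege property is exactly what this test is best placed to guard. If provider-rbac.yaml (not in view) grants read-only access, add to each case `- equal:` / `path: rules[0].verbs` / `value: [get, list, watch]`, adjusted to what the template actually emits. `documentIndex: 0` also assumes the ClusterRole is the first rendered document; a short comment naming that assumption would make an `isKind` failure easier to read.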

+ 3 - 3
deploy/charts/external-secrets/tests/webhook_test.yaml

@@ -5,7 +5,7 @@ templates:
   - webhook-service.yaml
   - webhook-certificate.yaml
   - validatingwebhook.yaml
-  - crds/externalsecret.yaml
+  - crds/external-secrets.io_externalsecret.yaml
 tests:
   - it: should match snapshot of default values
     asserts:
@@ -182,7 +182,7 @@ tests:
           value: "NAMESPACE/RELEASE-NAME-external-secrets-webhook"
     templates:
       - validatingwebhook.yaml
-      - crds/externalsecret.yaml
+      - crds/external-secrets.io_externalsecret.yaml
   - it: should not add annotations to the webhook
     set:
       webhook.create: true
@@ -194,7 +194,7 @@ tests:
           # value: "NAMESPACE/RELEASE-NAME-external-secrets-webhook"
     templates:
       - validatingwebhook.yaml
-      - crds/externalsecret.yaml
+      - crds/external-secrets.io_externalsecret.yaml
   - it: should have the correct labels
     set:
       webhook.create: true

+ 91 - 0
deploy/charts/external-secrets/values-test.yaml

@@ -0,0 +1,91 @@
+# Minimal test configuration for provider deployment
+replicaCount: 1
+
+image:
+  repository: oci.external-secrets.io/external-secrets/external-secrets
+  pullPolicy: IfNotPresent
+
+installCRDs: true
+v2:
+  enabled: true
+crds:
+  createClusterProviderClass: true
+  createProviderStore: true
+  createClusterProviderStore: true
+
+providers:
+  enabled: true
+  list:
+    - name: aws-test
+      type: aws
+      enabled: true
+      replicaCount: 1
+      
+      image:
+        repository: oci.external-secrets.io/external-secrets/provider-aws
+        pullPolicy: IfNotPresent
+      
+      serviceAccount:
+        create: true
+        automount: true
+      
+      podSecurityContext:
+        enabled: true
+        runAsNonRoot: true
+        runAsUser: 65532
+      
+      securityContext:
+        enabled: true
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
+        runAsNonRoot: true
+        runAsUser: 65532
+        capabilities:
+          drop:
+          - ALL
+      
+      service:
+        type: ClusterIP
+        port: 8080
+      
+      resources:
+        limits:
+          cpu: 100m
+          memory: 128Mi
+        requests:
+          cpu: 25m
+          memory: 32Mi
+      
+      tls:
+        enabled: false
+      
+      config:
+        region: us-east-1
+      
+      logging:
+        level: info
+        format: json
+      
+      metrics:
+        enabled: true
+        port: 8081
+      
+      health:
+        port: 8082
+      
+      podDisruptionBudget:
+        enabled: false
+      
+      autoscaling:
+        enabled: false
+
+serviceAccount:
+  create: true
+
+resources:
+  limits:
+    cpu: 100m
+    memory: 128Mi
+  requests:
+    cpu: 25m
+    memory: 32Mi
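Review bot: The blank separator lines between the provider sub-sections carry trailing spaces; yamllint flags these and they make later diffs noisy, so strip them. `tls.enabled: false` also diverges from `providerDefaults.tls.enabled: true`, meaning this configuration never exercises the CA mount path; if that is deliberate for a minimal test, a comment such as `# TLS disabled: keeps the test independent of the CA secret` makes the intent explicit.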

+ 238 - 0
deploy/charts/external-secrets/values-with-providers-example.yaml

@@ -0,0 +1,238 @@
+# Example values.yaml demonstrating provider deployment
+# This shows how to deploy External Secrets with multiple providers
+
+# Deploy the External Secrets controller
+replicaCount: 1
+
+image:
+  repository: oci.external-secrets.io/external-secrets/external-secrets
+  pullPolicy: IfNotPresent
+  tag: ""
+
+# Install CRDs
+installCRDs: true
+v2:
+  enabled: true
+crds:
+  createClusterProviderClass: true
+  createProviderStore: true
+  createClusterProviderStore: true
+
+# Enable provider deployments
+providers:
+  enabled: true
+  
+  list:
+    # AWS Provider Example
+    - name: aws-primary
+      type: aws
+      enabled: true
+      replicaCount: 2
+      
+      image:
+        repository: oci.external-secrets.io/external-secrets/provider-aws
+        pullPolicy: IfNotPresent
+        tag: ""
+      
+      serviceAccount:
+        create: true
+        annotations:
+          # Example: Use IRSA for AWS authentication
+          eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/eso-provider-aws
+        automount: true
+      
+      podSecurityContext:
+        enabled: true
+        runAsNonRoot: true
+        runAsUser: 65532
+        fsGroup: 65532
+        seccompProfile:
+          type: RuntimeDefault
+      
+      securityContext:
+        enabled: true
+        allowPrivilegeEscalation: false
+        readOnlyRootFilesystem: true
+        runAsNonRoot: true
+        runAsUser: 65532
+        capabilities:
+          drop:
+          - ALL
+      
+      service:
+        type: ClusterIP
+        port: 8080
+      
+      resources:
+        limits:
+          cpu: 200m
+          memory: 256Mi
+        requests:
+          cpu: 50m
+          memory: 64Mi
+      
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            podAffinityTerm:
+              labelSelector:
+                matchLabels:
+                  app.kubernetes.io/component: provider
+                  external-secrets.io/provider: aws
+              topologyKey: kubernetes.io/hostname
+      
+      podDisruptionBudget:
+        enabled: true
+        minAvailable: 1
+      
+      tls:
+        enabled: true
+        certPath: /etc/provider/certs
+        caSecretName: external-secrets-v2-ca
+        mountCA: true
+      
+      config:
+        region: us-east-1
+        authMethod: irsa
+      
+      logging:
+        level: info
+        format: json
+      
+      metrics:
+        enabled: true
+        port: 8081
+        serviceMonitor:
+          enabled: true
+          interval: 30s
+          scrapeTimeout: 10s
+      
+      health:
+        port: 8082
+        livenessProbe:
+          enabled: true
+          initialDelaySeconds: 10
+          periodSeconds: 20
+        readinessProbe:
+          enabled: true
+          initialDelaySeconds: 5
+          periodSeconds: 10
+    
+    # GCP Provider Example (disabled by default)
+    - name: gcp
+      type: gcp
+      enabled: false
+      replicaCount: 2
+      
+      image:
+        repository: oci.external-secrets.io/external-secrets/provider-gcp
+        pullPolicy: IfNotPresent
+      
+      serviceAccount:
+        create: true
+        annotations:
+          # Example: Use Workload Identity for GCP authentication
+          iam.gke.io/gcp-service-account: eso-provider@project-id.iam.gserviceaccount.com
+      
+      resources:
+        limits:
+          cpu: 200m
+          memory: 256Mi
+        requests:
+          cpu: 50m
+          memory: 64Mi
+      
+      config:
+        projectID: my-project-id
+      
+      logging:
+        level: info
+      
+      metrics:
+        enabled: true
+    
+    # Azure Provider Example (disabled by default)
+    - name: azure
+      type: azure
+      enabled: false
+      replicaCount: 2
+      
+      image:
+        repository: oci.external-secrets.io/external-secrets/provider-azure
+        pullPolicy: IfNotPresent
+      
+      serviceAccount:
+        create: true
+        annotations:
+          # Example: Use Azure Workload Identity
+          azure.workload.identity/client-id: "00000000-0000-0000-0000-000000000000"
+      
+      podLabels:
+        azure.workload.identity/use: "true"
+      
+      resources:
+        limits:
+          cpu: 200m
+          memory: 256Mi
+        requests:
+          cpu: 50m
+          memory: 64Mi
+      
+      config:
+        vaultURL: https://my-keyvault.vault.azure.net
+        tenantID: "00000000-0000-0000-0000-000000000000"
+      
+      logging:
+        level: info
+      
+      metrics:
+        enabled: true
+    
+    # Vault Provider Example (disabled by default)
+    - name: vault
+      type: vault
+      enabled: false
+      replicaCount: 2
+      
+      image:
+        repository: oci.external-secrets.io/external-secrets/provider-vault
+        pullPolicy: IfNotPresent
+      
+      serviceAccount:
+        create: true
+      
+      resources:
+        limits:
+          cpu: 200m
+          memory: 256Mi
+        requests:
+          cpu: 50m
+          memory: 64Mi
+      
+      config:
+        vaultAddr: https://vault.example.com
+        authMethod: kubernetes
+      
+      extraEnv:
+      - name: VAULT_SKIP_VERIFY
+        value: "false"
+      
+      logging:
+        level: info
+      
+      metrics:
+        enabled: true
+
+# Standard controller configuration continues...
+serviceAccount:
+  create: true
+  annotations: {}
+
+resources:
+  limits:
+    cpu: 500m
+    memory: 512Mi
+  requests:
+    cpu: 100m
+    memory: 128Mi
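Review bot: The AWS anti-affinity term selects pods by `app.kubernetes.io/component: provider` and `external-secrets.io/provider: aws`; those labels must match what provider-deployment.yaml (not in view) stamps on the provider pods, otherwise the preference is a silent no-op and both replicas can land on one node. A comment next to the selector naming where the labels come from would let readers verify it. The Vault example's `VAULT_SKIP_VERIFY: "false"` deserves a one-line comment, e.g. `# keep TLS verification on; the provider must validate Vault's certificate`, since an example file is what users copy from.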

+ 298 - 0
deploy/charts/external-secrets/values.schema.json

@@ -294,12 +294,21 @@
                 "createClusterGenerator": {
                     "type": "boolean"
                 },
+                "createClusterProviderClass": {
+                    "type": "boolean"
+                },
+                "createClusterProviderStore": {
+                    "type": "boolean"
+                },
                 "createClusterPushSecret": {
                     "type": "boolean"
                 },
                 "createClusterSecretStore": {
                     "type": "boolean"
                 },
+                "createProviderStore": {
+                    "type": "boolean"
+                },
                 "createPushSecret": {
                     "type": "boolean"
                 },
@@ -637,6 +646,287 @@
         "processSecretStore": {
             "type": "boolean"
         },
+        "providerDefaults": {
+            "type": "object",
+            "properties": {
+                "affinity": {
+                    "type": "object"
+                },
+                "autoscaling": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean"
+                        },
+                        "maxReplicas": {
+                            "type": "integer"
+                        },
+                        "minReplicas": {
+                            "type": "integer"
+                        },
+                        "targetCPUUtilizationPercentage": {
+                            "type": "integer"
+                        },
+                        "targetMemoryUtilizationPercentage": {
+                            "type": "integer"
+                        }
+                    }
+                },
+                "health": {
+                    "type": "object",
+                    "properties": {
+                        "livenessProbe": {
+                            "type": "object",
+                            "properties": {
+                                "enabled": {
+                                    "type": "boolean"
+                                },
+                                "failureThreshold": {
+                                    "type": "integer"
+                                },
+                                "initialDelaySeconds": {
+                                    "type": "integer"
+                                },
+                                "periodSeconds": {
+                                    "type": "integer"
+                                },
+                                "timeoutSeconds": {
+                                    "type": "integer"
+                                }
+                            }
+                        },
+                        "port": {
+                            "type": "integer"
+                        },
+                        "readinessProbe": {
+                            "type": "object",
+                            "properties": {
+                                "enabled": {
+                                    "type": "boolean"
+                                },
+                                "failureThreshold": {
+                                    "type": "integer"
+                                },
+                                "initialDelaySeconds": {
+                                    "type": "integer"
+                                },
+                                "periodSeconds": {
+                                    "type": "integer"
+                                },
+                                "timeoutSeconds": {
+                                    "type": "integer"
+                                }
+                            }
+                        }
+                    }
+                },
+                "metrics": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean"
+                        },
+                        "port": {
+                            "type": "integer"
+                        },
+                        "serviceMonitor": {
+                            "type": "object",
+                            "properties": {
+                                "enabled": {
+                                    "type": "boolean"
+                                },
+                                "interval": {
+                                    "type": "string"
+                                },
+                                "labels": {
+                                    "type": "object"
+                                },
+                                "namespace": {
+                                    "type": "string"
+                                },
+                                "scrapeTimeout": {
+                                    "type": "string"
+                                }
+                            }
+                        }
+                    }
+                },
+                "nodeSelector": {
+                    "type": "object"
+                },
+                "podAnnotations": {
+                    "type": "object"
+                },
+                "podDisruptionBudget": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean"
+                        },
+                        "minAvailable": {
+                            "type": "integer"
+                        }
+                    }
+                },
+                "podLabels": {
+                    "type": "object"
+                },
+                "podSecurityContext": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean"
+                        },
+                        "fsGroup": {
+                            "type": "integer"
+                        },
+                        "runAsNonRoot": {
+                            "type": "boolean"
+                        },
+                        "runAsUser": {
+                            "type": "integer"
+                        },
+                        "seccompProfile": {
+                            "type": "object",
+                            "properties": {
+                                "type": {
+                                    "type": "string"
+                                }
+                            }
+                        }
+                    }
+                },
+                "priorityClassName": {
+                    "type": "string"
+                },
+                "replicaCount": {
+                    "type": "integer"
+                },
+                "resources": {
+                    "type": "object",
+                    "properties": {
+                        "limits": {
+                            "type": "object",
+                            "properties": {
+                                "cpu": {
+                                    "type": "string"
+                                },
+                                "memory": {
+                                    "type": "string"
+                                }
+                            }
+                        },
+                        "requests": {
+                            "type": "object",
+                            "properties": {
+                                "cpu": {
+                                    "type": "string"
+                                },
+                                "memory": {
+                                    "type": "string"
+                                }
+                            }
+                        }
+                    }
+                },
+                "securityContext": {
+                    "type": "object",
+                    "properties": {
+                        "allowPrivilegeEscalation": {
+                            "type": "boolean"
+                        },
+                        "capabilities": {
+                            "type": "object",
+                            "properties": {
+                                "drop": {
+                                    "type": "array",
+                                    "items": {
+                                        "type": "string"
+                                    }
+                                }
+                            }
+                        },
+                        "enabled": {
+                            "type": "boolean"
+                        },
+                        "readOnlyRootFilesystem": {
+                            "type": "boolean"
+                        },
+                        "runAsNonRoot": {
+                            "type": "boolean"
+                        },
+                        "runAsUser": {
+                            "type": "integer"
+                        }
+                    }
+                },
+                "service": {
+                    "type": "object",
+                    "properties": {
+                        "annotations": {
+                            "type": "object"
+                        },
+                        "port": {
+                            "type": "integer"
+                        },
+                        "type": {
+                            "type": "string"
+                        }
+                    }
+                },
+                "serviceAccount": {
+                    "type": "object",
+                    "properties": {
+                        "annotations": {
+                            "type": "object"
+                        },
+                        "automount": {
+                            "type": "boolean"
+                        },
+                        "create": {
+                            "type": "boolean"
+                        },
+                        "name": {
+                            "type": "string"
+                        }
+                    }
+                },
+                "tls": {
+                    "type": "object",
+                    "properties": {
+                        "caSecretName": {
+                            "type": "string"
+                        },
+                        "certPath": {
+                            "type": "string"
+                        },
+                        "enabled": {
+                            "type": "boolean"
+                        },
+                        "mountCA": {
+                            "type": "boolean"
+                        }
+                    }
+                },
+                "tolerations": {
+                    "type": "array"
+                },
+                "topologySpreadConstraints": {
+                    "type": "array"
+                }
+            }
+        },
+        "providers": {
+            "type": "object",
+            "properties": {
+                "enabled": {
+                    "type": "boolean"
+                },
+                "list": {
+                    "type": "array"
+                }
+            }
+        },
         "rbac": {
             "type": "object",
             "properties": {
@@ -835,6 +1125,14 @@
         "topologySpreadConstraints": {
             "type": "array"
         },
+        "v2": {
+            "type": "object",
+            "properties": {
+                "enabled": {
+                    "type": "boolean"
+                }
+            }
+        },
         "vault": {
             "type": "object",
             "properties": {
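Review bot: `providers.list` is declared as a bare `"type": "array"` with no `items` schema, so the per-provider entries that every template consumes (`name`, `type`, `enabled`, `image`, `config`) are not validated at all, while `providerDefaults` directly above is fully typed. A typo such as `enable: true` or a missing `type` will pass `helm lint` and fail only at render time, or render a misconfigured Deployment. At minimum declare the item shape and require `name` and `type`.
```json
                "list": {
                    "type": "array",
                    "items": {
                        "type": "object",
                        "required": ["name", "type"],
                        "properties": {
                            "name": { "type": "string" },
                            "type": { "type": "string" },
                            "enabled": { "type": "boolean" },
                            "image": { "type": "object" },
                            "config": { "type": "object" }
                        }
                    }
                }
```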

+ 218 - 0
deploy/charts/external-secrets/values.yaml

@@ -61,6 +61,12 @@ crds:
   createClusterExternalSecret: true
   # -- If true, create CRDs for Cluster Secret Store. If set to false you must also set processClusterStore: false.
   createClusterSecretStore: true
+  # -- If true, create CRDs for Cluster Provider Class.
+  createClusterProviderClass: true
+  # -- If true, create CRDs for Provider Store.
+  createProviderStore: true
+  # -- If true, create CRDs for Cluster Provider Store.
+  createClusterProviderStore: true
   # -- If true, create CRDs for Secret Store. If set to false you must also set processSecretStore: false.
   createSecretStore: true
   # -- If true, create CRDs for Cluster Generator. If set to false you must also set processClusterGenerator: false.
@@ -132,6 +138,11 @@ processClusterGenerator: true
 # -- if true, the operator will process push secret. Else, it will ignore them.
 processPushSecret: true
 
+# -- Experimental v2 out-of-process provider runtime support.
+# Enables ProviderStore / ClusterProviderStore and SecretStore runtimeRef compatibility flows.
+v2:
+  enabled: true
+
 # -- Enable support for generic targets (ConfigMaps, Custom Resources).
 # Warning: Using generic target. Make sure access policies and encryption are properly configured.
 # When enabled, this grants the controller permissions to create/update/delete
@@ -772,3 +783,210 @@ hostAliases: []
 
 # -- Any extra pod spec on the deployment
 podSpecExtra: {}
+
+# -- Provider defaults configuration
+# Common configuration that is automatically merged with each provider's configuration
+# Individual providers can override any of these defaults by specifying the same keys
+providerDefaults:
+  # Default replica count
+  replicaCount: 2
+
+  # Default service account configuration
+  serviceAccount:
+    create: true
+    automount: true
+    annotations: {}
+    name: ""
+
+  # Default pod annotations and labels
+  podAnnotations: {}
+  podLabels: {}
+
+  # Default pod security context
+  podSecurityContext:
+    enabled: true
+    runAsNonRoot: true
+    runAsUser: 65532
+    fsGroup: 65532
+    seccompProfile:
+      type: RuntimeDefault
+
+  # Default container security context
+  securityContext:
+    enabled: true
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsUser: 65532
+    capabilities:
+      drop:
+      - ALL
+
+  # Default service configuration
+  service:
+    type: ClusterIP
+    port: 8080
+    annotations: {}
+
+  # Default resource limits and requests
+  resources:
+    limits:
+      cpu: 200m
+      memory: 256Mi
+    requests:
+      cpu: 50m
+      memory: 64Mi
+
+  # Default node selector, tolerations, and affinity
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+  topologySpreadConstraints: []
+  priorityClassName: ""
+
+  # Default pod disruption budget
+  podDisruptionBudget:
+    enabled: true
+    minAvailable: 1
+
+  # Default TLS configuration
+  tls:
+    enabled: true
+    certPath: /etc/provider/certs
+    caSecretName: external-secrets-v2-ca
+    mountCA: true
+
+  # Default metrics configuration
+  metrics:
+    enabled: true
+    port: 8081
+    serviceMonitor:
+      enabled: false
+      namespace: ""
+      interval: 30s
+      scrapeTimeout: 10s
+      labels: {}
+
+  # Default health check configuration
+  health:
+    port: 8082
+    livenessProbe:
+      enabled: false
+      initialDelaySeconds: 10
+      periodSeconds: 20
+      timeoutSeconds: 5
+      failureThreshold: 3
+    readinessProbe:
+      enabled: false
+      initialDelaySeconds: 5
+      periodSeconds: 10
+      timeoutSeconds: 5
+      failureThreshold: 3
+
+  # Default extra volumes and volume mounts
+  # Note: it is intentionally not defined here to allow per-provider overrides
+  # extraVolumes: []
+  # extraVolumeMounts: []
+
+  # Default autoscaling configuration (disabled by default)
+  autoscaling:
+    enabled: false
+    minReplicas: 2
+    maxReplicas: 10
+    targetCPUUtilizationPercentage: 80
+    targetMemoryUtilizationPercentage: 80
+
+# -- Provider deployment configuration
+# Deploy one or more external secret providers alongside the controller
+# Each provider runs as a separate deployment with its own configuration
+providers:
+  # -- Enable provider deployments
+  enabled: false
+
+  # -- List of providers to deploy
+  # Each provider automatically inherits defaults from providerDefaults above
+  # You only need to specify what you want to override
+  list: []
+  # Example configurations:
+  #
+  # Simple provider configuration - uses all defaults from providerDefaults:
+  # - name: fake
+  #   type: fake
+  #   enabled: true
+  #   image:
+  #     repository: ghcr.io/external-secrets/provider-fake
+  #     tag: latest
+  #     pullPolicy: IfNotPresent
+  #   # All other settings (serviceAccount, podSecurityContext, resources, etc.)
+  #   # are automatically inherited from providerDefaults
+  #
+  # Advanced provider configuration - overrides specific defaults:
+  # - name: aws
+  #   type: aws
+  #   enabled: true
+  #   replicaCount: 3  # Override default replica count (default is 2)
+  #
+  #   image:
+  #     repository: oci.external-secrets.io/external-secrets/provider-aws
+  #     pullPolicy: IfNotPresent
+  #     tag: ""
+  #
+  #   imagePullSecrets: []
+  #
+  #   # Override service account to add AWS IAM role annotation
+  #   serviceAccount:
+  #     create: true
+  #     annotations:
+  #       eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/eso-provider-aws
+  #     name: ""
+  #     automount: true
+  #
+  #   # Add custom pod labels
+  #   podLabels:
+  #     custom-label: custom-value
+  #
+  #   # Override resources for higher limits
+  #   resources:
+  #     limits:
+  #       cpu: 500m
+  #       memory: 512Mi
+  #     requests:
+  #       cpu: 100m
+  #       memory: 128Mi
+  #
+  #   # Add custom affinity for better distribution
+  #   affinity:
+  #     podAntiAffinity:
+  #       preferredDuringSchedulingIgnoredDuringExecution:
+  #       - weight: 100
+  #         podAffinityTerm:
+  #           labelSelector:
+  #             matchLabels:
+  #               app.kubernetes.io/component: provider
+  #               external-secrets.io/provider: aws
+  #           topologyKey: kubernetes.io/hostname
+  #
+  #   # Provider-specific configuration
+  #   config: {}
+  #     # For AWS provider:
+  #     # region: us-east-1
+  #     # authMethod: irsa  # irsa, credentials, none
+  #     # credentials:
+  #     #   existingSecret: ""
+  #     #   accessKeyId: ""
+  #     #   secretAccessKey: ""
+  #     # assumeRoleARN: ""
+  #     # sessionTags: {}
+  #     # externalID: ""
+  #     # connectionPool:
+  #     #   maxConnections: 50
+  #     #   idleTimeout: 5m
+  #     #   maxLifetime: 30m
+  #
+  #   # Enable autoscaling
+  #   autoscaling:
+  #     enabled: true
+  #     minReplicas: 3
+  #     maxReplicas: 10
+  #     targetCPUUtilizationPercentage: 80
+  #     targetMemoryUtilizationPercentage: 80
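Review bot: The commented AWS example under `config` shows `credentials.accessKeyId` / `secretAccessKey` as inline values next to `existingSecret`; if `config` is rendered into the provider's ConfigMap or arguments (the template is not in view), inline keys end up in plaintext in the rendered manifest and in Helm release history. The comment should steer to the secret reference, e.g. `# prefer existingSecret; inline keys are stored in plaintext in the rendered manifest`. Separately, `health.livenessProbe.enabled` and `readinessProbe.enabled` default to `false` while a health port is configured, so the provider Service may route to a pod before it is ready; consider enabling at least the readiness probe by default or documenting why it is off. The `v2` block is described as experimental yet defaults to `enabled: true`; either the wording or the default should reflect the intended support level.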

+ 1 - 2
hack/helm.generate.sh

@@ -13,7 +13,7 @@ fi
 cd "${SCRIPT_DIR}"/../
 
 # Split the generated bundle yaml file to inject control flags
-yq e -Ns "\"${HELM_DIR}/templates/crds/\" + .spec.names.singular" ${BUNDLE_DIR}/bundle.yaml
+yq e -Ns "\"${HELM_DIR}/templates/crds/\" + .spec.group + \"_\" + .spec.names.singular" ${BUNDLE_DIR}/bundle.yaml
 
 # Add helm if statement for controlling the install of CRDs
 for i in "${HELM_DIR}"/templates/crds/*.yml; do
@@ -39,7 +39,6 @@ for i in "${HELM_DIR}"/templates/crds/*.yml; do
   echo "{{- end }}" >> "$i"
   rm "$i.bkp"
 
-  $SEDPRG -i 's/name: kubernetes/name: {{ include "external-secrets.fullname" . }}-webhook/g' "$i"
   $SEDPRG -i 's/namespace: default/namespace: {{ .Release.Namespace | quote }}/g' "$i"
   $SEDPRG -i '0,/annotations/!b;//a\    {{- with .Values.crds.annotations }}\n    {{- toYaml . | nindent 4}}\n    {{- end }}\n    {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}\n    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook\n    {{- end }}' "$i"
   mv "$i" "${i%.yml}.yaml"
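Review bot: The rewritten `yq` line still passes `${BUNDLE_DIR}/bundle.yaml` unquoted, so a bundle directory containing spaces or glob characters splits into several arguments; change it to `yq e -Ns "\"${HELM_DIR}/templates/crds/\" + .spec.group + \"_\" + .spec.names.singular" "${BUNDLE_DIR}/bundle.yaml"`. The new split expression puts the CRD group into the file name (matching the `crds/external-secrets.io_*.yaml` renames in the test suites), which is worth a short comment on the line above, e.g. `# one file per CRD, named <group>_<singular>`. The `for` loop whose body appears in the second hunk opens in the first hunk and closes outside both.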