
fix: revert main to 0.15.1 (#4657)

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>
Gustavo Fernandes de Carvalho 1 year ago
parent
commit
153c12491d
100 changed files with 3165 additions and 13513 deletions
  1. 2 2
      .github/workflows/codeql.yml
  2. 0 40
      .github/workflows/dependabot-approve.yml
  3. 33 1
      .github/workflows/e2e.yml
  4. 1 1
      .github/workflows/helm.yml
  5. 2 2
      .github/workflows/release_esoctl.yml
  6. 1 1
      .github/workflows/scorecard.yml
  7. 1 1
      .github/workflows/update-deps.yml
  8. 6 0
      .golangci.yaml
  9. 1 1
      Dockerfile
  10. 2 2
      Dockerfile.standalone
  11. 1 1
      Makefile
  12. 11 12
      PROJECT
  13. 0 133
      apis/externalsecrets/v1/clusterexternalsecret_types.go
  14. 0 546
      apis/externalsecrets/v1/externalsecret_types.go
  15. 0 124
      apis/externalsecrets/v1/externalsecret_validator.go
  16. 0 224
      apis/externalsecrets/v1/externalsecret_validator_test.go
  17. 0 106
      apis/externalsecrets/v1/fakes/pushremoteref.go
  18. 0 117
      apis/externalsecrets/v1/provider.go
  19. 0 123
      apis/externalsecrets/v1/provider_schema.go
  20. 0 89
      apis/externalsecrets/v1/provider_schema_maintenance.go
  21. 0 206
      apis/externalsecrets/v1/provider_schema_test.go
  22. 0 41
      apis/externalsecrets/v1/pushsecret_interfaces.go
  23. 0 76
      apis/externalsecrets/v1/register.go
  24. 0 50
      apis/externalsecrets/v1/secretsstore_bitwarden_types.go
  25. 0 51
      apis/externalsecrets/v1/secretsstore_delinea_types.go
  26. 0 66
      apis/externalsecrets/v1/secretsstore_infisical_types.go
  27. 0 32
      apis/externalsecrets/v1/secretsstore_passbolt_types.go
  28. 0 45
      apis/externalsecrets/v1/secretsstore_secretserver_types.go
  29. 0 67
      apis/externalsecrets/v1/secretstore_beyondtrust_types.go
  30. 0 38
      apis/externalsecrets/v1/secretstore_chef_types.go
  31. 0 41
      apis/externalsecrets/v1/secretstore_cloudru_types.go
  32. 0 81
      apis/externalsecrets/v1/secretstore_conjur_types.go
  33. 0 38
      apis/externalsecrets/v1/secretstore_device42_types.go
  34. 0 57
      apis/externalsecrets/v1/secretstore_doppler_types.go
  35. 0 29
      apis/externalsecrets/v1/secretstore_fortanix_types.go
  36. 0 52
      apis/externalsecrets/v1/secretstore_github_types.go
  37. 0 50
      apis/externalsecrets/v1/secretstore_onboardbase_types.go
  38. 0 40
      apis/externalsecrets/v1/secretstore_onepassword_types.go
  39. 0 38
      apis/externalsecrets/v1/secretstore_previder_types.go
  40. 0 45
      apis/externalsecrets/v1/secretstore_pulumi_types.go
  41. 0 47
      apis/externalsecrets/v1/secretstore_scaleway_types.go
  42. 0 57
      apis/externalsecrets/v1/secretstore_senhasegura_types.go
  43. 0 348
      apis/externalsecrets/v1/secretstore_types.go
  44. 0 90
      apis/externalsecrets/v1/secretstore_validator.go
  45. 0 196
      apis/externalsecrets/v1/secretstore_validator_test.go
  46. 0 43
      apis/externalsecrets/v1/secretstore_yandexcertificatemanager_types.go
  47. 0 3702
      apis/externalsecrets/v1/zz_generated.deepcopy.go
  48. 129 0
      apis/externalsecrets/v1alpha1/externalsecret_conversion.go
  49. 228 0
      apis/externalsecrets/v1alpha1/externalsecret_conversion_test.go
  50. 284 0
      apis/externalsecrets/v1alpha1/externalsecret_types.go
  51. 3 4
      apis/externalsecrets/v1alpha1/externalsecret_webhook.go
  52. 1 10
      apis/externalsecrets/v1alpha1/generic_store.go
  53. 3 3
      apis/externalsecrets/v1alpha1/pushsecret_types.go
  54. 27 0
      apis/externalsecrets/v1alpha1/register.go
  55. 1 1
      apis/externalsecrets/v1alpha1/secretstore_akeyless_types.go
  56. 9 9
      apis/externalsecrets/v1alpha1/secretstore_alibaba_types.go
  57. 4 59
      apis/externalsecrets/v1alpha1/secretstore_aws_types.go
  58. 4 33
      apis/externalsecrets/v1alpha1/secretstore_azurekv_types.go
  59. 91 0
      apis/externalsecrets/v1alpha1/secretstore_conversion.go
  60. 259 0
      apis/externalsecrets/v1alpha1/secretstore_conversion_test.go
  61. 5 4
      apis/externalsecrets/v1alpha1/secretstore_fake_types.go
  62. 4 17
      apis/externalsecrets/v1alpha1/secretstore_gcpsm_types.go
  63. 1 10
      apis/externalsecrets/v1alpha1/secretstore_gitlab_types.go
  64. 3 16
      apis/externalsecrets/v1alpha1/secretstore_ibm_types.go
  65. 15 8
      apis/externalsecrets/v1alpha1/secretstore_kubernetes_types.go
  66. 3 3
      apis/externalsecrets/v1alpha1/secretstore_oracle_types.go
  67. 1 2
      apis/externalsecrets/v1alpha1/secretstore_passworddepot_types.go
  68. 180 0
      apis/externalsecrets/v1alpha1/secretstore_types.go
  69. 41 143
      apis/externalsecrets/v1alpha1/secretstore_vault_types.go
  70. 1 3
      apis/externalsecrets/v1alpha1/secretstore_webhook.go
  71. 1 1
      apis/externalsecrets/v1alpha1/secretstore_webhook_types.go
  72. 1 1
      apis/externalsecrets/v1alpha1/secretstore_yandexlockbox_types.go
  73. 1090 36
      apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go
  74. 1 0
      apis/externalsecrets/v1beta1/clusterexternalsecret_types.go
  75. 5 5
      apis/externalsecrets/v1beta1/externalsecret_conversion.go
  76. 4 19
      apis/externalsecrets/v1beta1/externalsecret_types.go
  77. 2 2
      apis/externalsecrets/v1beta1/fakes/pushremoteref.go
  78. 6 6
      apis/externalsecrets/v1beta1/secretstore_conversion.go
  79. 5 3
      apis/externalsecrets/v1beta1/secretstore_fake_types.go
  80. 3 13
      apis/externalsecrets/v1beta1/secretstore_gcpsm_types.go
  81. 2 0
      apis/externalsecrets/v1beta1/secretstore_types.go
  82. 10 1
      apis/externalsecrets/v1beta1/zz_generated.deepcopy.go
  83. 2 2
      apis/generators/v1alpha1/types_acr.go
  84. 3 3
      apis/generators/v1alpha1/types_vault.go
  85. 3 3
      apis/generators/v1alpha1/zz_generated.deepcopy.go
  86. 2 2
      cmd/controller/root.go
  87. 18 8
      cmd/controller/webhook.go
  88. 8 8
      cmd/esoctl/template.go
  89. 4 773
      config/crds/bases/external-secrets.io_clusterexternalsecrets.yaml
  90. 2 1
      config/crds/bases/external-secrets.io_clusterpushsecrets.yaml
  91. 294 2396
      config/crds/bases/external-secrets.io_clustersecretstores.yaml
  92. 39 350
      config/crds/bases/external-secrets.io_externalsecrets.yaml
  93. 2 1
      config/crds/bases/external-secrets.io_pushsecrets.yaml
  94. 294 2396
      config/crds/bases/external-secrets.io_secretstores.yaml
  95. 1 1
      config/crds/bases/generators.external-secrets.io_acraccesstokens.yaml
  96. 1 1
      config/crds/bases/generators.external-secrets.io_clustergenerators.yaml
  97. 1 1
      config/crds/bases/generators.external-secrets.io_ecrauthorizationtokens.yaml
  98. 1 1
      config/crds/bases/generators.external-secrets.io_fakes.yaml
  99. 1 1
      config/crds/bases/generators.external-secrets.io_gcraccesstokens.yaml
  100. 1 1
      config/crds/bases/generators.external-secrets.io_generatorstates.yaml

+ 2 - 2
.github/workflows/codeql.yml

@@ -27,9 +27,9 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+      uses: github/codeql-action/init@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
       with:
         languages: go
         build-mode: autobuild
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+      uses: github/codeql-action/analyze@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12

+ 0 - 40
.github/workflows/dependabot-approve.yml

@@ -1,40 +0,0 @@
-name: Dependabot Pull Request Approve and Merge
-on: pull_request_target
-permissions:
-  contents: read
-jobs:
-  dependabot:
-    permissions:
-      pull-requests: write
-      contents: write
-    runs-on: ubuntu-latest
-    # Checking the actor will prevent your Action run failing on non-Dependabot
-    # PRs but also ensures that it only does work for Dependabot PRs.
-    if: ${{ github.actor == 'dependabot[bot]' }}
-    steps:
-      - uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
-        id: app-token
-        with:
-          app-id: ${{ secrets.APP_ID }}
-          private-key: ${{ secrets.PRIVATE_KEY }}
-      # This first step will fail if there's no metadata and so the approval
-      # will not occur.
-      - name: Dependabot metadata
-        id: dependabot-metadata
-        uses: dependabot/fetch-metadata@d7267f607e9d3fb96fc2fbe83e0af444713e90b7 # v2.3.0
-        with:
-          github-token: "${{ steps.app-token.outputs.token }}"
-      # Here the PR gets approved.
-      - name: Approve a PR
-        run: gh pr review --approve "$PR_URL"
-        env:
-          PR_URL: ${{ github.event.pull_request.html_url }}
-          GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}"
-      # Finally, this sets the PR to allow auto-merging for patch and minor
-      # updates if all checks pass
-      - name: Enable auto-merge for Dependabot PRs
-        if: ${{ steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch' }}
-        run: gh pr merge --auto --squash "$PR_URL"
-        env:
-          PR_URL: ${{ github.event.pull_request.html_url }}
-          GITHUB_TOKEN: "${{ steps.app-token.outputs.token }}"

+ 33 - 1
.github/workflows/e2e.yml

@@ -101,11 +101,43 @@ jobs:
     - id: e2e
       uses: ./.github/actions/e2e
     - id: create_token
-      if: always()
       uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
       with:
         app_id: ${{ secrets.APP_ID }}
         private_key: ${{ secrets.PRIVATE_KEY }}
+    # Update check run called "integration-fork"
+    - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      id: update-check-run
+      if: ${{ always() }}
+      env:
+        number: ${{ github.event.client_payload.pull_request.number }}
+        job: ${{ github.job }}
+        # Conveniently, job.status maps to https://developer.github.com/v3/checks/runs/#update-a-check-run
+        conclusion: ${{ job.status }}
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        script: |
+          const { data: pull } = await github.rest.pulls.get({
+            ...context.repo,
+            pull_number: process.env.number
+          });
+          const ref = pull.head.sha;
+          console.log("\n\nPR sha: " + ref)
+          const { data: checks } = await github.rest.checks.listForRef({
+            ...context.repo,
+            ref
+          });
+          console.log("\n\nPR CHECKS: " + checks)
+          const check = checks.check_runs.filter(c => c.name === process.env.job);
+          console.log("\n\nPR Filtered CHECK: " + check)
+          console.log(check)
+          const { data: result } = await github.rest.checks.update({
+            ...context.repo,
+            check_run_id: check[0].id,
+            status: 'completed',
+            conclusion: process.env.conclusion
+          });
+          return result;
     - name: Update on Succeess
       if: always() && steps.e2e.conclusion == 'success'
       uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
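Review bot: The added `update-check-run` script dereferences `check[0].id` without confirming that the filter on `process.env.job` matched anything, so a head commit with no check run of that name ends the step with a TypeError rather than a clear failure. A guard before the update call, such as `if (check.length === 0) { core.setFailed('no check run named ' + process.env.job); return; }`, would make that case explicit. The two `console.log` calls that concatenate `checks` and `check` onto a string print `[object Object]`, so they need `JSON.stringify` or can be dropped in favour of the bare `console.log(check)`. Separately, `create_token` loses `if: always()` while the comment steps after it still run under `always()`. If a failure-path step outside this hunk reads the token output of `create_token`, it would get an empty value when e2e fails, which is worth confirming.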

+ 1 - 1
.github/workflows/helm.yml

@@ -34,7 +34,7 @@ jobs:
         with:
           version: v3.14.2 # remember to also update for the second job (release)
 
-      - uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: 3.12
 

+ 2 - 2
.github/workflows/release_esoctl.yml

@@ -45,7 +45,7 @@ jobs:
 
       - name: Import GPG key
         id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
+        uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5 # v6.2.0
         with:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.GPG_PASSPHRASE }}
@@ -66,7 +66,7 @@ jobs:
           git push origin $TAG
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
+        uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 # v6.2.1
         with:
           version: '~> v2'
           args: release --clean

+ 1 - 1
.github/workflows/scorecard.yml

@@ -33,6 +33,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
+        uses: github/codeql-action/upload-sarif@5f8171a638ada777af81d42b55959a643bb29017 # v3.28.12
         with:
           sarif_file: results.sarif

+ 1 - 1
.github/workflows/update-deps.yml

@@ -63,7 +63,7 @@ jobs:
         git config --global user.name "External Secrets Operator"
         BRANCH=update-deps-$(date "+%s")
         make update-deps || true
-        make check-diff || true
+
         if git diff-index --quiet HEAD --; then
           echo "nothing changed. skipping."
           exit 0;

+ 6 - 0
.golangci.yaml

@@ -115,6 +115,12 @@ issues:
       linters:
         - goheader
 
+    # excluding deprecation check introduced on purpose in #2884
+    - path: pkg/provider/fake/fake.go
+      text: 'SA1019: data.ValueMap is deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
+    - path: pkg/provider/fake/fake_test.go
+      text: 'SA1019: data.ValueMap is deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
+
   # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
   max-issues-per-linter: 0
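Review bot: Both new exclusions repeat the entire staticcheck message as the `text` pattern, which golangci-lint treats as a regular expression, so any rewording of the `ValueMap` deprecation notice breaks the rule. Matching the stable prefix is enough, e.g. `text: 'SA1019: data\.ValueMap is deprecated'`. The two entries can also be one rule with `path: pkg/provider/fake/fake(_test)?\.go`. The comment above them cites #2884 but would be more useful if it also said when the exclusion can be removed.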
 

+ 1 - 1
Dockerfile

@@ -1,4 +1,4 @@
-FROM gcr.io/distroless/static@sha256:3d0f463de06b7ddff27684ec3bfd0b54a425149d0f8685308b1fdf297b0265e9
+FROM gcr.io/distroless/static@sha256:95ea148e8e9edd11cc7f639dc11825f38af86a14e5c7361753c741ceadef2167
 ARG TARGETOS
 ARG TARGETARCH
 COPY bin/external-secrets-${TARGETOS}-${TARGETARCH} /bin/external-secrets
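Review bot: The base image on the `FROM` line is identified by digest only, with no tag or comment, so nothing in the file tells a reader which distroless release this revert lands on or how old it is. Because the commit is a revert, the new digest is presumably an earlier image. A comment on the line above, e.g. `# gcr.io/distroless/static, digest resolved on <DATE_PLACEHOLDER>`, would let a later audit confirm that the newer image is restored once main moves forward again. The same applies to the `AS app` stage in Dockerfile.standalone.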

+ 2 - 2
Dockerfile.standalone

@@ -1,6 +1,6 @@
 # This version of Dockerfile is for building without external dependencies.
 # Build a multi-platform image e.g. `docker buildx build --push --platform linux/arm64,linux/amd64 --tag external-secrets:dev --file Dockerfile.standalone .`
-FROM golang:1.24.2-alpine@sha256:7772cb5322baa875edd74705556d08f0eeca7b9c4b5367754ce3f2f00041ccee AS builder
+FROM golang:1.24.1-alpine@sha256:43c094ad24b6ac0546c62193baeb3e6e49ce14d3250845d166c77c25f64b0386 AS builder
 ARG TARGETOS
 ARG TARGETARCH
 ENV CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH}
@@ -12,7 +12,7 @@ COPY . /app/
 RUN go build -o external-secrets main.go
 
 
-FROM gcr.io/distroless/static@sha256:3d0f463de06b7ddff27684ec3bfd0b54a425149d0f8685308b1fdf297b0265e9 AS app
+FROM gcr.io/distroless/static@sha256:95ea148e8e9edd11cc7f639dc11825f38af86a14e5c7361753c741ceadef2167 AS app
 COPY --from=builder /app/external-secrets /bin/external-secrets
 
 # Run as UID for nobody

+ 1 - 1
Makefile

@@ -179,7 +179,7 @@ tilt-up: tilt manifests ## Generates the local manifests that tilt will use to d
 
 helm.docs: ## Generate helm docs
 	@cd $(HELM_DIR); \
-	docker run --rm -v $(shell pwd)/$(HELM_DIR):/helm-docs -u $(shell id -u) docker.io/jnorwood/helm-docs:v1.7.0
+	docker run --rm -v $(shell pwd)/$(HELM_DIR):/helm-docs -u $(shell id -u) jnorwood/helm-docs:v1.7.0
 
 HELM_VERSION ?= $(shell helm show chart $(HELM_DIR) | grep 'version:' | sed 's/version: //g')
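Review bot: Dropping the `docker.io/` prefix in the `helm.docs` recipe makes the image name unqualified, so which registry serves `jnorwood/helm-docs` depends on the local container engine's short-name resolution. The image is also pulled by mutable tag and run with the chart directory mounted read-write, unlike the Dockerfiles in this commit, which pin by digest. Keeping the registry and adding a digest, as in `docker.io/jnorwood/helm-docs:v1.7.0@sha256:<DIGEST_PLACEHOLDER>`, would close both gaps.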
 

+ 11 - 12
PROJECT

@@ -2,7 +2,17 @@ domain: io
 multigroup: true
 repo: github.com/external-secrets/external-secrets
 resources:
-- kind: ClusterSecretStore
+- group: external-secrets
+  kind: ClusterSecretStore
+  version: v1alpha1
+- group: external-secrets
+  kind: SecretStore
+  version: v1alpha1
+- group: external-secrets
+  kind: ExternalSecret
+  version: v1alpha1
+version: "2"
+  kind: ClusterSecretStore
   version: v1beta1
 - group: external-secrets
   kind: SecretStore
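Review bot: The added line `version: "2"` sits at column 0 in the middle of the `resources` list and is followed by the indented `kind: ClusterSecretStore` / `version: v1beta1` pair, so the new file no longer parses as the list it is meant to be. The v1beta1 ClusterSecretStore entry has lost its `- ` item start, and the top-level `version` key now appears twice (`"2"` here, `"3"` at the end of the second hunk). If the intent is only to restore the v1alpha1 entries, that line should read `- group: external-secrets`, leaving `version: "3"` as the single layout version. The `resources` list continues outside this hunk.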
@@ -13,15 +23,4 @@ resources:
 - group: external-secrets
   kind: ClusterPushSecret
   version: v1alpha1
-- group: external-secrets
-  kind: PushSecret
-  version: v1alpha1
-- kind: ClusterSecretStore
-  version: v1
-- group: external-secrets
-  kind: SecretStore
-  version: v1
-- group: external-secrets
-  kind: ExternalSecret
-  version: v1
 version: "3"

+ 0 - 133
apis/externalsecrets/v1/clusterexternalsecret_types.go

@@ -1,133 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
-type ClusterExternalSecretSpec struct {
-	// The spec for the ExternalSecrets to be created
-	ExternalSecretSpec ExternalSecretSpec `json:"externalSecretSpec"`
-
-	// The name of the external secrets to be created.
-	// Defaults to the name of the ClusterExternalSecret
-	// +optional
-	// +kubebuilder:validation:MinLength:=1
-	// +kubebuilder:validation:MaxLength:=253
-	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-	ExternalSecretName string `json:"externalSecretName,omitempty"`
-
-	// The metadata of the external secrets to be created
-	// +optional
-	ExternalSecretMetadata ExternalSecretMetadata `json:"externalSecretMetadata,omitempty"`
-
-	// The labels to select by to find the Namespaces to create the ExternalSecrets in.
-	// Deprecated: Use NamespaceSelectors instead.
-	// +optional
-	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
-
-	// A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
-	// +optional
-	NamespaceSelectors []*metav1.LabelSelector `json:"namespaceSelectors,omitempty"`
-
-	// Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
-	// Deprecated: Use NamespaceSelectors instead.
-	// +optional
-	// +kubebuilder:validation:items:MinLength:=1
-	// +kubebuilder:validation:items:MaxLength:=63
-	// +kubebuilder:validation:items:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
-	Namespaces []string `json:"namespaces,omitempty"`
-
-	// The time in which the controller should reconcile its objects and recheck namespaces for labels.
-	RefreshInterval *metav1.Duration `json:"refreshTime,omitempty"`
-}
-
-// ExternalSecretMetadata defines metadata fields for the ExternalSecret generated by the ClusterExternalSecret.
-type ExternalSecretMetadata struct {
-	// +optional
-	Annotations map[string]string `json:"annotations,omitempty"`
-
-	// +optional
-	Labels map[string]string `json:"labels,omitempty"`
-}
-
-type ClusterExternalSecretConditionType string
-
-const ClusterExternalSecretReady ClusterExternalSecretConditionType = "Ready"
-
-type ClusterExternalSecretStatusCondition struct {
-	Type   ClusterExternalSecretConditionType `json:"type"`
-	Status corev1.ConditionStatus             `json:"status"`
-
-	// +optional
-	Message string `json:"message,omitempty"`
-}
-
-// ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
-type ClusterExternalSecretNamespaceFailure struct {
-
-	// Namespace is the namespace that failed when trying to apply an ExternalSecret
-	Namespace string `json:"namespace"`
-
-	// Reason is why the ExternalSecret failed to apply to the namespace
-	// +optional
-	Reason string `json:"reason,omitempty"`
-}
-
-// ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
-type ClusterExternalSecretStatus struct {
-	// ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
-	ExternalSecretName string `json:"externalSecretName,omitempty"`
-
-	// Failed namespaces are the namespaces that failed to apply an ExternalSecret
-	// +optional
-	FailedNamespaces []ClusterExternalSecretNamespaceFailure `json:"failedNamespaces,omitempty"`
-
-	// ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
-	// +optional
-	ProvisionedNamespaces []string `json:"provisionedNamespaces,omitempty"`
-
-	// +optional
-	Conditions []ClusterExternalSecretStatusCondition `json:"conditions,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-// +kubebuilder:storageversion
-// +kubebuilder:resource:scope=Cluster,categories={external-secrets},shortName=ces
-// +kubebuilder:subresource:status
-// +kubebuilder:metadata:labels="external-secrets.io/component=controller"
-// +kubebuilder:printcolumn:name="Store",type=string,JSONPath=`.spec.externalSecretSpec.secretStoreRef.name`
-// +kubebuilder:printcolumn:name="Refresh Interval",type=string,JSONPath=`.spec.refreshTime`
-// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].status`
-// ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
-type ClusterExternalSecret struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec   ClusterExternalSecretSpec   `json:"spec,omitempty"`
-	Status ClusterExternalSecretStatus `json:"status,omitempty"`
-}
-
-//+kubebuilder:object:root=true
-
-// ClusterExternalSecretList contains a list of ClusterExternalSecret.
-type ClusterExternalSecretList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []ClusterExternalSecret `json:"items"`
-}

+ 0 - 546
apis/externalsecrets/v1/externalsecret_types.go

@@ -1,546 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-type SecretStoreRef struct {
-	// Name of the SecretStore resource
-	// +kubebuilder:validation:MinLength:=1
-	// +kubebuilder:validation:MaxLength:=253
-	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-	Name string `json:"name,omitempty"`
-
-	// Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-	// Defaults to `SecretStore`
-	// +optional
-	// +kubebuilder:validation:Enum=SecretStore;ClusterSecretStore
-	Kind string `json:"kind,omitempty"`
-}
-
-// ExternalSecretCreationPolicy defines rules on how to create the resulting Secret.
-// +kubebuilder:validation:Enum=Owner;Orphan;Merge;None
-type ExternalSecretCreationPolicy string
-
-const (
-	// Owner creates the Secret and sets .metadata.ownerReferences to the ExternalSecret resource.
-	CreatePolicyOwner ExternalSecretCreationPolicy = "Owner"
-
-	// Orphan creates the Secret and does not set the ownerReference.
-	// I.e. it will be orphaned after the deletion of the ExternalSecret.
-	CreatePolicyOrphan ExternalSecretCreationPolicy = "Orphan"
-
-	// Merge does not create the Secret, but merges the data fields to the Secret.
-	CreatePolicyMerge ExternalSecretCreationPolicy = "Merge"
-
-	// None does not create a Secret (future use with injector).
-	CreatePolicyNone ExternalSecretCreationPolicy = "None"
-)
-
-// ExternalSecretDeletionPolicy defines rules on how to delete the resulting Secret.
-// +kubebuilder:validation:Enum=Delete;Merge;Retain
-type ExternalSecretDeletionPolicy string
-
-const (
-	// Delete deletes the secret if all provider secrets are deleted.
-	// If a secret gets deleted on the provider side and is not accessible
-	// anymore this is not considered an error and the ExternalSecret
-	// does not go into SecretSyncedError status.
-	DeletionPolicyDelete ExternalSecretDeletionPolicy = "Delete"
-
-	// Merge removes keys in the secret, but not the secret itself.
-	// If a secret gets deleted on the provider side and is not accessible
-	// anymore this is not considered an error and the ExternalSecret
-	// does not go into SecretSyncedError status.
-	DeletionPolicyMerge ExternalSecretDeletionPolicy = "Merge"
-
-	// Retain will retain the secret if all provider secrets have been deleted.
-	// If a provider secret does not exist the ExternalSecret gets into the
-	// SecretSyncedError status.
-	DeletionPolicyRetain ExternalSecretDeletionPolicy = "Retain"
-)
-
-// ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
-type ExternalSecretTemplateMetadata struct {
-	// +optional
-	Annotations map[string]string `json:"annotations,omitempty"`
-
-	// +optional
-	Labels map[string]string `json:"labels,omitempty"`
-}
-
-// ExternalSecretTemplate defines a blueprint for the created Secret resource.
-// we can not use native corev1.Secret, it will have empty ObjectMeta values: https://github.com/kubernetes-sigs/controller-tools/issues/448
-type ExternalSecretTemplate struct {
-	// +optional
-	Type corev1.SecretType `json:"type,omitempty"`
-
-	// EngineVersion specifies the template engine version
-	// that should be used to compile/execute the
-	// template specified in .data and .templateFrom[].
-	// +kubebuilder:default="v2"
-	EngineVersion TemplateEngineVersion `json:"engineVersion,omitempty"`
-
-	// +optional
-	Metadata ExternalSecretTemplateMetadata `json:"metadata,omitempty"`
-
-	// +kubebuilder:default="Replace"
-	MergePolicy TemplateMergePolicy `json:"mergePolicy,omitempty"`
-
-	// +optional
-	Data map[string]string `json:"data,omitempty"`
-
-	// +optional
-	TemplateFrom []TemplateFrom `json:"templateFrom,omitempty"`
-}
-
-// +kubebuilder:validation:Enum=Replace;Merge
-type TemplateMergePolicy string
-
-const (
-	MergePolicyReplace TemplateMergePolicy = "Replace"
-	MergePolicyMerge   TemplateMergePolicy = "Merge"
-)
-
-// +kubebuilder:validation:Enum=v2
-type TemplateEngineVersion string
-
-const (
-	TemplateEngineV2 TemplateEngineVersion = "v2"
-)
-
-type TemplateFrom struct {
-	ConfigMap *TemplateRef `json:"configMap,omitempty"`
-	Secret    *TemplateRef `json:"secret,omitempty"`
-
-	// +optional
-	// +kubebuilder:default="Data"
-	Target TemplateTarget `json:"target,omitempty"`
-
-	// +optional
-	Literal *string `json:"literal,omitempty"`
-}
-
-// +kubebuilder:validation:Enum=Values;KeysAndValues
-type TemplateScope string
-
-const (
-	TemplateScopeValues        TemplateScope = "Values"
-	TemplateScopeKeysAndValues TemplateScope = "KeysAndValues"
-)
-
-// +kubebuilder:validation:Enum=Data;Annotations;Labels
-type TemplateTarget string
-
-const (
-	TemplateTargetData        TemplateTarget = "Data"
-	TemplateTargetAnnotations TemplateTarget = "Annotations"
-	TemplateTargetLabels      TemplateTarget = "Labels"
-)
-
-type TemplateRef struct {
-	// The name of the ConfigMap/Secret resource
-	// +kubebuilder:validation:MinLength:=1
-	// +kubebuilder:validation:MaxLength:=253
-	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-	Name string `json:"name"`
-
-	// A list of keys in the ConfigMap/Secret to use as templates for Secret data
-	Items []TemplateRefItem `json:"items"`
-}
-
-type TemplateRefItem struct {
-	// A key in the ConfigMap/Secret
-	// +kubebuilder:validation:MinLength:=1
-	// +kubebuilder:validation:MaxLength:=253
-	// +kubebuilder:validation:Pattern:=^[-._a-zA-Z0-9]+$
-	Key string `json:"key"`
-
-	// +kubebuilder:default="Values"
-	TemplateAs TemplateScope `json:"templateAs,omitempty"`
-}
-
-// ExternalSecretTarget defines the Kubernetes Secret to be created
-// There can be only one target per ExternalSecret.
-type ExternalSecretTarget struct {
-	// The name of the Secret resource to be managed.
-	// Defaults to the .metadata.name of the ExternalSecret resource
-	// +optional
-	// +kubebuilder:validation:MinLength:=1
-	// +kubebuilder:validation:MaxLength:=253
-	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-	Name string `json:"name,omitempty"`
-
-	// CreationPolicy defines rules on how to create the resulting Secret.
-	// Defaults to "Owner"
-	// +optional
-	// +kubebuilder:default="Owner"
-	CreationPolicy ExternalSecretCreationPolicy `json:"creationPolicy,omitempty"`
-
-	// DeletionPolicy defines rules on how to delete the resulting Secret.
-	// Defaults to "Retain"
-	// +optional
-	// +kubebuilder:default="Retain"
-	DeletionPolicy ExternalSecretDeletionPolicy `json:"deletionPolicy,omitempty"`
-
-	// Template defines a blueprint for the created Secret resource.
-	// +optional
-	Template *ExternalSecretTemplate `json:"template,omitempty"`
-
-	// Immutable defines if the final secret will be immutable
-	// +optional
-	Immutable bool `json:"immutable,omitempty"`
-}
-
-// ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
-type ExternalSecretData struct {
-	// The key in the Kubernetes Secret to store the value.
-	// +kubebuilder:validation:MinLength:=1
-	// +kubebuilder:validation:MaxLength:=253
-	// +kubebuilder:validation:Pattern:=^[-._a-zA-Z0-9]+$
-	SecretKey string `json:"secretKey"`
-
-	// RemoteRef points to the remote secret and defines
-	// which secret (version/property/..) to fetch.
-	RemoteRef ExternalSecretDataRemoteRef `json:"remoteRef"`
-
-	// SourceRef allows you to override the source
-	// from which the value will be pulled.
-	SourceRef *StoreSourceRef `json:"sourceRef,omitempty"`
-}
-
-// ExternalSecretDataRemoteRef defines Provider data location.
-type ExternalSecretDataRemoteRef struct {
-	// Key is the key used in the Provider, mandatory
-	Key string `json:"key"`
-
-	// +optional
-	// Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
-	// +kubebuilder:default="None"
-	MetadataPolicy ExternalSecretMetadataPolicy `json:"metadataPolicy,omitempty"`
-
-	// +optional
-	// Used to select a specific property of the Provider value (if a map), if supported
-	Property string `json:"property,omitempty"`
-
-	// +optional
-	// Used to select a specific version of the Provider value, if supported
-	Version string `json:"version,omitempty"`
-
-	// +optional
-	// Used to define a conversion Strategy
-	// +kubebuilder:default="Default"
-	ConversionStrategy ExternalSecretConversionStrategy `json:"conversionStrategy,omitempty"`
-
-	// +optional
-	// Used to define a decoding Strategy
-	// +kubebuilder:default="None"
-	DecodingStrategy ExternalSecretDecodingStrategy `json:"decodingStrategy,omitempty"`
-}
-
-// +kubebuilder:validation:Enum=None;Fetch
-type ExternalSecretMetadataPolicy string
-
-const (
-	ExternalSecretMetadataPolicyNone  ExternalSecretMetadataPolicy = "None"
-	ExternalSecretMetadataPolicyFetch ExternalSecretMetadataPolicy = "Fetch"
-)
-
-// +kubebuilder:validation:Enum=Default;Unicode
-type ExternalSecretConversionStrategy string
-
-const (
-	ExternalSecretConversionDefault ExternalSecretConversionStrategy = "Default"
-	ExternalSecretConversionUnicode ExternalSecretConversionStrategy = "Unicode"
-)
-
-// +kubebuilder:validation:Enum=Auto;Base64;Base64URL;None
-type ExternalSecretDecodingStrategy string
-
-const (
-	ExternalSecretDecodeAuto      ExternalSecretDecodingStrategy = "Auto"
-	ExternalSecretDecodeBase64    ExternalSecretDecodingStrategy = "Base64"
-	ExternalSecretDecodeBase64URL ExternalSecretDecodingStrategy = "Base64URL"
-	ExternalSecretDecodeNone      ExternalSecretDecodingStrategy = "None"
-)
-
-type ExternalSecretDataFromRemoteRef struct {
-	// Used to extract multiple key/value pairs from one secret
-	// Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
-	// +optional
-	Extract *ExternalSecretDataRemoteRef `json:"extract,omitempty"`
-	// Used to find secrets based on tags or regular expressions
-	// Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
-	// +optional
-	Find *ExternalSecretFind `json:"find,omitempty"`
-
-	// Used to rewrite secret Keys after getting them from the secret Provider
-	// Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
-	// +optional
-	Rewrite []ExternalSecretRewrite `json:"rewrite,omitempty"`
-
-	// SourceRef points to a store or generator
-	// which contains secret values ready to use.
-	// Use this in combination with Extract or Find pull values out of
-	// a specific SecretStore.
-	// When sourceRef points to a generator Extract or Find is not supported.
-	// The generator returns a static map of values
-	SourceRef *StoreGeneratorSourceRef `json:"sourceRef,omitempty"`
-}
-
-type ExternalSecretRewrite struct {
-	// Used to rewrite with regular expressions.
-	// The resulting key will be the output of a regexp.ReplaceAll operation.
-	// +optional
-	Regexp *ExternalSecretRewriteRegexp `json:"regexp,omitempty"`
-
-	// Used to apply string transformation on the secrets.
-	// The resulting key will be the output of the template applied by the operation.
-	// +optional
-	Transform *ExternalSecretRewriteTransform `json:"transform,omitempty"`
-}
-
-type ExternalSecretRewriteRegexp struct {
-	// Used to define the regular expression of a re.Compiler.
-	Source string `json:"source"`
-	// Used to define the target pattern of a ReplaceAll operation.
-	Target string `json:"target"`
-}
-
-type ExternalSecretRewriteTransform struct {
-	// Used to define the template to apply on the secret name.
-	// `.value ` will specify the secret name in the template.
-	Template string `json:"template"`
-}
-
-type ExternalSecretFind struct {
-	// A root path to start the find operations.
-	// +optional
-	Path *string `json:"path,omitempty"`
-
-	// Finds secrets based on the name.
-	// +optional
-	Name *FindName `json:"name,omitempty"`
-
-	// Find secrets based on tags.
-	// +optional
-	Tags map[string]string `json:"tags,omitempty"`
-
-	// +optional
-	// Used to define a conversion Strategy
-	// +kubebuilder:default="Default"
-	ConversionStrategy ExternalSecretConversionStrategy `json:"conversionStrategy,omitempty"`
-
-	// +optional
-	// Used to define a decoding Strategy
-	// +kubebuilder:default="None"
-	DecodingStrategy ExternalSecretDecodingStrategy `json:"decodingStrategy,omitempty"`
-}
-
-type FindName struct {
-	// Finds secrets base
-	// +optional
-	RegExp string `json:"regexp,omitempty"`
-}
-
-// +kubebuilder:validation:Enum=CreatedOnce;Periodic;OnChange
-type ExternalSecretRefreshPolicy string
-
-const (
-	RefreshPolicyCreatedOnce ExternalSecretRefreshPolicy = "CreatedOnce"
-	RefreshPolicyPeriodic    ExternalSecretRefreshPolicy = "Periodic"
-	RefreshPolicyOnChange    ExternalSecretRefreshPolicy = "OnChange"
-)
-
-// ExternalSecretSpec defines the desired state of ExternalSecret.
-type ExternalSecretSpec struct {
-	// +optional
-	SecretStoreRef SecretStoreRef `json:"secretStoreRef,omitempty"`
-
-	// +kubebuilder:default={creationPolicy:Owner,deletionPolicy:Retain}
-	// +optional
-	Target ExternalSecretTarget `json:"target,omitempty"`
-
-	// RefreshPolicy determines how the ExternalSecret should be refreshed:
-	// - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
-	// - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
-	//   No periodic updates occur if refreshInterval is 0.
-	// - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
-	// +optional
-	RefreshPolicy ExternalSecretRefreshPolicy `json:"refreshPolicy,omitempty"`
-
-	// RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
-	// specified as Golang Duration strings.
-	// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-	// Example values: "1h", "2h30m", "10s"
-	// May be set to zero to fetch and create it once. Defaults to 1h.
-	// +kubebuilder:default="1h"
-	RefreshInterval *metav1.Duration `json:"refreshInterval,omitempty"`
-
-	// Data defines the connection between the Kubernetes Secret keys and the Provider data
-	// +optional
-	Data []ExternalSecretData `json:"data,omitempty"`
-
-	// DataFrom is used to fetch all properties from a specific Provider data
-	// If multiple entries are specified, the Secret keys are merged in the specified order
-	// +optional
-	DataFrom []ExternalSecretDataFromRemoteRef `json:"dataFrom,omitempty"`
-}
-
-// StoreSourceRef allows you to override the SecretStore source
-// from which the secret will be pulled from.
-// You can define at maximum one property.
-// +kubebuilder:validation:MaxProperties=1
-// +kubebuilder:validation:MinProperties=1
-type StoreSourceRef struct {
-	// +optional
-	SecretStoreRef SecretStoreRef `json:"storeRef,omitempty"`
-
-	// GeneratorRef points to a generator custom resource.
-	//
-	// Deprecated: The generatorRef is not implemented in .data[].
-	// this will be removed with v1.
-	GeneratorRef *GeneratorRef `json:"generatorRef,omitempty"`
-}
-
-// StoreGeneratorSourceRef allows you to override the source
-// from which the secret will be pulled from.
-// You can define at maximum one property.
-// +kubebuilder:validation:MaxProperties=1
-// +kubebuilder:validation:MinProperties=1
-type StoreGeneratorSourceRef struct {
-	// +optional
-	SecretStoreRef *SecretStoreRef `json:"storeRef,omitempty"`
-
-	// GeneratorRef points to a generator custom resource.
-	// +optional
-	GeneratorRef *GeneratorRef `json:"generatorRef,omitempty"`
-}
-
-// GeneratorRef points to a generator custom resource.
-type GeneratorRef struct {
-	// Specify the apiVersion of the generator resource
-	// +kubebuilder:default="generators.external-secrets.io/v1alpha1"
-	APIVersion string `json:"apiVersion,omitempty"`
-
-	// Specify the Kind of the generator resource
-	// +kubebuilder:validation:Enum=ACRAccessToken;ClusterGenerator;ECRAuthorizationToken;Fake;GCRAccessToken;GithubAccessToken;QuayAccessToken;Password;STSSessionToken;UUID;VaultDynamicSecret;Webhook;Grafana
-	Kind string `json:"kind"`
-
-	// Specify the name of the generator resource
-	// +kubebuilder:validation:MinLength:=1
-	// +kubebuilder:validation:MaxLength:=253
-	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-	Name string `json:"name"`
-}
-
-type ExternalSecretConditionType string
-
-const (
-	ExternalSecretReady   ExternalSecretConditionType = "Ready"
-	ExternalSecretDeleted ExternalSecretConditionType = "Deleted"
-)
-
-type ExternalSecretStatusCondition struct {
-	Type   ExternalSecretConditionType `json:"type"`
-	Status corev1.ConditionStatus      `json:"status"`
-
-	// +optional
-	Reason string `json:"reason,omitempty"`
-
-	// +optional
-	Message string `json:"message,omitempty"`
-
-	// +optional
-	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
-}
-
-const (
-	// ConditionReasonSecretSynced indicates that the secrets was synced.
-	ConditionReasonSecretSynced = "SecretSynced"
-	// ConditionReasonSecretSyncedError indicates that there was an error syncing the secret.
-	ConditionReasonSecretSyncedError = "SecretSyncedError"
-	// ConditionReasonSecretDeleted indicates that the secret has been deleted.
-	ConditionReasonSecretDeleted = "SecretDeleted"
-	// ConditionReasonSecretMissing indicates that the secret is missing.
-	ConditionReasonSecretMissing = "SecretMissing"
-
-	ReasonUpdateFailed          = "UpdateFailed"
-	ReasonDeprecated            = "ParameterDeprecated"
-	ReasonCreated               = "Created"
-	ReasonUpdated               = "Updated"
-	ReasonDeleted               = "Deleted"
-	ReasonMissingProviderSecret = "MissingProviderSecret"
-)
-
-type ExternalSecretStatus struct {
-	// +nullable
-	// refreshTime is the time and date the external secret was fetched and
-	// the target secret updated
-	RefreshTime metav1.Time `json:"refreshTime,omitempty"`
-
-	// SyncedResourceVersion keeps track of the last synced version
-	SyncedResourceVersion string `json:"syncedResourceVersion,omitempty"`
-
-	// +optional
-	Conditions []ExternalSecretStatusCondition `json:"conditions,omitempty"`
-
-	// Binding represents a servicebinding.io Provisioned Service reference to the secret
-	Binding corev1.LocalObjectReference `json:"binding,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-// +kubebuilder:storageversion
-// ExternalSecret is the Schema for the external-secrets API.
-// +kubebuilder:subresource:status
-// +kubebuilder:metadata:labels="external-secrets.io/component=controller"
-// +kubebuilder:resource:scope=Namespaced,categories={external-secrets},shortName=es
-// +kubebuilder:printcolumn:name="StoreType",type=string,JSONPath=`.spec.secretStoreRef.kind`
-// +kubebuilder:printcolumn:name="Store",type=string,JSONPath=`.spec.secretStoreRef.name`
-// +kubebuilder:printcolumn:name="Refresh Interval",type=string,JSONPath=`.spec.refreshInterval`
-// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason`
-// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].status`
-type ExternalSecret struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec   ExternalSecretSpec   `json:"spec,omitempty"`
-	Status ExternalSecretStatus `json:"status,omitempty"`
-}
-
-const (
-	// AnnotationDataHash all secrets managed by an ExternalSecret have this annotation with the hash of their data.
-	AnnotationDataHash = "reconcile.external-secrets.io/data-hash"
-
-	// LabelManaged all secrets managed by an ExternalSecret will have this label equal to "true".
-	LabelManaged      = "reconcile.external-secrets.io/managed"
-	LabelManagedValue = "true"
-
-	// LabelOwner points to the owning ExternalSecret resource when CreationPolicy=Owner.
-	LabelOwner = "reconcile.external-secrets.io/created-by"
-)
-
-// +kubebuilder:object:root=true
-
-// ExternalSecretList contains a list of ExternalSecret resources.
-type ExternalSecretList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []ExternalSecret `json:"items"`
-}

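--- a/apis/externalsecrets/v1/externalsecret_validator.go
+++ b/apis/externalsecrets/v1/externalsecret_validator.go
@@ -1,124 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-	http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	"context"
-	"errors"
-	"fmt"
-
-	"k8s.io/apimachinery/pkg/runtime"
-	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
-)
-
-type ExternalSecretValidator struct{}
-
-func (esv *ExternalSecretValidator) ValidateCreate(_ context.Context, obj runtime.Object) (admission.Warnings, error) {
-	return validateExternalSecret(obj)
-}
-
-func (esv *ExternalSecretValidator) ValidateUpdate(_ context.Context, _, newObj runtime.Object) (admission.Warnings, error) {
-	return validateExternalSecret(newObj)
-}
-
-func (esv *ExternalSecretValidator) ValidateDelete(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
-	return nil, nil
-}
-
-func validateExternalSecret(obj runtime.Object) (admission.Warnings, error) {
-	es, ok := obj.(*ExternalSecret)
-	if !ok {
-		return nil, errors.New("unexpected type")
-	}
-
-	var errs error
-	if err := validatePolicies(es); err != nil {
-		errs = errors.Join(errs, err)
-	}
-
-	if len(es.Spec.Data) == 0 && len(es.Spec.DataFrom) == 0 {
-		errs = errors.Join(errs, errors.New("either data or dataFrom should be specified"))
-	}
-
-	for _, ref := range es.Spec.DataFrom {
-		if err := validateExtractFindGenerator(ref); err != nil {
-			errs = errors.Join(errs, err)
-		}
-
-		if err := validateFindExtractSourceRef(ref); err != nil {
-			errs = errors.Join(errs, err)
-		}
-
-		if err := validateSourceRef(ref); err != nil {
-			errs = errors.Join(errs, err)
-		}
-	}
-
-	errs = validateDuplicateKeys(es, errs)
-	return nil, errs
-}
-
-func validateSourceRef(ref ExternalSecretDataFromRemoteRef) error {
-	if ref.SourceRef != nil && ref.SourceRef.GeneratorRef == nil && ref.SourceRef.SecretStoreRef == nil {
-		return errors.New("generatorRef or storeRef must be set when using sourceRef in dataFrom")
-	}
-
-	return nil
-}
-
-func validateFindExtractSourceRef(ref ExternalSecretDataFromRemoteRef) error {
-	if ref.Find == nil && ref.Extract == nil && ref.SourceRef == nil {
-		return errors.New("either extract, find, or sourceRef must be set to dataFrom")
-	}
-
-	return nil
-}
-
-func validateExtractFindGenerator(ref ExternalSecretDataFromRemoteRef) error {
-	generatorRef := ref.SourceRef != nil && ref.SourceRef.GeneratorRef != nil
-	if (ref.Find != nil && (ref.Extract != nil || generatorRef)) || (ref.Extract != nil && (ref.Find != nil || generatorRef)) || (generatorRef && (ref.Find != nil || ref.Extract != nil)) {
-		return errors.New("extract, find, or generatorRef cannot be set at the same time")
-	}
-
-	return nil
-}
-
-func validatePolicies(es *ExternalSecret) error {
-	var errs error
-	if (es.Spec.Target.DeletionPolicy == DeletionPolicyDelete && es.Spec.Target.CreationPolicy == CreatePolicyMerge) ||
-		(es.Spec.Target.DeletionPolicy == DeletionPolicyDelete && es.Spec.Target.CreationPolicy == CreatePolicyNone) {
-		errs = errors.Join(errs, errors.New("deletionPolicy=Delete must not be used when the controller doesn't own the secret. Please set creationPolicy=Owner"))
-	}
-
-	if es.Spec.Target.DeletionPolicy == DeletionPolicyMerge && es.Spec.Target.CreationPolicy == CreatePolicyNone {
-		errs = errors.Join(errs, errors.New("deletionPolicy=Merge must not be used with creationPolicy=None. There is no Secret to merge with"))
-	}
-
-	return errs
-}
-
-func validateDuplicateKeys(es *ExternalSecret, errs error) error {
-	if es.Spec.Target.DeletionPolicy == DeletionPolicyRetain {
-		seenKeys := make(map[string]struct{})
-		for _, data := range es.Spec.Data {
-			secretKey := data.SecretKey
-			if _, exists := seenKeys[secretKey]; exists {
-				errs = errors.Join(errs, fmt.Errorf("duplicate secretKey found: %s", secretKey))
-			}
-			seenKeys[secretKey] = struct{}{}
-		}
-	}
-	return errs
-}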

+ 0 - 224
apis/externalsecrets/v1/externalsecret_validator_test.go

@@ -1,224 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-	http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	"testing"
-
-	"k8s.io/apimachinery/pkg/runtime"
-)
-
-const (
-	errExtractFindGenerator = "extract, find, or generatorRef cannot be set at the same time"
-)
-
-func TestValidateExternalSecret(t *testing.T) {
-	tests := []struct {
-		name        string
-		obj         runtime.Object
-		expectedErr string
-	}{
-		{
-			name:        "nil",
-			obj:         nil,
-			expectedErr: "unexpected type",
-		},
-		{
-			name: "deletion policy delete",
-			obj: &ExternalSecret{
-				Spec: ExternalSecretSpec{
-					Target: ExternalSecretTarget{
-						DeletionPolicy: DeletionPolicyDelete,
-						CreationPolicy: CreatePolicyMerge,
-					},
-					Data: []ExternalSecretData{
-						{},
-					},
-				},
-			},
-			expectedErr: "deletionPolicy=Delete must not be used when the controller doesn't own the secret. Please set creationPolicy=Owner",
-		},
-		{
-			name: "deletion policy merge",
-			obj: &ExternalSecret{
-				Spec: ExternalSecretSpec{
-					Target: ExternalSecretTarget{
-						DeletionPolicy: DeletionPolicyMerge,
-						CreationPolicy: CreatePolicyNone,
-					},
-					Data: []ExternalSecretData{
-						{},
-					},
-				},
-			},
-			expectedErr: "deletionPolicy=Merge must not be used with creationPolicy=None. There is no Secret to merge with",
-		},
-		{
-			name: "both data and data_from are empty",
-			obj: &ExternalSecret{
-				Spec: ExternalSecretSpec{},
-			},
-			expectedErr: "either data or dataFrom should be specified",
-		},
-		{
-			name: "find with extract",
-			obj: &ExternalSecret{
-				Spec: ExternalSecretSpec{
-					DataFrom: []ExternalSecretDataFromRemoteRef{
-						{
-							Find:    &ExternalSecretFind{},
-							Extract: &ExternalSecretDataRemoteRef{},
-						},
-					},
-				},
-			},
-			expectedErr: errExtractFindGenerator,
-		},
-		{
-			name: "generator with find",
-			obj: &ExternalSecret{
-				Spec: ExternalSecretSpec{
-					DataFrom: []ExternalSecretDataFromRemoteRef{
-						{
-							Find: &ExternalSecretFind{},
-							SourceRef: &StoreGeneratorSourceRef{
-								GeneratorRef: &GeneratorRef{},
-							},
-						},
-					},
-				},
-			},
-			expectedErr: errExtractFindGenerator,
-		},
-		{
-			name: "generator with extract",
-			obj: &ExternalSecret{
-				Spec: ExternalSecretSpec{
-					DataFrom: []ExternalSecretDataFromRemoteRef{
-						{
-							Extract: &ExternalSecretDataRemoteRef{},
-							SourceRef: &StoreGeneratorSourceRef{
-								GeneratorRef: &GeneratorRef{},
-							},
-						},
-					},
-				},
-			},
-			expectedErr: errExtractFindGenerator,
-		},
-		{
-			name: "empty dataFrom",
-			obj: &ExternalSecret{
-				Spec: ExternalSecretSpec{
-					DataFrom: []ExternalSecretDataFromRemoteRef{
-						{},
-					},
-				},
-			},
-			expectedErr: "either extract, find, or sourceRef must be set to dataFrom",
-		},
-		{
-			name: "empty sourceRef",
-			obj: &ExternalSecret{
-				Spec: ExternalSecretSpec{
-					DataFrom: []ExternalSecretDataFromRemoteRef{
-						{
-							SourceRef: &StoreGeneratorSourceRef{},
-						},
-					},
-				},
-			},
-			expectedErr: "generatorRef or storeRef must be set when using sourceRef in dataFrom",
-		},
-		{
-			name: "multiple errors",
-			obj: &ExternalSecret{
-				Spec: ExternalSecretSpec{
-					Target: ExternalSecretTarget{
-						DeletionPolicy: DeletionPolicyMerge,
-						CreationPolicy: CreatePolicyNone,
-					},
-				},
-			},
-			expectedErr: `deletionPolicy=Merge must not be used with creationPolicy=None. There is no Secret to merge with
-either data or dataFrom should be specified`,
-		},
-		{
-			name: "valid",
-			obj: &ExternalSecret{
-				Spec: ExternalSecretSpec{
-					DataFrom: []ExternalSecretDataFromRemoteRef{
-						{
-							SourceRef: &StoreGeneratorSourceRef{
-								GeneratorRef: &GeneratorRef{},
-							},
-						},
-					},
-				},
-			},
-		},
-		{
-			name: "duplicate secretKeys",
-			obj: &ExternalSecret{
-				Spec: ExternalSecretSpec{
-					Target: ExternalSecretTarget{
-						DeletionPolicy: DeletionPolicyRetain,
-					},
-					Data: []ExternalSecretData{
-						{SecretKey: "SERVICE_NAME"},
-						{SecretKey: "SERVICE_NAME"},
-						{SecretKey: "SERVICE_NAME-2"},
-						{SecretKey: "SERVICE_NAME-2"},
-						{SecretKey: "NOT_DUPLICATE"},
-					},
-				},
-			},
-			expectedErr: "duplicate secretKey found: SERVICE_NAME\nduplicate secretKey found: SERVICE_NAME-2",
-		},
-		{
-			name: "duplicate secretKey",
-			obj: &ExternalSecret{
-				Spec: ExternalSecretSpec{
-					Target: ExternalSecretTarget{
-						DeletionPolicy: DeletionPolicyRetain,
-					},
-					Data: []ExternalSecretData{
-						{SecretKey: "SERVICE_NAME"},
-						{SecretKey: "SERVICE_NAME"},
-					},
-				},
-			},
-			expectedErr: "duplicate secretKey found: SERVICE_NAME",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			_, err := validateExternalSecret(tt.obj)
-			if err != nil {
-				if tt.expectedErr == "" {
-					t.Fatalf("validateExternalSecret() returned an unexpected error: %v", err)
-				}
-
-				if err.Error() != tt.expectedErr {
-					t.Fatalf("validateExternalSecret() returned an unexpected error: got: %v, expected: %v", err, tt.expectedErr)
-				}
-				return
-			}
-			if tt.expectedErr != "" {
-				t.Errorf("validateExternalSecret() should have returned an error but got nil")
-			}
-		})
-	}
-}

+ 0 - 106
apis/externalsecrets/v1/fakes/pushremoteref.go

@@ -1,106 +0,0 @@
-// Code generated by counterfeiter. DO NOT EDIT.
-package fakes
-
-import (
-	"sync"
-
-	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
-)
-
-type PushRemoteRef struct {
-	GetRemoteKeyStub        func() string
-	getRemoteKeyMutex       sync.RWMutex
-	getRemoteKeyArgsForCall []struct {
-	}
-	getRemoteKeyReturns struct {
-		result1 string
-	}
-	getRemoteKeyReturnsOnCall map[int]struct {
-		result1 string
-	}
-	invocations      map[string][][]any
-	invocationsMutex sync.RWMutex
-}
-
-func (fake *PushRemoteRef) GetRemoteKey() string {
-	fake.getRemoteKeyMutex.Lock()
-	ret, specificReturn := fake.getRemoteKeyReturnsOnCall[len(fake.getRemoteKeyArgsForCall)]
-	fake.getRemoteKeyArgsForCall = append(fake.getRemoteKeyArgsForCall, struct {
-	}{})
-	stub := fake.GetRemoteKeyStub
-	fakeReturns := fake.getRemoteKeyReturns
-	fake.recordInvocation("GetRemoteKey", []any{})
-	fake.getRemoteKeyMutex.Unlock()
-	if stub != nil {
-		return stub()
-	}
-	if specificReturn {
-		return ret.result1
-	}
-	return fakeReturns.result1
-}
-
-func (fake *PushRemoteRef) GetProperty() string {
-	return ""
-}
-
-func (fake *PushRemoteRef) GetRemoteKeyCallCount() int {
-	fake.getRemoteKeyMutex.RLock()
-	defer fake.getRemoteKeyMutex.RUnlock()
-	return len(fake.getRemoteKeyArgsForCall)
-}
-
-func (fake *PushRemoteRef) GetRemoteKeyCalls(stub func() string) {
-	fake.getRemoteKeyMutex.Lock()
-	defer fake.getRemoteKeyMutex.Unlock()
-	fake.GetRemoteKeyStub = stub
-}
-
-func (fake *PushRemoteRef) GetRemoteKeyReturns(result1 string) {
-	fake.getRemoteKeyMutex.Lock()
-	defer fake.getRemoteKeyMutex.Unlock()
-	fake.GetRemoteKeyStub = nil
-	fake.getRemoteKeyReturns = struct {
-		result1 string
-	}{result1}
-}
-
-func (fake *PushRemoteRef) GetRemoteKeyReturnsOnCall(i int, result1 string) {
-	fake.getRemoteKeyMutex.Lock()
-	defer fake.getRemoteKeyMutex.Unlock()
-	fake.GetRemoteKeyStub = nil
-	if fake.getRemoteKeyReturnsOnCall == nil {
-		fake.getRemoteKeyReturnsOnCall = make(map[int]struct {
-			result1 string
-		})
-	}
-	fake.getRemoteKeyReturnsOnCall[i] = struct {
-		result1 string
-	}{result1}
-}
-
-func (fake *PushRemoteRef) Invocations() map[string][][]any {
-	fake.invocationsMutex.RLock()
-	defer fake.invocationsMutex.RUnlock()
-	fake.getRemoteKeyMutex.RLock()
-	defer fake.getRemoteKeyMutex.RUnlock()
-	copiedInvocations := map[string][][]any{}
-	for key, value := range fake.invocations {
-		copiedInvocations[key] = value
-	}
-	return copiedInvocations
-}
-
-func (fake *PushRemoteRef) recordInvocation(key string, args []any) {
-	fake.invocationsMutex.Lock()
-	defer fake.invocationsMutex.Unlock()
-	if fake.invocations == nil {
-		fake.invocations = map[string][][]any{}
-	}
-	if fake.invocations[key] == nil {
-		fake.invocations[key] = [][]any{}
-	}
-	fake.invocations[key] = append(fake.invocations[key], args)
-}
-
-var _ v1.PushSecretRemoteRef = new(PushRemoteRef)

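--- a/apis/externalsecrets/v1/provider.go
+++ b/apis/externalsecrets/v1/provider.go
@@ -1,117 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	"context"
-
-	corev1 "k8s.io/api/core/v1"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
-)
-
-const (
-	// Ready indicates that the client is configured correctly
-	// and can be used.
-	ValidationResultReady ValidationResult = iota
-
-	// Unknown indicates that the client can be used
-	// but information is missing and it can not be validated.
-	ValidationResultUnknown
-
-	// Error indicates that there is a misconfiguration.
-	ValidationResultError
-)
-
-type ValidationResult uint8
-
-func (v ValidationResult) String() string {
-	return [...]string{"Ready", "Unknown", "Error"}[v]
-}
-
-// +kubebuilder:object:root=false
-// +kubebuilder:object:generate:false
-// +k8s:deepcopy-gen:interfaces=nil
-// +k8s:deepcopy-gen=nil
-
-// Provider is a common interface for interacting with secret backends.
-type Provider interface {
-	// NewClient constructs a SecretsManager Provider
-	NewClient(ctx context.Context, store GenericStore, kube client.Client, namespace string) (SecretsClient, error)
-
-	// ValidateStore checks if the provided store is valid
-	// The provider may return a warning and an error.
-	// The intended use of the warning to indicate a deprecation of behavior
-	// or other type of message that is NOT a validation failure but should be noticed by the user.
-	ValidateStore(store GenericStore) (admission.Warnings, error)
-
-	// Capabilities returns the provider Capabilities (Read, Write, ReadWrite)
-	Capabilities() SecretStoreCapabilities
-}
-
-// +kubebuilder:object:root=false
-// +kubebuilder:object:generate:false
-// +k8s:deepcopy-gen:interfaces=nil
-// +k8s:deepcopy-gen=nil
-
-// SecretsClient provides access to secrets.
-type SecretsClient interface {
-	// GetSecret returns a single secret from the provider
-	// if GetSecret returns an error with type NoSecretError
-	// then the secret entry will be deleted depending on the deletionPolicy.
-	GetSecret(ctx context.Context, ref ExternalSecretDataRemoteRef) ([]byte, error)
-
-	// PushSecret will write a single secret into the provider
-	PushSecret(ctx context.Context, secret *corev1.Secret, data PushSecretData) error
-
-	// DeleteSecret will delete the secret from a provider
-	DeleteSecret(ctx context.Context, remoteRef PushSecretRemoteRef) error
-
-	// SecretExists checks if a secret is already present in the provider at the given location.
-	SecretExists(ctx context.Context, remoteRef PushSecretRemoteRef) (bool, error)
-
-	// Validate checks if the client is configured correctly
-	// and is able to retrieve secrets from the provider.
-	// If the validation result is unknown it will be ignored.
-	Validate() (ValidationResult, error)
-
-	// GetSecretMap returns multiple k/v pairs from the provider
-	GetSecretMap(ctx context.Context, ref ExternalSecretDataRemoteRef) (map[string][]byte, error)
-
-	// GetAllSecrets returns multiple k/v pairs from the provider
-	GetAllSecrets(ctx context.Context, ref ExternalSecretFind) (map[string][]byte, error)
-
-	Close(ctx context.Context) error
-}
-
-var NoSecretErr = NoSecretError{}
-
-// NoSecretError shall be returned when a GetSecret can not find the
-// desired secret. This is used for deletionPolicy.
-type NoSecretError struct{}
-
-func (NoSecretError) Error() string {
-	return "Secret does not exist"
-}
-
-var NotModifiedErr = NotModifiedError{}
-
-// NotModifiedError to signal that the webhook received no changes,
-// and it should just return without doing anything.
-type NotModifiedError struct{}
-
-func (NotModifiedError) Error() string {
-	return "not modified"
-}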

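--- a/apis/externalsecrets/v1/provider_schema.go
+++ b/apis/externalsecrets/v1/provider_schema.go
@@ -1,123 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-	"sync"
-)
-
-var builder map[string]Provider
-var buildlock sync.RWMutex
-
-func init() {
-	builder = make(map[string]Provider)
-}
-
-// Register a store backend type. Register panics if a
-// backend with the same store is already registered.
-func Register(s Provider, storeSpec *SecretStoreProvider, maintenanceStatus MaintenanceStatus) {
-	storeName, err := getProviderName(storeSpec)
-	if err != nil {
-		panic(fmt.Sprintf("store error registering schema: %s", err.Error()))
-	}
-
-	RegisterMaintenanceStatus(maintenanceStatus, storeSpec)
-	buildlock.Lock()
-	defer buildlock.Unlock()
-	_, exists := builder[storeName]
-	if exists {
-		panic(fmt.Sprintf("store %q already registered", storeName))
-	}
-
-	builder[storeName] = s
-}
-
-// ForceRegister adds to store schema, overwriting a store if
-// already registered. Should only be used for testing.
-func ForceRegister(s Provider, storeSpec *SecretStoreProvider, maintenanceStatus MaintenanceStatus) {
-	storeName, err := getProviderName(storeSpec)
-	if err != nil {
-		panic(fmt.Sprintf("store error registering schema: %s", err.Error()))
-	}
-
-	buildlock.Lock()
-	builder[storeName] = s
-	buildlock.Unlock()
-	ForceRegisterMaintenanceStatus(maintenanceStatus, storeSpec)
-}
-
-// GetProviderByName returns the provider implementation by name.
-func GetProviderByName(name string) (Provider, bool) {
-	buildlock.RLock()
-	f, ok := builder[name]
-	buildlock.RUnlock()
-	return f, ok
-}
-
-// GetProvider returns the provider from the generic store.
-func GetProvider(s GenericStore) (Provider, error) {
-	if s == nil {
-		return nil, nil
-	}
-	spec := s.GetSpec()
-	if spec == nil {
-		// Note, this condition can never be reached, because
-		// the Spec is not a pointer in Kubernetes. It will
-		// always exist.
-		return nil, fmt.Errorf("no spec found in %#v", s)
-	}
-	storeName, err := getProviderName(spec.Provider)
-	if err != nil {
-		return nil, fmt.Errorf("store error for %s: %w", s.GetName(), err)
-	}
-
-	buildlock.RLock()
-	f, ok := builder[storeName]
-	buildlock.RUnlock()
-
-	if !ok {
-		return nil, fmt.Errorf("failed to find registered store backend for type: %s, name: %s", storeName, s.GetName())
-	}
-
-	return f, nil
-}
-
-// getProviderName returns the name of the configured provider
-// or an error if the provider is not configured.
-func getProviderName(storeSpec *SecretStoreProvider) (string, error) {
-	storeBytes, err := json.Marshal(storeSpec)
-	if err != nil || storeBytes == nil {
-		return "", fmt.Errorf("failed to marshal store spec: %w", err)
-	}
-
-	storeMap := make(map[string]any)
-	err = json.Unmarshal(storeBytes, &storeMap)
-	if err != nil {
-		return "", fmt.Errorf("failed to unmarshal store spec: %w", err)
-	}
-
-	if len(storeMap) != 1 {
-		return "", fmt.Errorf("secret stores must only have exactly one backend specified, found %d", len(storeMap))
-	}
-
-	for k := range storeMap {
-		return k, nil
-	}
-
-	return "", errors.New("failed to find registered store backend")
-}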

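--- a/apis/externalsecrets/v1/provider_schema_maintenance.go
+++ b/apis/externalsecrets/v1/provider_schema_maintenance.go
@@ -1,89 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-	http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	"fmt"
-	"sync"
-)
-
-type MaintenanceStatus bool
-
-const (
-	MaintenanceStatusMaintained    MaintenanceStatus = true
-	MaintenanceStatusNotMaintained MaintenanceStatus = false
-)
-
-var maintenance map[string]MaintenanceStatus
-var mlock sync.RWMutex
-
-func init() {
-	maintenance = make(map[string]MaintenanceStatus)
-}
-
-func RegisterMaintenanceStatus(status MaintenanceStatus, storeSpec *SecretStoreProvider) {
-	storeName, err := getProviderName(storeSpec)
-	if err != nil {
-		panic(fmt.Sprintf("store error registering schema: %s", err.Error()))
-	}
-
-	mlock.Lock()
-	defer mlock.Unlock()
-	_, exists := maintenance[storeName]
-	if exists {
-		panic(fmt.Sprintf("store %q already registered", storeName))
-	}
-
-	maintenance[storeName] = status
-}
-
-func ForceRegisterMaintenanceStatus(status MaintenanceStatus, storeSpec *SecretStoreProvider) {
-	storeName, err := getProviderName(storeSpec)
-	if err != nil {
-		panic(fmt.Sprintf("store error registering schema: %s", err.Error()))
-	}
-
-	mlock.Lock()
-	defer mlock.Unlock()
-	maintenance[storeName] = status
-}
-
-// GetMaintenanceStatus returns the maintenance status of the provider from the generic store.
-func GetMaintenanceStatus(s GenericStore) (MaintenanceStatus, error) {
-	if s == nil {
-		return MaintenanceStatusNotMaintained, nil
-	}
-	spec := s.GetSpec()
-	if spec == nil {
-		// Note, this condition can never be reached, because
-		// the Spec is not a pointer in Kubernetes. It will
-		// always exist.
-		return MaintenanceStatusNotMaintained, fmt.Errorf("no spec found in %#v", s)
-	}
-	storeName, err := getProviderName(spec.Provider)
-	if err != nil {
-		return MaintenanceStatusNotMaintained, fmt.Errorf("store error for %s: %w", s.GetName(), err)
-	}
-
-	mlock.RLock()
-	status, ok := maintenance[storeName]
-	mlock.RUnlock()
-
-	if !ok {
-		return MaintenanceStatusNotMaintained, fmt.Errorf("failed to find registered store backend for type: %s, name: %s", storeName, s.GetName())
-	}
-
-	return status, nil
-}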

+ 0 - 206
apis/externalsecrets/v1/provider_schema_test.go

@@ -1,206 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-	http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	"context"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	corev1 "k8s.io/api/core/v1"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
-)
-
-type PP struct{}
-
-const shouldBeRegistered = "provider should be registered"
-
-func (p *PP) Capabilities() SecretStoreCapabilities {
-	return SecretStoreReadOnly
-}
-
-// New constructs a SecretsManager Provider.
-func (p *PP) NewClient(_ context.Context, _ GenericStore, _ client.Client, _ string) (SecretsClient, error) {
-	return p, nil
-}
-
-// PushSecret writes a single secret into a provider.
-func (p *PP) PushSecret(_ context.Context, _ *corev1.Secret, _ PushSecretData) error {
-	return nil
-}
-
-// DeleteSecret deletes a single secret from a provider.
-func (p *PP) DeleteSecret(_ context.Context, _ PushSecretRemoteRef) error {
-	return nil
-}
-
-// Exists checks if a secret is already present in the provider at the given location.
-func (p *PP) SecretExists(_ context.Context, _ PushSecretRemoteRef) (bool, error) {
-	return false, nil
-}
-
-// GetSecret returns a single secret from the provider.
-func (p *PP) GetSecret(_ context.Context, _ ExternalSecretDataRemoteRef) ([]byte, error) {
-	return []byte("NOOP"), nil
-}
-
-// GetSecretMap returns multiple k/v pairs from the provider.
-func (p *PP) GetSecretMap(_ context.Context, _ ExternalSecretDataRemoteRef) (map[string][]byte, error) {
-	return map[string][]byte{}, nil
-}
-
-// Empty GetAllSecrets.
-func (p *PP) GetAllSecrets(_ context.Context, _ ExternalSecretFind) (map[string][]byte, error) {
-	// TO be implemented
-	return map[string][]byte{}, nil
-}
-
-func (p *PP) Close(_ context.Context) error {
-	return nil
-}
-
-func (p *PP) Validate() (ValidationResult, error) {
-	return ValidationResultReady, nil
-}
-
-func (p *PP) ValidateStore(_ GenericStore) (admission.Warnings, error) {
-	return nil, nil
-}
-
-// TestRegister tests if the Register function
-// (1) panics if it tries to register something invalid
-// (2) stores the correct provider.
-func TestRegister(t *testing.T) {
-	tbl := []struct {
-		test      string
-		name      string
-		expPanic  bool
-		expExists bool
-		provider  *SecretStoreProvider
-	}{
-		{
-			test:      "should panic when given an invalid provider",
-			name:      "aws",
-			expPanic:  true,
-			expExists: false,
-			provider:  &SecretStoreProvider{},
-		},
-		{
-			test:      "should register an correct provider",
-			name:      "aws",
-			expExists: false,
-			provider: &SecretStoreProvider{
-				AWS: &AWSProvider{
-					Service: AWSServiceSecretsManager,
-				},
-			},
-		},
-		{
-			test:      "should panic if already exists",
-			name:      "aws",
-			expPanic:  true,
-			expExists: true,
-			provider: &SecretStoreProvider{
-				AWS: &AWSProvider{
-					Service: AWSServiceSecretsManager,
-				},
-			},
-		},
-	}
-	for i := range tbl {
-		row := tbl[i]
-		t.Run(row.test, func(t *testing.T) {
-			runTest(t,
-				row.name,
-				row.provider,
-				row.expPanic,
-			)
-		})
-	}
-}
-
-func runTest(t *testing.T, name string, provider *SecretStoreProvider, expPanic bool) {
-	testProvider := &PP{}
-	secretStore := &SecretStore{
-		Spec: SecretStoreSpec{
-			Provider: provider,
-		},
-	}
-	if expPanic {
-		defer func() {
-			if r := recover(); r == nil {
-				t.Errorf("Register should panic")
-			}
-		}()
-	}
-	Register(testProvider, secretStore.Spec.Provider, MaintenanceStatusMaintained)
-	p1, ok := GetProviderByName(name)
-	assert.True(t, ok, shouldBeRegistered)
-	assert.Equal(t, testProvider, p1)
-	p2, err := GetProvider(secretStore)
-	assert.Nil(t, err)
-	assert.Equal(t, testProvider, p2)
-}
-
-// ForceRegister is used by other tests, we should ensure it works as expected.
-func TestForceRegister(t *testing.T) {
-	testProvider := &PP{}
-	provider := &SecretStoreProvider{
-		AWS: &AWSProvider{
-			Service: AWSServiceParameterStore,
-		},
-	}
-	secretStore := &SecretStore{
-		Spec: SecretStoreSpec{
-			Provider: provider,
-		},
-	}
-	ForceRegister(testProvider, &SecretStoreProvider{
-		AWS: &AWSProvider{
-			Service: AWSServiceParameterStore,
-		},
-	}, MaintenanceStatusMaintained)
-	p1, ok := GetProviderByName("aws")
-	assert.True(t, ok, shouldBeRegistered)
-	assert.Equal(t, testProvider, p1)
-	p2, err := GetProvider(secretStore)
-	assert.Nil(t, err)
-	assert.Equal(t, testProvider, p2)
-}
-
-func TestRegisterGCP(t *testing.T) {
-	p, ok := GetProviderByName("gcpsm")
-	assert.Nil(t, p)
-	assert.False(t, ok, "provider should not be registered")
-
-	testProvider := &PP{}
-	secretStore := &SecretStore{
-		Spec: SecretStoreSpec{
-			Provider: &SecretStoreProvider{
-				GCPSM: &GCPSMProvider{},
-			},
-		},
-	}
-
-	ForceRegister(testProvider, secretStore.Spec.Provider, MaintenanceStatusMaintained)
-	p1, ok := GetProviderByName("gcpsm")
-	assert.True(t, ok, shouldBeRegistered)
-	assert.Equal(t, testProvider, p1)
-
-	p2, err := GetProvider(secretStore)
-	assert.Nil(t, err)
-	assert.Equal(t, testProvider, p2)
-}

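--- a/apis/externalsecrets/v1/pushsecret_interfaces.go
+++ b/apis/externalsecrets/v1/pushsecret_interfaces.go
@@ -1,41 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-	http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-
-// +kubebuilder:object:root=false
-// +kubebuilder:object:generate:false
-// +k8s:deepcopy-gen:interfaces=nil
-// +k8s:deepcopy-gen=nil
-
-// PushSecretData is an interface to allow using v1alpha1.PushSecretData content in Provider registered in v1.
-type PushSecretData interface {
-	GetMetadata() *apiextensionsv1.JSON
-	GetSecretKey() string
-	GetRemoteKey() string
-	GetProperty() string
-}
-
-// +kubebuilder:object:root=false
-// +kubebuilder:object:generate:false
-// +k8s:deepcopy-gen:interfaces=nil
-// +k8s:deepcopy-gen=nil
-
-// PushSecretRemoteRef is an interface to allow using v1alpha1.PushSecretRemoteRef in Provider registered in v1.
-type PushSecretRemoteRef interface {
-	GetRemoteKey() string
-	GetProperty() string
-}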

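--- a/apis/externalsecrets/v1/register.go
+++ b/apis/externalsecrets/v1/register.go
@@ -1,76 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	"reflect"
-
-	"k8s.io/apimachinery/pkg/runtime/schema"
-	"sigs.k8s.io/controller-runtime/pkg/scheme"
-)
-
-// Package type metadata.
-const (
-	Group   = "external-secrets.io"
-	Version = "v1"
-)
-
-var (
-	// SchemeGroupVersion is group version used to register these objects.
-	SchemeGroupVersion = schema.GroupVersion{Group: Group, Version: Version}
-
-	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
-	SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
-	AddToScheme   = SchemeBuilder.AddToScheme
-)
-
-// ExternalSecret type metadata.
-var (
-	ExtSecretKind             = reflect.TypeOf(ExternalSecret{}).Name()
-	ExtSecretGroupKind        = schema.GroupKind{Group: Group, Kind: ExtSecretKind}.String()
-	ExtSecretKindAPIVersion   = ExtSecretKind + "." + SchemeGroupVersion.String()
-	ExtSecretGroupVersionKind = SchemeGroupVersion.WithKind(ExtSecretKind)
-)
-
-// ClusterExternalSecret type metadata.
-var (
-	ClusterExtSecretKind             = reflect.TypeOf(ClusterExternalSecret{}).Name()
-	ClusterExtSecretGroupKind        = schema.GroupKind{Group: Group, Kind: ClusterExtSecretKind}.String()
-	ClusterExtSecretKindAPIVersion   = ClusterExtSecretKind + "." + SchemeGroupVersion.String()
-	ClusterExtSecretGroupVersionKind = SchemeGroupVersion.WithKind(ClusterExtSecretKind)
-)
-
-// SecretStore type metadata.
-var (
-	SecretStoreKind             = reflect.TypeOf(SecretStore{}).Name()
-	SecretStoreGroupKind        = schema.GroupKind{Group: Group, Kind: SecretStoreKind}.String()
-	SecretStoreKindAPIVersion   = SecretStoreKind + "." + SchemeGroupVersion.String()
-	SecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(SecretStoreKind)
-)
-
-// ClusterSecretStore type metadata.
-var (
-	ClusterSecretStoreKind             = reflect.TypeOf(ClusterSecretStore{}).Name()
-	ClusterSecretStoreGroupKind        = schema.GroupKind{Group: Group, Kind: ClusterSecretStoreKind}.String()
-	ClusterSecretStoreKindAPIVersion   = ClusterSecretStoreKind + "." + SchemeGroupVersion.String()
-	ClusterSecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(ClusterSecretStoreKind)
-)
-
-func init() {
-	SchemeBuilder.Register(&ExternalSecret{}, &ExternalSecretList{})
-	SchemeBuilder.Register(&ClusterExternalSecret{}, &ClusterExternalSecretList{})
-	SchemeBuilder.Register(&SecretStore{}, &SecretStoreList{})
-	SchemeBuilder.Register(&ClusterSecretStore{}, &ClusterSecretStoreList{})
-}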

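--- a/apis/externalsecrets/v1/secretsstore_bitwarden_types.go
+++ b/apis/externalsecrets/v1/secretsstore_bitwarden_types.go
@@ -1,50 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-    http://www.apache.org/licenses/LICENSE-2.0
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-)
-
-// BitwardenSecretsManagerProvider configures a store to sync secrets with a Bitwarden Secrets Manager instance.
-type BitwardenSecretsManagerProvider struct {
-	APIURL                string `json:"apiURL,omitempty"`
-	IdentityURL           string `json:"identityURL,omitempty"`
-	BitwardenServerSDKURL string `json:"bitwardenServerSDKURL,omitempty"`
-	// Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
-	// can be performed.
-	// +optional
-	CABundle string `json:"caBundle,omitempty"`
-	// see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider
-	// +optional
-	CAProvider *CAProvider `json:"caProvider,omitempty"`
-	// OrganizationID determines which organization this secret store manages.
-	OrganizationID string `json:"organizationID"`
-	// ProjectID determines which project this secret store manages.
-	ProjectID string `json:"projectID"`
-	// Auth configures how secret-manager authenticates with a bitwarden machine account instance.
-	// Make sure that the token being used has permissions on the given secret.
-	Auth BitwardenSecretsManagerAuth `json:"auth"`
-}
-
-// BitwardenSecretsManagerAuth contains the ref to the secret that contains the machine account token.
-type BitwardenSecretsManagerAuth struct {
-	SecretRef BitwardenSecretsManagerSecretRef `json:"secretRef"`
-}
-
-// BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
-type BitwardenSecretsManagerSecretRef struct {
-	// AccessToken used for the bitwarden instance.
-	// +required
-	Credentials esmeta.SecretKeySelector `json:"credentials"`
-}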

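--- a/apis/externalsecrets/v1/secretsstore_delinea_types.go
+++ b/apis/externalsecrets/v1/secretsstore_delinea_types.go
@@ -1,51 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-
-type DelineaProviderSecretRef struct {
-
-	// Value can be specified directly to set a value without using a secret.
-	// +optional
-	Value string `json:"value,omitempty"`
-
-	// SecretRef references a key in a secret that will be used as value.
-	// +optional
-	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
-}
-
-// See https://github.com/DelineaXPM/dsv-sdk-go/blob/main/vault/vault.go.
-type DelineaProvider struct {
-
-	// ClientID is the non-secret part of the credential.
-	ClientID *DelineaProviderSecretRef `json:"clientId"`
-
-	// ClientSecret is the secret part of the credential.
-	ClientSecret *DelineaProviderSecretRef `json:"clientSecret"`
-
-	// Tenant is the chosen hostname / site name.
-	Tenant string `json:"tenant"`
-
-	// URLTemplate
-	// If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
-	// +optional
-	URLTemplate string `json:"urlTemplate,omitempty"`
-
-	// TLD is based on the server location that was chosen during provisioning.
-	// If unset, defaults to "com".
-	// +optional
-	TLD string `json:"tld,omitempty"`
-}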

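--- a/apis/externalsecrets/v1/secretsstore_infisical_types.go
+++ b/apis/externalsecrets/v1/secretsstore_infisical_types.go
@@ -1,66 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-)
-
-type UniversalAuthCredentials struct {
-	// +kubebuilder:validation:Required
-	ClientID esmeta.SecretKeySelector `json:"clientId"`
-	// +kubebuilder:validation:Required
-	ClientSecret esmeta.SecretKeySelector `json:"clientSecret"`
-}
-
-type InfisicalAuth struct {
-	// +optional
-	UniversalAuthCredentials *UniversalAuthCredentials `json:"universalAuthCredentials,omitempty"`
-}
-
-type MachineIdentityScopeInWorkspace struct {
-	// SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
-	// +kubebuilder:default="/"
-	// +optional
-	SecretsPath string `json:"secretsPath,omitempty"`
-	// Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
-	// +kubebuilder:default=false
-	// +optional
-	Recursive bool `json:"recursive,omitempty"`
-	// EnvironmentSlug is the required slug identifier for the environment.
-	// +kubebuilder:validation:Required
-	EnvironmentSlug string `json:"environmentSlug"`
-	// ProjectSlug is the required slug identifier for the project.
-	// +kubebuilder:validation:Required
-	ProjectSlug string `json:"projectSlug"`
-	// ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
-	// +kubebuilder:default=true
-	// +optional
-	ExpandSecretReferences bool `json:"expandSecretReferences,omitempty"`
-}
-
-// InfisicalProvider configures a store to sync secrets using the Infisical provider.
-type InfisicalProvider struct {
-	// Auth configures how the Operator authenticates with the Infisical API
-	// +kubebuilder:validation:Required
-	Auth InfisicalAuth `json:"auth"`
-	// SecretsScope defines the scope of the secrets within the workspace
-	// +kubebuilder:validation:Required
-	SecretsScope MachineIdentityScopeInWorkspace `json:"secretsScope"`
-	// HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
-	// +kubebuilder:default="https://app.infisical.com/api"
-	// +optional
-	HostAPI string `json:"hostAPI,omitempty"`
-}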

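--- a/apis/externalsecrets/v1/secretsstore_passbolt_types.go
+++ b/apis/externalsecrets/v1/secretsstore_passbolt_types.go
@@ -1,32 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-	http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-)
-
-// Passbolt contains a secretRef for the passbolt credentials.
-type PassboltAuth struct {
-	PasswordSecretRef   *esmeta.SecretKeySelector `json:"passwordSecretRef"`
-	PrivateKeySecretRef *esmeta.SecretKeySelector `json:"privateKeySecretRef"`
-}
-
-type PassboltProvider struct {
-	// Auth defines the information necessary to authenticate against Passbolt Server
-	Auth *PassboltAuth `json:"auth"`
-	// Host defines the Passbolt Server to connect to
-	Host string `json:"host"`
-}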

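--- a/apis/externalsecrets/v1/secretsstore_secretserver_types.go
+++ b/apis/externalsecrets/v1/secretsstore_secretserver_types.go
@@ -1,45 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-
-type SecretServerProviderRef struct {
-
-	// Value can be specified directly to set a value without using a secret.
-	// +optional
-	Value string `json:"value,omitempty"`
-
-	// SecretRef references a key in a secret that will be used as value.
-	// +optional
-	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
-}
-
-// See https://github.com/DelineaXPM/tss-sdk-go/blob/main/server/server.go.
-type SecretServerProvider struct {
-
-	// Username is the secret server account username.
-	// +required
-	Username *SecretServerProviderRef `json:"username"`
-
-	// Password is the secret server account password.
-	// +required
-	Password *SecretServerProviderRef `json:"password"`
-
-	// ServerURL
-	// URL to your secret server installation
-	// +required
-	ServerURL string `json:"serverURL"`
-}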

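--- a/apis/externalsecrets/v1/secretstore_beyondtrust_types.go
+++ b/apis/externalsecrets/v1/secretstore_beyondtrust_types.go
@@ -1,67 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-
-type BeyondTrustProviderSecretRef struct {
-
-	// Value can be specified directly to set a value without using a secret.
-	// +optional
-	Value string `json:"value,omitempty"`
-
-	// SecretRef references a key in a secret that will be used as value.
-	// +optional
-	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
-}
-
-// Configures a store to sync secrets using BeyondTrust Password Safe.
-type BeyondtrustAuth struct {
-	// APIKey If not provided then ClientID/ClientSecret become required.
-	APIKey *BeyondTrustProviderSecretRef `json:"apiKey,omitempty"`
-	// ClientID is the API OAuth Client ID.
-	ClientID *BeyondTrustProviderSecretRef `json:"clientId,omitempty"`
-	// ClientSecret is the API OAuth Client Secret.
-	ClientSecret *BeyondTrustProviderSecretRef `json:"clientSecret,omitempty"`
-	// Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
-	Certificate *BeyondTrustProviderSecretRef `json:"certificate,omitempty"`
-	// Certificate private key (key.pem). For use when authenticating with an OAuth client Id
-	CertificateKey *BeyondTrustProviderSecretRef `json:"certificateKey,omitempty"`
-}
-
-// Configures a store to sync secrets using BeyondTrust Password Safe.
-type BeyondtrustServer struct {
-	// +required - BeyondTrust Password Safe API URL. https://example.com:443/beyondtrust/api/public/V3.
-	APIURL string `json:"apiUrl"`
-	// +optional - The recommended version is 3.1. If no version is specified, the default API version 3.0 will be used
-	APIVersion string `json:"apiVersion,omitempty"`
-	// The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
-	RetrievalType string `json:"retrievalType,omitempty"`
-	// A character that separates the folder names.
-	Separator string `json:"separator,omitempty"`
-	// +required - Indicates whether to verify the certificate authority on the Secrets Safe instance. Warning - false is insecure, instructs the BT provider not to verify the certificate authority.
-	VerifyCA bool `json:"verifyCA"`
-	// Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
-	ClientTimeOutSeconds int `json:"clientTimeOutSeconds,omitempty"`
-}
-
-type BeyondtrustProvider struct {
-
-	// Auth configures how the operator authenticates with Beyondtrust.
-	Auth *BeyondtrustAuth `json:"auth"`
-
-	// Auth configures how API server works.
-	Server *BeyondtrustServer `json:"server"`
-}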

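--- a/apis/externalsecrets/v1/secretstore_chef_types.go
+++ b/apis/externalsecrets/v1/secretstore_chef_types.go
@@ -1,38 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-    http://www.apache.org/licenses/LICENSE-2.0
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-)
-
-// ChefAuth contains a secretRef for credentials.
-type ChefAuth struct {
-	SecretRef ChefAuthSecretRef `json:"secretRef"`
-}
-
-// ChefAuthSecretRef holds secret references for chef server login credentials.
-type ChefAuthSecretRef struct {
-	// SecretKey is the Signing Key in PEM format, used for authentication.
-	SecretKey esmeta.SecretKeySelector `json:"privateKeySecretRef"`
-}
-
-// ChefProvider configures a store to sync secrets using basic chef server connection credentials.
-type ChefProvider struct {
-	// Auth defines the information necessary to authenticate against chef Server
-	Auth *ChefAuth `json:"auth"`
-	// UserName should be the user ID on the chef server
-	UserName string `json:"username"`
-	// ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
-	ServerURL string `json:"serverUrl"`
-}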

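--- a/apis/externalsecrets/v1/secretstore_cloudru_types.go
+++ b/apis/externalsecrets/v1/secretstore_cloudru_types.go
@@ -1,41 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-)
-
-// CSMAuth contains a secretRef for credentials.
-type CSMAuth struct {
-	// +optional
-	SecretRef *CSMAuthSecretRef `json:"secretRef,omitempty"`
-}
-
-// CSMAuthSecretRef holds secret references for Cloud.ru credentials.
-type CSMAuthSecretRef struct {
-	// The AccessKeyID is used for authentication
-	AccessKeyID esmeta.SecretKeySelector `json:"accessKeyIDSecretRef"`
-	// The AccessKeySecret is used for authentication
-	AccessKeySecret esmeta.SecretKeySelector `json:"accessKeySecretSecretRef"`
-}
-
-// CloudruSMProvider configures a store to sync secrets using the Cloud.ru Secret Manager provider.
-type CloudruSMProvider struct {
-	Auth CSMAuth `json:"auth"`
-
-	// ProjectID is the project, which the secrets are stored in.
-	ProjectID string `json:"projectID,omitempty"`
-}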

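--- a/apis/externalsecrets/v1/secretstore_conjur_types.go
+++ b/apis/externalsecrets/v1/secretstore_conjur_types.go
@@ -1,81 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-
-type ConjurProvider struct {
-	// URL is the endpoint of the Conjur instance.
-	URL string `json:"url"`
-
-	// CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
-	// +optional
-	CABundle string `json:"caBundle,omitempty"`
-
-	// Used to provide custom certificate authority (CA) certificates
-	// for a secret store. The CAProvider points to a Secret or ConfigMap resource
-	// that contains a PEM-encoded certificate.
-	// +optional
-	CAProvider *CAProvider `json:"caProvider,omitempty"`
-
-	// Defines authentication settings for connecting to Conjur.
-	Auth ConjurAuth `json:"auth"`
-}
-
-type ConjurAuth struct {
-	// Authenticates with Conjur using an API key.
-	// +optional
-	APIKey *ConjurAPIKey `json:"apikey,omitempty"`
-
-	// Jwt enables JWT authentication using Kubernetes service account tokens.
-	// +optional
-	Jwt *ConjurJWT `json:"jwt,omitempty"`
-}
-
-type ConjurAPIKey struct {
-	// Account is the Conjur organization account name.
-	Account string `json:"account"`
-
-	// A reference to a specific 'key' containing the Conjur username
-	// within a Secret resource. In some instances, `key` is a required field.
-	UserRef *esmeta.SecretKeySelector `json:"userRef"`
-
-	// A reference to a specific 'key' containing the Conjur API key
-	// within a Secret resource. In some instances, `key` is a required field.
-	APIKeyRef *esmeta.SecretKeySelector `json:"apiKeyRef"`
-}
-
-type ConjurJWT struct {
-	// Account is the Conjur organization account name.
-	Account string `json:"account"`
-
-	// The conjur authn jwt webservice id
-	ServiceID string `json:"serviceID"`
-
-	// Optional HostID for JWT authentication. This may be used depending
-	// on how the Conjur JWT authenticator policy is configured.
-	// +optional
-	HostID string `json:"hostId"`
-
-	// Optional SecretRef that refers to a key in a Secret resource containing JWT token to
-	// authenticate with Conjur using the JWT authentication method.
-	// +optional
-	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
-
-	// Optional ServiceAccountRef specifies the Kubernetes service account for which to request
-	// a token for with the `TokenRequest` API.
-	// +optional
-	ServiceAccountRef *esmeta.ServiceAccountSelector `json:"serviceAccountRef,omitempty"`
-}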

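--- a/apis/externalsecrets/v1/secretstore_device42_types.go
+++ b/apis/externalsecrets/v1/secretstore_device42_types.go
@@ -1,38 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-)
-
-// Device42Provider configures a store to sync secrets with a Device42 instance.
-type Device42Provider struct {
-	// URL configures the Device42 instance URL.
-	Host string `json:"host"`
-
-	// Auth configures how secret-manager authenticates with a Device42 instance.
-	Auth Device42Auth `json:"auth"`
-}
-
-type Device42Auth struct {
-	SecretRef Device42SecretRef `json:"secretRef"`
-}
-
-type Device42SecretRef struct {
-	// Username / Password is used for authentication.
-	// +optional
-	Credentials esmeta.SecretKeySelector `json:"credentials,omitempty"`
-}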

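--- a/apis/externalsecrets/v1/secretstore_doppler_types.go
+++ b/apis/externalsecrets/v1/secretstore_doppler_types.go
@@ -1,57 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-)
-
-// Set DOPPLER_BASE_URL and DOPPLER_VERIFY_TLS environment variables to override defaults
-
-type DopplerAuth struct {
-	SecretRef DopplerAuthSecretRef `json:"secretRef"`
-}
-
-type DopplerAuthSecretRef struct {
-	// The DopplerToken is used for authentication.
-	// See https://docs.doppler.com/reference/api#authentication for auth token types.
-	// The Key attribute defaults to dopplerToken if not specified.
-	DopplerToken esmeta.SecretKeySelector `json:"dopplerToken"`
-}
-
-// DopplerProvider configures a store to sync secrets using the Doppler provider.
-// Project and Config are required if not using a Service Token.
-type DopplerProvider struct {
-	// Auth configures how the Operator authenticates with the Doppler API
-	Auth *DopplerAuth `json:"auth"`
-
-	// Doppler project (required if not using a Service Token)
-	// +optional
-	Project string `json:"project,omitempty"`
-
-	// Doppler config (required if not using a Service Token)
-	// +optional
-	Config string `json:"config,omitempty"`
-
-	// Environment variable compatible name transforms that change secret names to a different format
-	// +kubebuilder:validation:Enum=upper-camel;camel;lower-snake;tf-var;dotnet-env;lower-kebab
-	// +optional
-	NameTransformer string `json:"nameTransformer,omitempty"`
-
-	// Format enables the downloading of secrets as a file (string)
-	// +kubebuilder:validation:Enum=json;dotnet-json;env;yaml;docker
-	// +optional
-	Format string `json:"format,omitempty"`
-}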

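--- a/apis/externalsecrets/v1/secretstore_fortanix_types.go
+++ b/apis/externalsecrets/v1/secretstore_fortanix_types.go
@@ -1,29 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-	http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-package v1
-
-import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-
-type FortanixProvider struct {
-	// APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
-	APIURL string `json:"apiUrl,omitempty"`
-
-	// APIKey is the API token to access SDKMS Applications.
-	APIKey *FortanixProviderSecretRef `json:"apiKey,omitempty"`
-}
-
-type FortanixProviderSecretRef struct {
-	// SecretRef is a reference to a secret containing the SDKMS API Key.
-	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
-}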

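--- a/apis/externalsecrets/v1/secretstore_github_types.go
+++ b/apis/externalsecrets/v1/secretstore_github_types.go
@@ -1,52 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-)
-
-// Configures a store to push secrets to Github Actions.
-type GithubProvider struct {
-	// URL configures the Github instance URL. Defaults to https://github.com/.
-	//+kubebuilder:default="https://github.com/"
-	URL string `json:"url,omitempty"`
-	// Upload URL for enterprise instances. Default to URL.
-	//+optional
-	UploadURL string `json:"uploadURL,omitempty"`
-	// auth configures how secret-manager authenticates with a Github instance.
-	Auth GithubAppAuth `json:"auth"`
-
-	// appID specifies the Github APP that will be used to authenticate the client
-	AppID int64 `json:"appID"`
-
-	// installationID specifies the Github APP installation that will be used to authenticate the client
-	InstallationID int64 `json:"installationID"`
-
-	// organization will be used to fetch secrets from the Github organization
-	Organization string `json:"organization"`
-
-	// repository will be used to fetch secrets from the Github repository within an organization
-	//+optional
-	Repository string `json:"repository,omitempty"`
-
-	// environment will be used to fetch secrets from a particular environment within a github repository
-	//+optional
-	Environment string `json:"environment,omitempty"`
-}
-
-type GithubAppAuth struct {
-	PrivateKey esmeta.SecretKeySelector `json:"privateKey"`
-}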

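--- a/apis/externalsecrets/v1/secretstore_onboardbase_types.go
+++ b/apis/externalsecrets/v1/secretstore_onboardbase_types.go
@@ -1,50 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-)
-
-// OnboardbaseAuthSecretRef holds secret references for onboardbase API Key credentials.
-type OnboardbaseAuthSecretRef struct {
-	// OnboardbaseAPIKey is the APIKey generated by an admin account.
-	// It is used to recognize and authorize access to a project and environment within onboardbase
-	// +kubebuilder:validation:Required
-	OnboardbaseAPIKeyRef esmeta.SecretKeySelector `json:"apiKeyRef"`
-	// OnboardbasePasscode is the passcode attached to the API Key
-	// +kubebuilder:validation:Required
-	OnboardbasePasscodeRef esmeta.SecretKeySelector `json:"passcodeRef"`
-}
-
-// OnboardbaseProvider configures a store to sync secrets using the Onboardbase provider.
-// Project and Config are required if not using a Service Token.
-type OnboardbaseProvider struct {
-	// Auth configures how the Operator authenticates with the Onboardbase API
-	Auth *OnboardbaseAuthSecretRef `json:"auth"`
-
-	// APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
-	// +kubebuilder:default:="https://public.onboardbase.com/api/v1/"
-	APIHost string `json:"apiHost"`
-
-	// Project is an onboardbase project that the secrets should be pulled from
-	// +kubebuilder:validation:Required
-	// +kubebuilder:default:="development"
-	Project string `json:"project"`
-	// Environment is the name of an environmnent within a project to pull the secrets from
-	// +kubebuilder:validation:Required
-	// +kubebuilder:default:="development"
-	Environment string `json:"environment"`
-}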

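--- a/apis/externalsecrets/v1/secretstore_onepassword_types.go
+++ b/apis/externalsecrets/v1/secretstore_onepassword_types.go
@@ -1,40 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-)
-
-// OnePasswordAuth contains a secretRef for credentials.
-type OnePasswordAuth struct {
-	SecretRef *OnePasswordAuthSecretRef `json:"secretRef"`
-}
-
-// OnePasswordAuthSecretRef holds secret references for 1Password credentials.
-type OnePasswordAuthSecretRef struct {
-	// The ConnectToken is used for authentication to a 1Password Connect Server.
-	ConnectToken esmeta.SecretKeySelector `json:"connectTokenSecretRef"`
-}
-
-// OnePasswordProvider configures a store to sync secrets using the 1Password Secret Manager provider.
-type OnePasswordProvider struct {
-	// Auth defines the information necessary to authenticate against OnePassword Connect Server
-	Auth *OnePasswordAuth `json:"auth"`
-	// ConnectHost defines the OnePassword Connect Server to connect to
-	ConnectHost string `json:"connectHost"`
-	// Vaults defines which OnePassword vaults to search in which order
-	Vaults map[string]int `json:"vaults"`
-}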

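--- a/apis/externalsecrets/v1/secretstore_previder_types.go
+++ b/apis/externalsecrets/v1/secretstore_previder_types.go
@@ -1,38 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-)
-
-// PreviderProvider configures a store to sync secrets using the Previder Secret Manager provider.
-type PreviderProvider struct {
-	Auth PreviderAuth `json:"auth"`
-	// +optional
-	BaseURI string `json:"baseUri,omitempty"`
-}
-
-// PreviderAuth contains a secretRef for credentials.
-type PreviderAuth struct {
-	// +optional
-	SecretRef *PreviderAuthSecretRef `json:"secretRef,omitempty"`
-}
-
-// PreviderAuthSecretRef holds secret references for Previder Vault credentials.
-type PreviderAuthSecretRef struct {
-	// The AccessToken is used for authentication
-	AccessToken esmeta.SecretKeySelector `json:"accessToken"`
-}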

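--- a/apis/externalsecrets/v1/secretstore_pulumi_types.go
+++ b/apis/externalsecrets/v1/secretstore_pulumi_types.go
@@ -1,45 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-)
-
-type PulumiProvider struct {
-	// APIURL is the URL of the Pulumi API.
-	// +kubebuilder:default="https://api.pulumi.com/api/esc"
-	APIURL string `json:"apiUrl,omitempty"`
-
-	// AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
-	AccessToken *PulumiProviderSecretRef `json:"accessToken"`
-
-	// Organization are a space to collaborate on shared projects and stacks.
-	// To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
-	Organization string `json:"organization"`
-
-	// Project is the name of the Pulumi ESC project the environment belongs to.
-	Project string `json:"project"`
-	// Environment are YAML documents composed of static key-value pairs, programmatic expressions,
-	// dynamically retrieved values from supported providers including all major clouds,
-	// and other Pulumi ESC environments.
-	// To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
-	Environment string `json:"environment"`
-}
-
-type PulumiProviderSecretRef struct {
-	// SecretRef is a reference to a secret containing the Pulumi API token.
-	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
-}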

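--- a/apis/externalsecrets/v1/secretstore_scaleway_types.go
+++ b/apis/externalsecrets/v1/secretstore_scaleway_types.go
@@ -1,47 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-
-type ScalewayProviderSecretRef struct {
-
-	// Value can be specified directly to set a value without using a secret.
-	// +optional
-	Value string `json:"value,omitempty"`
-
-	// SecretRef references a key in a secret that will be used as value.
-	// +optional
-	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
-}
-
-type ScalewayProvider struct {
-
-	// APIURL is the url of the api to use. Defaults to https://api.scaleway.com
-	// +optional
-	APIURL string `json:"apiUrl,omitempty"`
-
-	// Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone
-	Region string `json:"region"`
-
-	// ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings
-	ProjectID string `json:"projectId"`
-
-	// AccessKey is the non-secret part of the api key.
-	AccessKey *ScalewayProviderSecretRef `json:"accessKey"`
-
-	// SecretKey is the non-secret part of the api key.
-	SecretKey *ScalewayProviderSecretRef `json:"secretKey"`
-}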

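--- a/apis/externalsecrets/v1/secretstore_senhasegura_types.go
+++ b/apis/externalsecrets/v1/secretstore_senhasegura_types.go
@@ -1,57 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-
-/*
-SenhaseguraAuth tells the controller how to do auth in senhasegura.
-*/
-type SenhaseguraAuth struct {
-	ClientID     string                   `json:"clientId"`
-	ClientSecret esmeta.SecretKeySelector `json:"clientSecretSecretRef"`
-}
-
-/*
-SenhaseguraModuleType enum defines senhasegura target module to fetch secrets
-+kubebuilder:validation:Enum=DSM
-*/
-type SenhaseguraModuleType string
-
-const (
-	/*
-		SenhaseguraModuleDSM is the senhasegura DevOps Secrets Management module
-		see: https://senhasegura.com/devops
-	*/
-	SenhaseguraModuleDSM SenhaseguraModuleType = "DSM"
-)
-
-/*
-SenhaseguraProvider setup a store to sync secrets with senhasegura.
-*/
-type SenhaseguraProvider struct {
-	/* URL of senhasegura */
-	URL string `json:"url"`
-
-	/* Module defines which senhasegura module should be used to get secrets */
-	Module SenhaseguraModuleType `json:"module"`
-
-	/* Auth defines parameters to authenticate in senhasegura */
-	Auth SenhaseguraAuth `json:"auth"`
-
-	// IgnoreSslCertificate defines if SSL certificate must be ignored
-	// +kubebuilder:default=false
-	IgnoreSslCertificate bool `json:"ignoreSslCertificate,omitempty"`
-}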

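--- a/apis/externalsecrets/v1/secretstore_types.go
+++ b/apis/externalsecrets/v1/secretstore_types.go
@@ -1,348 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// SecretStoreSpec defines the desired state of SecretStore.
-type SecretStoreSpec struct {
-	// Used to select the correct ESO controller (think: ingress.ingressClassName)
-	// The ESO controller is instantiated with a specific controller name and filters ES based on this property
-	// +optional
-	Controller string `json:"controller,omitempty"`
-
-	// Used to configure the provider. Only one provider may be set
-	Provider *SecretStoreProvider `json:"provider"`
-
-	// Used to configure http retries if failed
-	// +optional
-	RetrySettings *SecretStoreRetrySettings `json:"retrySettings,omitempty"`
-
-	// Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
-	// +optional
-	RefreshInterval int `json:"refreshInterval,omitempty"`
-
-	// Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
-	// +optional
-	Conditions []ClusterSecretStoreCondition `json:"conditions,omitempty"`
-}
-
-// ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
-// for a ClusterSecretStore instance.
-type ClusterSecretStoreCondition struct {
-	// Choose namespace using a labelSelector
-	// +optional
-	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
-
-	// Choose namespaces by name
-	// +optional
-	// +kubebuilder:validation:items:MinLength:=1
-	// +kubebuilder:validation:items:MaxLength:=63
-	// +kubebuilder:validation:items:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
-	Namespaces []string `json:"namespaces,omitempty"`
-
-	// Choose namespaces by using regex matching
-	// +optional
-	NamespaceRegexes []string `json:"namespaceRegexes,omitempty"`
-}
-
-// SecretStoreProvider contains the provider-specific configuration.
-// +kubebuilder:validation:MinProperties=1
-// +kubebuilder:validation:MaxProperties=1
-type SecretStoreProvider struct {
-	// AWS configures this store to sync secrets using AWS Secret Manager provider
-	// +optional
-	AWS *AWSProvider `json:"aws,omitempty"`
-
-	// AzureKV configures this store to sync secrets using Azure Key Vault provider
-	// +optional
-	AzureKV *AzureKVProvider `json:"azurekv,omitempty"`
-
-	// Akeyless configures this store to sync secrets using Akeyless Vault provider
-	// +optional
-	Akeyless *AkeylessProvider `json:"akeyless,omitempty"`
-
-	// BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
-	// +optional
-	BitwardenSecretsManager *BitwardenSecretsManagerProvider `json:"bitwardensecretsmanager,omitempty"`
-
-	// Vault configures this store to sync secrets using Hashi provider
-	// +optional
-	Vault *VaultProvider `json:"vault,omitempty"`
-
-	// GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
-	// +optional
-	GCPSM *GCPSMProvider `json:"gcpsm,omitempty"`
-
-	// Oracle configures this store to sync secrets using Oracle Vault provider
-	// +optional
-	Oracle *OracleProvider `json:"oracle,omitempty"`
-
-	// IBM configures this store to sync secrets using IBM Cloud provider
-	// +optional
-	IBM *IBMProvider `json:"ibm,omitempty"`
-
-	// YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
-	// +optional
-	YandexCertificateManager *YandexCertificateManagerProvider `json:"yandexcertificatemanager,omitempty"`
-
-	// YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
-	// +optional
-	YandexLockbox *YandexLockboxProvider `json:"yandexlockbox,omitempty"`
-
-	// Github configures this store to push Github Action secrets using Github API provider
-	// +optional
-	Github *GithubProvider `json:"github,omitempty"`
-
-	// GitLab configures this store to sync secrets using GitLab Variables provider
-	// +optional
-	Gitlab *GitlabProvider `json:"gitlab,omitempty"`
-
-	// Alibaba configures this store to sync secrets using Alibaba Cloud provider
-	// +optional
-	Alibaba *AlibabaProvider `json:"alibaba,omitempty"`
-
-	// OnePassword configures this store to sync secrets using the 1Password Cloud provider
-	// +optional
-	OnePassword *OnePasswordProvider `json:"onepassword,omitempty"`
-
-	// Webhook configures this store to sync secrets using a generic templated webhook
-	// +optional
-	Webhook *WebhookProvider `json:"webhook,omitempty"`
-
-	// Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
-	// +optional
-	Kubernetes *KubernetesProvider `json:"kubernetes,omitempty"`
-
-	// Fake configures a store with static key/value pairs
-	// +optional
-	Fake *FakeProvider `json:"fake,omitempty"`
-
-	// Senhasegura configures this store to sync secrets using senhasegura provider
-	// +optional
-	Senhasegura *SenhaseguraProvider `json:"senhasegura,omitempty"`
-
-	// Scaleway
-	// +optional
-	Scaleway *ScalewayProvider `json:"scaleway,omitempty"`
-
-	// Doppler configures this store to sync secrets using the Doppler provider
-	// +optional
-	Doppler *DopplerProvider `json:"doppler,omitempty"`
-
-	// Previder configures this store to sync secrets using the Previder provider
-	// +optional
-	Previder *PreviderProvider `json:"previder,omitempty"`
-
-	// Onboardbase configures this store to sync secrets using the Onboardbase provider
-	// +optional
-	Onboardbase *OnboardbaseProvider `json:"onboardbase,omitempty"`
-
-	// KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
-	// +optional
-	KeeperSecurity *KeeperSecurityProvider `json:"keepersecurity,omitempty"`
-
-	// Conjur configures this store to sync secrets using conjur provider
-	// +optional
-	Conjur *ConjurProvider `json:"conjur,omitempty"`
-
-	// Delinea DevOps Secrets Vault
-	// https://docs.delinea.com/online-help/products/devops-secrets-vault/current
-	// +optional
-	Delinea *DelineaProvider `json:"delinea,omitempty"`
-
-	// SecretServer configures this store to sync secrets using SecretServer provider
-	// https://docs.delinea.com/online-help/secret-server/start.htm
-	// +optional
-	SecretServer *SecretServerProvider `json:"secretserver,omitempty"`
-
-	// Chef configures this store to sync secrets with chef server
-	// +optional
-	Chef *ChefProvider `json:"chef,omitempty"`
-
-	// Pulumi configures this store to sync secrets using the Pulumi provider
-	// +optional
-	Pulumi *PulumiProvider `json:"pulumi,omitempty"`
-
-	// Fortanix configures this store to sync secrets using the Fortanix provider
-	// +optional
-	Fortanix *FortanixProvider `json:"fortanix,omitempty"`
-
-	// +optional
-	PasswordDepot *PasswordDepotProvider `json:"passworddepot,omitempty"`
-
-	// +optional
-	Passbolt *PassboltProvider `json:"passbolt,omitempty"`
-
-	// Device42 configures this store to sync secrets using the Device42 provider
-	// +optional
-	Device42 *Device42Provider `json:"device42,omitempty"`
-
-	// Infisical configures this store to sync secrets using the Infisical provider
-	// +optional
-	Infisical *InfisicalProvider `json:"infisical,omitempty"`
-
-	// Beyondtrust configures this store to sync secrets using Password Safe provider.
-	// +optional
-	Beyondtrust *BeyondtrustProvider `json:"beyondtrust,omitempty"`
-
-	// CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
-	// +optional
-	CloudruSM *CloudruSMProvider `json:"cloudrusm,omitempty"`
-}
-
-type CAProviderType string
-
-const (
-	CAProviderTypeSecret    CAProviderType = "Secret"
-	CAProviderTypeConfigMap CAProviderType = "ConfigMap"
-)
-
-// Used to provide custom certificate authority (CA) certificates
-// for a secret store. The CAProvider points to a Secret or ConfigMap resource
-// that contains a PEM-encoded certificate.
-type CAProvider struct {
-	// The type of provider to use such as "Secret", or "ConfigMap".
-	// +kubebuilder:validation:Enum="Secret";"ConfigMap"
-	Type CAProviderType `json:"type"`
-
-	// The name of the object located at the provider type.
-	// +kubebuilder:validation:MinLength:=1
-	// +kubebuilder:validation:MaxLength:=253
-	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-	Name string `json:"name"`
-
-	// The key where the CA certificate can be found in the Secret or ConfigMap.
-	// +kubebuilder:validation:Optional
-	// +kubebuilder:validation:MinLength:=1
-	// +kubebuilder:validation:MaxLength:=253
-	// +kubebuilder:validation:Pattern:=^[-._a-zA-Z0-9]+$
-	Key string `json:"key,omitempty"`
-
-	// The namespace the Provider type is in.
-	// Can only be defined when used in a ClusterSecretStore.
-	// +optional
-	// +kubebuilder:validation:MinLength:=1
-	// +kubebuilder:validation:MaxLength:=63
-	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
-	Namespace *string `json:"namespace,omitempty"`
-}
-
-type SecretStoreRetrySettings struct {
-	MaxRetries    *int32  `json:"maxRetries,omitempty"`
-	RetryInterval *string `json:"retryInterval,omitempty"`
-}
-
-type SecretStoreConditionType string
-
-const (
-	SecretStoreReady SecretStoreConditionType = "Ready"
-
-	ReasonInvalidStore          = "InvalidStoreConfiguration"
-	ReasonInvalidProviderConfig = "InvalidProviderConfig"
-	ReasonValidationFailed      = "ValidationFailed"
-	ReasonStoreValid            = "Valid"
-	StoreUnmaintained           = "StoreUnmaintained"
-)
-
-type SecretStoreStatusCondition struct {
-	Type   SecretStoreConditionType `json:"type"`
-	Status corev1.ConditionStatus   `json:"status"`
-
-	// +optional
-	Reason string `json:"reason,omitempty"`
-
-	// +optional
-	Message string `json:"message,omitempty"`
-
-	// +optional
-	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
-}
-
-// SecretStoreCapabilities defines the possible operations a SecretStore can do.
-type SecretStoreCapabilities string
-
-const (
-	SecretStoreReadOnly  SecretStoreCapabilities = "ReadOnly"
-	SecretStoreWriteOnly SecretStoreCapabilities = "WriteOnly"
-	SecretStoreReadWrite SecretStoreCapabilities = "ReadWrite"
-)
-
-// SecretStoreStatus defines the observed state of the SecretStore.
-type SecretStoreStatus struct {
-	// +optional
-	Conditions []SecretStoreStatusCondition `json:"conditions,omitempty"`
-	// +optional
-	Capabilities SecretStoreCapabilities `json:"capabilities,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-// +kubebuilder:storageversion
-
-// SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
-// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
-// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason`
-// +kubebuilder:printcolumn:name="Capabilities",type=string,JSONPath=`.status.capabilities`
-// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].status`
-// +kubebuilder:subresource:status
-// +kubebuilder:metadata:labels="external-secrets.io/component=controller"
-// +kubebuilder:resource:scope=Namespaced,categories={external-secrets},shortName=ss
-type SecretStore struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec   SecretStoreSpec   `json:"spec,omitempty"`
-	Status SecretStoreStatus `json:"status,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-
-// SecretStoreList contains a list of SecretStore resources.
-type SecretStoreList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []SecretStore `json:"items"`
-}
-
-// +kubebuilder:object:root=true
-// +kubebuilder:storageversion
-
-// ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
-// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
-// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason`
-// +kubebuilder:printcolumn:name="Capabilities",type=string,JSONPath=`.status.capabilities`
-// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].status`
-// +kubebuilder:subresource:status
-// +kubebuilder:metadata:labels="external-secrets.io/component=controller"
-// +kubebuilder:resource:scope=Cluster,categories={external-secrets},shortName=css
-type ClusterSecretStore struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec   SecretStoreSpec   `json:"spec,omitempty"`
-	Status SecretStoreStatus `json:"status,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-
-// ClusterSecretStoreList contains a list of ClusterSecretStore resources.
-type ClusterSecretStoreList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []ClusterSecretStore `json:"items"`
-}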

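--- a/apis/externalsecrets/v1/secretstore_validator.go
+++ b/apis/externalsecrets/v1/secretstore_validator.go
@@ -1,90 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"regexp"
-
-	"k8s.io/apimachinery/pkg/runtime"
-	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
-)
-
-var _ admission.CustomValidator = &GenericStoreValidator{}
-
-const (
-	errInvalidStore       = "invalid store"
-	warnStoreUnmaintained = "store %s isn't currently maintained. Please plan and prepare accordingly."
-)
-
-type GenericStoreValidator struct{}
-
-// ValidateCreate implements webhook.Validator so a webhook will be registered for the type.
-func (r *GenericStoreValidator) ValidateCreate(_ context.Context, obj runtime.Object) (admission.Warnings, error) {
-	st, ok := obj.(GenericStore)
-	if !ok {
-		return nil, errors.New(errInvalidStore)
-	}
-	return validateStore(st)
-}
-
-// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type.
-func (r *GenericStoreValidator) ValidateUpdate(_ context.Context, _, newObj runtime.Object) (admission.Warnings, error) {
-	st, ok := newObj.(GenericStore)
-	if !ok {
-		return nil, errors.New(errInvalidStore)
-	}
-	return validateStore(st)
-}
-
-// ValidateDelete implements webhook.Validator so a webhook will be registered for the type.
-func (r *GenericStoreValidator) ValidateDelete(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
-	return nil, nil
-}
-
-func validateStore(store GenericStore) (admission.Warnings, error) {
-	if err := validateConditions(store); err != nil {
-		return nil, err
-	}
-
-	provider, err := GetProvider(store)
-	if err != nil {
-		return nil, err
-	}
-	isMaintained, err := GetMaintenanceStatus(store)
-	if err != nil {
-		return nil, err
-	}
-	warns, err := provider.ValidateStore(store)
-	if !isMaintained {
-		warns = append(warns, fmt.Sprintf(warnStoreUnmaintained, store.GetName()))
-	}
-	return warns, err
-}
-
-func validateConditions(store GenericStore) error {
-	var errs error
-	for ci, condition := range store.GetSpec().Conditions {
-		for ri, r := range condition.NamespaceRegexes {
-			if _, err := regexp.Compile(r); err != nil {
-				errs = errors.Join(errs, fmt.Errorf("failed to compile %dth namespace regex in %dth condition: %w", ri, ci, err))
-			}
-		}
-	}
-
-	return errs
-}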

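--- a/apis/externalsecrets/v1/secretstore_validator_test.go
+++ b/apis/externalsecrets/v1/secretstore_validator_test.go
@@ -1,196 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-	http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	"fmt"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
-)
-
-// ValidationProvider is a simple provider that we can use without cyclic import.
-type ValidationProvider struct {
-	Provider
-}
-
-func (v *ValidationProvider) ValidateStore(_ GenericStore) (admission.Warnings, error) {
-	return nil, nil
-}
-
-func TestValidateSecretStore(t *testing.T) {
-	tests := []struct {
-		name        string
-		obj         *SecretStore
-		mock        func()
-		assertWarns func(t *testing.T, warns admission.Warnings)
-		assertErr   func(t *testing.T, err error)
-	}{
-		{
-			name: "valid regex",
-			obj: &SecretStore{
-				Spec: SecretStoreSpec{
-					Conditions: []ClusterSecretStoreCondition{
-						{
-							NamespaceRegexes: []string{`.*`},
-						},
-					},
-					Provider: &SecretStoreProvider{
-						AWS: &AWSProvider{},
-					},
-				},
-			},
-			mock: func() {
-				ForceRegister(&ValidationProvider{}, &SecretStoreProvider{
-					AWS: &AWSProvider{},
-				}, MaintenanceStatusMaintained)
-			},
-			assertErr: func(t *testing.T, err error) {
-				require.NoError(t, err)
-			},
-			assertWarns: func(t *testing.T, warns admission.Warnings) {
-				require.Equal(t, 0, len(warns))
-			},
-		},
-		{
-			name: "invalid regex",
-			obj: &SecretStore{
-				Spec: SecretStoreSpec{
-					Conditions: []ClusterSecretStoreCondition{
-						{
-							NamespaceRegexes: []string{`\1`},
-						},
-					},
-					Provider: &SecretStoreProvider{
-						AWS: &AWSProvider{},
-					},
-				},
-			},
-			mock: func() {
-				ForceRegister(&ValidationProvider{}, &SecretStoreProvider{
-					AWS: &AWSProvider{},
-				}, MaintenanceStatusMaintained)
-			},
-			assertErr: func(t *testing.T, err error) {
-				assert.EqualError(t, err, "failed to compile 0th namespace regex in 0th condition: error parsing regexp: invalid escape sequence: `\\1`")
-			},
-			assertWarns: func(t *testing.T, warns admission.Warnings) {
-				require.Equal(t, 0, len(warns))
-			},
-		},
-		{
-			name: "multiple errors",
-			obj: &SecretStore{
-				Spec: SecretStoreSpec{
-					Conditions: []ClusterSecretStoreCondition{
-						{
-							NamespaceRegexes: []string{`\1`, `\2`},
-						},
-					},
-					Provider: &SecretStoreProvider{
-						AWS: &AWSProvider{},
-					},
-				},
-			},
-			assertWarns: func(t *testing.T, warns admission.Warnings) {
-				require.Equal(t, 0, len(warns))
-			},
-
-			mock: func() {
-				ForceRegister(&ValidationProvider{}, &SecretStoreProvider{
-					AWS: &AWSProvider{},
-				}, MaintenanceStatusMaintained)
-			},
-			assertErr: func(t *testing.T, err error) {
-				assert.EqualError(t, err, "failed to compile 0th namespace regex in 0th condition: error parsing regexp: invalid escape sequence: `\\1`\nfailed to compile 1th namespace regex in 0th condition: error parsing regexp: invalid escape sequence: `\\2`")
-			},
-		},
-		{
-			name: "secret store must have only a single backend",
-			obj: &SecretStore{
-				Spec: SecretStoreSpec{
-					Provider: &SecretStoreProvider{
-						AWS:   &AWSProvider{},
-						GCPSM: &GCPSMProvider{},
-					},
-				},
-			},
-			assertErr: func(t *testing.T, err error) {
-				assert.EqualError(t, err, "store error for : secret stores must only have exactly one backend specified, found 2")
-			},
-			assertWarns: func(t *testing.T, warns admission.Warnings) {
-				require.Equal(t, 0, len(warns))
-			},
-		},
-		{
-			name: "no registered store backend",
-			obj: &SecretStore{
-				Spec: SecretStoreSpec{
-					Conditions: []ClusterSecretStoreCondition{
-						{
-							Namespaces: []string{"default"},
-						},
-					},
-				},
-			},
-			assertErr: func(t *testing.T, err error) {
-				assert.EqualError(t, err, "store error for : secret stores must only have exactly one backend specified, found 0")
-			},
-			assertWarns: func(t *testing.T, warns admission.Warnings) {
-				require.Equal(t, 0, len(warns))
-			},
-		},
-		{
-			name: "unmaintained warning",
-			obj: &SecretStore{
-				Spec: SecretStoreSpec{
-					Conditions: []ClusterSecretStoreCondition{
-						{
-							NamespaceRegexes: []string{`.*`},
-						},
-					},
-					Provider: &SecretStoreProvider{
-						AWS: &AWSProvider{},
-					},
-				},
-			},
-			mock: func() {
-				ForceRegister(&ValidationProvider{}, &SecretStoreProvider{
-					AWS: &AWSProvider{},
-				}, MaintenanceStatusNotMaintained)
-			},
-			assertErr: func(t *testing.T, err error) {
-				require.NoError(t, err)
-			},
-			assertWarns: func(t *testing.T, warns admission.Warnings) {
-				require.Equal(t, 1, len(warns))
-				assert.Equal(t, warns[0], fmt.Sprintf(warnStoreUnmaintained, ""))
-			},
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if tt.mock != nil {
-				tt.mock()
-			}
-
-			warns, err := validateStore(tt.obj)
-			tt.assertErr(t, err)
-			tt.assertWarns(t, warns)
-		})
-	}
-}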

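--- a/apis/externalsecrets/v1/secretstore_yandexcertificatemanager_types.go
+++ b/apis/externalsecrets/v1/secretstore_yandexcertificatemanager_types.go
@@ -1,43 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1
-
-import (
-	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-)
-
-type YandexCertificateManagerAuth struct {
-	// The authorized key used for authentication
-	// +optional
-	AuthorizedKey esmeta.SecretKeySelector `json:"authorizedKeySecretRef,omitempty"`
-}
-
-type YandexCertificateManagerCAProvider struct {
-	Certificate esmeta.SecretKeySelector `json:"certSecretRef,omitempty"`
-}
-
-// YandexCertificateManagerProvider Configures a store to sync secrets using the Yandex Certificate Manager provider.
-type YandexCertificateManagerProvider struct {
-	// Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
-	// +optional
-	APIEndpoint string `json:"apiEndpoint,omitempty"`
-
-	// Auth defines the information necessary to authenticate against Yandex Certificate Manager
-	Auth YandexCertificateManagerAuth `json:"auth"`
-
-	// The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
-	// +optional
-	CAProvider *YandexCertificateManagerCAProvider `json:"caProvider,omitempty"`
-}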

+ 0 - 3702
apis/externalsecrets/v1/zz_generated.deepcopy.go

@@ -1,3702 +0,0 @@
-//go:build !ignore_autogenerated
-
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Code generated by controller-gen. DO NOT EDIT.
-
-package v1
-
-import (
-	apismetav1 "github.com/external-secrets/external-secrets/apis/meta/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-)
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AWSAuth) DeepCopyInto(out *AWSAuth) {
-	*out = *in
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(AWSAuthSecretRef)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.JWTAuth != nil {
-		in, out := &in.JWTAuth, &out.JWTAuth
-		*out = new(AWSJWTAuth)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSAuth.
-func (in *AWSAuth) DeepCopy() *AWSAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(AWSAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AWSAuthSecretRef) DeepCopyInto(out *AWSAuthSecretRef) {
-	*out = *in
-	in.AccessKeyID.DeepCopyInto(&out.AccessKeyID)
-	in.SecretAccessKey.DeepCopyInto(&out.SecretAccessKey)
-	if in.SessionToken != nil {
-		in, out := &in.SessionToken, &out.SessionToken
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSAuthSecretRef.
-func (in *AWSAuthSecretRef) DeepCopy() *AWSAuthSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(AWSAuthSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AWSJWTAuth) DeepCopyInto(out *AWSJWTAuth) {
-	*out = *in
-	if in.ServiceAccountRef != nil {
-		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
-		*out = new(apismetav1.ServiceAccountSelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSJWTAuth.
-func (in *AWSJWTAuth) DeepCopy() *AWSJWTAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(AWSJWTAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AWSProvider) DeepCopyInto(out *AWSProvider) {
-	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
-	if in.AdditionalRoles != nil {
-		in, out := &in.AdditionalRoles, &out.AdditionalRoles
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-	if in.SessionTags != nil {
-		in, out := &in.SessionTags, &out.SessionTags
-		*out = make([]*Tag, len(*in))
-		for i := range *in {
-			if (*in)[i] != nil {
-				in, out := &(*in)[i], &(*out)[i]
-				*out = new(Tag)
-				**out = **in
-			}
-		}
-	}
-	if in.SecretsManager != nil {
-		in, out := &in.SecretsManager, &out.SecretsManager
-		*out = new(SecretsManager)
-		**out = **in
-	}
-	if in.TransitiveTagKeys != nil {
-		in, out := &in.TransitiveTagKeys, &out.TransitiveTagKeys
-		*out = make([]*string, len(*in))
-		for i := range *in {
-			if (*in)[i] != nil {
-				in, out := &(*in)[i], &(*out)[i]
-				*out = new(string)
-				**out = **in
-			}
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSProvider.
-func (in *AWSProvider) DeepCopy() *AWSProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(AWSProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AkeylessAuth) DeepCopyInto(out *AkeylessAuth) {
-	*out = *in
-	in.SecretRef.DeepCopyInto(&out.SecretRef)
-	if in.KubernetesAuth != nil {
-		in, out := &in.KubernetesAuth, &out.KubernetesAuth
-		*out = new(AkeylessKubernetesAuth)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AkeylessAuth.
-func (in *AkeylessAuth) DeepCopy() *AkeylessAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(AkeylessAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AkeylessAuthSecretRef) DeepCopyInto(out *AkeylessAuthSecretRef) {
-	*out = *in
-	in.AccessID.DeepCopyInto(&out.AccessID)
-	in.AccessType.DeepCopyInto(&out.AccessType)
-	in.AccessTypeParam.DeepCopyInto(&out.AccessTypeParam)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AkeylessAuthSecretRef.
-func (in *AkeylessAuthSecretRef) DeepCopy() *AkeylessAuthSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(AkeylessAuthSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AkeylessKubernetesAuth) DeepCopyInto(out *AkeylessKubernetesAuth) {
-	*out = *in
-	if in.ServiceAccountRef != nil {
-		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
-		*out = new(apismetav1.ServiceAccountSelector)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AkeylessKubernetesAuth.
-func (in *AkeylessKubernetesAuth) DeepCopy() *AkeylessKubernetesAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(AkeylessKubernetesAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AkeylessProvider) DeepCopyInto(out *AkeylessProvider) {
-	*out = *in
-	if in.AkeylessGWApiURL != nil {
-		in, out := &in.AkeylessGWApiURL, &out.AkeylessGWApiURL
-		*out = new(string)
-		**out = **in
-	}
-	if in.Auth != nil {
-		in, out := &in.Auth, &out.Auth
-		*out = new(AkeylessAuth)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.CABundle != nil {
-		in, out := &in.CABundle, &out.CABundle
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	if in.CAProvider != nil {
-		in, out := &in.CAProvider, &out.CAProvider
-		*out = new(CAProvider)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AkeylessProvider.
-func (in *AkeylessProvider) DeepCopy() *AkeylessProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(AkeylessProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AlibabaAuth) DeepCopyInto(out *AlibabaAuth) {
-	*out = *in
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(AlibabaAuthSecretRef)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.RRSAAuth != nil {
-		in, out := &in.RRSAAuth, &out.RRSAAuth
-		*out = new(AlibabaRRSAAuth)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlibabaAuth.
-func (in *AlibabaAuth) DeepCopy() *AlibabaAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(AlibabaAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AlibabaAuthSecretRef) DeepCopyInto(out *AlibabaAuthSecretRef) {
-	*out = *in
-	in.AccessKeyID.DeepCopyInto(&out.AccessKeyID)
-	in.AccessKeySecret.DeepCopyInto(&out.AccessKeySecret)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlibabaAuthSecretRef.
-func (in *AlibabaAuthSecretRef) DeepCopy() *AlibabaAuthSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(AlibabaAuthSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AlibabaProvider) DeepCopyInto(out *AlibabaProvider) {
-	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlibabaProvider.
-func (in *AlibabaProvider) DeepCopy() *AlibabaProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(AlibabaProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AlibabaRRSAAuth) DeepCopyInto(out *AlibabaRRSAAuth) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlibabaRRSAAuth.
-func (in *AlibabaRRSAAuth) DeepCopy() *AlibabaRRSAAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(AlibabaRRSAAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AzureKVAuth) DeepCopyInto(out *AzureKVAuth) {
-	*out = *in
-	if in.ClientID != nil {
-		in, out := &in.ClientID, &out.ClientID
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.TenantID != nil {
-		in, out := &in.TenantID, &out.TenantID
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.ClientSecret != nil {
-		in, out := &in.ClientSecret, &out.ClientSecret
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.ClientCertificate != nil {
-		in, out := &in.ClientCertificate, &out.ClientCertificate
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureKVAuth.
-func (in *AzureKVAuth) DeepCopy() *AzureKVAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(AzureKVAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AzureKVProvider) DeepCopyInto(out *AzureKVProvider) {
-	*out = *in
-	if in.AuthType != nil {
-		in, out := &in.AuthType, &out.AuthType
-		*out = new(AzureAuthType)
-		**out = **in
-	}
-	if in.VaultURL != nil {
-		in, out := &in.VaultURL, &out.VaultURL
-		*out = new(string)
-		**out = **in
-	}
-	if in.TenantID != nil {
-		in, out := &in.TenantID, &out.TenantID
-		*out = new(string)
-		**out = **in
-	}
-	if in.AuthSecretRef != nil {
-		in, out := &in.AuthSecretRef, &out.AuthSecretRef
-		*out = new(AzureKVAuth)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.ServiceAccountRef != nil {
-		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
-		*out = new(apismetav1.ServiceAccountSelector)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.IdentityID != nil {
-		in, out := &in.IdentityID, &out.IdentityID
-		*out = new(string)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureKVProvider.
-func (in *AzureKVProvider) DeepCopy() *AzureKVProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(AzureKVProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *BeyondTrustProviderSecretRef) DeepCopyInto(out *BeyondTrustProviderSecretRef) {
-	*out = *in
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BeyondTrustProviderSecretRef.
-func (in *BeyondTrustProviderSecretRef) DeepCopy() *BeyondTrustProviderSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(BeyondTrustProviderSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *BeyondtrustAuth) DeepCopyInto(out *BeyondtrustAuth) {
-	*out = *in
-	if in.APIKey != nil {
-		in, out := &in.APIKey, &out.APIKey
-		*out = new(BeyondTrustProviderSecretRef)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.ClientID != nil {
-		in, out := &in.ClientID, &out.ClientID
-		*out = new(BeyondTrustProviderSecretRef)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.ClientSecret != nil {
-		in, out := &in.ClientSecret, &out.ClientSecret
-		*out = new(BeyondTrustProviderSecretRef)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Certificate != nil {
-		in, out := &in.Certificate, &out.Certificate
-		*out = new(BeyondTrustProviderSecretRef)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.CertificateKey != nil {
-		in, out := &in.CertificateKey, &out.CertificateKey
-		*out = new(BeyondTrustProviderSecretRef)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BeyondtrustAuth.
-func (in *BeyondtrustAuth) DeepCopy() *BeyondtrustAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(BeyondtrustAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *BeyondtrustProvider) DeepCopyInto(out *BeyondtrustProvider) {
-	*out = *in
-	if in.Auth != nil {
-		in, out := &in.Auth, &out.Auth
-		*out = new(BeyondtrustAuth)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Server != nil {
-		in, out := &in.Server, &out.Server
-		*out = new(BeyondtrustServer)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BeyondtrustProvider.
-func (in *BeyondtrustProvider) DeepCopy() *BeyondtrustProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(BeyondtrustProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *BeyondtrustServer) DeepCopyInto(out *BeyondtrustServer) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BeyondtrustServer.
-func (in *BeyondtrustServer) DeepCopy() *BeyondtrustServer {
-	if in == nil {
-		return nil
-	}
-	out := new(BeyondtrustServer)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *BitwardenSecretsManagerAuth) DeepCopyInto(out *BitwardenSecretsManagerAuth) {
-	*out = *in
-	in.SecretRef.DeepCopyInto(&out.SecretRef)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BitwardenSecretsManagerAuth.
-func (in *BitwardenSecretsManagerAuth) DeepCopy() *BitwardenSecretsManagerAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(BitwardenSecretsManagerAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *BitwardenSecretsManagerProvider) DeepCopyInto(out *BitwardenSecretsManagerProvider) {
-	*out = *in
-	if in.CAProvider != nil {
-		in, out := &in.CAProvider, &out.CAProvider
-		*out = new(CAProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	in.Auth.DeepCopyInto(&out.Auth)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BitwardenSecretsManagerProvider.
-func (in *BitwardenSecretsManagerProvider) DeepCopy() *BitwardenSecretsManagerProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(BitwardenSecretsManagerProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *BitwardenSecretsManagerSecretRef) DeepCopyInto(out *BitwardenSecretsManagerSecretRef) {
-	*out = *in
-	in.Credentials.DeepCopyInto(&out.Credentials)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BitwardenSecretsManagerSecretRef.
-func (in *BitwardenSecretsManagerSecretRef) DeepCopy() *BitwardenSecretsManagerSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(BitwardenSecretsManagerSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CAProvider) DeepCopyInto(out *CAProvider) {
-	*out = *in
-	if in.Namespace != nil {
-		in, out := &in.Namespace, &out.Namespace
-		*out = new(string)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAProvider.
-func (in *CAProvider) DeepCopy() *CAProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(CAProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CSMAuth) DeepCopyInto(out *CSMAuth) {
-	*out = *in
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(CSMAuthSecretRef)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CSMAuth.
-func (in *CSMAuth) DeepCopy() *CSMAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(CSMAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CSMAuthSecretRef) DeepCopyInto(out *CSMAuthSecretRef) {
-	*out = *in
-	in.AccessKeyID.DeepCopyInto(&out.AccessKeyID)
-	in.AccessKeySecret.DeepCopyInto(&out.AccessKeySecret)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CSMAuthSecretRef.
-func (in *CSMAuthSecretRef) DeepCopy() *CSMAuthSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(CSMAuthSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CertAuth) DeepCopyInto(out *CertAuth) {
-	*out = *in
-	in.ClientCert.DeepCopyInto(&out.ClientCert)
-	in.ClientKey.DeepCopyInto(&out.ClientKey)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertAuth.
-func (in *CertAuth) DeepCopy() *CertAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(CertAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ChefAuth) DeepCopyInto(out *ChefAuth) {
-	*out = *in
-	in.SecretRef.DeepCopyInto(&out.SecretRef)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ChefAuth.
-func (in *ChefAuth) DeepCopy() *ChefAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(ChefAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ChefAuthSecretRef) DeepCopyInto(out *ChefAuthSecretRef) {
-	*out = *in
-	in.SecretKey.DeepCopyInto(&out.SecretKey)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ChefAuthSecretRef.
-func (in *ChefAuthSecretRef) DeepCopy() *ChefAuthSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(ChefAuthSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ChefProvider) DeepCopyInto(out *ChefProvider) {
-	*out = *in
-	if in.Auth != nil {
-		in, out := &in.Auth, &out.Auth
-		*out = new(ChefAuth)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ChefProvider.
-func (in *ChefProvider) DeepCopy() *ChefProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(ChefProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CloudruSMProvider) DeepCopyInto(out *CloudruSMProvider) {
-	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudruSMProvider.
-func (in *CloudruSMProvider) DeepCopy() *CloudruSMProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(CloudruSMProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ClusterExternalSecret) DeepCopyInto(out *ClusterExternalSecret) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	in.Spec.DeepCopyInto(&out.Spec)
-	in.Status.DeepCopyInto(&out.Status)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterExternalSecret.
-func (in *ClusterExternalSecret) DeepCopy() *ClusterExternalSecret {
-	if in == nil {
-		return nil
-	}
-	out := new(ClusterExternalSecret)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *ClusterExternalSecret) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ClusterExternalSecretList) DeepCopyInto(out *ClusterExternalSecretList) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]ClusterExternalSecret, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterExternalSecretList.
-func (in *ClusterExternalSecretList) DeepCopy() *ClusterExternalSecretList {
-	if in == nil {
-		return nil
-	}
-	out := new(ClusterExternalSecretList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *ClusterExternalSecretList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ClusterExternalSecretNamespaceFailure) DeepCopyInto(out *ClusterExternalSecretNamespaceFailure) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterExternalSecretNamespaceFailure.
-func (in *ClusterExternalSecretNamespaceFailure) DeepCopy() *ClusterExternalSecretNamespaceFailure {
-	if in == nil {
-		return nil
-	}
-	out := new(ClusterExternalSecretNamespaceFailure)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ClusterExternalSecretSpec) DeepCopyInto(out *ClusterExternalSecretSpec) {
-	*out = *in
-	in.ExternalSecretSpec.DeepCopyInto(&out.ExternalSecretSpec)
-	in.ExternalSecretMetadata.DeepCopyInto(&out.ExternalSecretMetadata)
-	if in.NamespaceSelector != nil {
-		in, out := &in.NamespaceSelector, &out.NamespaceSelector
-		*out = new(metav1.LabelSelector)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.NamespaceSelectors != nil {
-		in, out := &in.NamespaceSelectors, &out.NamespaceSelectors
-		*out = make([]*metav1.LabelSelector, len(*in))
-		for i := range *in {
-			if (*in)[i] != nil {
-				in, out := &(*in)[i], &(*out)[i]
-				*out = new(metav1.LabelSelector)
-				(*in).DeepCopyInto(*out)
-			}
-		}
-	}
-	if in.Namespaces != nil {
-		in, out := &in.Namespaces, &out.Namespaces
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-	if in.RefreshInterval != nil {
-		in, out := &in.RefreshInterval, &out.RefreshInterval
-		*out = new(metav1.Duration)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterExternalSecretSpec.
-func (in *ClusterExternalSecretSpec) DeepCopy() *ClusterExternalSecretSpec {
-	if in == nil {
-		return nil
-	}
-	out := new(ClusterExternalSecretSpec)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ClusterExternalSecretStatus) DeepCopyInto(out *ClusterExternalSecretStatus) {
-	*out = *in
-	if in.FailedNamespaces != nil {
-		in, out := &in.FailedNamespaces, &out.FailedNamespaces
-		*out = make([]ClusterExternalSecretNamespaceFailure, len(*in))
-		copy(*out, *in)
-	}
-	if in.ProvisionedNamespaces != nil {
-		in, out := &in.ProvisionedNamespaces, &out.ProvisionedNamespaces
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-	if in.Conditions != nil {
-		in, out := &in.Conditions, &out.Conditions
-		*out = make([]ClusterExternalSecretStatusCondition, len(*in))
-		copy(*out, *in)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterExternalSecretStatus.
-func (in *ClusterExternalSecretStatus) DeepCopy() *ClusterExternalSecretStatus {
-	if in == nil {
-		return nil
-	}
-	out := new(ClusterExternalSecretStatus)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ClusterExternalSecretStatusCondition) DeepCopyInto(out *ClusterExternalSecretStatusCondition) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterExternalSecretStatusCondition.
-func (in *ClusterExternalSecretStatusCondition) DeepCopy() *ClusterExternalSecretStatusCondition {
-	if in == nil {
-		return nil
-	}
-	out := new(ClusterExternalSecretStatusCondition)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ClusterSecretStore) DeepCopyInto(out *ClusterSecretStore) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	in.Spec.DeepCopyInto(&out.Spec)
-	in.Status.DeepCopyInto(&out.Status)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSecretStore.
-func (in *ClusterSecretStore) DeepCopy() *ClusterSecretStore {
-	if in == nil {
-		return nil
-	}
-	out := new(ClusterSecretStore)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *ClusterSecretStore) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ClusterSecretStoreCondition) DeepCopyInto(out *ClusterSecretStoreCondition) {
-	*out = *in
-	if in.NamespaceSelector != nil {
-		in, out := &in.NamespaceSelector, &out.NamespaceSelector
-		*out = new(metav1.LabelSelector)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Namespaces != nil {
-		in, out := &in.Namespaces, &out.Namespaces
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-	if in.NamespaceRegexes != nil {
-		in, out := &in.NamespaceRegexes, &out.NamespaceRegexes
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSecretStoreCondition.
-func (in *ClusterSecretStoreCondition) DeepCopy() *ClusterSecretStoreCondition {
-	if in == nil {
-		return nil
-	}
-	out := new(ClusterSecretStoreCondition)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ClusterSecretStoreList) DeepCopyInto(out *ClusterSecretStoreList) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]ClusterSecretStore, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSecretStoreList.
-func (in *ClusterSecretStoreList) DeepCopy() *ClusterSecretStoreList {
-	if in == nil {
-		return nil
-	}
-	out := new(ClusterSecretStoreList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *ClusterSecretStoreList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ConjurAPIKey) DeepCopyInto(out *ConjurAPIKey) {
-	*out = *in
-	if in.UserRef != nil {
-		in, out := &in.UserRef, &out.UserRef
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.APIKeyRef != nil {
-		in, out := &in.APIKeyRef, &out.APIKeyRef
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConjurAPIKey.
-func (in *ConjurAPIKey) DeepCopy() *ConjurAPIKey {
-	if in == nil {
-		return nil
-	}
-	out := new(ConjurAPIKey)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ConjurAuth) DeepCopyInto(out *ConjurAuth) {
-	*out = *in
-	if in.APIKey != nil {
-		in, out := &in.APIKey, &out.APIKey
-		*out = new(ConjurAPIKey)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Jwt != nil {
-		in, out := &in.Jwt, &out.Jwt
-		*out = new(ConjurJWT)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConjurAuth.
-func (in *ConjurAuth) DeepCopy() *ConjurAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(ConjurAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ConjurJWT) DeepCopyInto(out *ConjurJWT) {
-	*out = *in
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.ServiceAccountRef != nil {
-		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
-		*out = new(apismetav1.ServiceAccountSelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConjurJWT.
-func (in *ConjurJWT) DeepCopy() *ConjurJWT {
-	if in == nil {
-		return nil
-	}
-	out := new(ConjurJWT)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ConjurProvider) DeepCopyInto(out *ConjurProvider) {
-	*out = *in
-	if in.CAProvider != nil {
-		in, out := &in.CAProvider, &out.CAProvider
-		*out = new(CAProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	in.Auth.DeepCopyInto(&out.Auth)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConjurProvider.
-func (in *ConjurProvider) DeepCopy() *ConjurProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(ConjurProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *DelineaProvider) DeepCopyInto(out *DelineaProvider) {
-	*out = *in
-	if in.ClientID != nil {
-		in, out := &in.ClientID, &out.ClientID
-		*out = new(DelineaProviderSecretRef)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.ClientSecret != nil {
-		in, out := &in.ClientSecret, &out.ClientSecret
-		*out = new(DelineaProviderSecretRef)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DelineaProvider.
-func (in *DelineaProvider) DeepCopy() *DelineaProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(DelineaProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *DelineaProviderSecretRef) DeepCopyInto(out *DelineaProviderSecretRef) {
-	*out = *in
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DelineaProviderSecretRef.
-func (in *DelineaProviderSecretRef) DeepCopy() *DelineaProviderSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(DelineaProviderSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Device42Auth) DeepCopyInto(out *Device42Auth) {
-	*out = *in
-	in.SecretRef.DeepCopyInto(&out.SecretRef)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Device42Auth.
-func (in *Device42Auth) DeepCopy() *Device42Auth {
-	if in == nil {
-		return nil
-	}
-	out := new(Device42Auth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Device42Provider) DeepCopyInto(out *Device42Provider) {
-	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Device42Provider.
-func (in *Device42Provider) DeepCopy() *Device42Provider {
-	if in == nil {
-		return nil
-	}
-	out := new(Device42Provider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Device42SecretRef) DeepCopyInto(out *Device42SecretRef) {
-	*out = *in
-	in.Credentials.DeepCopyInto(&out.Credentials)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Device42SecretRef.
-func (in *Device42SecretRef) DeepCopy() *Device42SecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(Device42SecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *DopplerAuth) DeepCopyInto(out *DopplerAuth) {
-	*out = *in
-	in.SecretRef.DeepCopyInto(&out.SecretRef)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DopplerAuth.
-func (in *DopplerAuth) DeepCopy() *DopplerAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(DopplerAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *DopplerAuthSecretRef) DeepCopyInto(out *DopplerAuthSecretRef) {
-	*out = *in
-	in.DopplerToken.DeepCopyInto(&out.DopplerToken)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DopplerAuthSecretRef.
-func (in *DopplerAuthSecretRef) DeepCopy() *DopplerAuthSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(DopplerAuthSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *DopplerProvider) DeepCopyInto(out *DopplerProvider) {
-	*out = *in
-	if in.Auth != nil {
-		in, out := &in.Auth, &out.Auth
-		*out = new(DopplerAuth)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DopplerProvider.
-func (in *DopplerProvider) DeepCopy() *DopplerProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(DopplerProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecret) DeepCopyInto(out *ExternalSecret) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	in.Spec.DeepCopyInto(&out.Spec)
-	in.Status.DeepCopyInto(&out.Status)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecret.
-func (in *ExternalSecret) DeepCopy() *ExternalSecret {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecret)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *ExternalSecret) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretData) DeepCopyInto(out *ExternalSecretData) {
-	*out = *in
-	out.RemoteRef = in.RemoteRef
-	if in.SourceRef != nil {
-		in, out := &in.SourceRef, &out.SourceRef
-		*out = new(StoreSourceRef)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretData.
-func (in *ExternalSecretData) DeepCopy() *ExternalSecretData {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretData)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretDataFromRemoteRef) DeepCopyInto(out *ExternalSecretDataFromRemoteRef) {
-	*out = *in
-	if in.Extract != nil {
-		in, out := &in.Extract, &out.Extract
-		*out = new(ExternalSecretDataRemoteRef)
-		**out = **in
-	}
-	if in.Find != nil {
-		in, out := &in.Find, &out.Find
-		*out = new(ExternalSecretFind)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Rewrite != nil {
-		in, out := &in.Rewrite, &out.Rewrite
-		*out = make([]ExternalSecretRewrite, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.SourceRef != nil {
-		in, out := &in.SourceRef, &out.SourceRef
-		*out = new(StoreGeneratorSourceRef)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretDataFromRemoteRef.
-func (in *ExternalSecretDataFromRemoteRef) DeepCopy() *ExternalSecretDataFromRemoteRef {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretDataFromRemoteRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretDataRemoteRef) DeepCopyInto(out *ExternalSecretDataRemoteRef) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretDataRemoteRef.
-func (in *ExternalSecretDataRemoteRef) DeepCopy() *ExternalSecretDataRemoteRef {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretDataRemoteRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretFind) DeepCopyInto(out *ExternalSecretFind) {
-	*out = *in
-	if in.Path != nil {
-		in, out := &in.Path, &out.Path
-		*out = new(string)
-		**out = **in
-	}
-	if in.Name != nil {
-		in, out := &in.Name, &out.Name
-		*out = new(FindName)
-		**out = **in
-	}
-	if in.Tags != nil {
-		in, out := &in.Tags, &out.Tags
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretFind.
-func (in *ExternalSecretFind) DeepCopy() *ExternalSecretFind {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretFind)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretList) DeepCopyInto(out *ExternalSecretList) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]ExternalSecret, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretList.
-func (in *ExternalSecretList) DeepCopy() *ExternalSecretList {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *ExternalSecretList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretMetadata) DeepCopyInto(out *ExternalSecretMetadata) {
-	*out = *in
-	if in.Annotations != nil {
-		in, out := &in.Annotations, &out.Annotations
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-	if in.Labels != nil {
-		in, out := &in.Labels, &out.Labels
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretMetadata.
-func (in *ExternalSecretMetadata) DeepCopy() *ExternalSecretMetadata {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretMetadata)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretRewrite) DeepCopyInto(out *ExternalSecretRewrite) {
-	*out = *in
-	if in.Regexp != nil {
-		in, out := &in.Regexp, &out.Regexp
-		*out = new(ExternalSecretRewriteRegexp)
-		**out = **in
-	}
-	if in.Transform != nil {
-		in, out := &in.Transform, &out.Transform
-		*out = new(ExternalSecretRewriteTransform)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretRewrite.
-func (in *ExternalSecretRewrite) DeepCopy() *ExternalSecretRewrite {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretRewrite)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretRewriteRegexp) DeepCopyInto(out *ExternalSecretRewriteRegexp) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretRewriteRegexp.
-func (in *ExternalSecretRewriteRegexp) DeepCopy() *ExternalSecretRewriteRegexp {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretRewriteRegexp)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretRewriteTransform) DeepCopyInto(out *ExternalSecretRewriteTransform) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretRewriteTransform.
-func (in *ExternalSecretRewriteTransform) DeepCopy() *ExternalSecretRewriteTransform {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretRewriteTransform)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretSpec) DeepCopyInto(out *ExternalSecretSpec) {
-	*out = *in
-	out.SecretStoreRef = in.SecretStoreRef
-	in.Target.DeepCopyInto(&out.Target)
-	if in.RefreshInterval != nil {
-		in, out := &in.RefreshInterval, &out.RefreshInterval
-		*out = new(metav1.Duration)
-		**out = **in
-	}
-	if in.Data != nil {
-		in, out := &in.Data, &out.Data
-		*out = make([]ExternalSecretData, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.DataFrom != nil {
-		in, out := &in.DataFrom, &out.DataFrom
-		*out = make([]ExternalSecretDataFromRemoteRef, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretSpec.
-func (in *ExternalSecretSpec) DeepCopy() *ExternalSecretSpec {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretSpec)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretStatus) DeepCopyInto(out *ExternalSecretStatus) {
-	*out = *in
-	in.RefreshTime.DeepCopyInto(&out.RefreshTime)
-	if in.Conditions != nil {
-		in, out := &in.Conditions, &out.Conditions
-		*out = make([]ExternalSecretStatusCondition, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	out.Binding = in.Binding
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretStatus.
-func (in *ExternalSecretStatus) DeepCopy() *ExternalSecretStatus {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretStatus)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretStatusCondition) DeepCopyInto(out *ExternalSecretStatusCondition) {
-	*out = *in
-	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretStatusCondition.
-func (in *ExternalSecretStatusCondition) DeepCopy() *ExternalSecretStatusCondition {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretStatusCondition)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretTarget) DeepCopyInto(out *ExternalSecretTarget) {
-	*out = *in
-	if in.Template != nil {
-		in, out := &in.Template, &out.Template
-		*out = new(ExternalSecretTemplate)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretTarget.
-func (in *ExternalSecretTarget) DeepCopy() *ExternalSecretTarget {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretTarget)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretTemplate) DeepCopyInto(out *ExternalSecretTemplate) {
-	*out = *in
-	in.Metadata.DeepCopyInto(&out.Metadata)
-	if in.Data != nil {
-		in, out := &in.Data, &out.Data
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-	if in.TemplateFrom != nil {
-		in, out := &in.TemplateFrom, &out.TemplateFrom
-		*out = make([]TemplateFrom, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretTemplate.
-func (in *ExternalSecretTemplate) DeepCopy() *ExternalSecretTemplate {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretTemplate)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretTemplateMetadata) DeepCopyInto(out *ExternalSecretTemplateMetadata) {
-	*out = *in
-	if in.Annotations != nil {
-		in, out := &in.Annotations, &out.Annotations
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-	if in.Labels != nil {
-		in, out := &in.Labels, &out.Labels
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretTemplateMetadata.
-func (in *ExternalSecretTemplateMetadata) DeepCopy() *ExternalSecretTemplateMetadata {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretTemplateMetadata)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretValidator) DeepCopyInto(out *ExternalSecretValidator) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretValidator.
-func (in *ExternalSecretValidator) DeepCopy() *ExternalSecretValidator {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretValidator)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FakeProvider) DeepCopyInto(out *FakeProvider) {
-	*out = *in
-	if in.Data != nil {
-		in, out := &in.Data, &out.Data
-		*out = make([]FakeProviderData, len(*in))
-		copy(*out, *in)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FakeProvider.
-func (in *FakeProvider) DeepCopy() *FakeProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(FakeProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FakeProviderData) DeepCopyInto(out *FakeProviderData) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FakeProviderData.
-func (in *FakeProviderData) DeepCopy() *FakeProviderData {
-	if in == nil {
-		return nil
-	}
-	out := new(FakeProviderData)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FindName) DeepCopyInto(out *FindName) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FindName.
-func (in *FindName) DeepCopy() *FindName {
-	if in == nil {
-		return nil
-	}
-	out := new(FindName)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FortanixProvider) DeepCopyInto(out *FortanixProvider) {
-	*out = *in
-	if in.APIKey != nil {
-		in, out := &in.APIKey, &out.APIKey
-		*out = new(FortanixProviderSecretRef)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FortanixProvider.
-func (in *FortanixProvider) DeepCopy() *FortanixProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(FortanixProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FortanixProviderSecretRef) DeepCopyInto(out *FortanixProviderSecretRef) {
-	*out = *in
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FortanixProviderSecretRef.
-func (in *FortanixProviderSecretRef) DeepCopy() *FortanixProviderSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(FortanixProviderSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GCPSMAuth) DeepCopyInto(out *GCPSMAuth) {
-	*out = *in
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(GCPSMAuthSecretRef)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.WorkloadIdentity != nil {
-		in, out := &in.WorkloadIdentity, &out.WorkloadIdentity
-		*out = new(GCPWorkloadIdentity)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPSMAuth.
-func (in *GCPSMAuth) DeepCopy() *GCPSMAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(GCPSMAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GCPSMAuthSecretRef) DeepCopyInto(out *GCPSMAuthSecretRef) {
-	*out = *in
-	in.SecretAccessKey.DeepCopyInto(&out.SecretAccessKey)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPSMAuthSecretRef.
-func (in *GCPSMAuthSecretRef) DeepCopy() *GCPSMAuthSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(GCPSMAuthSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GCPSMProvider) DeepCopyInto(out *GCPSMProvider) {
-	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPSMProvider.
-func (in *GCPSMProvider) DeepCopy() *GCPSMProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(GCPSMProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GCPWorkloadIdentity) DeepCopyInto(out *GCPWorkloadIdentity) {
-	*out = *in
-	in.ServiceAccountRef.DeepCopyInto(&out.ServiceAccountRef)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPWorkloadIdentity.
-func (in *GCPWorkloadIdentity) DeepCopy() *GCPWorkloadIdentity {
-	if in == nil {
-		return nil
-	}
-	out := new(GCPWorkloadIdentity)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GeneratorRef) DeepCopyInto(out *GeneratorRef) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GeneratorRef.
-func (in *GeneratorRef) DeepCopy() *GeneratorRef {
-	if in == nil {
-		return nil
-	}
-	out := new(GeneratorRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GenericStoreValidator) DeepCopyInto(out *GenericStoreValidator) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenericStoreValidator.
-func (in *GenericStoreValidator) DeepCopy() *GenericStoreValidator {
-	if in == nil {
-		return nil
-	}
-	out := new(GenericStoreValidator)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GithubAppAuth) DeepCopyInto(out *GithubAppAuth) {
-	*out = *in
-	in.PrivateKey.DeepCopyInto(&out.PrivateKey)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GithubAppAuth.
-func (in *GithubAppAuth) DeepCopy() *GithubAppAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(GithubAppAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GithubProvider) DeepCopyInto(out *GithubProvider) {
-	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GithubProvider.
-func (in *GithubProvider) DeepCopy() *GithubProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(GithubProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GitlabAuth) DeepCopyInto(out *GitlabAuth) {
-	*out = *in
-	in.SecretRef.DeepCopyInto(&out.SecretRef)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitlabAuth.
-func (in *GitlabAuth) DeepCopy() *GitlabAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(GitlabAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GitlabProvider) DeepCopyInto(out *GitlabProvider) {
-	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
-	if in.GroupIDs != nil {
-		in, out := &in.GroupIDs, &out.GroupIDs
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitlabProvider.
-func (in *GitlabProvider) DeepCopy() *GitlabProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(GitlabProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GitlabSecretRef) DeepCopyInto(out *GitlabSecretRef) {
-	*out = *in
-	in.AccessToken.DeepCopyInto(&out.AccessToken)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitlabSecretRef.
-func (in *GitlabSecretRef) DeepCopy() *GitlabSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(GitlabSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *IBMAuth) DeepCopyInto(out *IBMAuth) {
-	*out = *in
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(IBMAuthSecretRef)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.ContainerAuth != nil {
-		in, out := &in.ContainerAuth, &out.ContainerAuth
-		*out = new(IBMAuthContainerAuth)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IBMAuth.
-func (in *IBMAuth) DeepCopy() *IBMAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(IBMAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *IBMAuthContainerAuth) DeepCopyInto(out *IBMAuthContainerAuth) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IBMAuthContainerAuth.
-func (in *IBMAuthContainerAuth) DeepCopy() *IBMAuthContainerAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(IBMAuthContainerAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *IBMAuthSecretRef) DeepCopyInto(out *IBMAuthSecretRef) {
-	*out = *in
-	in.SecretAPIKey.DeepCopyInto(&out.SecretAPIKey)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IBMAuthSecretRef.
-func (in *IBMAuthSecretRef) DeepCopy() *IBMAuthSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(IBMAuthSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *IBMProvider) DeepCopyInto(out *IBMProvider) {
-	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
-	if in.ServiceURL != nil {
-		in, out := &in.ServiceURL, &out.ServiceURL
-		*out = new(string)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IBMProvider.
-func (in *IBMProvider) DeepCopy() *IBMProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(IBMProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *InfisicalAuth) DeepCopyInto(out *InfisicalAuth) {
-	*out = *in
-	if in.UniversalAuthCredentials != nil {
-		in, out := &in.UniversalAuthCredentials, &out.UniversalAuthCredentials
-		*out = new(UniversalAuthCredentials)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InfisicalAuth.
-func (in *InfisicalAuth) DeepCopy() *InfisicalAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(InfisicalAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *InfisicalProvider) DeepCopyInto(out *InfisicalProvider) {
-	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
-	out.SecretsScope = in.SecretsScope
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InfisicalProvider.
-func (in *InfisicalProvider) DeepCopy() *InfisicalProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(InfisicalProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *KeeperSecurityProvider) DeepCopyInto(out *KeeperSecurityProvider) {
-	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeeperSecurityProvider.
-func (in *KeeperSecurityProvider) DeepCopy() *KeeperSecurityProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(KeeperSecurityProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *KubernetesAuth) DeepCopyInto(out *KubernetesAuth) {
-	*out = *in
-	if in.Cert != nil {
-		in, out := &in.Cert, &out.Cert
-		*out = new(CertAuth)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Token != nil {
-		in, out := &in.Token, &out.Token
-		*out = new(TokenAuth)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.ServiceAccount != nil {
-		in, out := &in.ServiceAccount, &out.ServiceAccount
-		*out = new(apismetav1.ServiceAccountSelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesAuth.
-func (in *KubernetesAuth) DeepCopy() *KubernetesAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(KubernetesAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *KubernetesProvider) DeepCopyInto(out *KubernetesProvider) {
-	*out = *in
-	in.Server.DeepCopyInto(&out.Server)
-	in.Auth.DeepCopyInto(&out.Auth)
-	if in.AuthRef != nil {
-		in, out := &in.AuthRef, &out.AuthRef
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesProvider.
-func (in *KubernetesProvider) DeepCopy() *KubernetesProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(KubernetesProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *KubernetesServer) DeepCopyInto(out *KubernetesServer) {
-	*out = *in
-	if in.CABundle != nil {
-		in, out := &in.CABundle, &out.CABundle
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	if in.CAProvider != nil {
-		in, out := &in.CAProvider, &out.CAProvider
-		*out = new(CAProvider)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesServer.
-func (in *KubernetesServer) DeepCopy() *KubernetesServer {
-	if in == nil {
-		return nil
-	}
-	out := new(KubernetesServer)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *MachineIdentityScopeInWorkspace) DeepCopyInto(out *MachineIdentityScopeInWorkspace) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineIdentityScopeInWorkspace.
-func (in *MachineIdentityScopeInWorkspace) DeepCopy() *MachineIdentityScopeInWorkspace {
-	if in == nil {
-		return nil
-	}
-	out := new(MachineIdentityScopeInWorkspace)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *NoSecretError) DeepCopyInto(out *NoSecretError) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NoSecretError.
-func (in *NoSecretError) DeepCopy() *NoSecretError {
-	if in == nil {
-		return nil
-	}
-	out := new(NoSecretError)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *NotModifiedError) DeepCopyInto(out *NotModifiedError) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NotModifiedError.
-func (in *NotModifiedError) DeepCopy() *NotModifiedError {
-	if in == nil {
-		return nil
-	}
-	out := new(NotModifiedError)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OnboardbaseAuthSecretRef) DeepCopyInto(out *OnboardbaseAuthSecretRef) {
-	*out = *in
-	in.OnboardbaseAPIKeyRef.DeepCopyInto(&out.OnboardbaseAPIKeyRef)
-	in.OnboardbasePasscodeRef.DeepCopyInto(&out.OnboardbasePasscodeRef)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OnboardbaseAuthSecretRef.
-func (in *OnboardbaseAuthSecretRef) DeepCopy() *OnboardbaseAuthSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(OnboardbaseAuthSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OnboardbaseProvider) DeepCopyInto(out *OnboardbaseProvider) {
-	*out = *in
-	if in.Auth != nil {
-		in, out := &in.Auth, &out.Auth
-		*out = new(OnboardbaseAuthSecretRef)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OnboardbaseProvider.
-func (in *OnboardbaseProvider) DeepCopy() *OnboardbaseProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(OnboardbaseProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OnePasswordAuth) DeepCopyInto(out *OnePasswordAuth) {
-	*out = *in
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(OnePasswordAuthSecretRef)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OnePasswordAuth.
-func (in *OnePasswordAuth) DeepCopy() *OnePasswordAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(OnePasswordAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OnePasswordAuthSecretRef) DeepCopyInto(out *OnePasswordAuthSecretRef) {
-	*out = *in
-	in.ConnectToken.DeepCopyInto(&out.ConnectToken)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OnePasswordAuthSecretRef.
-func (in *OnePasswordAuthSecretRef) DeepCopy() *OnePasswordAuthSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(OnePasswordAuthSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OnePasswordProvider) DeepCopyInto(out *OnePasswordProvider) {
-	*out = *in
-	if in.Auth != nil {
-		in, out := &in.Auth, &out.Auth
-		*out = new(OnePasswordAuth)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Vaults != nil {
-		in, out := &in.Vaults, &out.Vaults
-		*out = make(map[string]int, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OnePasswordProvider.
-func (in *OnePasswordProvider) DeepCopy() *OnePasswordProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(OnePasswordProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OracleAuth) DeepCopyInto(out *OracleAuth) {
-	*out = *in
-	in.SecretRef.DeepCopyInto(&out.SecretRef)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OracleAuth.
-func (in *OracleAuth) DeepCopy() *OracleAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(OracleAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OracleProvider) DeepCopyInto(out *OracleProvider) {
-	*out = *in
-	if in.Auth != nil {
-		in, out := &in.Auth, &out.Auth
-		*out = new(OracleAuth)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.ServiceAccountRef != nil {
-		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
-		*out = new(apismetav1.ServiceAccountSelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OracleProvider.
-func (in *OracleProvider) DeepCopy() *OracleProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(OracleProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OracleSecretRef) DeepCopyInto(out *OracleSecretRef) {
-	*out = *in
-	in.PrivateKey.DeepCopyInto(&out.PrivateKey)
-	in.Fingerprint.DeepCopyInto(&out.Fingerprint)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OracleSecretRef.
-func (in *OracleSecretRef) DeepCopy() *OracleSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(OracleSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PassboltAuth) DeepCopyInto(out *PassboltAuth) {
-	*out = *in
-	if in.PasswordSecretRef != nil {
-		in, out := &in.PasswordSecretRef, &out.PasswordSecretRef
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.PrivateKeySecretRef != nil {
-		in, out := &in.PrivateKeySecretRef, &out.PrivateKeySecretRef
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PassboltAuth.
-func (in *PassboltAuth) DeepCopy() *PassboltAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(PassboltAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PassboltProvider) DeepCopyInto(out *PassboltProvider) {
-	*out = *in
-	if in.Auth != nil {
-		in, out := &in.Auth, &out.Auth
-		*out = new(PassboltAuth)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PassboltProvider.
-func (in *PassboltProvider) DeepCopy() *PassboltProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(PassboltProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PasswordDepotAuth) DeepCopyInto(out *PasswordDepotAuth) {
-	*out = *in
-	in.SecretRef.DeepCopyInto(&out.SecretRef)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PasswordDepotAuth.
-func (in *PasswordDepotAuth) DeepCopy() *PasswordDepotAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(PasswordDepotAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PasswordDepotProvider) DeepCopyInto(out *PasswordDepotProvider) {
-	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PasswordDepotProvider.
-func (in *PasswordDepotProvider) DeepCopy() *PasswordDepotProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(PasswordDepotProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PasswordDepotSecretRef) DeepCopyInto(out *PasswordDepotSecretRef) {
-	*out = *in
-	in.Credentials.DeepCopyInto(&out.Credentials)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PasswordDepotSecretRef.
-func (in *PasswordDepotSecretRef) DeepCopy() *PasswordDepotSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(PasswordDepotSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PreviderAuth) DeepCopyInto(out *PreviderAuth) {
-	*out = *in
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(PreviderAuthSecretRef)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PreviderAuth.
-func (in *PreviderAuth) DeepCopy() *PreviderAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(PreviderAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PreviderAuthSecretRef) DeepCopyInto(out *PreviderAuthSecretRef) {
-	*out = *in
-	in.AccessToken.DeepCopyInto(&out.AccessToken)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PreviderAuthSecretRef.
-func (in *PreviderAuthSecretRef) DeepCopy() *PreviderAuthSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(PreviderAuthSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PreviderProvider) DeepCopyInto(out *PreviderProvider) {
-	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PreviderProvider.
-func (in *PreviderProvider) DeepCopy() *PreviderProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(PreviderProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PulumiProvider) DeepCopyInto(out *PulumiProvider) {
-	*out = *in
-	if in.AccessToken != nil {
-		in, out := &in.AccessToken, &out.AccessToken
-		*out = new(PulumiProviderSecretRef)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PulumiProvider.
-func (in *PulumiProvider) DeepCopy() *PulumiProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(PulumiProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PulumiProviderSecretRef) DeepCopyInto(out *PulumiProviderSecretRef) {
-	*out = *in
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PulumiProviderSecretRef.
-func (in *PulumiProviderSecretRef) DeepCopy() *PulumiProviderSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(PulumiProviderSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ScalewayProvider) DeepCopyInto(out *ScalewayProvider) {
-	*out = *in
-	if in.AccessKey != nil {
-		in, out := &in.AccessKey, &out.AccessKey
-		*out = new(ScalewayProviderSecretRef)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.SecretKey != nil {
-		in, out := &in.SecretKey, &out.SecretKey
-		*out = new(ScalewayProviderSecretRef)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScalewayProvider.
-func (in *ScalewayProvider) DeepCopy() *ScalewayProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(ScalewayProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ScalewayProviderSecretRef) DeepCopyInto(out *ScalewayProviderSecretRef) {
-	*out = *in
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScalewayProviderSecretRef.
-func (in *ScalewayProviderSecretRef) DeepCopy() *ScalewayProviderSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(ScalewayProviderSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SecretServerProvider) DeepCopyInto(out *SecretServerProvider) {
-	*out = *in
-	if in.Username != nil {
-		in, out := &in.Username, &out.Username
-		*out = new(SecretServerProviderRef)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Password != nil {
-		in, out := &in.Password, &out.Password
-		*out = new(SecretServerProviderRef)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretServerProvider.
-func (in *SecretServerProvider) DeepCopy() *SecretServerProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(SecretServerProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SecretServerProviderRef) DeepCopyInto(out *SecretServerProviderRef) {
-	*out = *in
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretServerProviderRef.
-func (in *SecretServerProviderRef) DeepCopy() *SecretServerProviderRef {
-	if in == nil {
-		return nil
-	}
-	out := new(SecretServerProviderRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SecretStore) DeepCopyInto(out *SecretStore) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	in.Spec.DeepCopyInto(&out.Spec)
-	in.Status.DeepCopyInto(&out.Status)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStore.
-func (in *SecretStore) DeepCopy() *SecretStore {
-	if in == nil {
-		return nil
-	}
-	out := new(SecretStore)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *SecretStore) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SecretStoreList) DeepCopyInto(out *SecretStoreList) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]SecretStore, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreList.
-func (in *SecretStoreList) DeepCopy() *SecretStoreList {
-	if in == nil {
-		return nil
-	}
-	out := new(SecretStoreList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *SecretStoreList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SecretStoreProvider) DeepCopyInto(out *SecretStoreProvider) {
-	*out = *in
-	if in.AWS != nil {
-		in, out := &in.AWS, &out.AWS
-		*out = new(AWSProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.AzureKV != nil {
-		in, out := &in.AzureKV, &out.AzureKV
-		*out = new(AzureKVProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Akeyless != nil {
-		in, out := &in.Akeyless, &out.Akeyless
-		*out = new(AkeylessProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.BitwardenSecretsManager != nil {
-		in, out := &in.BitwardenSecretsManager, &out.BitwardenSecretsManager
-		*out = new(BitwardenSecretsManagerProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Vault != nil {
-		in, out := &in.Vault, &out.Vault
-		*out = new(VaultProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.GCPSM != nil {
-		in, out := &in.GCPSM, &out.GCPSM
-		*out = new(GCPSMProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Oracle != nil {
-		in, out := &in.Oracle, &out.Oracle
-		*out = new(OracleProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.IBM != nil {
-		in, out := &in.IBM, &out.IBM
-		*out = new(IBMProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.YandexCertificateManager != nil {
-		in, out := &in.YandexCertificateManager, &out.YandexCertificateManager
-		*out = new(YandexCertificateManagerProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.YandexLockbox != nil {
-		in, out := &in.YandexLockbox, &out.YandexLockbox
-		*out = new(YandexLockboxProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Github != nil {
-		in, out := &in.Github, &out.Github
-		*out = new(GithubProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Gitlab != nil {
-		in, out := &in.Gitlab, &out.Gitlab
-		*out = new(GitlabProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Alibaba != nil {
-		in, out := &in.Alibaba, &out.Alibaba
-		*out = new(AlibabaProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.OnePassword != nil {
-		in, out := &in.OnePassword, &out.OnePassword
-		*out = new(OnePasswordProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Webhook != nil {
-		in, out := &in.Webhook, &out.Webhook
-		*out = new(WebhookProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Kubernetes != nil {
-		in, out := &in.Kubernetes, &out.Kubernetes
-		*out = new(KubernetesProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Fake != nil {
-		in, out := &in.Fake, &out.Fake
-		*out = new(FakeProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Senhasegura != nil {
-		in, out := &in.Senhasegura, &out.Senhasegura
-		*out = new(SenhaseguraProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Scaleway != nil {
-		in, out := &in.Scaleway, &out.Scaleway
-		*out = new(ScalewayProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Doppler != nil {
-		in, out := &in.Doppler, &out.Doppler
-		*out = new(DopplerProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Previder != nil {
-		in, out := &in.Previder, &out.Previder
-		*out = new(PreviderProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Onboardbase != nil {
-		in, out := &in.Onboardbase, &out.Onboardbase
-		*out = new(OnboardbaseProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.KeeperSecurity != nil {
-		in, out := &in.KeeperSecurity, &out.KeeperSecurity
-		*out = new(KeeperSecurityProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Conjur != nil {
-		in, out := &in.Conjur, &out.Conjur
-		*out = new(ConjurProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Delinea != nil {
-		in, out := &in.Delinea, &out.Delinea
-		*out = new(DelineaProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.SecretServer != nil {
-		in, out := &in.SecretServer, &out.SecretServer
-		*out = new(SecretServerProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Chef != nil {
-		in, out := &in.Chef, &out.Chef
-		*out = new(ChefProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Pulumi != nil {
-		in, out := &in.Pulumi, &out.Pulumi
-		*out = new(PulumiProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Fortanix != nil {
-		in, out := &in.Fortanix, &out.Fortanix
-		*out = new(FortanixProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.PasswordDepot != nil {
-		in, out := &in.PasswordDepot, &out.PasswordDepot
-		*out = new(PasswordDepotProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Passbolt != nil {
-		in, out := &in.Passbolt, &out.Passbolt
-		*out = new(PassboltProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Device42 != nil {
-		in, out := &in.Device42, &out.Device42
-		*out = new(Device42Provider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Infisical != nil {
-		in, out := &in.Infisical, &out.Infisical
-		*out = new(InfisicalProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Beyondtrust != nil {
-		in, out := &in.Beyondtrust, &out.Beyondtrust
-		*out = new(BeyondtrustProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.CloudruSM != nil {
-		in, out := &in.CloudruSM, &out.CloudruSM
-		*out = new(CloudruSMProvider)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreProvider.
-func (in *SecretStoreProvider) DeepCopy() *SecretStoreProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(SecretStoreProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SecretStoreRef) DeepCopyInto(out *SecretStoreRef) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreRef.
-func (in *SecretStoreRef) DeepCopy() *SecretStoreRef {
-	if in == nil {
-		return nil
-	}
-	out := new(SecretStoreRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SecretStoreRetrySettings) DeepCopyInto(out *SecretStoreRetrySettings) {
-	*out = *in
-	if in.MaxRetries != nil {
-		in, out := &in.MaxRetries, &out.MaxRetries
-		*out = new(int32)
-		**out = **in
-	}
-	if in.RetryInterval != nil {
-		in, out := &in.RetryInterval, &out.RetryInterval
-		*out = new(string)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreRetrySettings.
-func (in *SecretStoreRetrySettings) DeepCopy() *SecretStoreRetrySettings {
-	if in == nil {
-		return nil
-	}
-	out := new(SecretStoreRetrySettings)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SecretStoreSpec) DeepCopyInto(out *SecretStoreSpec) {
-	*out = *in
-	if in.Provider != nil {
-		in, out := &in.Provider, &out.Provider
-		*out = new(SecretStoreProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.RetrySettings != nil {
-		in, out := &in.RetrySettings, &out.RetrySettings
-		*out = new(SecretStoreRetrySettings)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Conditions != nil {
-		in, out := &in.Conditions, &out.Conditions
-		*out = make([]ClusterSecretStoreCondition, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreSpec.
-func (in *SecretStoreSpec) DeepCopy() *SecretStoreSpec {
-	if in == nil {
-		return nil
-	}
-	out := new(SecretStoreSpec)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SecretStoreStatus) DeepCopyInto(out *SecretStoreStatus) {
-	*out = *in
-	if in.Conditions != nil {
-		in, out := &in.Conditions, &out.Conditions
-		*out = make([]SecretStoreStatusCondition, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreStatus.
-func (in *SecretStoreStatus) DeepCopy() *SecretStoreStatus {
-	if in == nil {
-		return nil
-	}
-	out := new(SecretStoreStatus)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SecretStoreStatusCondition) DeepCopyInto(out *SecretStoreStatusCondition) {
-	*out = *in
-	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreStatusCondition.
-func (in *SecretStoreStatusCondition) DeepCopy() *SecretStoreStatusCondition {
-	if in == nil {
-		return nil
-	}
-	out := new(SecretStoreStatusCondition)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SecretsManager) DeepCopyInto(out *SecretsManager) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsManager.
-func (in *SecretsManager) DeepCopy() *SecretsManager {
-	if in == nil {
-		return nil
-	}
-	out := new(SecretsManager)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SenhaseguraAuth) DeepCopyInto(out *SenhaseguraAuth) {
-	*out = *in
-	in.ClientSecret.DeepCopyInto(&out.ClientSecret)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SenhaseguraAuth.
-func (in *SenhaseguraAuth) DeepCopy() *SenhaseguraAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(SenhaseguraAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SenhaseguraProvider) DeepCopyInto(out *SenhaseguraProvider) {
-	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SenhaseguraProvider.
-func (in *SenhaseguraProvider) DeepCopy() *SenhaseguraProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(SenhaseguraProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *StoreGeneratorSourceRef) DeepCopyInto(out *StoreGeneratorSourceRef) {
-	*out = *in
-	if in.SecretStoreRef != nil {
-		in, out := &in.SecretStoreRef, &out.SecretStoreRef
-		*out = new(SecretStoreRef)
-		**out = **in
-	}
-	if in.GeneratorRef != nil {
-		in, out := &in.GeneratorRef, &out.GeneratorRef
-		*out = new(GeneratorRef)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StoreGeneratorSourceRef.
-func (in *StoreGeneratorSourceRef) DeepCopy() *StoreGeneratorSourceRef {
-	if in == nil {
-		return nil
-	}
-	out := new(StoreGeneratorSourceRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *StoreSourceRef) DeepCopyInto(out *StoreSourceRef) {
-	*out = *in
-	out.SecretStoreRef = in.SecretStoreRef
-	if in.GeneratorRef != nil {
-		in, out := &in.GeneratorRef, &out.GeneratorRef
-		*out = new(GeneratorRef)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StoreSourceRef.
-func (in *StoreSourceRef) DeepCopy() *StoreSourceRef {
-	if in == nil {
-		return nil
-	}
-	out := new(StoreSourceRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Tag) DeepCopyInto(out *Tag) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Tag.
-func (in *Tag) DeepCopy() *Tag {
-	if in == nil {
-		return nil
-	}
-	out := new(Tag)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TemplateFrom) DeepCopyInto(out *TemplateFrom) {
-	*out = *in
-	if in.ConfigMap != nil {
-		in, out := &in.ConfigMap, &out.ConfigMap
-		*out = new(TemplateRef)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Secret != nil {
-		in, out := &in.Secret, &out.Secret
-		*out = new(TemplateRef)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Literal != nil {
-		in, out := &in.Literal, &out.Literal
-		*out = new(string)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TemplateFrom.
-func (in *TemplateFrom) DeepCopy() *TemplateFrom {
-	if in == nil {
-		return nil
-	}
-	out := new(TemplateFrom)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TemplateRef) DeepCopyInto(out *TemplateRef) {
-	*out = *in
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]TemplateRefItem, len(*in))
-		copy(*out, *in)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TemplateRef.
-func (in *TemplateRef) DeepCopy() *TemplateRef {
-	if in == nil {
-		return nil
-	}
-	out := new(TemplateRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TemplateRefItem) DeepCopyInto(out *TemplateRefItem) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TemplateRefItem.
-func (in *TemplateRefItem) DeepCopy() *TemplateRefItem {
-	if in == nil {
-		return nil
-	}
-	out := new(TemplateRefItem)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TokenAuth) DeepCopyInto(out *TokenAuth) {
-	*out = *in
-	in.BearerToken.DeepCopyInto(&out.BearerToken)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenAuth.
-func (in *TokenAuth) DeepCopy() *TokenAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(TokenAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *UniversalAuthCredentials) DeepCopyInto(out *UniversalAuthCredentials) {
-	*out = *in
-	in.ClientID.DeepCopyInto(&out.ClientID)
-	in.ClientSecret.DeepCopyInto(&out.ClientSecret)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UniversalAuthCredentials.
-func (in *UniversalAuthCredentials) DeepCopy() *UniversalAuthCredentials {
-	if in == nil {
-		return nil
-	}
-	out := new(UniversalAuthCredentials)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *VaultAppRole) DeepCopyInto(out *VaultAppRole) {
-	*out = *in
-	if in.RoleRef != nil {
-		in, out := &in.RoleRef, &out.RoleRef
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-	in.SecretRef.DeepCopyInto(&out.SecretRef)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAppRole.
-func (in *VaultAppRole) DeepCopy() *VaultAppRole {
-	if in == nil {
-		return nil
-	}
-	out := new(VaultAppRole)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *VaultAuth) DeepCopyInto(out *VaultAuth) {
-	*out = *in
-	if in.Namespace != nil {
-		in, out := &in.Namespace, &out.Namespace
-		*out = new(string)
-		**out = **in
-	}
-	if in.TokenSecretRef != nil {
-		in, out := &in.TokenSecretRef, &out.TokenSecretRef
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.AppRole != nil {
-		in, out := &in.AppRole, &out.AppRole
-		*out = new(VaultAppRole)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Kubernetes != nil {
-		in, out := &in.Kubernetes, &out.Kubernetes
-		*out = new(VaultKubernetesAuth)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Ldap != nil {
-		in, out := &in.Ldap, &out.Ldap
-		*out = new(VaultLdapAuth)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Jwt != nil {
-		in, out := &in.Jwt, &out.Jwt
-		*out = new(VaultJwtAuth)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Cert != nil {
-		in, out := &in.Cert, &out.Cert
-		*out = new(VaultCertAuth)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Iam != nil {
-		in, out := &in.Iam, &out.Iam
-		*out = new(VaultIamAuth)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.UserPass != nil {
-		in, out := &in.UserPass, &out.UserPass
-		*out = new(VaultUserPassAuth)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuth.
-func (in *VaultAuth) DeepCopy() *VaultAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(VaultAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *VaultAwsAuth) DeepCopyInto(out *VaultAwsAuth) {
-	*out = *in
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(VaultAwsAuthSecretRef)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.JWTAuth != nil {
-		in, out := &in.JWTAuth, &out.JWTAuth
-		*out = new(VaultAwsJWTAuth)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAwsAuth.
-func (in *VaultAwsAuth) DeepCopy() *VaultAwsAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(VaultAwsAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *VaultAwsAuthSecretRef) DeepCopyInto(out *VaultAwsAuthSecretRef) {
-	*out = *in
-	in.AccessKeyID.DeepCopyInto(&out.AccessKeyID)
-	in.SecretAccessKey.DeepCopyInto(&out.SecretAccessKey)
-	if in.SessionToken != nil {
-		in, out := &in.SessionToken, &out.SessionToken
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAwsAuthSecretRef.
-func (in *VaultAwsAuthSecretRef) DeepCopy() *VaultAwsAuthSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(VaultAwsAuthSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *VaultAwsJWTAuth) DeepCopyInto(out *VaultAwsJWTAuth) {
-	*out = *in
-	if in.ServiceAccountRef != nil {
-		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
-		*out = new(apismetav1.ServiceAccountSelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAwsJWTAuth.
-func (in *VaultAwsJWTAuth) DeepCopy() *VaultAwsJWTAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(VaultAwsJWTAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *VaultCertAuth) DeepCopyInto(out *VaultCertAuth) {
-	*out = *in
-	in.ClientCert.DeepCopyInto(&out.ClientCert)
-	in.SecretRef.DeepCopyInto(&out.SecretRef)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultCertAuth.
-func (in *VaultCertAuth) DeepCopy() *VaultCertAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(VaultCertAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *VaultClientTLS) DeepCopyInto(out *VaultClientTLS) {
-	*out = *in
-	if in.CertSecretRef != nil {
-		in, out := &in.CertSecretRef, &out.CertSecretRef
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.KeySecretRef != nil {
-		in, out := &in.KeySecretRef, &out.KeySecretRef
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultClientTLS.
-func (in *VaultClientTLS) DeepCopy() *VaultClientTLS {
-	if in == nil {
-		return nil
-	}
-	out := new(VaultClientTLS)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *VaultIamAuth) DeepCopyInto(out *VaultIamAuth) {
-	*out = *in
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(VaultAwsAuthSecretRef)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.JWTAuth != nil {
-		in, out := &in.JWTAuth, &out.JWTAuth
-		*out = new(VaultAwsJWTAuth)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultIamAuth.
-func (in *VaultIamAuth) DeepCopy() *VaultIamAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(VaultIamAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *VaultJwtAuth) DeepCopyInto(out *VaultJwtAuth) {
-	*out = *in
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.KubernetesServiceAccountToken != nil {
-		in, out := &in.KubernetesServiceAccountToken, &out.KubernetesServiceAccountToken
-		*out = new(VaultKubernetesServiceAccountTokenAuth)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultJwtAuth.
-func (in *VaultJwtAuth) DeepCopy() *VaultJwtAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(VaultJwtAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) {
-	*out = *in
-	if in.ServiceAccountRef != nil {
-		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
-		*out = new(apismetav1.ServiceAccountSelector)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(apismetav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultKubernetesAuth.
-func (in *VaultKubernetesAuth) DeepCopy() *VaultKubernetesAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(VaultKubernetesAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *VaultKubernetesServiceAccountTokenAuth) DeepCopyInto(out *VaultKubernetesServiceAccountTokenAuth) {
-	*out = *in
-	in.ServiceAccountRef.DeepCopyInto(&out.ServiceAccountRef)
-	if in.Audiences != nil {
-		in, out := &in.Audiences, &out.Audiences
-		*out = new([]string)
-		if **in != nil {
-			in, out := *in, *out
-			*out = make([]string, len(*in))
-			copy(*out, *in)
-		}
-	}
-	if in.ExpirationSeconds != nil {
-		in, out := &in.ExpirationSeconds, &out.ExpirationSeconds
-		*out = new(int64)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultKubernetesServiceAccountTokenAuth.
-func (in *VaultKubernetesServiceAccountTokenAuth) DeepCopy() *VaultKubernetesServiceAccountTokenAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(VaultKubernetesServiceAccountTokenAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *VaultLdapAuth) DeepCopyInto(out *VaultLdapAuth) {
-	*out = *in
-	in.SecretRef.DeepCopyInto(&out.SecretRef)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultLdapAuth.
-func (in *VaultLdapAuth) DeepCopy() *VaultLdapAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(VaultLdapAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *VaultProvider) DeepCopyInto(out *VaultProvider) {
-	*out = *in
-	if in.Auth != nil {
-		in, out := &in.Auth, &out.Auth
-		*out = new(VaultAuth)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Path != nil {
-		in, out := &in.Path, &out.Path
-		*out = new(string)
-		**out = **in
-	}
-	if in.Namespace != nil {
-		in, out := &in.Namespace, &out.Namespace
-		*out = new(string)
-		**out = **in
-	}
-	if in.CABundle != nil {
-		in, out := &in.CABundle, &out.CABundle
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	in.ClientTLS.DeepCopyInto(&out.ClientTLS)
-	if in.CAProvider != nil {
-		in, out := &in.CAProvider, &out.CAProvider
-		*out = new(CAProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Headers != nil {
-		in, out := &in.Headers, &out.Headers
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultProvider.
-func (in *VaultProvider) DeepCopy() *VaultProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(VaultProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *VaultUserPassAuth) DeepCopyInto(out *VaultUserPassAuth) {
-	*out = *in
-	in.SecretRef.DeepCopyInto(&out.SecretRef)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultUserPassAuth.
-func (in *VaultUserPassAuth) DeepCopy() *VaultUserPassAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(VaultUserPassAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookCAProvider) DeepCopyInto(out *WebhookCAProvider) {
-	*out = *in
-	if in.Namespace != nil {
-		in, out := &in.Namespace, &out.Namespace
-		*out = new(string)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookCAProvider.
-func (in *WebhookCAProvider) DeepCopy() *WebhookCAProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(WebhookCAProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookProvider) DeepCopyInto(out *WebhookProvider) {
-	*out = *in
-	if in.Headers != nil {
-		in, out := &in.Headers, &out.Headers
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-	if in.Timeout != nil {
-		in, out := &in.Timeout, &out.Timeout
-		*out = new(metav1.Duration)
-		**out = **in
-	}
-	out.Result = in.Result
-	if in.Secrets != nil {
-		in, out := &in.Secrets, &out.Secrets
-		*out = make([]WebhookSecret, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.CABundle != nil {
-		in, out := &in.CABundle, &out.CABundle
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	if in.CAProvider != nil {
-		in, out := &in.CAProvider, &out.CAProvider
-		*out = new(WebhookCAProvider)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookProvider.
-func (in *WebhookProvider) DeepCopy() *WebhookProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(WebhookProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookResult) DeepCopyInto(out *WebhookResult) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookResult.
-func (in *WebhookResult) DeepCopy() *WebhookResult {
-	if in == nil {
-		return nil
-	}
-	out := new(WebhookResult)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookSecret) DeepCopyInto(out *WebhookSecret) {
-	*out = *in
-	in.SecretRef.DeepCopyInto(&out.SecretRef)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookSecret.
-func (in *WebhookSecret) DeepCopy() *WebhookSecret {
-	if in == nil {
-		return nil
-	}
-	out := new(WebhookSecret)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *YandexCertificateManagerAuth) DeepCopyInto(out *YandexCertificateManagerAuth) {
-	*out = *in
-	in.AuthorizedKey.DeepCopyInto(&out.AuthorizedKey)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new YandexCertificateManagerAuth.
-func (in *YandexCertificateManagerAuth) DeepCopy() *YandexCertificateManagerAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(YandexCertificateManagerAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *YandexCertificateManagerCAProvider) DeepCopyInto(out *YandexCertificateManagerCAProvider) {
-	*out = *in
-	in.Certificate.DeepCopyInto(&out.Certificate)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new YandexCertificateManagerCAProvider.
-func (in *YandexCertificateManagerCAProvider) DeepCopy() *YandexCertificateManagerCAProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(YandexCertificateManagerCAProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *YandexCertificateManagerProvider) DeepCopyInto(out *YandexCertificateManagerProvider) {
-	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
-	if in.CAProvider != nil {
-		in, out := &in.CAProvider, &out.CAProvider
-		*out = new(YandexCertificateManagerCAProvider)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new YandexCertificateManagerProvider.
-func (in *YandexCertificateManagerProvider) DeepCopy() *YandexCertificateManagerProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(YandexCertificateManagerProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *YandexLockboxAuth) DeepCopyInto(out *YandexLockboxAuth) {
-	*out = *in
-	in.AuthorizedKey.DeepCopyInto(&out.AuthorizedKey)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new YandexLockboxAuth.
-func (in *YandexLockboxAuth) DeepCopy() *YandexLockboxAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(YandexLockboxAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *YandexLockboxCAProvider) DeepCopyInto(out *YandexLockboxCAProvider) {
-	*out = *in
-	in.Certificate.DeepCopyInto(&out.Certificate)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new YandexLockboxCAProvider.
-func (in *YandexLockboxCAProvider) DeepCopy() *YandexLockboxCAProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(YandexLockboxCAProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *YandexLockboxProvider) DeepCopyInto(out *YandexLockboxProvider) {
-	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
-	if in.CAProvider != nil {
-		in, out := &in.CAProvider, &out.CAProvider
-		*out = new(YandexLockboxCAProvider)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new YandexLockboxProvider.
-func (in *YandexLockboxProvider) DeepCopy() *YandexLockboxProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(YandexLockboxProvider)
-	in.DeepCopyInto(out)
-	return out
-}

+ 129 - 0
apis/externalsecrets/v1alpha1/externalsecret_conversion.go

@@ -0,0 +1,129 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"encoding/json"
+
+	"sigs.k8s.io/controller-runtime/pkg/conversion"
+
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+)
+
+func (alpha *ExternalSecret) ConvertTo(betaRaw conversion.Hub) error {
+	beta := betaRaw.(*esv1beta1.ExternalSecret)
+	// Actual converted code that needs to be like this
+	v1beta1DataFrom := make([]esv1beta1.ExternalSecretDataFromRemoteRef, 0)
+	for _, v1alpha1RemoteRef := range alpha.Spec.DataFrom {
+		v1beta1RemoteRef := esv1beta1.ExternalSecretDataFromRemoteRef{
+			Extract: &esv1beta1.ExternalSecretDataRemoteRef{
+				Key:      v1alpha1RemoteRef.Key,
+				Property: v1alpha1RemoteRef.Property,
+				Version:  v1alpha1RemoteRef.Version,
+			},
+		}
+		v1beta1DataFrom = append(v1beta1DataFrom, v1beta1RemoteRef)
+	}
+	beta.Spec.DataFrom = v1beta1DataFrom
+	tmp, err := json.Marshal(alpha.Spec.Data)
+	if err != nil {
+		return err
+	}
+	data := make([]esv1beta1.ExternalSecretData, 0)
+	err = json.Unmarshal(tmp, &data)
+	if err != nil {
+		return err
+	}
+	beta.Spec.Data = data
+
+	tmp, err = json.Marshal(alpha.Spec.Target)
+	if err != nil {
+		return err
+	}
+	target := esv1beta1.ExternalSecretTarget{}
+	err = json.Unmarshal(tmp, &target)
+	if err != nil {
+		return err
+	}
+	beta.Spec.Target = target
+	beta.Spec.RefreshInterval = alpha.Spec.RefreshInterval
+	beta.Spec.SecretStoreRef = esv1beta1.SecretStoreRef(alpha.Spec.SecretStoreRef)
+	beta.ObjectMeta = alpha.ObjectMeta
+	tmp, err = json.Marshal(alpha.Status)
+	if err != nil {
+		return err
+	}
+	status := esv1beta1.ExternalSecretStatus{}
+	err = json.Unmarshal(tmp, &status)
+	if err != nil {
+		return err
+	}
+	beta.Status = status
+	return nil
+}
+
+func (alpha *ExternalSecret) ConvertFrom(betaRaw conversion.Hub) error {
+	beta := betaRaw.(*esv1beta1.ExternalSecret)
+	v1alpha1DataFrom := make([]ExternalSecretDataRemoteRef, 0)
+	for _, v1beta1RemoteRef := range beta.Spec.DataFrom {
+		if v1beta1RemoteRef.Extract != nil {
+			if v1beta1RemoteRef.Extract.Key != "" {
+				v1alpha1RemoteRef := ExternalSecretDataRemoteRef{
+					Key:      v1beta1RemoteRef.Extract.Key,
+					Property: v1beta1RemoteRef.Extract.Property,
+					Version:  v1beta1RemoteRef.Extract.Version,
+				}
+				v1alpha1DataFrom = append(v1alpha1DataFrom, v1alpha1RemoteRef)
+			}
+		}
+	}
+	alpha.Spec.DataFrom = v1alpha1DataFrom
+
+	tmp, err := json.Marshal(beta.Spec.Data)
+	if err != nil {
+		return err
+	}
+	data := make([]ExternalSecretData, 0)
+	err = json.Unmarshal(tmp, &data)
+	if err != nil {
+		return err
+	}
+	alpha.Spec.Data = data
+
+	tmp, err = json.Marshal(beta.Spec.Target)
+	if err != nil {
+		return err
+	}
+	target := ExternalSecretTarget{}
+	err = json.Unmarshal(tmp, &target)
+	if err != nil {
+		return err
+	}
+	alpha.Spec.Target = target
+	alpha.Spec.RefreshInterval = beta.Spec.RefreshInterval
+	alpha.Spec.SecretStoreRef = SecretStoreRef(beta.Spec.SecretStoreRef)
+	alpha.ObjectMeta = beta.ObjectMeta
+	tmp, err = json.Marshal(beta.Status)
+	if err != nil {
+		return err
+	}
+	status := ExternalSecretStatus{}
+	err = json.Unmarshal(tmp, &status)
+	if err != nil {
+		return err
+	}
+	alpha.Status = status
+	return nil
+}
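Review bot: The unchecked type assertion `beta := betaRaw.(*esv1beta1.ExternalSecret)` on the first line of both `ConvertTo` and `ConvertFrom` panics if the hub passed in is any other type. These methods are presumably called from the CRD conversion path, where a returned error is easier to diagnose than a panic. Use the comma-ok form, `beta, ok := betaRaw.(*esv1beta1.ExternalSecret)` followed by `if !ok { return fmt.Errorf("expected *v1beta1.ExternalSecret, got %T", betaRaw) }`, which also needs `fmt` added to the import block. Separately, the loop in `ConvertFrom` silently skips every `DataFrom` entry whose `Extract` is nil or whose `Key` is empty, so an object converted down to v1alpha1 can carry fewer sources than the v1beta1 original. If that loss is intended, say so above the loop, e.g. `// dataFrom entries without Extract.Key have no v1alpha1 form and are dropped`, so a synced secret with missing keys can be traced back to the conversion.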

+ 228 - 0
apis/externalsecrets/v1alpha1/externalsecret_conversion_test.go

@@ -0,0 +1,228 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+)
+
+const (
+	keyName    = "my-key"
+	testTarget = "test-target"
+)
+
+func newExternalSecretV1Alpha1() *ExternalSecret {
+	return &ExternalSecret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "full-es",
+			Namespace: "my-ns",
+		},
+		Status: ExternalSecretStatus{
+			SyncedResourceVersion: "123",
+			Conditions: []ExternalSecretStatusCondition{
+				{
+					Type:    ExternalSecretReady,
+					Status:  corev1.ConditionTrue,
+					Reason:  "it's a mock, it's always ready",
+					Message: "...why wouldn't it be?",
+				},
+			},
+			Binding: corev1.LocalObjectReference{
+				Name: testTarget,
+			},
+		},
+		Spec: ExternalSecretSpec{
+			SecretStoreRef: SecretStoreRef{
+				Name: "test-secret-store",
+				Kind: "ClusterSecretStore",
+			},
+			Target: ExternalSecretTarget{
+				Name:           testTarget,
+				CreationPolicy: Owner,
+				Immutable:      false,
+				Template: &ExternalSecretTemplate{
+					Type: corev1.SecretTypeOpaque,
+					Metadata: ExternalSecretTemplateMetadata{
+						Annotations: map[string]string{
+							"foo": "bar",
+						},
+						Labels: map[string]string{
+							"foolbl": "barlbl",
+						},
+					},
+					Data: map[string]string{
+						keyName: "{{.data | toString}}",
+					},
+					TemplateFrom: []TemplateFrom{
+						{
+							ConfigMap: &TemplateRef{
+								Name: "test-configmap",
+								Items: []TemplateRefItem{
+									{
+										Key: keyName,
+									},
+								},
+							},
+							Secret: &TemplateRef{
+								Name: "test-secret",
+								Items: []TemplateRefItem{
+									{
+										Key: keyName,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			Data: []ExternalSecretData{
+				{
+					SecretKey: keyName,
+					RemoteRef: ExternalSecretDataRemoteRef{
+						Key:      "datakey",
+						Property: "dataproperty",
+						Version:  "dataversion",
+					},
+				},
+			},
+			DataFrom: []ExternalSecretDataRemoteRef{
+				{
+					Key:      "key",
+					Property: "property",
+					Version:  "version",
+				},
+			},
+		},
+	}
+}
+
+func newExternalSecretV1Beta1() *esv1beta1.ExternalSecret {
+	return &esv1beta1.ExternalSecret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "full-es",
+			Namespace: "my-ns",
+		},
+		Status: esv1beta1.ExternalSecretStatus{
+			SyncedResourceVersion: "123",
+			Conditions: []esv1beta1.ExternalSecretStatusCondition{
+				{
+					Type:    esv1beta1.ExternalSecretReady,
+					Status:  corev1.ConditionTrue,
+					Reason:  "it's a mock, it's always ready",
+					Message: "...why wouldn't it be?",
+				},
+			},
+			Binding: corev1.LocalObjectReference{
+				Name: testTarget,
+			},
+		},
+		Spec: esv1beta1.ExternalSecretSpec{
+			SecretStoreRef: esv1beta1.SecretStoreRef{
+				Name: "test-secret-store",
+				Kind: "ClusterSecretStore",
+			},
+			Target: esv1beta1.ExternalSecretTarget{
+				Name:           testTarget,
+				CreationPolicy: esv1beta1.CreatePolicyOwner,
+				Immutable:      false,
+				Template: &esv1beta1.ExternalSecretTemplate{
+					Type: corev1.SecretTypeOpaque,
+					Metadata: esv1beta1.ExternalSecretTemplateMetadata{
+						Annotations: map[string]string{
+							"foo": "bar",
+						},
+						Labels: map[string]string{
+							"foolbl": "barlbl",
+						},
+					},
+					Data: map[string]string{
+						keyName: "{{.data | toString}}",
+					},
+					TemplateFrom: []esv1beta1.TemplateFrom{
+						{
+							ConfigMap: &esv1beta1.TemplateRef{
+								Name: "test-configmap",
+								Items: []esv1beta1.TemplateRefItem{
+									{
+										Key: keyName,
+									},
+								},
+							},
+							Secret: &esv1beta1.TemplateRef{
+								Name: "test-secret",
+								Items: []esv1beta1.TemplateRefItem{
+									{
+										Key: keyName,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			Data: []esv1beta1.ExternalSecretData{
+				{
+					SecretKey: keyName,
+					RemoteRef: esv1beta1.ExternalSecretDataRemoteRef{
+						Key:      "datakey",
+						Property: "dataproperty",
+						Version:  "dataversion",
+					},
+				},
+			},
+			DataFrom: []esv1beta1.ExternalSecretDataFromRemoteRef{
+				{
+					Extract: &esv1beta1.ExternalSecretDataRemoteRef{
+						Key:      "key",
+						Property: "property",
+						Version:  "version",
+					},
+				},
+			},
+		},
+	}
+}
+
+func TestExternalSecretConvertFrom(t *testing.T) {
+	given := newExternalSecretV1Beta1()
+	want := newExternalSecretV1Alpha1()
+	got := &ExternalSecret{}
+	err := got.ConvertFrom(given)
+	if err != nil {
+		t.Errorf("test failed with error: %v", err)
+	}
+	if !assert.Equal(t, want, got) {
+		t.Errorf("test failed, expected: %v, got: %v", want, got)
+	}
+}
+
+func TestExternalSecretConvertTo(t *testing.T) {
+	want := newExternalSecretV1Beta1()
+	given := newExternalSecretV1Alpha1()
+	got := &esv1beta1.ExternalSecret{}
+	err := given.ConvertTo(got)
+	if err != nil {
+		t.Errorf("test failed with error: %v", err)
+	}
+	if !assert.Equal(t, want, got) {
+		t.Errorf("test failed, expected: %v, got: %v", want, got)
+	}
+}
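Review bot: Both fixtures only exercise a `DataFrom` entry that has `Extract` with a non-empty `Key`, so the branch in `ExternalSecret.ConvertFrom` (externalsecret_conversion.go) that skips every other v1beta1 entry is never tested. That skip is lossy: an `esv1beta1.ExternalSecretDataFromRemoteRef` without `Extract` disappears from the v1alpha1 object with no error, which could change what gets synced if the object is later written back in this version. I would add a case to `TestExternalSecretConvertFrom` that appends an empty `esv1beta1.ExternalSecretDataFromRemoteRef{}` to `given.Spec.DataFrom` and asserts the converted object still has exactly one entry, so the drop is a pinned, documented decision. Separately, `assert.Equal` already reports the mismatch, so the `t.Errorf` that follows it only repeats the failure.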

+ 284 - 0
apis/externalsecrets/v1alpha1/externalsecret_types.go

@@ -0,0 +1,284 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
+type SecretStoreRef struct {
+	// Name of the SecretStore resource
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:MaxLength:=253
+	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+	Name string `json:"name,omitempty"`
+
+	// Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+	// Defaults to `SecretStore`
+	// +optional
+	// +kubebuilder:validation:Enum=SecretStore;ClusterSecretStore
+	Kind string `json:"kind,omitempty"`
+}
+
+// ExternalSecretCreationPolicy defines rules on how to create the resulting Secret.
+// +kubebuilder:validation:Enum=Owner;Merge;None
+type ExternalSecretCreationPolicy string
+
+const (
+	// Owner creates the Secret and sets .metadata.ownerReferences to the ExternalSecret resource.
+	Owner ExternalSecretCreationPolicy = "Owner"
+
+	// Merge does not create the Secret, but merges the data fields to the Secret.
+	Merge ExternalSecretCreationPolicy = "Merge"
+
+	// None does not create a Secret (future use with injector).
+	None ExternalSecretCreationPolicy = "None"
+)
+
+// ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
+type ExternalSecretTemplateMetadata struct {
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+
+	// +optional
+	Labels map[string]string `json:"labels,omitempty"`
+}
+
+// ExternalSecretTemplate defines a blueprint for the created Secret resource.
+// we can not use native corev1.Secret, it will have empty ObjectMeta values: https://github.com/kubernetes-sigs/controller-tools/issues/448
+type ExternalSecretTemplate struct {
+	// +optional
+	Type corev1.SecretType `json:"type,omitempty"`
+
+	// EngineVersion specifies the template engine version
+	// that should be used to compile/execute the
+	// template specified in .data and .templateFrom[].
+	// +kubebuilder:default="v1"
+	EngineVersion TemplateEngineVersion `json:"engineVersion,omitempty"`
+
+	// +optional
+	Metadata ExternalSecretTemplateMetadata `json:"metadata,omitempty"`
+
+	// +optional
+	Data map[string]string `json:"data,omitempty"`
+
+	// +optional
+	TemplateFrom []TemplateFrom `json:"templateFrom,omitempty"`
+}
+
+// +kubebuilder:validation:Enum=v1;v2
+type TemplateEngineVersion string
+
+const (
+	TemplateEngineV1 TemplateEngineVersion = "v1"
+	TemplateEngineV2 TemplateEngineVersion = "v2"
+)
+
+// +kubebuilder:validation:MinProperties=1
+// +kubebuilder:validation:MaxProperties=1
+type TemplateFrom struct {
+	ConfigMap *TemplateRef `json:"configMap,omitempty"`
+	Secret    *TemplateRef `json:"secret,omitempty"`
+}
+
+type TemplateRef struct {
+	// The name of the ConfigMap/Secret resource
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:MaxLength:=253
+	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+	Name string `json:"name"`
+
+	// A list of keys in the ConfigMap/Secret to use as templates for Secret data
+	Items []TemplateRefItem `json:"items"`
+}
+
+type TemplateRefItem struct {
+	// A key in the ConfigMap/Secret
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:MaxLength:=253
+	// +kubebuilder:validation:Pattern:=^[-._a-zA-Z0-9]+$
+	Key string `json:"key"`
+}
+
+// ExternalSecretTarget defines the Kubernetes Secret to be created
+// There can be only one target per ExternalSecret.
+type ExternalSecretTarget struct {
+	// The name of the Secret resource to be managed.
+	// Defaults to the .metadata.name of the ExternalSecret resource
+	// +optional
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:MaxLength:=253
+	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+	Name string `json:"name,omitempty"`
+
+	// CreationPolicy defines rules on how to create the resulting Secret.
+	// Defaults to "Owner"
+	// +optional
+	// +kubebuilder:default="Owner"
+	CreationPolicy ExternalSecretCreationPolicy `json:"creationPolicy,omitempty"`
+
+	// Template defines a blueprint for the created Secret resource.
+	// +optional
+	Template *ExternalSecretTemplate `json:"template,omitempty"`
+
+	// Immutable defines if the final secret will be immutable
+	// +optional
+	Immutable bool `json:"immutable,omitempty"`
+}
+
+// ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
+type ExternalSecretData struct {
+	// The key in the Kubernetes Secret to store the value.
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:MaxLength:=253
+	// +kubebuilder:validation:Pattern:=^[-._a-zA-Z0-9]+$
+	SecretKey string `json:"secretKey"`
+
+	RemoteRef ExternalSecretDataRemoteRef `json:"remoteRef"`
+}
+
+// ExternalSecretDataRemoteRef defines Provider data location.
+type ExternalSecretDataRemoteRef struct {
+	// Key is the key used in the Provider, mandatory
+	Key string `json:"key"`
+
+	// Used to select a specific version of the Provider value, if supported
+	// +optional
+	Version string `json:"version,omitempty"`
+
+	// Used to select a specific property of the Provider value (if a map), if supported
+	// +optional
+	Property string `json:"property,omitempty"`
+
+	// Used to define a conversion Strategy
+	// +optional
+	// +kubebuilder:default="Default"
+	ConversionStrategy ExternalSecretConversionStrategy `json:"conversionStrategy,omitempty"`
+}
+
+// +kubebuilder:validation:Enum=Default;Unicode
+type ExternalSecretConversionStrategy string
+
+const (
+	ExternalSecretConversionDefault ExternalSecretConversionStrategy = "Default"
+	ExternalSecretConversionUnicode ExternalSecretConversionStrategy = "Unicode"
+)
+
+// ExternalSecretSpec defines the desired state of ExternalSecret.
+type ExternalSecretSpec struct {
+	SecretStoreRef SecretStoreRef `json:"secretStoreRef"`
+
+	Target ExternalSecretTarget `json:"target"`
+
+	// RefreshInterval is the amount of time before the values are read again from the SecretStore provider
+	// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
+	// May be set to zero to fetch and create it once. Defaults to 1h.
+	// +kubebuilder:default="1h"
+	RefreshInterval *metav1.Duration `json:"refreshInterval,omitempty"`
+
+	// Data defines the connection between the Kubernetes Secret keys and the Provider data
+	// +optional
+	Data []ExternalSecretData `json:"data,omitempty"`
+
+	// DataFrom is used to fetch all properties from a specific Provider data
+	// If multiple entries are specified, the Secret keys are merged in the specified order
+	// +optional
+	DataFrom []ExternalSecretDataRemoteRef `json:"dataFrom,omitempty"`
+}
+
+type ExternalSecretConditionType string
+
+const (
+	ExternalSecretReady   ExternalSecretConditionType = "Ready"
+	ExternalSecretDeleted ExternalSecretConditionType = "Deleted"
+)
+
+type ExternalSecretStatusCondition struct {
+	Type   ExternalSecretConditionType `json:"type"`
+	Status corev1.ConditionStatus      `json:"status"`
+
+	// +optional
+	Reason string `json:"reason,omitempty"`
+
+	// +optional
+	Message string `json:"message,omitempty"`
+
+	// +optional
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
+}
+
+const (
+	// ConditionReasonSecretSynced indicates that the secrets was synced.
+	ConditionReasonSecretSynced = "SecretSynced"
+	// ConditionReasonSecretSyncedError indicates that there was an error syncing the secret.
+	ConditionReasonSecretSyncedError = "SecretSyncedError"
+	// ConditionReasonSecretDeleted indicates that the secret has been deleted.
+	ConditionReasonSecretDeleted = "SecretDeleted"
+
+	ReasonInvalidStoreRef      = "InvalidStoreRef"
+	ReasonProviderClientConfig = "InvalidProviderClientConfig"
+	ReasonUpdateFailed         = "UpdateFailed"
+	ReasonUpdated              = "Updated"
+)
+
+type ExternalSecretStatus struct {
+	// +nullable
+	// refreshTime is the time and date the external secret was fetched and
+	// the target secret updated
+	RefreshTime metav1.Time `json:"refreshTime,omitempty"`
+
+	// SyncedResourceVersion keeps track of the last synced version
+	SyncedResourceVersion string `json:"syncedResourceVersion,omitempty"`
+
+	// +optional
+	Conditions []ExternalSecretStatusCondition `json:"conditions,omitempty"`
+
+	// Binding represents a servicebinding.io Provisioned Service reference to the secret
+	Binding corev1.LocalObjectReference `json:"binding,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// ExternalSecret is the Schema for the external-secrets API.
+// +kubebuilder:subresource:status
+// +kubebuilder:deprecatedversion
+// +kubebuilder:resource:scope=Namespaced,categories={external-secrets},shortName=es
+// +kubebuilder:printcolumn:name="Store",type=string,JSONPath=`.spec.secretStoreRef.kind`
+// +kubebuilder:printcolumn:name="Store",type=string,JSONPath=`.spec.secretStoreRef.name`
+// +kubebuilder:printcolumn:name="Refresh Interval",type=string,JSONPath=`.spec.refreshInterval`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason`
+type ExternalSecret struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   ExternalSecretSpec   `json:"spec,omitempty"`
+	Status ExternalSecretStatus `json:"status,omitempty"`
+}
+
+const (
+	// AnnotationDataHash is used to ensure consistency.
+	AnnotationDataHash = "reconcile.external-secrets.io/data-hash"
+)
+
+// +kubebuilder:object:root=true
+
+// ExternalSecretList contains a list of ExternalSecret resources.
+type ExternalSecretList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ExternalSecret `json:"items"`
+}
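Review bot: The two `+kubebuilder:printcolumn` markers above `ExternalSecret` both use `name="Store"`, one for `.spec.secretStoreRef.kind` and one for `.spec.secretStoreRef.name`, so the table output would carry two columns with the same header. Giving the kind column its own name, for example `name="StoreType"`, keeps the two distinguishable. `TemplateFrom`, `TemplateRef`, `TemplateRefItem` and `ExternalSecretStatus` also have no type-level doc comment, unlike the other exported types in the file; a one-line comment on each would match the rest.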

+ 3 - 4
apis/externalsecrets/v1/externalsecret_webhook.go → apis/externalsecrets/v1alpha1/externalsecret_webhook.go

@@ -12,15 +12,14 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1
+package v1alpha1
 
 import (
 	ctrl "sigs.k8s.io/controller-runtime"
 )
 
-func (es *ExternalSecret) SetupWebhookWithManager(mgr ctrl.Manager) error {
+func (alpha *ExternalSecret) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
-		For(es).
-		WithValidator(&ExternalSecretValidator{}).
+		For(alpha).
 		Complete()
 }
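Review bot: `SetupWebhookWithManager` now calls `For(alpha)` with no validator, and nothing in the function says why the registration is still needed. If it is kept only so that conversion is served for this deprecated version, a comment such as `// Registered for conversion only; validation is expected to run against the hub version.` would stop a later reader from assuming v1alpha1 objects are validated here. It is also worth confirming that the validating webhook configuration still covers requests submitted as v1alpha1, since that is not visible in this hunk.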

+ 1 - 10
apis/externalsecrets/v1/generic_store.go → apis/externalsecrets/v1alpha1/generic_store.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1
+package v1alpha1
 
 import (
 	"fmt"
@@ -34,7 +34,6 @@ type GenericStore interface {
 
 	GetObjectMeta() *metav1.ObjectMeta
 	GetTypeMeta() *metav1.TypeMeta
-	GetKind() string
 
 	GetSpec() *SecretStoreSpec
 	GetNamespacedName() string
@@ -71,10 +70,6 @@ func (c *SecretStore) GetNamespacedName() string {
 	return fmt.Sprintf("%s/%s", c.Namespace, c.Name)
 }
 
-func (c *SecretStore) GetKind() string {
-	return SecretStoreKind
-}
-
 func (c *SecretStore) Copy() GenericStore {
 	return c.DeepCopy()
 }
@@ -110,7 +105,3 @@ func (c *ClusterSecretStore) SetStatus(status SecretStoreStatus) {
 func (c *ClusterSecretStore) GetNamespacedName() string {
 	return fmt.Sprintf("%s/%s", c.Namespace, c.Name)
 }
-
-func (c *ClusterSecretStore) GetKind() string {
-	return ClusterSecretStoreKind
-}

+ 3 - 3
apis/externalsecrets/v1alpha1/pushsecret_types.go

@@ -19,7 +19,7 @@ import (
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 )
 
 const (
@@ -96,7 +96,7 @@ type PushSecretSpec struct {
 
 	// Template defines a blueprint for the created Secret resource.
 	// +optional
-	Template *esv1.ExternalSecretTemplate `json:"template,omitempty"`
+	Template *esv1beta1.ExternalSecretTemplate `json:"template,omitempty"`
 }
 
 type PushSecretSecret struct {
@@ -122,7 +122,7 @@ type PushSecretSelector struct {
 
 	// Point to a generator to create a Secret.
 	// +optional
-	GeneratorRef *esv1.GeneratorRef `json:"generatorRef,omitempty"`
+	GeneratorRef *esv1beta1.GeneratorRef `json:"generatorRef,omitempty"`
 }
 
 type PushSecretRemoteRef struct {

+ 27 - 0
apis/externalsecrets/v1alpha1/register.go

@@ -36,6 +36,30 @@ var (
 	AddToScheme   = SchemeBuilder.AddToScheme
 )
 
+// ExternalSecret type metadata.
+var (
+	ExtSecretKind             = reflect.TypeOf(ExternalSecret{}).Name()
+	ExtSecretGroupKind        = schema.GroupKind{Group: Group, Kind: ExtSecretKind}.String()
+	ExtSecretKindAPIVersion   = ExtSecretKind + "." + SchemeGroupVersion.String()
+	ExtSecretGroupVersionKind = SchemeGroupVersion.WithKind(ExtSecretKind)
+)
+
+// SecretStore type metadata.
+var (
+	SecretStoreKind             = reflect.TypeOf(SecretStore{}).Name()
+	SecretStoreGroupKind        = schema.GroupKind{Group: Group, Kind: SecretStoreKind}.String()
+	SecretStoreKindAPIVersion   = SecretStoreKind + "." + SchemeGroupVersion.String()
+	SecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(SecretStoreKind)
+)
+
+// ClusterSecretStore type metadata.
+var (
+	ClusterSecretStoreKind             = reflect.TypeOf(ClusterSecretStore{}).Name()
+	ClusterSecretStoreGroupKind        = schema.GroupKind{Group: Group, Kind: ClusterSecretStoreKind}.String()
+	ClusterSecretStoreKindAPIVersion   = ClusterSecretStoreKind + "." + SchemeGroupVersion.String()
+	ClusterSecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(ClusterSecretStoreKind)
+)
+
 var (
 	PushSecretKind             = reflect.TypeOf(PushSecret{}).Name()
 	PushSecretGroupKind        = schema.GroupKind{Group: Group, Kind: PushSecretKind}.String()
@@ -51,6 +75,9 @@ var (
 )
 
 func init() {
+	SchemeBuilder.Register(&ExternalSecret{}, &ExternalSecretList{})
+	SchemeBuilder.Register(&SecretStore{}, &SecretStoreList{})
+	SchemeBuilder.Register(&ClusterSecretStore{}, &ClusterSecretStoreList{})
 	SchemeBuilder.Register(&PushSecret{}, &PushSecretList{})
 	SchemeBuilder.Register(&ClusterPushSecret{}, &ClusterPushSecretList{})
 }

+ 1 - 1
apis/externalsecrets/v1/secretstore_akeyless_types.go → apis/externalsecrets/v1alpha1/secretstore_akeyless_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1
+package v1alpha1
 
 import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"

+ 9 - 9
apis/externalsecrets/v1/secretstore_alibaba_types.go → apis/externalsecrets/v1alpha1/secretstore_alibaba_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1
+package v1alpha1
 
 import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -26,14 +26,6 @@ type AlibabaAuth struct {
 	RRSAAuth *AlibabaRRSAAuth `json:"rrsa,omitempty"`
 }
 
-// AlibabaAuthSecretRef holds secret references for Alibaba credentials.
-type AlibabaAuthSecretRef struct {
-	// The AccessKeyID is used for authentication
-	AccessKeyID esmeta.SecretKeySelector `json:"accessKeyIDSecretRef"`
-	// The AccessKeySecret is used for authentication
-	AccessKeySecret esmeta.SecretKeySelector `json:"accessKeySecretSecretRef"`
-}
-
 // Authenticate against Alibaba using RRSA.
 type AlibabaRRSAAuth struct {
 	OIDCProviderARN   string `json:"oidcProviderArn"`
@@ -42,6 +34,14 @@ type AlibabaRRSAAuth struct {
 	SessionName       string `json:"sessionName"`
 }
 
+// AlibabaAuthSecretRef holds secret references for Alibaba credentials.
+type AlibabaAuthSecretRef struct {
+	// The AccessKeyID is used for authentication
+	AccessKeyID esmeta.SecretKeySelector `json:"accessKeyIDSecretRef"`
+	// The AccessKeySecret is used for authentication
+	AccessKeySecret esmeta.SecretKeySelector `json:"accessKeySecretSecretRef"`
+}
+
 // AlibabaProvider configures a store to sync secrets using the Alibaba Secret Manager provider.
 type AlibabaProvider struct {
 	Auth AlibabaAuth `json:"auth"`

+ 4 - 59
apis/externalsecrets/v1/secretstore_aws_types.go → apis/externalsecrets/v1alpha1/secretstore_aws_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1
+package v1alpha1
 
 import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -36,12 +36,6 @@ type AWSAuthSecretRef struct {
 
 	// The SecretAccessKey is used for authentication
 	SecretAccessKey esmeta.SecretKeySelector `json:"secretAccessKeySecretRef,omitempty"`
-
-	// The SessionToken used for authentication
-	// This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-	// see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-	// +Optional
-	SessionToken *esmeta.SecretKeySelector `json:"sessionTokenSecretRef,omitempty"`
 }
 
 // Authenticate against AWS using service account tokens.
@@ -54,40 +48,14 @@ type AWSJWTAuth struct {
 type AWSServiceType string
 
 const (
-	// AWSServiceSecretsManager is the AWS SecretsManager service.
+	// AWSServiceSecretsManager is the AWS SecretsManager.
 	// see: https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
 	AWSServiceSecretsManager AWSServiceType = "SecretsManager"
-	// AWSServiceParameterStore is the AWS SystemsManager ParameterStore service.
+	// AWSServiceParameterStore is the AWS SystemsManager ParameterStore.
 	// see: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html
 	AWSServiceParameterStore AWSServiceType = "ParameterStore"
 )
 
-// SecretsManager defines how the provider behaves when interacting with AWS
-// SecretsManager. Some of these settings are only applicable to controlling how
-// secrets are deleted, and hence only apply to PushSecret (and only when
-// deletionPolicy is set to Delete).
-type SecretsManager struct {
-	// Specifies whether to delete the secret without any recovery window. You
-	// can't use both this parameter and RecoveryWindowInDays in the same call.
-	// If you don't use either, then by default Secrets Manager uses a 30 day
-	// recovery window.
-	// see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
-	// +optional
-	ForceDeleteWithoutRecovery bool `json:"forceDeleteWithoutRecovery,omitempty"`
-	// The number of days from 7 to 30 that Secrets Manager waits before
-	// permanently deleting the secret. You can't use both this parameter and
-	// ForceDeleteWithoutRecovery in the same call. If you don't use either,
-	// then by default Secrets Manager uses a 30 day recovery window.
-	// see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
-	// +optional
-	RecoveryWindowInDays int64 `json:"recoveryWindowInDays,omitempty"`
-}
-
-type Tag struct {
-	Key   string `json:"key"`
-	Value string `json:"value"`
-}
-
 // AWSProvider configures a store to sync secrets with AWS.
 type AWSProvider struct {
 	// Service defines which service should be used to fetch the secrets
@@ -99,33 +67,10 @@ type AWSProvider struct {
 	// +optional
 	Auth AWSAuth `json:"auth,omitempty"`
 
-	// Role is a Role ARN which the provider will assume
+	// Role is a Role ARN which the SecretManager provider will assume
 	// +optional
 	Role string `json:"role,omitempty"`
 
 	// AWS Region to be used for the provider
 	Region string `json:"region"`
-
-	// AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
-	// +optional
-	AdditionalRoles []string `json:"additionalRoles,omitempty"`
-
-	// AWS External ID set on assumed IAM roles
-	ExternalID string `json:"externalID,omitempty"`
-
-	// AWS STS assume role session tags
-	// +optional
-	SessionTags []*Tag `json:"sessionTags,omitempty"`
-
-	// SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
-	// +optional
-	SecretsManager *SecretsManager `json:"secretsManager,omitempty"`
-
-	// AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
-	// +optional
-	TransitiveTagKeys []*string `json:"transitiveTagKeys,omitempty"`
-
-	// Prefix adds a prefix to all retrieved values.
-	// +optional
-	Prefix string `json:"prefix,omitempty"`
 }
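Review bot: After this change `AWSAuthSecretRef` and `AWSProvider` expose only the access key pair, `Role` and `Region` from what is shown, and the struct comments do not say that this version is a reduced view of the hub type. `SecretStore.ConvertFrom` in secretstore_conversion.go copies the object through `json.Marshal`/`json.Unmarshal`, so any hub field without a counterpart here (an external ID or session-token reference, if v1beta1 has them) is dropped without an error when an object is converted to v1alpha1. I would add a comment on `AWSProvider` along the lines of `// Fields that exist only on the hub version are dropped on conversion to v1alpha1.` The same applies to `AzureKVProvider` and `AzureKVAuth` in secretstore_azurekv_types.go. The `AWSProvider` struct starts above the last hunk, so its `Service` and `Auth` fields are only partly shown.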

+ 4 - 33
apis/externalsecrets/v1/secretstore_azurekv_types.go → apis/externalsecrets/v1alpha1/secretstore_azurekv_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1
+package v1alpha1
 
 import smmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 
@@ -34,20 +34,6 @@ const (
 	AzureWorkloadIdentity AzureAuthType = "WorkloadIdentity"
 )
 
-// AzureEnvironmentType specifies the Azure cloud environment endpoints to use for
-// connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
-// The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
-// PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
-// +kubebuilder:validation:Enum=PublicCloud;USGovernmentCloud;ChinaCloud;GermanCloud
-type AzureEnvironmentType string
-
-const (
-	AzureEnvironmentPublicCloud       AzureEnvironmentType = "PublicCloud"
-	AzureEnvironmentUSGovernmentCloud AzureEnvironmentType = "USGovernmentCloud"
-	AzureEnvironmentChinaCloud        AzureEnvironmentType = "ChinaCloud"
-	AzureEnvironmentGermanCloud       AzureEnvironmentType = "GermanCloud"
-)
-
 // Configures an store to sync secrets using Azure KV.
 type AzureKVProvider struct {
 	// Auth type defines how to authenticate to the keyvault service.
@@ -61,18 +47,11 @@ type AzureKVProvider struct {
 	// Vault Url from which the secrets to be fetched from.
 	VaultURL *string `json:"vaultUrl"`
 
-	// TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
+	// TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
 	// +optional
 	TenantID *string `json:"tenantId,omitempty"`
 
-	// EnvironmentType specifies the Azure cloud environment endpoints to use for
-	// connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
-	// The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
-	// PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
-	// +kubebuilder:default=PublicCloud
-	EnvironmentType AzureEnvironmentType `json:"environmentType,omitempty"`
-
-	// Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
+	// Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
 	// +optional
 	AuthSecretRef *AzureKVAuth `json:"authSecretRef,omitempty"`
 
@@ -88,19 +67,11 @@ type AzureKVProvider struct {
 
 // Configuration used to authenticate with Azure.
 type AzureKVAuth struct {
-	// The Azure clientId of the service principle or managed identity used for authentication.
+	// The Azure clientId of the service principle used for authentication.
 	// +optional
 	ClientID *smmeta.SecretKeySelector `json:"clientId,omitempty"`
 
-	// The Azure tenantId of the managed identity used for authentication.
-	// +optional
-	TenantID *smmeta.SecretKeySelector `json:"tenantId,omitempty"`
-
 	// The Azure ClientSecret of the service principle used for authentication.
 	// +optional
 	ClientSecret *smmeta.SecretKeySelector `json:"clientSecret,omitempty"`
-
-	// The Azure ClientCertificate of the service principle used for authentication.
-	// +optional
-	ClientCertificate *smmeta.SecretKeySelector `json:"clientCertificate,omitempty"`
 }
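Review bot: The rewritten comment on `ClientID` keeps the spelling "service principle"; the Azure term is "service principal", and field comments like this typically end up in the generated CRD descriptions. Suggested: `// The Azure clientId of the service principal used for authentication.`, with the same fix on the `ClientSecret` comment and "Configures an store" changed to "Configures a store" above `AzureKVProvider`. `AzureKVAuth` is fully inside the last hunk; `AzureKVProvider` continues outside the hunks shown.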

+ 91 - 0
apis/externalsecrets/v1alpha1/secretstore_conversion.go

@@ -0,0 +1,91 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"encoding/json"
+
+	"sigs.k8s.io/controller-runtime/pkg/conversion"
+
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+)
+
+func (c *SecretStore) ConvertTo(betaRaw conversion.Hub) error {
+	beta := betaRaw.(*esv1beta1.SecretStore)
+	tmp := &esv1beta1.SecretStore{}
+	alphajson, err := json.Marshal(c)
+	if err != nil {
+		return err
+	}
+	err = json.Unmarshal(alphajson, tmp)
+	if err != nil {
+		return err
+	}
+	beta.Spec = tmp.Spec
+	beta.ObjectMeta = tmp.ObjectMeta
+	beta.Status = tmp.Status
+	return nil
+}
+
+func (c *SecretStore) ConvertFrom(betaRaw conversion.Hub) error {
+	beta := betaRaw.(*esv1beta1.SecretStore)
+	tmp := &SecretStore{}
+	betajson, err := json.Marshal(beta)
+	if err != nil {
+		return err
+	}
+	err = json.Unmarshal(betajson, tmp)
+	if err != nil {
+		return err
+	}
+	c.Spec = tmp.Spec
+	c.ObjectMeta = tmp.ObjectMeta
+	c.Status = tmp.Status
+	return nil
+}
+
+func (c *ClusterSecretStore) ConvertTo(betaRaw conversion.Hub) error {
+	beta := betaRaw.(*esv1beta1.ClusterSecretStore)
+	tmp := &esv1beta1.ClusterSecretStore{}
+	alphajson, err := json.Marshal(c)
+	if err != nil {
+		return err
+	}
+	err = json.Unmarshal(alphajson, tmp)
+	if err != nil {
+		return err
+	}
+	beta.Spec = tmp.Spec
+	beta.ObjectMeta = tmp.ObjectMeta
+	beta.Status = tmp.Status
+	return nil
+}
+
+func (c *ClusterSecretStore) ConvertFrom(betaRaw conversion.Hub) error {
+	beta := betaRaw.(*esv1beta1.ClusterSecretStore)
+	tmp := &ClusterSecretStore{}
+	betajson, err := json.Marshal(beta)
+	if err != nil {
+		return err
+	}
+	err = json.Unmarshal(betajson, tmp)
+	if err != nil {
+		return err
+	}
+	c.Spec = tmp.Spec
+	c.ObjectMeta = tmp.ObjectMeta
+	c.Status = tmp.Status
+	return nil
+}
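Review bot: The type assertion `beta := betaRaw.(*esv1beta1.SecretStore)` at the top of `SecretStore.ConvertTo` is unchecked, so a hub of any other type panics the caller instead of returning an error; the same applies to `SecretStore.ConvertFrom` and both `ClusterSecretStore` methods. Use the two-value form, `beta, ok := betaRaw.(*esv1beta1.SecretStore)` followed by `if !ok { return fmt.Errorf("unexpected hub type %T", betaRaw) }`, which needs `fmt` added to the import block. Separately, the JSON round trip silently drops any field that has no counterpart with the same JSON name in the target version, so a store's provider or auth settings could change across a conversion without an error. A doc comment on each method stating that the conversion is a lossy marshal/unmarshal copy of `Spec`, `ObjectMeta` and `Status` would make that visible to whoever next changes either schema.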

+ 259 - 0
apis/externalsecrets/v1alpha1/secretstore_conversion_test.go

@@ -0,0 +1,259 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+const (
+	storeName                = "secret-store"
+	storeNamespace           = "my-namespace"
+	storeReason              = "it's a mock, it's always ready"
+	storeMessage             = "...why wouldn't it be?"
+	storeAWSRegion           = "us-east-1"
+	storeAWSRole             = "arn:aws:iam::123456789012:role/my-role"
+	storeAccessName          = "my-access"
+	storeKey                 = "my-key"
+	storeSecretName          = "my-secret"
+	defaultErrorMessage      = "test failed with error: %v"
+	defaultComparisonMessage = "test failed, expected: %v, got: %v"
+)
+
+func newSecretStoreV1Alpha1() *SecretStore {
+	return &SecretStore{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      storeName,
+			Namespace: storeNamespace,
+		},
+		Status: SecretStoreStatus{
+			Conditions: []SecretStoreStatusCondition{
+				{
+					Type:    SecretStoreReady,
+					Status:  corev1.ConditionTrue,
+					Reason:  storeReason,
+					Message: storeMessage,
+				},
+			},
+		},
+		Spec: SecretStoreSpec{
+			Controller: "dev",
+			Provider: &SecretStoreProvider{
+				AWS: &AWSProvider{
+					Service: AWSServiceSecretsManager,
+					Region:  storeAWSRegion,
+					Role:    storeAWSRole,
+					Auth: AWSAuth{
+						SecretRef: &AWSAuthSecretRef{
+							AccessKeyID: esmeta.SecretKeySelector{
+								Name: storeAccessName,
+								Key:  storeKey,
+							},
+							SecretAccessKey: esmeta.SecretKeySelector{
+								Name: storeSecretName,
+								Key:  storeKey,
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func newSecretStoreV1Beta1() *esv1beta1.SecretStore {
+	return &esv1beta1.SecretStore{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      storeName,
+			Namespace: storeNamespace,
+		},
+		Status: esv1beta1.SecretStoreStatus{
+			Conditions: []esv1beta1.SecretStoreStatusCondition{
+				{
+					Type:    esv1beta1.SecretStoreReady,
+					Status:  corev1.ConditionTrue,
+					Reason:  storeReason,
+					Message: storeMessage,
+				},
+			},
+		},
+		Spec: esv1beta1.SecretStoreSpec{
+			Controller: "dev",
+			Provider: &esv1beta1.SecretStoreProvider{
+				AWS: &esv1beta1.AWSProvider{
+					Service: esv1beta1.AWSServiceSecretsManager,
+					Region:  storeAWSRegion,
+					Role:    storeAWSRole,
+					Auth: esv1beta1.AWSAuth{
+						SecretRef: &esv1beta1.AWSAuthSecretRef{
+							AccessKeyID: esmeta.SecretKeySelector{
+								Name: storeAccessName,
+								Key:  storeKey,
+							},
+							SecretAccessKey: esmeta.SecretKeySelector{
+								Name: storeSecretName,
+								Key:  storeKey,
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func newClusterSecretStoreV1Alpha1() *ClusterSecretStore {
+	ns := storeNamespace
+	return &ClusterSecretStore{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: storeName,
+		},
+		Status: SecretStoreStatus{
+			Conditions: []SecretStoreStatusCondition{
+				{
+					Type:    SecretStoreReady,
+					Status:  corev1.ConditionTrue,
+					Reason:  storeReason,
+					Message: storeMessage,
+				},
+			},
+		},
+		Spec: SecretStoreSpec{
+			Controller: "dev",
+			Provider: &SecretStoreProvider{
+				AWS: &AWSProvider{
+					Service: AWSServiceSecretsManager,
+					Region:  storeAWSRegion,
+					Role:    storeAWSRole,
+					Auth: AWSAuth{
+						SecretRef: &AWSAuthSecretRef{
+							AccessKeyID: esmeta.SecretKeySelector{
+								Name:      storeAccessName,
+								Key:       storeKey,
+								Namespace: &ns,
+							},
+							SecretAccessKey: esmeta.SecretKeySelector{
+								Name:      storeSecretName,
+								Key:       storeKey,
+								Namespace: &ns,
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func newClusterSecretStoreV1Beta1() *esv1beta1.ClusterSecretStore {
+	ns := storeNamespace
+	return &esv1beta1.ClusterSecretStore{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: storeName,
+		},
+		Status: esv1beta1.SecretStoreStatus{
+			Conditions: []esv1beta1.SecretStoreStatusCondition{
+				{
+					Type:    esv1beta1.SecretStoreReady,
+					Status:  corev1.ConditionTrue,
+					Reason:  storeReason,
+					Message: storeMessage,
+				},
+			},
+		},
+		Spec: esv1beta1.SecretStoreSpec{
+			Controller: "dev",
+			Provider: &esv1beta1.SecretStoreProvider{
+				AWS: &esv1beta1.AWSProvider{
+					Service: esv1beta1.AWSServiceSecretsManager,
+					Region:  storeAWSRegion,
+					Role:    storeAWSRole,
+					Auth: esv1beta1.AWSAuth{
+						SecretRef: &esv1beta1.AWSAuthSecretRef{
+							AccessKeyID: esmeta.SecretKeySelector{
+								Name:      storeAccessName,
+								Key:       storeKey,
+								Namespace: &ns,
+							},
+							SecretAccessKey: esmeta.SecretKeySelector{
+								Name:      storeSecretName,
+								Key:       storeKey,
+								Namespace: &ns,
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+func TestSecretStoreConvertFrom(t *testing.T) {
+	given := newSecretStoreV1Beta1()
+	want := newSecretStoreV1Alpha1()
+	got := &SecretStore{}
+	err := got.ConvertFrom(given)
+	if err != nil {
+		t.Errorf(defaultErrorMessage, err)
+	}
+	if !assert.Equal(t, want, got) {
+		t.Errorf("test failed, expected: %v, got: %v", want, got)
+	}
+}
+
+func TestSecretStoreConvertTo(t *testing.T) {
+	want := newSecretStoreV1Beta1()
+	given := newSecretStoreV1Alpha1()
+	got := &esv1beta1.SecretStore{}
+	err := given.ConvertTo(got)
+	if err != nil {
+		t.Errorf(defaultErrorMessage, err)
+	}
+	if !assert.Equal(t, want, got) {
+		t.Errorf(defaultComparisonMessage, want, got)
+	}
+}
+
+func TestClusterSecretStoreConvertFrom(t *testing.T) {
+	given := newClusterSecretStoreV1Beta1()
+	want := newClusterSecretStoreV1Alpha1()
+	got := &ClusterSecretStore{}
+	err := got.ConvertFrom(given)
+	if err != nil {
+		t.Errorf(defaultErrorMessage, err)
+	}
+	if !assert.Equal(t, want, got) {
+		t.Errorf(defaultComparisonMessage, want, got)
+	}
+}
+
+func TestClusterSecretStoreConvertTo(t *testing.T) {
+	want := newClusterSecretStoreV1Beta1()
+	given := newClusterSecretStoreV1Alpha1()
+	got := &esv1beta1.ClusterSecretStore{}
+	err := given.ConvertTo(got)
+	if err != nil {
+		t.Errorf(defaultErrorMessage, err)
+	}
+	if !assert.Equal(t, want, got) {
+		t.Errorf(defaultComparisonMessage, want, got)
+	}
+}
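Review bot: `TestSecretStoreConvertFrom` formats its failure with the literal `"test failed, expected: %v, got: %v"` while the other three tests use `defaultComparisonMessage`; use the constant there as well. All four tests report a conversion error with `t.Errorf` and then go on to compare a partially filled object, so `t.Fatalf(defaultErrorMessage, err)` would stop at the real cause. `assert.Equal` already records the failure on `t`, so the `t.Errorf` inside each `if !assert.Equal(...)` only duplicates output. The fixtures set only the AWS provider, so these tests do not show what happens to fields whose shape may differ between v1alpha1 and v1beta1.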

+ 5 - 4
apis/externalsecrets/v1/secretstore_fake_types.go → apis/externalsecrets/v1alpha1/secretstore_fake_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1
+package v1alpha1
 
 // FakeProvider configures a fake provider that returns static values.
 type FakeProvider struct {
@@ -20,7 +20,8 @@ type FakeProvider struct {
 }
 
 type FakeProviderData struct {
-	Key     string `json:"key"`
-	Value   string `json:"value"`
-	Version string `json:"version,omitempty"`
+	Key      string            `json:"key"`
+	Value    string            `json:"value,omitempty"`
+	ValueMap map[string]string `json:"valueMap,omitempty"`
+	Version  string            `json:"version,omitempty"`
 }

+ 4 - 17
apis/externalsecrets/v1/secretstore_gcpsm_types.go → apis/externalsecrets/v1alpha1/secretstore_gcpsm_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1
+package v1alpha1
 
 import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -32,20 +32,10 @@ type GCPSMAuthSecretRef struct {
 }
 
 type GCPWorkloadIdentity struct {
-	// +kubebuilder:validation:Required
 	ServiceAccountRef esmeta.ServiceAccountSelector `json:"serviceAccountRef"`
-	// ClusterLocation is the location of the cluster
-	// If not specified, it fetches information from the metadata server
-	// +optional
-	ClusterLocation string `json:"clusterLocation,omitempty"`
-	// ClusterName is the name of the cluster
-	// If not specified, it fetches information from the metadata server
-	// +optional
-	ClusterName string `json:"clusterName,omitempty"`
-	// ClusterProjectID is the project ID of the cluster
-	// If not specified, it fetches information from the metadata server
-	// +optional
-	ClusterProjectID string `json:"clusterProjectID,omitempty"`
+	ClusterLocation   string                        `json:"clusterLocation"`
+	ClusterName       string                        `json:"clusterName"`
+	ClusterProjectID  string                        `json:"clusterProjectID,omitempty"`
 }
 
 // GCPSMProvider Configures a store to sync secrets using the GCP Secret Manager provider.
@@ -56,7 +46,4 @@ type GCPSMProvider struct {
 
 	// ProjectID project where secret is located
 	ProjectID string `json:"projectID,omitempty"`
-
-	// Location optionally defines a location for a secret
-	Location string `json:"location,omitempty"`
 }
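Review bot: `GCPWorkloadIdentity` loses all of its field comments in this section, and `ClusterLocation` and `ClusterName` no longer carry `omitempty` or `+optional`, so they presumably become required in the generated CRD schema with nothing in the source saying so. Add a comment per field, e.g. `// ClusterLocation is the location of the cluster (required).` and `// ClusterName is the name of the cluster (required).`. `ClusterProjectID` keeps `omitempty` but has no marker; `// +optional` above it would state the intent explicitly.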

+ 1 - 10
apis/externalsecrets/v1/secretstore_gitlab_types.go → apis/externalsecrets/v1alpha1/secretstore_gitlab_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1
+package v1alpha1
 
 import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -28,15 +28,6 @@ type GitlabProvider struct {
 
 	// ProjectID specifies a project where secrets are located.
 	ProjectID string `json:"projectID,omitempty"`
-
-	// InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
-	InheritFromGroups bool `json:"inheritFromGroups,omitempty"`
-
-	// GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
-	GroupIDs []string `json:"groupIDs,omitempty"`
-
-	// Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
-	Environment string `json:"environment,omitempty"`
 }
 
 type GitlabAuth struct {

+ 3 - 16
apis/externalsecrets/v1/secretstore_ibm_types.go → apis/externalsecrets/v1alpha1/secretstore_ibm_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1
+package v1alpha1
 
 import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -28,25 +28,12 @@ type IBMProvider struct {
 	ServiceURL *string `json:"serviceUrl,omitempty"`
 }
 
-// +kubebuilder:validation:MinProperties=1
-// +kubebuilder:validation:MaxProperties=1
 type IBMAuth struct {
-	SecretRef     *IBMAuthSecretRef     `json:"secretRef,omitempty"`
-	ContainerAuth *IBMAuthContainerAuth `json:"containerAuth,omitempty"`
+	SecretRef IBMAuthSecretRef `json:"secretRef"`
 }
 
 type IBMAuthSecretRef struct {
 	// The SecretAccessKey is used for authentication
+	// +optional
 	SecretAPIKey esmeta.SecretKeySelector `json:"secretApiKeySecretRef,omitempty"`
 }
-
-// IBM Container-based auth with IAM Trusted Profile.
-type IBMAuthContainerAuth struct {
-	// the IBM Trusted Profile
-	Profile string `json:"profile"`
-
-	// Location the token is mounted on the pod
-	TokenLocation string `json:"tokenLocation,omitempty"`
-
-	IAMEndpoint string `json:"iamEndpoint,omitempty"`
-}
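Review bot: `SecretAPIKey` in `IBMAuthSecretRef` gains `// +optional`, and with `ContainerAuth` and the `MinProperties`/`MaxProperties` markers removed it is the only credential reference left under `IBMAuth`. An IBM store that names no API key secret would then presumably pass schema validation and fail only when the provider tries to authenticate. Drop the `+optional` marker unless a validator outside this section rejects an empty selector. The field comment also says `SecretAccessKey` where the field is `SecretAPIKey`; `// SecretAPIKey references the API key used for authentication.` would match the code.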

+ 15 - 8
apis/externalsecrets/v1/secretstore_kubernetes_types.go → apis/externalsecrets/v1alpha1/secretstore_kubernetes_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1
+package v1alpha1
 
 import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -32,22 +32,23 @@ type KubernetesServer struct {
 	// see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider
 	// +optional
 	CAProvider *CAProvider `json:"caProvider,omitempty"`
+
+	// there's still room for impersonation or proxy settings:
+	// Impersonate-User
+	// Impersonate-Group
+	// Impersonate-Extra-( extra name )
+	// Impersonate-Uid
+	// Proxy Settings
 }
 
 // Configures a store to sync secrets with a Kubernetes instance.
 type KubernetesProvider struct {
 	// configures the Kubernetes server Address.
-	// +optional
 	Server KubernetesServer `json:"server,omitempty"`
 
 	// Auth configures how secret-manager authenticates with a Kubernetes instance.
-	// +optional
 	Auth KubernetesAuth `json:"auth"`
 
-	// A reference to a secret that contains the auth information.
-	// +optional
-	AuthRef *esmeta.SecretKeySelector `json:"authRef,omitempty"`
-
 	// Remote namespace to fetch the secrets from
 	// +optional
 	// +kubebuilder:default=default
@@ -70,7 +71,9 @@ type KubernetesAuth struct {
 
 	// points to a service account that should be used for authentication
 	// +optional
-	ServiceAccount *esmeta.ServiceAccountSelector `json:"serviceAccount,omitempty"`
+	ServiceAccount *ServiceAccountAuth `json:"serviceAccount,omitempty"`
+
+	// possibly exec or webhook
 }
 
 type CertAuth struct {
@@ -81,3 +84,7 @@ type CertAuth struct {
 type TokenAuth struct {
 	BearerToken esmeta.SecretKeySelector `json:"bearerToken,omitempty"`
 }
+
+type ServiceAccountAuth struct {
+	ServiceAccountRef esmeta.ServiceAccountSelector `json:"serviceAccount,omitempty"`
+}
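Review bot: The new `ServiceAccountAuth` type has no doc comment, and its only field `ServiceAccountRef` is serialized as `serviceAccount`, so the selector ends up at `auth.serviceAccount.serviceAccount` in a manifest. Which service account a store authenticates as is security-relevant, so that path should be spelled out, e.g. `// ServiceAccountAuth wraps the service account selector; it is serialized under the key "serviceAccount".`. The free-text comments `// there's still room for impersonation or proxy settings:` in `KubernetesServer` and `// possibly exec or webhook` in `KubernetesAuth` read as open design notes inside API types and would be clearer as `// TODO:` lines. In `KubernetesProvider`, `Auth` loses `+optional` while `Server` keeps `omitempty`; a one-line comment on each saying whether it is required would remove the ambiguity. The bodies of these structs continue outside the hunks shown.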

+ 3 - 3
apis/externalsecrets/v1/secretstore_oracle_types.go → apis/externalsecrets/v1alpha1/secretstore_oracle_types.go

@@ -10,7 +10,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1
+package v1alpha1
 
 import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -54,7 +54,8 @@ type OracleProvider struct {
 	PrincipalType OraclePrincipalType `json:"principalType,omitempty"`
 
 	// Auth configures how secret-manager authenticates with the Oracle Vault.
-	// If empty, use the instance principal, otherwise the user credentials specified in Auth.
+	// If empty, instance principal is used. Optionally, the authenticating principal type
+	// and/or user data may be supplied for the use of workload identity and user principal.
 	// +optional
 	Auth *OracleAuth `json:"auth,omitempty"`
 
@@ -65,7 +66,6 @@ type OracleProvider struct {
 }
 
 type OracleAuth struct {
-
 	// Tenancy is the tenancy OCID where user is located.
 	Tenancy string `json:"tenancy"`
 

+ 1 - 2
apis/externalsecrets/v1/secretstore_passworddeport_types.go → apis/externalsecrets/v1alpha1/secretstore_passworddepot_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1
+package v1alpha1
 
 import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -36,6 +36,5 @@ type PasswordDepotAuth struct {
 
 type PasswordDepotSecretRef struct {
 	// Username / Password is used for authentication.
-	// +optional
 	Credentials esmeta.SecretKeySelector `json:"credentials,omitempty"`
 }

+ 180 - 0
apis/externalsecrets/v1alpha1/secretstore_types.go

@@ -0,0 +1,180 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// SecretStoreSpec defines the desired state of SecretStore.
+type SecretStoreSpec struct {
+	// Used to select the correct ESO controller (think: ingress.ingressClassName)
+	// The ESO controller is instantiated with a specific controller name and filters ES based on this property
+	// +optional
+	Controller string `json:"controller,omitempty"`
+
+	// Used to configure the provider. Only one provider may be set
+	Provider *SecretStoreProvider `json:"provider"`
+
+	// Used to configure http retries if failed
+	// +optional
+	RetrySettings *SecretStoreRetrySettings `json:"retrySettings,omitempty"`
+}
+
+// SecretStoreProvider contains the provider-specific configration.
+// +kubebuilder:validation:MinProperties=1
+// +kubebuilder:validation:MaxProperties=1
+type SecretStoreProvider struct {
+	// AWS configures this store to sync secrets using AWS Secret Manager provider
+	// +optional
+	AWS *AWSProvider `json:"aws,omitempty"`
+
+	// AzureKV configures this store to sync secrets using Azure Key Vault provider
+	// +optional
+	AzureKV *AzureKVProvider `json:"azurekv,omitempty"`
+
+	// Akeyless configures this store to sync secrets using Akeyless Vault provider
+	// +optional
+	Akeyless *AkeylessProvider `json:"akeyless,omitempty"`
+
+	// Vault configures this store to sync secrets using Hashi provider
+	// +optional
+	Vault *VaultProvider `json:"vault,omitempty"`
+
+	// GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
+	// +optional
+	GCPSM *GCPSMProvider `json:"gcpsm,omitempty"`
+
+	// Oracle configures this store to sync secrets using Oracle Vault provider
+	// +optional
+	Oracle *OracleProvider `json:"oracle,omitempty"`
+
+	// IBM configures this store to sync secrets using IBM Cloud provider
+	// +optional
+	IBM *IBMProvider `json:"ibm,omitempty"`
+
+	// YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
+	// +optional
+	YandexLockbox *YandexLockboxProvider `json:"yandexlockbox,omitempty"`
+
+	// GitLab configures this store to sync secrets using GitLab Variables provider
+	// +optional
+	Gitlab *GitlabProvider `json:"gitlab,omitempty"`
+
+	// Alibaba configures this store to sync secrets using Alibaba Cloud provider
+	// +optional
+	Alibaba *AlibabaProvider `json:"alibaba,omitempty"`
+
+	// Webhook configures this store to sync secrets using a generic templated webhook
+	// +optional
+	Webhook *WebhookProvider `json:"webhook,omitempty"`
+
+	// Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
+	// +optional
+	Kubernetes *KubernetesProvider `json:"kubernetes,omitempty"`
+
+	PasswordDepot *PasswordDepotProvider `json:"passworddepot,omitempty"`
+
+	// Fake configures a store with static key/value pairs
+	// +optional
+	Fake *FakeProvider `json:"fake,omitempty"`
+}
+
+type SecretStoreRetrySettings struct {
+	MaxRetries    *int32  `json:"maxRetries,omitempty"`
+	RetryInterval *string `json:"retryInterval,omitempty"`
+}
+
+type SecretStoreConditionType string
+
+const (
+	SecretStoreReady SecretStoreConditionType = "Ready"
+
+	ReasonInvalidStore          = "InvalidStoreConfiguration"
+	ReasonInvalidProviderConfig = "InvalidProviderConfig"
+	ReasonValidationFailed      = "ValidationFailed"
+	ReasonStoreValid            = "Valid"
+)
+
+type SecretStoreStatusCondition struct {
+	Type   SecretStoreConditionType `json:"type"`
+	Status corev1.ConditionStatus   `json:"status"`
+
+	// +optional
+	Reason string `json:"reason,omitempty"`
+
+	// +optional
+	Message string `json:"message,omitempty"`
+
+	// +optional
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
+}
+
+// SecretStoreStatus defines the observed state of the SecretStore.
+type SecretStoreStatus struct {
+	// +optional
+	Conditions []SecretStoreStatusCondition `json:"conditions,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason`
+// +kubebuilder:subresource:status
+// +kubebuilder:deprecatedversion
+// +kubebuilder:resource:scope=Namespaced,categories={external-secrets},shortName=ss
+type SecretStore struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   SecretStoreSpec   `json:"spec,omitempty"`
+	Status SecretStoreStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// SecretStoreList contains a list of SecretStore resources.
+type SecretStoreList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []SecretStore `json:"items"`
+}
+
+// +kubebuilder:object:root=true
+
+// ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason`
+// +kubebuilder:deprecatedversion
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Cluster,categories={external-secrets},shortName=css
+type ClusterSecretStore struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   SecretStoreSpec   `json:"spec,omitempty"`
+	Status SecretStoreStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// ClusterSecretStoreList contains a list of ClusterSecretStore resources.
+type ClusterSecretStoreList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ClusterSecretStore `json:"items"`
+}
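Review bot: `PasswordDepot` in `SecretStoreProvider` is the only provider field with neither a doc comment nor a `// +optional` marker; add `// PasswordDepot configures this store to sync secrets using the Password Depot provider` and `// +optional` above it to match its siblings. The type comment spells `configration` for `configuration`. `SecretStoreRetrySettings` and its two fields are undocumented, and `RetryInterval` is a free-form `*string` with no validation marker, so its expected format (presumably a duration string) should at least be stated in a comment.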

+ 41 - 143
apis/externalsecrets/v1/secretstore_vault_types.go → apis/externalsecrets/v1alpha1/secretstore_vault_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1
+package v1alpha1
 
 import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -25,11 +25,45 @@ const (
 	VaultKVStoreV2 VaultKVStoreVersion = "v2"
 )
 
+type CAProviderType string
+
+const (
+	CAProviderTypeSecret    CAProviderType = "Secret"
+	CAProviderTypeConfigMap CAProviderType = "ConfigMap"
+)
+
+// Defines a location to fetch the cert for the vault provider from.
+type CAProvider struct {
+	// The type of provider to use such as "Secret", or "ConfigMap".
+	// +kubebuilder:validation:Enum="Secret";"ConfigMap"
+	Type CAProviderType `json:"type"`
+
+	// The name of the object located at the provider type.
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:MaxLength:=253
+	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+	Name string `json:"name"`
+
+	// The key where the CA certificate can be found in the Secret or ConfigMap.
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:MaxLength:=253
+	// +kubebuilder:validation:Pattern:=^[-._a-zA-Z0-9]+$
+	Key string `json:"key,omitempty"`
+
+	// The namespace the Provider type is in.
+	// +optional
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:MaxLength:=63
+	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+	Namespace *string `json:"namespace,omitempty"`
+}
+
 // Configures an store to sync secrets using a HashiCorp Vault
 // KV backend.
 type VaultProvider struct {
 	// Auth configures how secret-manager authenticates with the Vault server.
-	Auth *VaultAuth `json:"auth,omitempty"`
+	Auth VaultAuth `json:"auth"`
 
 	// Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
 	Server string `json:"server"`
@@ -61,14 +95,6 @@ type VaultProvider struct {
 	// +optional
 	CABundle []byte `json:"caBundle,omitempty"`
 
-	// The configuration used for client side related TLS communication, when the Vault server
-	// requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
-	// This parameter is ignored for plain HTTP protocol connection.
-	// It's worth noting this configuration is different from the "TLS certificates auth method",
-	// which is available under the `auth.cert` section.
-	// +optional
-	ClientTLS VaultClientTLS `json:"tls,omitempty"`
-
 	// The provider for the CA bundle to use to validate Vault server certificate.
 	// +optional
 	CAProvider *CAProvider `json:"caProvider,omitempty"`
@@ -86,40 +112,12 @@ type VaultProvider struct {
 	// https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
 	// +optional
 	ForwardInconsistent bool `json:"forwardInconsistent,omitempty"`
-
-	// Headers to be added in Vault request
-	// +optional
-	Headers map[string]string `json:"headers,omitempty"`
-}
-
-// VaultClientTLS is the configuration used for client side related TLS communication,
-// when the Vault server requires mutual authentication.
-type VaultClientTLS struct {
-	// CertSecretRef is a certificate added to the transport layer
-	// when communicating with the Vault server.
-	// If no key for the Secret is specified, external-secret will default to 'tls.crt'.
-	// +optional
-	CertSecretRef *esmeta.SecretKeySelector `json:"certSecretRef,omitempty"`
-
-	// KeySecretRef to a key in a Secret resource containing client private key
-	// added to the transport layer when communicating with the Vault server.
-	// If no key for the Secret is specified, external-secret will default to 'tls.key'.
-	// +optional
-	KeySecretRef *esmeta.SecretKeySelector `json:"keySecretRef,omitempty"`
 }
 
 // VaultAuth is the configuration used to authenticate with a Vault server.
-// Only one of `tokenSecretRef`, `appRole`,  `kubernetes`, `ldap`, `userPass`, `jwt` or `cert`
-// can be specified. A namespace to authenticate against can optionally be specified.
+// Only one of `tokenSecretRef`, `appRole`,  `kubernetes`, `ldap`, `jwt` or `cert`
+// can be specified.
 type VaultAuth struct {
-	// Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
-	// Namespaces is a set of features within Vault Enterprise that allows
-	// Vault environments to support Secure Multi-tenancy. e.g: "ns1".
-	// More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
-	// This will default to Vault.Namespace field if set, or empty otherwise
-	// +optional
-	Namespace *string `json:"namespace,omitempty"`
-
 	// TokenSecretRef authenticates with Vault by presenting a token.
 	// +optional
 	TokenSecretRef *esmeta.SecretKeySelector `json:"tokenSecretRef,omitempty"`
@@ -148,15 +146,6 @@ type VaultAuth struct {
 	// Cert authentication method
 	// +optional
 	Cert *VaultCertAuth `json:"cert,omitempty"`
-
-	// Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
-	// AWS IAM authentication method
-	// +optional
-	Iam *VaultIamAuth `json:"iam,omitempty"`
-
-	// UserPass authenticates with Vault by passing username/password pair
-	// +optional
-	UserPass *VaultUserPassAuth `json:"userPass,omitempty"`
 }
 
 // VaultAppRole authenticates with Vault using the App Role auth mechanism,
@@ -169,15 +158,7 @@ type VaultAppRole struct {
 
 	// RoleID configured in the App Role authentication backend when setting
 	// up the authentication backend in Vault.
-	//+optional
-	RoleID string `json:"roleId,omitempty"`
-
-	// Reference to a key in a Secret that contains the App Role ID used
-	// to authenticate with Vault.
-	// The `key` field must be specified and denotes which entry within the Secret
-	// resource is used as the app role id.
-	//+optional
-	RoleRef *esmeta.SecretKeySelector `json:"roleRef,omitempty"`
+	RoleID string `json:"roleId"`
 
 	// Reference to a key in a Secret that contains the App Role secret used
 	// to authenticate with Vault.
@@ -221,51 +202,16 @@ type VaultLdapAuth struct {
 	// +kubebuilder:default=ldap
 	Path string `json:"path"`
 
-	// Username is an LDAP username used to authenticate using the LDAP Vault
+	// Username is a LDAP user name used to authenticate using the LDAP Vault
 	// authentication method
 	Username string `json:"username"`
 
 	// SecretRef to a key in a Secret resource containing password for the LDAP
 	// user used to authenticate with Vault using the LDAP authentication
 	// method
-	// +optional
 	SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
 }
 
-// VaultAwsAuth tells the controller how to do authentication with aws.
-// Only one of secretRef or jwt can be specified.
-// if none is specified the controller will try to load credentials from its own service account assuming it is IRSA enabled.
-type VaultAwsAuth struct {
-	// +optional
-	SecretRef *VaultAwsAuthSecretRef `json:"secretRef,omitempty"`
-	// +optional
-	JWTAuth *VaultAwsJWTAuth `json:"jwt,omitempty"`
-}
-
-// VaultAWSAuthSecretRef holds secret references for AWS credentials
-// both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
-type VaultAwsAuthSecretRef struct {
-	// The AccessKeyID is used for authentication
-	// +optional
-	AccessKeyID esmeta.SecretKeySelector `json:"accessKeyIDSecretRef,omitempty"`
-
-	// The SecretAccessKey is used for authentication
-	// +optional
-	SecretAccessKey esmeta.SecretKeySelector `json:"secretAccessKeySecretRef,omitempty"`
-
-	// The SessionToken used for authentication
-	// This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
-	// see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
-	// +optional
-	SessionToken *esmeta.SecretKeySelector `json:"sessionTokenSecretRef,omitempty"`
-}
-
-// VaultAwsJWTAuth Authenticate against AWS using service account tokens.
-type VaultAwsJWTAuth struct {
-	// +optional
-	ServiceAccountRef *esmeta.ServiceAccountSelector `json:"serviceAccountRef,omitempty"`
-}
-
 // VaultKubernetesServiceAccountTokenAuth authenticates with Vault using a temporary
 // Kubernetes service account token retrieved by the `TokenRequest` API.
 type VaultKubernetesServiceAccountTokenAuth struct {
@@ -275,14 +221,12 @@ type VaultKubernetesServiceAccountTokenAuth struct {
 	// Optional audiences field that will be used to request a temporary Kubernetes service
 	// account token for the service account referenced by `serviceAccountRef`.
 	// Defaults to a single audience `vault` it not specified.
-	// Deprecated: use serviceAccountRef.Audiences instead
 	// +optional
 	Audiences *[]string `json:"audiences,omitempty"`
 
 	// Optional expiration time in seconds that will be used to request a temporary
 	// Kubernetes service account token for the service account referenced by
 	// `serviceAccountRef`.
-	// Deprecated: this will be removed in the future.
 	// Defaults to 10 minutes.
 	// +optional
 	ExpirationSeconds *int64 `json:"expirationSeconds,omitempty"`
@@ -313,7 +257,7 @@ type VaultJwtAuth struct {
 	KubernetesServiceAccountToken *VaultKubernetesServiceAccountTokenAuth `json:"kubernetesServiceAccountToken,omitempty"`
 }
 
-// VaultCertAuth authenticates with Vault using the JWT/OIDC authentication
+// VaultJwtAuth authenticates with Vault using the JWT/OIDC authentication
 // method, with the role name and token stored in a Kubernetes Secret resource.
 type VaultCertAuth struct {
 	// ClientCert is a certificate to authenticate using the Cert Vault
@@ -323,51 +267,5 @@ type VaultCertAuth struct {
 
 	// SecretRef to a key in a Secret resource containing client private key to
 	// authenticate with Vault using the Cert authentication method
-	// +optional
-	SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
-}
-
-// VaultIamAuth authenticates with Vault using the Vault's AWS IAM authentication method. Refer: https://developer.hashicorp.com/vault/docs/auth/aws
-type VaultIamAuth struct {
-	// Path where the AWS auth method is enabled in Vault, e.g: "aws"
-	// +optional
-	Path string `json:"path,omitempty"`
-	// AWS region
-	// +optional
-	Region string `json:"region,omitempty"`
-	// This is the AWS role to be assumed before talking to vault
-	// +optional
-	AWSIAMRole string `json:"role,omitempty"`
-	// Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
-	Role string `json:"vaultRole"`
-	// AWS External ID set on assumed IAM roles
-	ExternalID string `json:"externalID,omitempty"`
-	// X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws
-	// +optional
-	VaultAWSIAMServerID string `json:"vaultAwsIamServerID,omitempty"`
-	// Specify credentials in a Secret object
-	// +optional
-	SecretRef *VaultAwsAuthSecretRef `json:"secretRef,omitempty"`
-	// Specify a service account with IRSA enabled
-	// +optional
-	JWTAuth *VaultAwsJWTAuth `json:"jwt,omitempty"`
-}
-
-// VaultUserPassAuth authenticates with Vault using UserPass authentication method,
-// with the username and password stored in a Kubernetes Secret resource.
-type VaultUserPassAuth struct {
-	// Path where the UserPassword authentication backend is mounted
-	// in Vault, e.g: "userpass"
-	// +kubebuilder:default=userpass
-	Path string `json:"path"`
-
-	// Username is a username used to authenticate using the UserPass Vault
-	// authentication method
-	Username string `json:"username"`
-
-	// SecretRef to a key in a Secret resource containing password for the
-	// user used to authenticate with Vault using the UserPass authentication
-	// method
-	// +optional
 	SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
 }

+ 1 - 3
apis/externalsecrets/v1/secretstore_webhook.go → apis/externalsecrets/v1alpha1/secretstore_webhook.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1
+package v1alpha1
 
 import (
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -21,13 +21,11 @@ import (
 func (c *SecretStore) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(c).
-		WithValidator(&GenericStoreValidator{}).
 		Complete()
 }
 
 func (c *ClusterSecretStore) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(c).
-		WithValidator(&GenericStoreValidator{}).
 		Complete()
 }
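Review bot: Both `SetupWebhookWithManager` functions for the v1alpha1 `SecretStore` and `ClusterSecretStore` now go straight from `For(c)` to `Complete()` with no validator attached, so as far as this section shows these registrations perform no admission validation of their own. `cmd/controller/webhook.go` in the same commit registers these v1alpha1 webhooks again, which makes the gap easy to miss. If validation is meant to happen only on the v1beta1 hub types (not visible here), say so above each function, e.g. `// No validator is attached for v1alpha1; store validation is expected to run against the v1beta1 storage version.` It is also worth confirming that the validating webhook configuration still routes v1alpha1 create and update requests through a validator, since a store spec that skips validation is presumably only caught later by the controller.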

+ 1 - 1
apis/externalsecrets/v1/secretstore_webhook_types.go → apis/externalsecrets/v1alpha1/secretstore_webhook_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1
+package v1alpha1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

+ 1 - 1
apis/externalsecrets/v1/secretstore_yandexlockbox_types.go → apis/externalsecrets/v1alpha1/secretstore_yandexlockbox_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1
+package v1alpha1
 
 import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"

File diff suppressed because it is too large
+ 1090 - 36
apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go


+ 1 - 0
apis/externalsecrets/v1beta1/clusterexternalsecret_types.go

@@ -107,6 +107,7 @@ type ClusterExternalSecretStatus struct {
 }
 
 // +kubebuilder:object:root=true
+// +kubebuilder:storageversion
 // +kubebuilder:resource:scope=Cluster,categories={external-secrets},shortName=ces
 // +kubebuilder:subresource:status
 // +kubebuilder:metadata:labels="external-secrets.io/component=controller"

+ 5 - 5
apis/externalsecrets/v1/doc.go → apis/externalsecrets/v1beta1/externalsecret_conversion.go

@@ -12,8 +12,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Package v1 contains resources for external-secrets
-// +kubebuilder:object:generate=true
-// +groupName=external-secrets.io
-// +versionName=v1
-package v1
+package v1beta1
+
+func (*ExternalSecret) Hub() {
+	// This empty method defines the Hub convertible interface.
+}

+ 4 - 19
apis/externalsecrets/v1beta1/externalsecret_types.go

@@ -118,10 +118,11 @@ const (
 	MergePolicyMerge   TemplateMergePolicy = "Merge"
 )
 
-// +kubebuilder:validation:Enum=v2
+// +kubebuilder:validation:Enum=v1;v2
 type TemplateEngineVersion string
 
 const (
+	TemplateEngineV1 TemplateEngineVersion = "v1"
 	TemplateEngineV2 TemplateEngineVersion = "v2"
 )
 
@@ -359,15 +360,6 @@ type FindName struct {
 	RegExp string `json:"regexp,omitempty"`
 }
 
-// +kubebuilder:validation:Enum=CreatedOnce;Periodic;OnChange
-type ExternalSecretRefreshPolicy string
-
-const (
-	RefreshPolicyCreatedOnce ExternalSecretRefreshPolicy = "CreatedOnce"
-	RefreshPolicyPeriodic    ExternalSecretRefreshPolicy = "Periodic"
-	RefreshPolicyOnChange    ExternalSecretRefreshPolicy = "OnChange"
-)
-
 // ExternalSecretSpec defines the desired state of ExternalSecret.
 type ExternalSecretSpec struct {
 	// +optional
@@ -377,18 +369,10 @@ type ExternalSecretSpec struct {
 	// +optional
 	Target ExternalSecretTarget `json:"target,omitempty"`
 
-	// RefreshPolicy determines how the ExternalSecret should be refreshed:
-	// - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
-	// - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
-	//   No periodic updates occur if refreshInterval is 0.
-	// - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
-	// +optional
-	RefreshPolicy ExternalSecretRefreshPolicy `json:"refreshPolicy,omitempty"`
-
 	// RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
 	// specified as Golang Duration strings.
 	// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-	// Example values: "1h", "2h30m", "10s"
+	// Example values: "1h", "2h30m", "5d", "10s"
 	// May be set to zero to fetch and create it once. Defaults to 1h.
 	// +kubebuilder:default="1h"
 	RefreshInterval *metav1.Duration `json:"refreshInterval,omitempty"`
@@ -506,6 +490,7 @@ type ExternalSecretStatus struct {
 }
 
 // +kubebuilder:object:root=true
+// +kubebuilder:storageversion
 // ExternalSecret is the Schema for the external-secrets API.
 // +kubebuilder:subresource:status
 // +kubebuilder:metadata:labels="external-secrets.io/component=controller"
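Review bot: The restored example list on the `RefreshInterval` comment includes `"5d"`, but the line directly above it lists the valid units as ns, us, ms, s, m and h, and Go duration parsing has no day unit. A user who copies the example gets a value that fails to parse rather than a five-day refresh of the secret. I would keep the line as `// Example values: "1h", "2h30m", "10s"`, or spell the long interval as `"120h"`. `ExternalSecretSpec` starts and ends outside the hunk that carries this comment.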

+ 2 - 2
apis/externalsecrets/v1beta1/fakes/pushremoteref.go

@@ -4,7 +4,7 @@ package fakes
 import (
 	"sync"
 
-	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 )
 
 type PushRemoteRef struct {
@@ -103,4 +103,4 @@ func (fake *PushRemoteRef) recordInvocation(key string, args []any) {
 	fake.invocations[key] = append(fake.invocations[key], args)
 }
 
-var _ esv1.PushSecretRemoteRef = new(PushRemoteRef)
+var _ v1beta1.PushSecretRemoteRef = new(PushRemoteRef)

+ 6 - 6
apis/externalsecrets/v1/secretstore_keepersecurity_types.go → apis/externalsecrets/v1beta1/secretstore_conversion.go

@@ -12,12 +12,12 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1
+package v1beta1
 
-import smmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+func (*SecretStore) Hub() {
+	// Hub() method to be compliant with the conversion Hub interface
+}
 
-// KeeperSecurityProvider Configures a store to sync secrets using Keeper Security.
-type KeeperSecurityProvider struct {
-	Auth     smmeta.SecretKeySelector `json:"authRef"`
-	FolderID string                   `json:"folderID"`
+func (*ClusterSecretStore) Hub() {
+	// Hub() method to be compliant with the conversion Hub interface
 }

+ 5 - 3
apis/externalsecrets/v1beta1/secretstore_fake_types.go

@@ -20,7 +20,9 @@ type FakeProvider struct {
 }
 
 type FakeProviderData struct {
-	Key     string `json:"key"`
-	Value   string `json:"value"`
-	Version string `json:"version,omitempty"`
+	Key   string `json:"key"`
+	Value string `json:"value,omitempty"`
+	// Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.
+	ValueMap map[string]string `json:"valueMap,omitempty"`
+	Version  string            `json:"version,omitempty"`
 }
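Review bot: `Value` becomes optional (`omitempty`) and the deprecated `ValueMap` comes back, but nothing in `FakeProviderData` says which field is used when both are set, or what an entry with neither one means. I would document that on the field, for example `// Value is the value returned for Key. If ValueMap is also set, <state which one the fake provider uses>.` If the provider does not already handle entries that set neither field, a schema validation requiring one of the two would reject them at admission time.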

+ 3 - 13
apis/externalsecrets/v1beta1/secretstore_gcpsm_types.go

@@ -32,20 +32,10 @@ type GCPSMAuthSecretRef struct {
 }
 
 type GCPWorkloadIdentity struct {
-	// +kubebuilder:validation:Required
 	ServiceAccountRef esmeta.ServiceAccountSelector `json:"serviceAccountRef"`
-	// ClusterLocation is the location of the cluster
-	// If not specified, it fetches information from the metadata server
-	// +optional
-	ClusterLocation string `json:"clusterLocation,omitempty"`
-	// ClusterName is the name of the cluster
-	// If not specified, it fetches information from the metadata server
-	// +optional
-	ClusterName string `json:"clusterName,omitempty"`
-	// ClusterProjectID is the project ID of the cluster
-	// If not specified, it fetches information from the metadata server
-	// +optional
-	ClusterProjectID string `json:"clusterProjectID,omitempty"`
+	ClusterLocation   string                        `json:"clusterLocation"`
+	ClusterName       string                        `json:"clusterName"`
+	ClusterProjectID  string                        `json:"clusterProjectID,omitempty"`
 }
 
 // GCPSMProvider Configures a store to sync secrets using the GCP Secret Manager provider.

+ 2 - 0
apis/externalsecrets/v1beta1/secretstore_types.go

@@ -291,6 +291,7 @@ type SecretStoreStatus struct {
 }
 
 // +kubebuilder:object:root=true
+// +kubebuilder:storageversion
 
 // SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
 // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
@@ -318,6 +319,7 @@ type SecretStoreList struct {
 }
 
 // +kubebuilder:object:root=true
+// +kubebuilder:storageversion
 
 // ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
 // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"

+ 10 - 1
apis/externalsecrets/v1beta1/zz_generated.deepcopy.go

@@ -1602,7 +1602,9 @@ func (in *FakeProvider) DeepCopyInto(out *FakeProvider) {
 	if in.Data != nil {
 		in, out := &in.Data, &out.Data
 		*out = make([]FakeProviderData, len(*in))
-		copy(*out, *in)
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
 }
 
@@ -1619,6 +1621,13 @@ func (in *FakeProvider) DeepCopy() *FakeProvider {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FakeProviderData) DeepCopyInto(out *FakeProviderData) {
 	*out = *in
+	if in.ValueMap != nil {
+		in, out := &in.ValueMap, &out.ValueMap
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FakeProviderData.

+ 2 - 2
apis/generators/v1alpha1/types_acr.go

@@ -17,7 +17,7 @@ package v1alpha1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	smmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
@@ -50,7 +50,7 @@ type ACRAccessTokenSpec struct {
 	// The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
 	// PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
 	// +kubebuilder:default=PublicCloud
-	EnvironmentType esv1.AzureEnvironmentType `json:"environmentType,omitempty"`
+	EnvironmentType v1beta1.AzureEnvironmentType `json:"environmentType,omitempty"`
 }
 
 type ACRAuth struct {

+ 3 - 3
apis/generators/v1alpha1/types_vault.go

@@ -18,7 +18,7 @@ import (
 	apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 )
 
 type VaultDynamicSecretSpec struct {
@@ -44,10 +44,10 @@ type VaultDynamicSecretSpec struct {
 
 	// Used to configure http retries if failed
 	// +optional
-	RetrySettings *esv1.SecretStoreRetrySettings `json:"retrySettings,omitempty"`
+	RetrySettings *esv1beta1.SecretStoreRetrySettings `json:"retrySettings,omitempty"`
 
 	// Vault provider common spec
-	Provider *esv1.VaultProvider `json:"provider"`
+	Provider *esv1beta1.VaultProvider `json:"provider"`
 
 	// Vault path to obtain the dynamic secret from
 	Path string `json:"path"`

+ 3 - 3
apis/generators/v1alpha1/zz_generated.deepcopy.go

@@ -19,7 +19,7 @@ limitations under the License.
 package v1alpha1
 
 import (
-	externalsecretsv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	metav1 "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -1563,12 +1563,12 @@ func (in *VaultDynamicSecretSpec) DeepCopyInto(out *VaultDynamicSecretSpec) {
 	}
 	if in.RetrySettings != nil {
 		in, out := &in.RetrySettings, &out.RetrySettings
-		*out = new(externalsecretsv1.SecretStoreRetrySettings)
+		*out = new(v1beta1.SecretStoreRetrySettings)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.Provider != nil {
 		in, out := &in.Provider, &out.Provider
-		*out = new(externalsecretsv1.VaultProvider)
+		*out = new(v1beta1.VaultProvider)
 		(*in).DeepCopyInto(*out)
 	}
 }

+ 2 - 2
cmd/controller/root.go

@@ -33,8 +33,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
-	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
 	"github.com/external-secrets/external-secrets/pkg/controllers/clusterexternalsecret"
 	"github.com/external-secrets/external-secrets/pkg/controllers/clusterexternalsecret/cesmetrics"
@@ -103,7 +103,7 @@ func init() {
 	utilruntime.Must(apiextensionsv1.AddToScheme(scheme))
 
 	// external-secrets schemes
-	utilruntime.Must(esv1.AddToScheme(scheme))
+	utilruntime.Must(esv1beta1.AddToScheme(scheme))
 	utilruntime.Must(esv1alpha1.AddToScheme(scheme))
 	utilruntime.Must(genv1alpha1.AddToScheme(scheme))
 }

+ 18 - 8
cmd/controller/webhook.go

@@ -34,7 +34,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
-	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	"github.com/external-secrets/external-secrets/pkg/controllers/crds"
@@ -49,7 +48,6 @@ func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 
 	// external-secrets schemes
-	utilruntime.Must(esv1.AddToScheme(scheme))
 	utilruntime.Must(esv1beta1.AddToScheme(scheme))
 	utilruntime.Must(esv1alpha1.AddToScheme(scheme))
 }
@@ -125,16 +123,28 @@ var webhookCmd = &cobra.Command{
 			setupLog.Error(err, "unable to start manager")
 			os.Exit(1)
 		}
-		if err = (&esv1.ExternalSecret{}).SetupWebhookWithManager(mgr); err != nil {
-			setupLog.Error(err, errCreateWebhook, "webhook", "ExternalSecret-v1")
+		if err = (&esv1beta1.ExternalSecret{}).SetupWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, errCreateWebhook, "webhook", "ExternalSecret-v1beta1")
 			os.Exit(1)
 		}
-		if err = (&esv1.SecretStore{}).SetupWebhookWithManager(mgr); err != nil {
-			setupLog.Error(err, errCreateWebhook, "webhook", "SecretStore-v1")
+		if err = (&esv1beta1.SecretStore{}).SetupWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, errCreateWebhook, "webhook", "SecretStore-v1beta1")
 			os.Exit(1)
 		}
-		if err = (&esv1.ClusterSecretStore{}).SetupWebhookWithManager(mgr); err != nil {
-			setupLog.Error(err, errCreateWebhook, "webhook", "ClusterSecretStore-v1")
+		if err = (&esv1beta1.ClusterSecretStore{}).SetupWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, errCreateWebhook, "webhook", "ClusterSecretStore-v1beta1")
+			os.Exit(1)
+		}
+		if err = (&esv1alpha1.ExternalSecret{}).SetupWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, errCreateWebhook, "webhook", "ExternalSecret-v1alpha1")
+			os.Exit(1)
+		}
+		if err = (&esv1alpha1.SecretStore{}).SetupWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, errCreateWebhook, "webhook", "SecretStore-v1alpha1")
+			os.Exit(1)
+		}
+		if err = (&esv1alpha1.ClusterSecretStore{}).SetupWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, errCreateWebhook, "webhook", "ClusterSecretStore-v1alpha1")
 			os.Exit(1)
 		}
 

+ 8 - 8
cmd/esoctl/template.go

@@ -27,8 +27,8 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"sigs.k8s.io/yaml"
 
-	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	"github.com/external-secrets/external-secrets/pkg/controllers/templating"
 	"github.com/external-secrets/external-secrets/pkg/template"
 )
@@ -143,11 +143,11 @@ func templateRun(_ *cobra.Command, _ []string) error {
 	return err
 }
 
-func fetchTemplateFromSourceObject(obj *unstructured.Unstructured) (*esv1.ExternalSecretTemplate, error) {
-	var tmpl *esv1.ExternalSecretTemplate
+func fetchTemplateFromSourceObject(obj *unstructured.Unstructured) (*esv1beta1.ExternalSecretTemplate, error) {
+	var tmpl *esv1beta1.ExternalSecretTemplate
 	switch obj.GetKind() {
 	case "ExternalSecret":
-		es := &esv1.ExternalSecret{}
+		es := &esv1beta1.ExternalSecret{}
 		if err := runtime.DefaultUnstructuredConverter.FromUnstructured(obj.Object, es); err != nil {
 			return nil, err
 		}
@@ -167,7 +167,7 @@ func fetchTemplateFromSourceObject(obj *unstructured.Unstructured) (*esv1.Extern
 	return tmpl, nil
 }
 
-func executeTemplate(p *templating.Parser, ctx context.Context, tmpl *esv1.ExternalSecretTemplate) error {
+func executeTemplate(p *templating.Parser, ctx context.Context, tmpl *esv1beta1.ExternalSecretTemplate) error {
 	// apply templates defined in template.templateFrom
 	err := p.MergeTemplateFrom(ctx, "default", tmpl)
 	if err != nil {
@@ -176,21 +176,21 @@ func executeTemplate(p *templating.Parser, ctx context.Context, tmpl *esv1.Exter
 
 	// apply data templates
 	// NOTE: explicitly defined template.data templates take precedence over templateFrom
-	err = p.MergeMap(tmpl.Data, esv1.TemplateTargetData)
+	err = p.MergeMap(tmpl.Data, esv1beta1.TemplateTargetData)
 	if err != nil {
 		return fmt.Errorf("could not merge data: %w", err)
 	}
 
 	// apply templates for labels
 	// NOTE: this only works for v2 templates
-	err = p.MergeMap(tmpl.Metadata.Labels, esv1.TemplateTargetLabels)
+	err = p.MergeMap(tmpl.Metadata.Labels, esv1beta1.TemplateTargetLabels)
 	if err != nil {
 		return fmt.Errorf("could not merge labels: %w", err)
 	}
 
 	// apply template for annotations
 	// NOTE: this only works for v2 templates
-	err = p.MergeMap(tmpl.Metadata.Annotations, esv1.TemplateTargetAnnotations)
+	err = p.MergeMap(tmpl.Metadata.Annotations, esv1beta1.TemplateTargetAnnotations)
 	if err != nil {
 		return fmt.Errorf("could not merge annotations: %w", err)
 	}

+ 4 - 773
config/crds/bases/external-secrets.io_clusterexternalsecrets.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.3
+    controller-gen.kubebuilder.io/version: v0.17.2
   labels:
     external-secrets.io/component: controller
   name: clusterexternalsecrets.external-secrets.io
@@ -19,764 +19,6 @@ spec:
     singular: clusterexternalsecret
   scope: Cluster
   versions:
-  - additionalPrinterColumns:
-    - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
-      name: Store
-      type: string
-    - jsonPath: .spec.refreshTime
-      name: Refresh Interval
-      type: string
-    - jsonPath: .status.conditions[?(@.type=="Ready")].status
-      name: Ready
-      type: string
-    name: v1
-    schema:
-      openAPIV3Schema:
-        description: ClusterExternalSecret is the Schema for the clusterexternalsecrets
-          API.
-        properties:
-          apiVersion:
-            description: |-
-              APIVersion defines the versioned schema of this representation of an object.
-              Servers should convert recognized schemas to the latest internal value, and
-              may reject unrecognized values.
-              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
-            type: string
-          kind:
-            description: |-
-              Kind is a string value representing the REST resource this object represents.
-              Servers may infer this from the endpoint the client submits requests to.
-              Cannot be updated.
-              In CamelCase.
-              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
-            properties:
-              externalSecretMetadata:
-                description: The metadata of the external secrets to be created
-                properties:
-                  annotations:
-                    additionalProperties:
-                      type: string
-                    type: object
-                  labels:
-                    additionalProperties:
-                      type: string
-                    type: object
-                type: object
-              externalSecretName:
-                description: |-
-                  The name of the external secrets to be created.
-                  Defaults to the name of the ClusterExternalSecret
-                maxLength: 253
-                minLength: 1
-                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                type: string
-              externalSecretSpec:
-                description: The spec for the ExternalSecrets to be created
-                properties:
-                  data:
-                    description: Data defines the connection between the Kubernetes
-                      Secret keys and the Provider data
-                    items:
-                      description: ExternalSecretData defines the connection between
-                        the Kubernetes Secret key (spec.data.<key>) and the Provider
-                        data.
-                      properties:
-                        remoteRef:
-                          description: |-
-                            RemoteRef points to the remote secret and defines
-                            which secret (version/property/..) to fetch.
-                          properties:
-                            conversionStrategy:
-                              default: Default
-                              description: Used to define a conversion Strategy
-                              enum:
-                              - Default
-                              - Unicode
-                              type: string
-                            decodingStrategy:
-                              default: None
-                              description: Used to define a decoding Strategy
-                              enum:
-                              - Auto
-                              - Base64
-                              - Base64URL
-                              - None
-                              type: string
-                            key:
-                              description: Key is the key used in the Provider, mandatory
-                              type: string
-                            metadataPolicy:
-                              default: None
-                              description: Policy for fetching tags/labels from provider
-                                secrets, possible options are Fetch, None. Defaults
-                                to None
-                              enum:
-                              - None
-                              - Fetch
-                              type: string
-                            property:
-                              description: Used to select a specific property of the
-                                Provider value (if a map), if supported
-                              type: string
-                            version:
-                              description: Used to select a specific version of the
-                                Provider value, if supported
-                              type: string
-                          required:
-                          - key
-                          type: object
-                        secretKey:
-                          description: The key in the Kubernetes Secret to store the
-                            value.
-                          maxLength: 253
-                          minLength: 1
-                          pattern: ^[-._a-zA-Z0-9]+$
-                          type: string
-                        sourceRef:
-                          description: |-
-                            SourceRef allows you to override the source
-                            from which the value will be pulled.
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            generatorRef:
-                              description: |-
-                                GeneratorRef points to a generator custom resource.
-
-                                Deprecated: The generatorRef is not implemented in .data[].
-                                this will be removed with v1.
-                              properties:
-                                apiVersion:
-                                  default: generators.external-secrets.io/v1alpha1
-                                  description: Specify the apiVersion of the generator
-                                    resource
-                                  type: string
-                                kind:
-                                  description: Specify the Kind of the generator resource
-                                  enum:
-                                  - ACRAccessToken
-                                  - ClusterGenerator
-                                  - ECRAuthorizationToken
-                                  - Fake
-                                  - GCRAccessToken
-                                  - GithubAccessToken
-                                  - QuayAccessToken
-                                  - Password
-                                  - STSSessionToken
-                                  - UUID
-                                  - VaultDynamicSecret
-                                  - Webhook
-                                  - Grafana
-                                  type: string
-                                name:
-                                  description: Specify the name of the generator resource
-                                  maxLength: 253
-                                  minLength: 1
-                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                                  type: string
-                              required:
-                              - kind
-                              - name
-                              type: object
-                            storeRef:
-                              description: SecretStoreRef defines which SecretStore
-                                to fetch the ExternalSecret data.
-                              properties:
-                                kind:
-                                  description: |-
-                                    Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                                    Defaults to `SecretStore`
-                                  enum:
-                                  - SecretStore
-                                  - ClusterSecretStore
-                                  type: string
-                                name:
-                                  description: Name of the SecretStore resource
-                                  maxLength: 253
-                                  minLength: 1
-                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                                  type: string
-                              type: object
-                          type: object
-                      required:
-                      - remoteRef
-                      - secretKey
-                      type: object
-                    type: array
-                  dataFrom:
-                    description: |-
-                      DataFrom is used to fetch all properties from a specific Provider data
-                      If multiple entries are specified, the Secret keys are merged in the specified order
-                    items:
-                      properties:
-                        extract:
-                          description: |-
-                            Used to extract multiple key/value pairs from one secret
-                            Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
-                          properties:
-                            conversionStrategy:
-                              default: Default
-                              description: Used to define a conversion Strategy
-                              enum:
-                              - Default
-                              - Unicode
-                              type: string
-                            decodingStrategy:
-                              default: None
-                              description: Used to define a decoding Strategy
-                              enum:
-                              - Auto
-                              - Base64
-                              - Base64URL
-                              - None
-                              type: string
-                            key:
-                              description: Key is the key used in the Provider, mandatory
-                              type: string
-                            metadataPolicy:
-                              default: None
-                              description: Policy for fetching tags/labels from provider
-                                secrets, possible options are Fetch, None. Defaults
-                                to None
-                              enum:
-                              - None
-                              - Fetch
-                              type: string
-                            property:
-                              description: Used to select a specific property of the
-                                Provider value (if a map), if supported
-                              type: string
-                            version:
-                              description: Used to select a specific version of the
-                                Provider value, if supported
-                              type: string
-                          required:
-                          - key
-                          type: object
-                        find:
-                          description: |-
-                            Used to find secrets based on tags or regular expressions
-                            Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
-                          properties:
-                            conversionStrategy:
-                              default: Default
-                              description: Used to define a conversion Strategy
-                              enum:
-                              - Default
-                              - Unicode
-                              type: string
-                            decodingStrategy:
-                              default: None
-                              description: Used to define a decoding Strategy
-                              enum:
-                              - Auto
-                              - Base64
-                              - Base64URL
-                              - None
-                              type: string
-                            name:
-                              description: Finds secrets based on the name.
-                              properties:
-                                regexp:
-                                  description: Finds secrets base
-                                  type: string
-                              type: object
-                            path:
-                              description: A root path to start the find operations.
-                              type: string
-                            tags:
-                              additionalProperties:
-                                type: string
-                              description: Find secrets based on tags.
-                              type: object
-                          type: object
-                        rewrite:
-                          description: |-
-                            Used to rewrite secret Keys after getting them from the secret Provider
-                            Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
-                          items:
-                            properties:
-                              regexp:
-                                description: |-
-                                  Used to rewrite with regular expressions.
-                                  The resulting key will be the output of a regexp.ReplaceAll operation.
-                                properties:
-                                  source:
-                                    description: Used to define the regular expression
-                                      of a re.Compiler.
-                                    type: string
-                                  target:
-                                    description: Used to define the target pattern
-                                      of a ReplaceAll operation.
-                                    type: string
-                                required:
-                                - source
-                                - target
-                                type: object
-                              transform:
-                                description: |-
-                                  Used to apply string transformation on the secrets.
-                                  The resulting key will be the output of the template applied by the operation.
-                                properties:
-                                  template:
-                                    description: |-
-                                      Used to define the template to apply on the secret name.
-                                      `.value ` will specify the secret name in the template.
-                                    type: string
-                                required:
-                                - template
-                                type: object
-                            type: object
-                          type: array
-                        sourceRef:
-                          description: |-
-                            SourceRef points to a store or generator
-                            which contains secret values ready to use.
-                            Use this in combination with Extract or Find pull values out of
-                            a specific SecretStore.
-                            When sourceRef points to a generator Extract or Find is not supported.
-                            The generator returns a static map of values
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            generatorRef:
-                              description: GeneratorRef points to a generator custom
-                                resource.
-                              properties:
-                                apiVersion:
-                                  default: generators.external-secrets.io/v1alpha1
-                                  description: Specify the apiVersion of the generator
-                                    resource
-                                  type: string
-                                kind:
-                                  description: Specify the Kind of the generator resource
-                                  enum:
-                                  - ACRAccessToken
-                                  - ClusterGenerator
-                                  - ECRAuthorizationToken
-                                  - Fake
-                                  - GCRAccessToken
-                                  - GithubAccessToken
-                                  - QuayAccessToken
-                                  - Password
-                                  - STSSessionToken
-                                  - UUID
-                                  - VaultDynamicSecret
-                                  - Webhook
-                                  - Grafana
-                                  type: string
-                                name:
-                                  description: Specify the name of the generator resource
-                                  maxLength: 253
-                                  minLength: 1
-                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                                  type: string
-                              required:
-                              - kind
-                              - name
-                              type: object
-                            storeRef:
-                              description: SecretStoreRef defines which SecretStore
-                                to fetch the ExternalSecret data.
-                              properties:
-                                kind:
-                                  description: |-
-                                    Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                                    Defaults to `SecretStore`
-                                  enum:
-                                  - SecretStore
-                                  - ClusterSecretStore
-                                  type: string
-                                name:
-                                  description: Name of the SecretStore resource
-                                  maxLength: 253
-                                  minLength: 1
-                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                                  type: string
-                              type: object
-                          type: object
-                      type: object
-                    type: array
-                  refreshInterval:
-                    default: 1h
-                    description: |-
-                      RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
-                      specified as Golang Duration strings.
-                      Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-                      Example values: "1h", "2h30m", "10s"
-                      May be set to zero to fetch and create it once. Defaults to 1h.
-                    type: string
-                  refreshPolicy:
-                    description: |-
-                      RefreshPolicy determines how the ExternalSecret should be refreshed:
-                      - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
-                      - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
-                        No periodic updates occur if refreshInterval is 0.
-                      - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
-                    enum:
-                    - CreatedOnce
-                    - Periodic
-                    - OnChange
-                    type: string
-                  secretStoreRef:
-                    description: SecretStoreRef defines which SecretStore to fetch
-                      the ExternalSecret data.
-                    properties:
-                      kind:
-                        description: |-
-                          Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                          Defaults to `SecretStore`
-                        enum:
-                        - SecretStore
-                        - ClusterSecretStore
-                        type: string
-                      name:
-                        description: Name of the SecretStore resource
-                        maxLength: 253
-                        minLength: 1
-                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                        type: string
-                    type: object
-                  target:
-                    default:
-                      creationPolicy: Owner
-                      deletionPolicy: Retain
-                    description: |-
-                      ExternalSecretTarget defines the Kubernetes Secret to be created
-                      There can be only one target per ExternalSecret.
-                    properties:
-                      creationPolicy:
-                        default: Owner
-                        description: |-
-                          CreationPolicy defines rules on how to create the resulting Secret.
-                          Defaults to "Owner"
-                        enum:
-                        - Owner
-                        - Orphan
-                        - Merge
-                        - None
-                        type: string
-                      deletionPolicy:
-                        default: Retain
-                        description: |-
-                          DeletionPolicy defines rules on how to delete the resulting Secret.
-                          Defaults to "Retain"
-                        enum:
-                        - Delete
-                        - Merge
-                        - Retain
-                        type: string
-                      immutable:
-                        description: Immutable defines if the final secret will be
-                          immutable
-                        type: boolean
-                      name:
-                        description: |-
-                          The name of the Secret resource to be managed.
-                          Defaults to the .metadata.name of the ExternalSecret resource
-                        maxLength: 253
-                        minLength: 1
-                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                        type: string
-                      template:
-                        description: Template defines a blueprint for the created
-                          Secret resource.
-                        properties:
-                          data:
-                            additionalProperties:
-                              type: string
-                            type: object
-                          engineVersion:
-                            default: v2
-                            description: |-
-                              EngineVersion specifies the template engine version
-                              that should be used to compile/execute the
-                              template specified in .data and .templateFrom[].
-                            enum:
-                            - v2
-                            type: string
-                          mergePolicy:
-                            default: Replace
-                            enum:
-                            - Replace
-                            - Merge
-                            type: string
-                          metadata:
-                            description: ExternalSecretTemplateMetadata defines metadata
-                              fields for the Secret blueprint.
-                            properties:
-                              annotations:
-                                additionalProperties:
-                                  type: string
-                                type: object
-                              labels:
-                                additionalProperties:
-                                  type: string
-                                type: object
-                            type: object
-                          templateFrom:
-                            items:
-                              properties:
-                                configMap:
-                                  properties:
-                                    items:
-                                      description: A list of keys in the ConfigMap/Secret
-                                        to use as templates for Secret data
-                                      items:
-                                        properties:
-                                          key:
-                                            description: A key in the ConfigMap/Secret
-                                            maxLength: 253
-                                            minLength: 1
-                                            pattern: ^[-._a-zA-Z0-9]+$
-                                            type: string
-                                          templateAs:
-                                            default: Values
-                                            enum:
-                                            - Values
-                                            - KeysAndValues
-                                            type: string
-                                        required:
-                                        - key
-                                        type: object
-                                      type: array
-                                    name:
-                                      description: The name of the ConfigMap/Secret
-                                        resource
-                                      maxLength: 253
-                                      minLength: 1
-                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                                      type: string
-                                  required:
-                                  - items
-                                  - name
-                                  type: object
-                                literal:
-                                  type: string
-                                secret:
-                                  properties:
-                                    items:
-                                      description: A list of keys in the ConfigMap/Secret
-                                        to use as templates for Secret data
-                                      items:
-                                        properties:
-                                          key:
-                                            description: A key in the ConfigMap/Secret
-                                            maxLength: 253
-                                            minLength: 1
-                                            pattern: ^[-._a-zA-Z0-9]+$
-                                            type: string
-                                          templateAs:
-                                            default: Values
-                                            enum:
-                                            - Values
-                                            - KeysAndValues
-                                            type: string
-                                        required:
-                                        - key
-                                        type: object
-                                      type: array
-                                    name:
-                                      description: The name of the ConfigMap/Secret
-                                        resource
-                                      maxLength: 253
-                                      minLength: 1
-                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                                      type: string
-                                  required:
-                                  - items
-                                  - name
-                                  type: object
-                                target:
-                                  default: Data
-                                  enum:
-                                  - Data
-                                  - Annotations
-                                  - Labels
-                                  type: string
-                              type: object
-                            type: array
-                          type:
-                            type: string
-                        type: object
-                    type: object
-                type: object
-              namespaceSelector:
-                description: |-
-                  The labels to select by to find the Namespaces to create the ExternalSecrets in.
-                  Deprecated: Use NamespaceSelectors instead.
-                properties:
-                  matchExpressions:
-                    description: matchExpressions is a list of label selector requirements.
-                      The requirements are ANDed.
-                    items:
-                      description: |-
-                        A label selector requirement is a selector that contains values, a key, and an operator that
-                        relates the key and values.
-                      properties:
-                        key:
-                          description: key is the label key that the selector applies
-                            to.
-                          type: string
-                        operator:
-                          description: |-
-                            operator represents a key's relationship to a set of values.
-                            Valid operators are In, NotIn, Exists and DoesNotExist.
-                          type: string
-                        values:
-                          description: |-
-                            values is an array of string values. If the operator is In or NotIn,
-                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                            the values array must be empty. This array is replaced during a strategic
-                            merge patch.
-                          items:
-                            type: string
-                          type: array
-                          x-kubernetes-list-type: atomic
-                      required:
-                      - key
-                      - operator
-                      type: object
-                    type: array
-                    x-kubernetes-list-type: atomic
-                  matchLabels:
-                    additionalProperties:
-                      type: string
-                    description: |-
-                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                      map is equivalent to an element of matchExpressions, whose key field is "key", the
-                      operator is "In", and the values array contains only "value". The requirements are ANDed.
-                    type: object
-                type: object
-                x-kubernetes-map-type: atomic
-              namespaceSelectors:
-                description: A list of labels to select by to find the Namespaces
-                  to create the ExternalSecrets in. The selectors are ORed.
-                items:
-                  description: |-
-                    A label selector is a label query over a set of resources. The result of matchLabels and
-                    matchExpressions are ANDed. An empty label selector matches all objects. A null
-                    label selector matches no objects.
-                  properties:
-                    matchExpressions:
-                      description: matchExpressions is a list of label selector requirements.
-                        The requirements are ANDed.
-                      items:
-                        description: |-
-                          A label selector requirement is a selector that contains values, a key, and an operator that
-                          relates the key and values.
-                        properties:
-                          key:
-                            description: key is the label key that the selector applies
-                              to.
-                            type: string
-                          operator:
-                            description: |-
-                              operator represents a key's relationship to a set of values.
-                              Valid operators are In, NotIn, Exists and DoesNotExist.
-                            type: string
-                          values:
-                            description: |-
-                              values is an array of string values. If the operator is In or NotIn,
-                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
-                              the values array must be empty. This array is replaced during a strategic
-                              merge patch.
-                            items:
-                              type: string
-                            type: array
-                            x-kubernetes-list-type: atomic
-                        required:
-                        - key
-                        - operator
-                        type: object
-                      type: array
-                      x-kubernetes-list-type: atomic
-                    matchLabels:
-                      additionalProperties:
-                        type: string
-                      description: |-
-                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
-                        map is equivalent to an element of matchExpressions, whose key field is "key", the
-                        operator is "In", and the values array contains only "value". The requirements are ANDed.
-                      type: object
-                  type: object
-                  x-kubernetes-map-type: atomic
-                type: array
-              namespaces:
-                description: |-
-                  Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
-                  Deprecated: Use NamespaceSelectors instead.
-                items:
-                  maxLength: 63
-                  minLength: 1
-                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
-                  type: string
-                type: array
-              refreshTime:
-                description: The time in which the controller should reconcile its
-                  objects and recheck namespaces for labels.
-                type: string
-            required:
-            - externalSecretSpec
-            type: object
-          status:
-            description: ClusterExternalSecretStatus defines the observed state of
-              ClusterExternalSecret.
-            properties:
-              conditions:
-                items:
-                  properties:
-                    message:
-                      type: string
-                    status:
-                      type: string
-                    type:
-                      type: string
-                  required:
-                  - status
-                  - type
-                  type: object
-                type: array
-              externalSecretName:
-                description: ExternalSecretName is the name of the ExternalSecrets
-                  created by the ClusterExternalSecret
-                type: string
-              failedNamespaces:
-                description: Failed namespaces are the namespaces that failed to apply
-                  an ExternalSecret
-                items:
-                  description: ClusterExternalSecretNamespaceFailure represents a
-                    failed namespace deployment and it's reason.
-                  properties:
-                    namespace:
-                      description: Namespace is the namespace that failed when trying
-                        to apply an ExternalSecret
-                      type: string
-                    reason:
-                      description: Reason is why the ExternalSecret failed to apply
-                        to the namespace
-                      type: string
-                  required:
-                  - namespace
-                  type: object
-                type: array
-              provisionedNamespaces:
-                description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret
-                  has secrets
-                items:
-                  type: string
-                type: array
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
   - additionalPrinterColumns:
     - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
       name: Store
@@ -1166,21 +408,9 @@ spec:
                       RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
                       specified as Golang Duration strings.
                       Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-                      Example values: "1h", "2h30m", "10s"
+                      Example values: "1h", "2h30m", "5d", "10s"
                       May be set to zero to fetch and create it once. Defaults to 1h.
                     type: string
-                  refreshPolicy:
-                    description: |-
-                      RefreshPolicy determines how the ExternalSecret should be refreshed:
-                      - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
-                      - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
-                        No periodic updates occur if refreshInterval is 0.
-                      - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
-                    enum:
-                    - CreatedOnce
-                    - Periodic
-                    - OnChange
-                    type: string
                   secretStoreRef:
                     description: SecretStoreRef defines which SecretStore to fetch
                       the ExternalSecret data.
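Review bot: The added example `"5d"` contradicts the line directly above it, which lists the valid units as "ns", "us" (or "µs"), "ms", "s", "m", "h". Go duration strings have no day unit, so if the field is parsed with `time.ParseDuration` (the parser is not visible here), a user who copies the example gets a refresh interval that fails to parse and a secret that may not be re-read as expected. Either drop the example, giving `Example values: "1h", "2h30m", "10s"`, or write five days as `"120h"`. These CRDs appear to be generated by controller-gen, so the wording would have to change in the Go type comment they are generated from.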
@@ -1256,6 +486,7 @@ spec:
                               that should be used to compile/execute the
                               template specified in .data and .templateFrom[].
                             enum:
+                            - v1
                             - v2
                             type: string
                           mergePolicy:
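Review bot: The enum accepts `v1` again, but the description above it does not say which engine version a user should prefer or that the two behave differently. If `v1` is only kept for compatibility (an assumption, since the field's default is outside this hunk), state that in the description, for example `v1 is the legacy template engine and is accepted for backward compatibility only; use v2.` The same applies to the matching `engineVersion` hunk in config/crds/bases/external-secrets.io_clusterpushsecrets.yaml. As the files appear to be generated, the text belongs in the source type comment.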
@@ -1532,6 +763,6 @@ spec:
             type: object
         type: object
     served: true
-    storage: false
+    storage: true
     subresources:
       status: {}
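Review bot: Flipping this version to `storage: true` while the preceding hunk deletes the version block that carried `served: true` / `storage: true` needs a downgrade note that the commit does not include. A cluster that already applied the previous CRD will list the removed version in `status.storedVersions`, and the API server rejects a CRD update that drops a version still listed there, so objects persisted in that version must be migrated first. Suggested release-note text: `Before applying these CRDs, migrate stored objects to the remaining storage version and remove the dropped version from status.storedVersions.` The names of both versions are outside the visible hunks, and the deleting hunk starts before this view.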

+ 2 - 1
config/crds/bases/external-secrets.io_clusterpushsecrets.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.3
+    controller-gen.kubebuilder.io/version: v0.17.2
   labels:
     external-secrets.io/component: controller
   name: clusterpushsecrets.external-secrets.io
@@ -359,6 +359,7 @@ spec:
                           that should be used to compile/execute the
                           template specified in .data and .templateFrom[].
                         enum:
+                        - v1
                         - v2
                         type: string
                       mergePolicy:

File diff suppressed because it is too large
+ 294 - 2396
config/crds/bases/external-secrets.io_clustersecretstores.yaml


+ 39 - 350
config/crds/bases/external-secrets.io_externalsecrets.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.3
+    controller-gen.kubebuilder.io/version: v0.17.2
   labels:
     external-secrets.io/component: controller
   name: externalsecrets.external-secrets.io
@@ -21,7 +21,7 @@ spec:
   versions:
   - additionalPrinterColumns:
     - jsonPath: .spec.secretStoreRef.kind
-      name: StoreType
+      name: Store
       type: string
     - jsonPath: .spec.secretStoreRef.name
       name: Store
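Review bot: After this rename, two printer columns in the same version entry are titled `Store`: the `.spec.secretStoreRef.kind` column changed here and the `.spec.secretStoreRef.name` column on the context lines right after it. `kubectl get` output would then carry two identically named columns, which makes it easy to misread a store kind as a store name when auditing which store backs a secret. The file is generated by controller-gen, so the title has to be changed in the `+kubebuilder:printcolumn` marker on the Go type, giving the kind column its own name such as `StoreKind`. The version entry itself continues outside this hunk.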
@@ -32,10 +32,8 @@ spec:
     - jsonPath: .status.conditions[?(@.type=="Ready")].reason
       name: Status
       type: string
-    - jsonPath: .status.conditions[?(@.type=="Ready")].status
-      name: Ready
-      type: string
-    name: v1
+    deprecated: true
+    name: v1alpha1
     schema:
       openAPIV3Schema:
         description: ExternalSecret is the Schema for the external-secrets API.
@@ -68,9 +66,8 @@ spec:
                     Kubernetes Secret key (spec.data.<key>) and the Provider data.
                   properties:
                     remoteRef:
-                      description: |-
-                        RemoteRef points to the remote secret and defines
-                        which secret (version/property/..) to fetch.
+                      description: ExternalSecretDataRemoteRef defines Provider data
+                        location.
                       properties:
                         conversionStrategy:
                           default: Default
@@ -79,27 +76,9 @@ spec:
                           - Default
                           - Unicode
                           type: string
-                        decodingStrategy:
-                          default: None
-                          description: Used to define a decoding Strategy
-                          enum:
-                          - Auto
-                          - Base64
-                          - Base64URL
-                          - None
-                          type: string
                         key:
                           description: Key is the key used in the Provider, mandatory
                           type: string
-                        metadataPolicy:
-                          default: None
-                          description: Policy for fetching tags/labels from provider
-                            secrets, possible options are Fetch, None. Defaults to
-                            None
-                          enum:
-                          - None
-                          - Fetch
-                          type: string
                         property:
                           description: Used to select a specific property of the Provider
                             value (if a map), if supported
@@ -117,72 +96,6 @@ spec:
                       minLength: 1
                       pattern: ^[-._a-zA-Z0-9]+$
                       type: string
-                    sourceRef:
-                      description: |-
-                        SourceRef allows you to override the source
-                        from which the value will be pulled.
-                      maxProperties: 1
-                      minProperties: 1
-                      properties:
-                        generatorRef:
-                          description: |-
-                            GeneratorRef points to a generator custom resource.
-
-                            Deprecated: The generatorRef is not implemented in .data[].
-                            this will be removed with v1.
-                          properties:
-                            apiVersion:
-                              default: generators.external-secrets.io/v1alpha1
-                              description: Specify the apiVersion of the generator
-                                resource
-                              type: string
-                            kind:
-                              description: Specify the Kind of the generator resource
-                              enum:
-                              - ACRAccessToken
-                              - ClusterGenerator
-                              - ECRAuthorizationToken
-                              - Fake
-                              - GCRAccessToken
-                              - GithubAccessToken
-                              - QuayAccessToken
-                              - Password
-                              - STSSessionToken
-                              - UUID
-                              - VaultDynamicSecret
-                              - Webhook
-                              - Grafana
-                              type: string
-                            name:
-                              description: Specify the name of the generator resource
-                              maxLength: 253
-                              minLength: 1
-                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                              type: string
-                          required:
-                          - kind
-                          - name
-                          type: object
-                        storeRef:
-                          description: SecretStoreRef defines which SecretStore to
-                            fetch the ExternalSecret data.
-                          properties:
-                            kind:
-                              description: |-
-                                Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                                Defaults to `SecretStore`
-                              enum:
-                              - SecretStore
-                              - ClusterSecretStore
-                              type: string
-                            name:
-                              description: Name of the SecretStore resource
-                              maxLength: 253
-                              minLength: 1
-                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                              type: string
-                          type: object
-                      type: object
                   required:
                   - remoteRef
                   - secretKey
@@ -193,215 +106,37 @@ spec:
                   DataFrom is used to fetch all properties from a specific Provider data
                   If multiple entries are specified, the Secret keys are merged in the specified order
                 items:
+                  description: ExternalSecretDataRemoteRef defines Provider data location.
                   properties:
-                    extract:
-                      description: |-
-                        Used to extract multiple key/value pairs from one secret
-                        Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
-                      properties:
-                        conversionStrategy:
-                          default: Default
-                          description: Used to define a conversion Strategy
-                          enum:
-                          - Default
-                          - Unicode
-                          type: string
-                        decodingStrategy:
-                          default: None
-                          description: Used to define a decoding Strategy
-                          enum:
-                          - Auto
-                          - Base64
-                          - Base64URL
-                          - None
-                          type: string
-                        key:
-                          description: Key is the key used in the Provider, mandatory
-                          type: string
-                        metadataPolicy:
-                          default: None
-                          description: Policy for fetching tags/labels from provider
-                            secrets, possible options are Fetch, None. Defaults to
-                            None
-                          enum:
-                          - None
-                          - Fetch
-                          type: string
-                        property:
-                          description: Used to select a specific property of the Provider
-                            value (if a map), if supported
-                          type: string
-                        version:
-                          description: Used to select a specific version of the Provider
-                            value, if supported
-                          type: string
-                      required:
-                      - key
-                      type: object
-                    find:
-                      description: |-
-                        Used to find secrets based on tags or regular expressions
-                        Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
-                      properties:
-                        conversionStrategy:
-                          default: Default
-                          description: Used to define a conversion Strategy
-                          enum:
-                          - Default
-                          - Unicode
-                          type: string
-                        decodingStrategy:
-                          default: None
-                          description: Used to define a decoding Strategy
-                          enum:
-                          - Auto
-                          - Base64
-                          - Base64URL
-                          - None
-                          type: string
-                        name:
-                          description: Finds secrets based on the name.
-                          properties:
-                            regexp:
-                              description: Finds secrets base
-                              type: string
-                          type: object
-                        path:
-                          description: A root path to start the find operations.
-                          type: string
-                        tags:
-                          additionalProperties:
-                            type: string
-                          description: Find secrets based on tags.
-                          type: object
-                      type: object
-                    rewrite:
-                      description: |-
-                        Used to rewrite secret Keys after getting them from the secret Provider
-                        Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
-                      items:
-                        properties:
-                          regexp:
-                            description: |-
-                              Used to rewrite with regular expressions.
-                              The resulting key will be the output of a regexp.ReplaceAll operation.
-                            properties:
-                              source:
-                                description: Used to define the regular expression
-                                  of a re.Compiler.
-                                type: string
-                              target:
-                                description: Used to define the target pattern of
-                                  a ReplaceAll operation.
-                                type: string
-                            required:
-                            - source
-                            - target
-                            type: object
-                          transform:
-                            description: |-
-                              Used to apply string transformation on the secrets.
-                              The resulting key will be the output of the template applied by the operation.
-                            properties:
-                              template:
-                                description: |-
-                                  Used to define the template to apply on the secret name.
-                                  `.value ` will specify the secret name in the template.
-                                type: string
-                            required:
-                            - template
-                            type: object
-                        type: object
-                      type: array
-                    sourceRef:
-                      description: |-
-                        SourceRef points to a store or generator
-                        which contains secret values ready to use.
-                        Use this in combination with Extract or Find pull values out of
-                        a specific SecretStore.
-                        When sourceRef points to a generator Extract or Find is not supported.
-                        The generator returns a static map of values
-                      maxProperties: 1
-                      minProperties: 1
-                      properties:
-                        generatorRef:
-                          description: GeneratorRef points to a generator custom resource.
-                          properties:
-                            apiVersion:
-                              default: generators.external-secrets.io/v1alpha1
-                              description: Specify the apiVersion of the generator
-                                resource
-                              type: string
-                            kind:
-                              description: Specify the Kind of the generator resource
-                              enum:
-                              - ACRAccessToken
-                              - ClusterGenerator
-                              - ECRAuthorizationToken
-                              - Fake
-                              - GCRAccessToken
-                              - GithubAccessToken
-                              - QuayAccessToken
-                              - Password
-                              - STSSessionToken
-                              - UUID
-                              - VaultDynamicSecret
-                              - Webhook
-                              - Grafana
-                              type: string
-                            name:
-                              description: Specify the name of the generator resource
-                              maxLength: 253
-                              minLength: 1
-                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                              type: string
-                          required:
-                          - kind
-                          - name
-                          type: object
-                        storeRef:
-                          description: SecretStoreRef defines which SecretStore to
-                            fetch the ExternalSecret data.
-                          properties:
-                            kind:
-                              description: |-
-                                Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-                                Defaults to `SecretStore`
-                              enum:
-                              - SecretStore
-                              - ClusterSecretStore
-                              type: string
-                            name:
-                              description: Name of the SecretStore resource
-                              maxLength: 253
-                              minLength: 1
-                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-                              type: string
-                          type: object
-                      type: object
+                    conversionStrategy:
+                      default: Default
+                      description: Used to define a conversion Strategy
+                      enum:
+                      - Default
+                      - Unicode
+                      type: string
+                    key:
+                      description: Key is the key used in the Provider, mandatory
+                      type: string
+                    property:
+                      description: Used to select a specific property of the Provider
+                        value (if a map), if supported
+                      type: string
+                    version:
+                      description: Used to select a specific version of the Provider
+                        value, if supported
+                      type: string
+                  required:
+                  - key
                   type: object
                 type: array
               refreshInterval:
                 default: 1h
                 description: |-
-                  RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
-                  specified as Golang Duration strings.
+                  RefreshInterval is the amount of time before the values are read again from the SecretStore provider
                   Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-                  Example values: "1h", "2h30m", "10s"
                   May be set to zero to fetch and create it once. Defaults to 1h.
                 type: string
-              refreshPolicy:
-                description: |-
-                  RefreshPolicy determines how the ExternalSecret should be refreshed:
-                  - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
-                  - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
-                    No periodic updates occur if refreshInterval is 0.
-                  - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
-                enum:
-                - CreatedOnce
-                - Periodic
-                - OnChange
-                type: string
               secretStoreRef:
                 description: SecretStoreRef defines which SecretStore to fetch the
                   ExternalSecret data.
@@ -422,9 +157,6 @@ spec:
                     type: string
                 type: object
               target:
-                default:
-                  creationPolicy: Owner
-                  deletionPolicy: Retain
                 description: |-
                   ExternalSecretTarget defines the Kubernetes Secret to be created
                   There can be only one target per ExternalSecret.
@@ -436,20 +168,9 @@ spec:
                       Defaults to "Owner"
                     enum:
                     - Owner
-                    - Orphan
                     - Merge
                     - None
                     type: string
-                  deletionPolicy:
-                    default: Retain
-                    description: |-
-                      DeletionPolicy defines rules on how to delete the resulting Secret.
-                      Defaults to "Retain"
-                    enum:
-                    - Delete
-                    - Merge
-                    - Retain
-                    type: string
                   immutable:
                     description: Immutable defines if the final secret will be immutable
                     type: boolean
@@ -470,20 +191,15 @@ spec:
                           type: string
                         type: object
                       engineVersion:
-                        default: v2
+                        default: v1
                         description: |-
                           EngineVersion specifies the template engine version
                           that should be used to compile/execute the
                           template specified in .data and .templateFrom[].
                         enum:
+                        - v1
                         - v2
                         type: string
-                      mergePolicy:
-                        default: Replace
-                        enum:
-                        - Replace
-                        - Merge
-                        type: string
                       metadata:
                         description: ExternalSecretTemplateMetadata defines metadata
                           fields for the Secret blueprint.
@@ -499,6 +215,8 @@ spec:
                         type: object
                       templateFrom:
                         items:
+                          maxProperties: 1
+                          minProperties: 1
                           properties:
                             configMap:
                               properties:
@@ -513,12 +231,6 @@ spec:
                                         minLength: 1
                                         pattern: ^[-._a-zA-Z0-9]+$
                                         type: string
-                                      templateAs:
-                                        default: Values
-                                        enum:
-                                        - Values
-                                        - KeysAndValues
-                                        type: string
                                     required:
                                     - key
                                     type: object
@@ -533,8 +245,6 @@ spec:
                               - items
                               - name
                               type: object
-                            literal:
-                              type: string
                             secret:
                               properties:
                                 items:
@@ -548,12 +258,6 @@ spec:
                                         minLength: 1
                                         pattern: ^[-._a-zA-Z0-9]+$
                                         type: string
-                                      templateAs:
-                                        default: Values
-                                        enum:
-                                        - Values
-                                        - KeysAndValues
-                                        type: string
                                     required:
                                     - key
                                     type: object
@@ -568,19 +272,15 @@ spec:
                               - items
                               - name
                               type: object
-                            target:
-                              default: Data
-                              enum:
-                              - Data
-                              - Annotations
-                              - Labels
-                              type: string
                           type: object
                         type: array
                       type:
                         type: string
                     type: object
                 type: object
+            required:
+            - secretStoreRef
+            - target
             type: object
           status:
             properties:
@@ -632,7 +332,7 @@ spec:
             type: object
         type: object
     served: true
-    storage: true
+    storage: false
     subresources:
       status: {}
   - additionalPrinterColumns:
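Review bot: Flipping `storage: true` to `storage: false` on the entry that an earlier hunk renames from `v1` to `v1alpha1` drops `v1` from `spec.versions` and moves the storage version, and nothing visible here covers clusters that already persisted objects as `v1`. The API server rejects a CRD update that removes a version still listed in `status.storedVersions`, so applying this over an install built from main could fail, or leave ExternalSecrets unreadable until the stored objects are rewritten. The same flip appears in `@@ -1248,6 +937,6 @@` of this file and in the `@@ -1532,6 +763,6 @@` hunk of the preceding file. I would put a comment next to the CRD or in the release notes, for example `# v1 removed by revert: rewrite stored v1 objects and clear v1 from status.storedVersions before applying`. Fields that exist only in the removed schema, such as `refreshPolicy`, would presumably be pruned on the next write, which is worth stating in the same place.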
@@ -1003,21 +703,9 @@ spec:
                   RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
                   specified as Golang Duration strings.
                   Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-                  Example values: "1h", "2h30m", "10s"
+                  Example values: "1h", "2h30m", "5d", "10s"
                   May be set to zero to fetch and create it once. Defaults to 1h.
                 type: string
-              refreshPolicy:
-                description: |-
-                  RefreshPolicy determines how the ExternalSecret should be refreshed:
-                  - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
-                  - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
-                    No periodic updates occur if refreshInterval is 0.
-                  - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
-                enum:
-                - CreatedOnce
-                - Periodic
-                - OnChange
-                type: string
               secretStoreRef:
                 description: SecretStoreRef defines which SecretStore to fetch the
                   ExternalSecret data.
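Review bot: The restored example list includes `"5d"`, but the line above it lists the valid units as "ns", "us" (or "µs"), "ms", "s", "m", "h", and the description calls these Golang Duration strings, which have no day unit. A user copying the example would presumably hit a parse error rather than get a five-day interval, and a secret that stops refreshing is a rotation risk. The line should read `Example values: "1h", "2h30m", "120h", "10s"`, with the multi-day case written in hours. Because this CRD is generated, the wording has to change in the Go field comment that controller-gen reads. The same `"5d"` example is restored in the refreshInterval description of the preceding file.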
@@ -1092,6 +780,7 @@ spec:
                           that should be used to compile/execute the
                           template specified in .data and .templateFrom[].
                         enum:
+                        - v1
                         - v2
                         type: string
                       mergePolicy:
@@ -1248,6 +937,6 @@ spec:
             type: object
         type: object
     served: true
-    storage: false
+    storage: true
     subresources:
       status: {}

+ 2 - 1
config/crds/bases/external-secrets.io_pushsecrets.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.3
+    controller-gen.kubebuilder.io/version: v0.17.2
   labels:
     external-secrets.io/component: controller
   name: pushsecrets.external-secrets.io
@@ -282,6 +282,7 @@ spec:
                       that should be used to compile/execute the
                       template specified in .data and .templateFrom[].
                     enum:
+                    - v1
                     - v2
                     type: string
                   mergePolicy:

File diff suppressed because it is too large
+ 294 - 2396
config/crds/bases/external-secrets.io_secretstores.yaml


+ 1 - 1
config/crds/bases/generators.external-secrets.io_acraccesstokens.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.3
+    controller-gen.kubebuilder.io/version: v0.17.2
   labels:
     external-secrets.io/component: controller
   name: acraccesstokens.generators.external-secrets.io

+ 1 - 1
config/crds/bases/generators.external-secrets.io_clustergenerators.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.3
+    controller-gen.kubebuilder.io/version: v0.17.2
   labels:
     external-secrets.io/component: controller
   name: clustergenerators.generators.external-secrets.io

+ 1 - 1
config/crds/bases/generators.external-secrets.io_ecrauthorizationtokens.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.3
+    controller-gen.kubebuilder.io/version: v0.17.2
   labels:
     external-secrets.io/component: controller
   name: ecrauthorizationtokens.generators.external-secrets.io

+ 1 - 1
config/crds/bases/generators.external-secrets.io_fakes.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.3
+    controller-gen.kubebuilder.io/version: v0.17.2
   labels:
     external-secrets.io/component: controller
   name: fakes.generators.external-secrets.io

+ 1 - 1
config/crds/bases/generators.external-secrets.io_gcraccesstokens.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.3
+    controller-gen.kubebuilder.io/version: v0.17.2
   labels:
     external-secrets.io/component: controller
   name: gcraccesstokens.generators.external-secrets.io

+ 1 - 1
config/crds/bases/generators.external-secrets.io_generatorstates.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.17.3
+    controller-gen.kubebuilder.io/version: v0.17.2
   labels:
     external-secrets.io/component: controller
   name: generatorstates.generators.external-secrets.io

Some files were not shown because too many files changed in this diff