feat: add support matrix, refactor docs (#1508)

Signed-off-by: Moritz Johner <Moritz.Johner@form3.tech>

docs/api-clustersecretstore.md

@@ -1,4 +1,4 @@
-![ClusterSecretStore](./pictures/diagrams-high-level-cluster-detail.png)
+![ClusterSecretStore](../pictures/diagrams-high-level-cluster-detail.png)
 
 The `ClusterSecretStore` is a cluster scoped SecretStore that can be referenced by all
 `ExternalSecrets` from all namespaces. Use it to offer a central gateway to your secret backend.

docs/api-externalsecret.md

@@ -9,7 +9,7 @@ be transformed and saved as a `Kind=Secret`:
 
 ## Template
 
-When the controller reconciles the `ExternalSecret` it will use the `spec.template` as a blueprint to construct a new `Kind=Secret`. You can use golang templates to define the blueprint and use template functions to transform secret values. You can also pull in `ConfigMaps` that contain golang-template data using `templateFrom`. See [advanced templating](guides-templating.md) for details.
+When the controller reconciles the `ExternalSecret` it will use the `spec.template` as a blueprint to construct a new `Kind=Secret`. You can use golang templates to define the blueprint and use template functions to transform secret values. You can also pull in `ConfigMaps` that contain golang-template data using `templateFrom`. See [advanced templating](../guides/templating.md) for details.
 
 ## Update Behavior
 

docs/api-secretstore.md

@@ -1,4 +1,4 @@
-![SecretStore](./pictures/diagrams-high-level-ns-detail.png)
+![SecretStore](../pictures/diagrams-high-level-ns-detail.png)
 
 
 The `SecretStore` is namespaced and specifies how to access the external API.

docs/contributing-devguide.md

@@ -102,7 +102,7 @@ helm upgrade --install external-secrets ./deploy/charts/external-secrets/ --set
 ```
 
 !!! note "Contributing Flow"
-    The HOW TO guide for contributing is at the [Contributing Process](contributing-process.md) page.
+    The HOW TO guide for contributing is at the [Contributing Process](process.md) page.
 
 
 ## Documentation

docs/contributing-process.md

@@ -150,4 +150,4 @@ We use labels to identify GitHub Issues. Specifically for managing support cases
 
 ## Cutting Releases
 
-The external-secrets project is released on a as-needed basis. Feel free to open a issue to request a release. Details on how to cut a release can be found in the [release](contributing-release.md) page.
+The external-secrets project is released on a as-needed basis. Feel free to open a issue to request a release. Details on how to cut a release can be found in the [release](release.md) page.

docs/examples-gitops-using-fluxcd.md

@@ -21,7 +21,7 @@ FluxCD is composed by several controllers dedicated to manage different custom r
 ones are **Kustomization** (to clarify, Flux one, not Kubernetes' one) and **HelmRelease** to deploy using the approaches
 of the same names.
 
-External Secrets can be deployed using Helm [as explained here](guides-getting-started.md). The deployment includes the
+External Secrets can be deployed using Helm [as explained here](../guides/getting-started.md). The deployment includes the
 CRDs if enabled on the `values.yaml`, but after this, you need to deploy some `SecretStore` to start
 getting credentials from your secrets manager with External Secrets.
 
@@ -130,4 +130,4 @@ for example, a manifest `clusterSecretStore.yaml` to reach your Hashicorp Vault
 
 At the end, the required files tree is shown in the following picture:
 
-![FluxCD files tree](./pictures/screenshot_gitops_final_directory_tree.png)
+![FluxCD files tree](../pictures/screenshot_gitops_final_directory_tree.png)

docs/guides-introduction.md

@@ -1,8 +0,0 @@
-# Guides
-
-The following guides demonstrate use-cases and provide examples of how to use
-the API. Please pick one of the following guides:
-
-* [Getting started](guides-getting-started.md)
-* [Advanced Templating](guides-templating.md)
-* [Multi-Tenancy Design Considerations](guides-multi-tenancy.md)

docs/guides-all-keys-one-secret.md

@@ -2,11 +2,11 @@
 
 To get multiple key-values from an external secret, not having to worry about how many, or what these keys are, we have to use the dataFrom field of the ExternalSecret resource, instead of the data field. We will give an example here with the gcp provider (should work with other providers in the same way).
 
-Please follow the authentication and SecretStore steps of the [Google Cloud Secrets Manager guide](provider-google-secrets-manager.md) to setup access to your google cloud account first.
+Please follow the authentication and SecretStore steps of the [Google Cloud Secrets Manager guide](../provider/google-secrets-manager.md) to setup access to your google cloud account first.
 
 Then create a secret in Google Cloud Secret Manager that contains a JSON string with multiple key values like this:
 
-![secret-value](./pictures/screenshot_json_string_gcp_secret_value.png)
+![secret-value](../pictures/screenshot_json_string_gcp_secret_value.png)
 
 Let's call this secret all-keys-example-secret on Google Cloud.
 

docs/guides-common-k8s-secret-types.md

@@ -1,15 +1,15 @@
 # A few common k8s secret types examples
 
-Here we will give some examples of how to work with a few common k8s secret types. We will give this examples here with the gcp provider (should work with other providers in the same way). Please also check the guides on [Advanced Templating](guides-templating.md) to understand the details.
+Here we will give some examples of how to work with a few common k8s secret types. We will give this examples here with the gcp provider (should work with other providers in the same way). Please also check the guides on [Advanced Templating](templating.md) to understand the details.
 
-Please follow the authentication and SecretStore steps of the [Google Cloud Secrets Manager guide](provider-google-secrets-manager.md) to setup access to your google cloud account first.
+Please follow the authentication and SecretStore steps of the [Google Cloud Secrets Manager guide](../provider/google-secrets-manager.md) to setup access to your google cloud account first.
 
 
 ## Dockerconfigjson example
 
 First create a secret in Google Cloud Secrets Manager containing your docker config:
 
-![iam](./pictures/screenshot_docker_config_json_example.png)
+![iam](../pictures/screenshot_docker_config_json_example.png)
 
 Let's call this secret docker-config-example on Google Cloud.
 
@@ -45,7 +45,7 @@ openssl pkcs12 -export -out certificate.p12 -inkey privkey.pem -in cert.pem
 
 With a certificate.p12 you can upload it to Google Cloud Secrets Manager:
 
-![p12](./pictures/screenshot_ssl_certificate_p12_example.png)
+![p12](../pictures/screenshot_ssl_certificate_p12_example.png)
 
 And now you can create an ExternalSecret that gets it. You will end up with a k8s secret of type tls with pem values.
 
@@ -65,7 +65,7 @@ kubectl get secret secret-to-be-created -n <namespace> | -o jsonpath="{.data.tls
 
 Add the ssh privkey to a new Google Cloud Secrets Manager secret:
 
-![ssh](./pictures/screenshot_ssh_privkey_example.png)
+![ssh](../pictures/screenshot_ssh_privkey_example.png)
 
 And now you can create an ExternalSecret that gets it. You will end up with a k8s secret of type ssh-auth with the privatekey value.
 

docs/guides-getallsecrets.md

@@ -31,10 +31,10 @@ This will match any secrets containing all of the metadata labels in the `tags`
 Some providers support filtering out a find operation only to a given path, instead of the root path. In order to use this feature, you can pass `find.path` to filter out these secrets into only this path, instead of the root path.
 
 ### Avoiding name conflicts
-By default, kubernetes Secrets accepts only a given range of characters. `Find` operations will automatically replace any not allowed character with a `_`. So if we have a given secret `a_c` and `a/c` would lead to a naming conflict. 
+By default, kubernetes Secrets accepts only a given range of characters. `Find` operations will automatically replace any not allowed character with a `_`. So if we have a given secret `a_c` and `a/c` would lead to a naming conflict.
 
 
-If you happen to have a case where a conflict is happening, you can use the `rewrite` block to apply a regexp on one of the find operations (for more information please refer to [Rewriting Keys from DataFrom](guides-datafrom-rewrite.md)).
+If you happen to have a case where a conflict is happening, you can use the `rewrite` block to apply a regexp on one of the find operations (for more information please refer to [Rewriting Keys from DataFrom](datafrom-rewrite.md)).
 
 You can also set  `dataFrom.find.conversionStrategy: Unicode` to reduce the collistion probability. When using `Unicode`, any invalid character will be replaced by its unicode, in the form of `_UXXXX_`. In this case, the available kubernetes keys would be `a_c` and `a_U2215_c`, hence avoiding most of possible conflicts.
 

docs/guides-getting-started.md

@@ -75,7 +75,7 @@ Events:                    <none>
 ```
 
 For more advanced examples, please read the other
-[guides](guides-introduction.md).
+[guides](introduction.md).
 
 ## Installing with OLM
 

docs/guides/introduction.md

@@ -0,0 +1,8 @@
+# Guides
+
+The following guides demonstrate use-cases and provide examples of how to use
+the API. Please pick one of the following guides:
+
+* [Getting started](getting-started.md)
+* [Advanced Templating](templating.md)
+* [Multi-Tenancy Design Considerations](multi-tenancy.md)

docs/guides-multi-tenancy.md

@@ -21,7 +21,7 @@ techniques for tenant isolation.
 
 ### Shared ClusterSecretStore
 
-![Shared CSS](./pictures/diagrams-multi-tenancy-shared.png)
+![Shared CSS](../pictures/diagrams-multi-tenancy-shared.png)
 
 A Cluster Administrator deploys a `ClusterSecretStore` (CSS) and manages access
 to the external API. The CSS is shared by all tenants within the cluster.
@@ -39,7 +39,7 @@ is very simple but does not scale very well.
 
 ### Managed SecretStore per Namespace
 
-![Shared CSS](./pictures/diagrams-multi-tenancy-managed-store.png)
+![Shared CSS](../pictures/diagrams-multi-tenancy-managed-store.png)
 
 Cluster Administrators manage one or multiple `SecretStores` per Namespace. Each
 SecretStore uses it's own *role* that limits access to a small set of keys. The
@@ -51,7 +51,7 @@ secrets.
 
 
 ### ESO as a Service
-![Shared CSS](./pictures/diagrams-multi-tenancy-self-service.png)
+![Shared CSS](../pictures/diagrams-multi-tenancy-self-service.png)
 
 Every namespace is self-contained. Application developers manage `SecretStore`,
 `ExternalSecret` and secret infrastructure on their own. Cluster Administrators

docs/guides-templating-v1.md

@@ -2,7 +2,7 @@
 
 !!! warning
 
-    Templating Engine v1 is **deprecated** and will be removed in the future. Please migrate to engine v2 and take a look at our [upgrade guide](guides-templating.md#migrating-from-v1) for changes.
+    Templating Engine v1 is **deprecated** and will be removed in the future. Please migrate to engine v2 and take a look at our [upgrade guide](templating.md#migrating-from-v1) for changes.
 
 
 With External Secrets Operator you can transform the data from the external secret provider before it is stored as `Kind=Secret`. You can do this with the `Spec.Target.Template`. Each data value is interpreted as a [golang template](https://golang.org/pkg/text/template/).

docs/guides-templating.md

@@ -79,7 +79,7 @@ You can achieve that by using the `filterPEM` function to extract a specific typ
 
 We provide a couple of convenience functions that help you transform your secrets. This is useful when dealing with PKCS#12 archives or JSON Web Keys (JWK).
 
-In addition to that you can use over 200+ [sprig functions](http://masterminds.github.io/sprig/). If you feel a function is missing or might be valuable feel free to open an issue and submit a [pull request](contributing-process.md#submitting-a-pull-request).
+In addition to that you can use over 200+ [sprig functions](http://masterminds.github.io/sprig/). If you feel a function is missing or might be valuable feel free to open an issue and submit a [pull request](../contributing/process.md#submitting-a-pull-request).
 
 <br/>
 

docs/index.md

@@ -22,10 +22,10 @@ lifecycle of the secrets for you.
 
 ### Where to get started
 
-To get started, please read through [API overview](api-overview.md) this should
+To get started, please read through [API overview](overview.md) this should
 give you a high-level overview to understand the API and use-cases. After that
-please follow one of our [guides](guides-introduction.md) to get a jump start
-using the operator. See our [getting started guide](guides-getting-started.md) for installation instructions.
+please follow one of our [guides](guides/introduction.md) to get a jump start
+using the operator. See our [getting started guide](guides/getting-started.md) for installation instructions.
 
 For a complete reference of the API types please refer to our [API
 Reference](spec.md).
@@ -43,7 +43,7 @@ How to get involved:
   ([agenda](https://hackmd.io/GSGEpTVdRZCP6LDxV3FHJA), [jitsi call](https://meet.jit.si/eso-community-meeting))
 - [Kubernetes Slack
   #external-secrets](https://kubernetes.slack.com/messages/external-secrets)
-- [Contributing Process](contributing-process.md)
+- [Contributing Process](contributing/process.md)
 - [Twitter](https://twitter.com/ExtSecretsOptr)
 
 ### Kicked off by

docs/api-overview.md

@@ -25,7 +25,7 @@ to.
 
 ### SecretStore
 
-The idea behind the [SecretStore](api-secretstore.md) resource is to separate concerns of
+The idea behind the [SecretStore](api/secretstore.md) resource is to separate concerns of
 authentication/access and the actual Secret and configuration needed for
 workloads. The ExternalSecret specifies what to fetch, the SecretStore specifies
 how to access. This resource is namespaced.
@@ -37,7 +37,7 @@ The `SecretStore` contains references to secrets which hold credentials to
 access the external API.
 
 ### ExternalSecret
-An [ExternalSecret](api-externalsecret.md) declares what data to fetch. It has a reference to a
+An [ExternalSecret](api/externalsecret.md) declares what data to fetch. It has a reference to a
 `SecretStore` which knows how to access that data. The controller uses that
 `ExternalSecret` as a blueprint to create secrets.
 
@@ -47,7 +47,7 @@ An [ExternalSecret](api-externalsecret.md) declares what data to fetch. It has a
 
 ### ClusterSecretStore
 
-The [ClusterSecretStore](api-clustersecretstore.md) is a global, cluster-wide SecretStore that can be
+The [ClusterSecretStore](api/clustersecretstore.md) is a global, cluster-wide SecretStore that can be
 referenced from all namespaces. You can use it to provide a central gateway to your secret provider.
 
 ## Behavior

docs/provider-1password-automation.md

@@ -72,7 +72,7 @@ _Also see [examples below](#examples) for matching SecretStore and ExternalSecre
 1. Set what you want `remoteRef.property` to be in the field sections where is says 'label', and values where it says 'new field'.
 1. Click the 'Save' button.
 
-![create-password-screenshot](./pictures/screenshot_1password_create_password.png)
+![create-password-screenshot](../pictures/screenshot_1password_create_password.png)
 #### Manually (Document type)
 * Click the plus button to create a new Document type Item.
 * Choose the file to upload and upload it.
@@ -80,7 +80,7 @@ _Also see [examples below](#examples) for matching SecretStore and ExternalSecre
 * Click the 'Add New File' button to add more files.
 * Click the 'Save' button.
 
-![create-document-screenshot](./pictures/screenshot_1password_create_document.png)
+![create-document-screenshot](../pictures/screenshot_1password_create_document.png)
 #### Scripting (Password type with op [CLI](https://developer.1password.com/docs/cli/v1/get-started/))
 * Create `file.json` with the following contents, swapping in your keys and values. Note: `section.name`'s and `section.title`'s values are ignored by the Operator, but cannot be empty for the `op` CLI
     ```json
@@ -114,7 +114,7 @@ _Also see [examples below](#examples) for matching SecretStore and ExternalSecre
 #### In-built field labeled `password` on Password type Items
 * TL;DR if you need a field labeled `password`, use the in-built one rather than the one in a fields Section.
 
-![password-field-example](./pictures/screenshot_1password_password_field.png)
+![password-field-example](../pictures/screenshot_1password_password_field.png)
 
 * 1Password automatically adds a field labeled `password` on every Password type Item, whether it's created through a GUI or the API or `op` CLI.
 * There's no problem with using this field just like any other field, _just make sure you don't end up with two fields with the same label_. (For example, by automating the `op` CLI to create Items.)

docs/provider-aws-parameter-store.md

@@ -1,5 +1,5 @@
 
-![aws sm](./pictures/diagrams-provider-aws-ssm-parameter-store.png)
+![aws sm](../pictures/diagrams-provider-aws-ssm-parameter-store.png)
 
 ## Parameter Store
 

docs/provider-aws-secrets-manager.md

@@ -1,5 +1,5 @@
 
-![aws sm](./pictures/eso-az-kv-aws-sm.png)
+![aws sm](../pictures/eso-az-kv-aws-sm.png)
 
 ## Secrets Manager
 

docs/provider-azure-key-vault.md

@@ -1,5 +1,5 @@
 
-![aws sm](./pictures/eso-az-kv-azure-kv.png)
+![aws sm](../pictures/eso-az-kv-azure-kv.png)
 
 ## Azure Key vault
 
@@ -73,7 +73,7 @@ azwi serviceaccount create phase federated-identity \
 With these prerequisites met you can configure `ESO` to use that Service Account. You have two options:
 
 ##### Mounted Service Account
-You run the controller and mount that particular service account into the pod. That grants _everyone_ who is able to create a secret store or reference a correctly configured one the ability to read secrets. **This approach is usually not recommended**. But may make sense when you want to share an identity with multiple namespaces. Also see our [Multi-Tenancy Guide](guides-multi-tenancy.md) for design considerations.
+You run the controller and mount that particular service account into the pod. That grants _everyone_ who is able to create a secret store or reference a correctly configured one the ability to read secrets. **This approach is usually not recommended**. But may make sense when you want to share an identity with multiple namespaces. Also see our [Multi-Tenancy Guide](../guides/multi-tenancy.md) for design considerations.
 
 ```yaml
 {% include 'azkv-workload-identity-mounted.yaml' %}
@@ -107,8 +107,8 @@ Azure KeyVault manages different [object types](https://docs.microsoft.com/en-us
 | Object Type   | Return Value                                                                                                                                                                                                                      |
 | ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | `secret`      | the raw secret value.                                                                                                                                                                                                             |
-| `key`         | A JWK which contains the public key. Azure KeyVault does **not** export the private key. You may want to use [template functions](guides-templating.md) to transform this JWK into PEM encoded PKIX ASN.1 DER format. |
-| `certificate` | The raw CER contents of the x509 certificate. You may want to use [template functions](guides-templating.md) to transform this into your desired encoding                                                             |
+| `key`         | A JWK which contains the public key. Azure KeyVault does **not** export the private key. You may want to use [template functions](../guides/templating.md) to transform this JWK into PEM encoded PKIX ASN.1 DER format. |
+| `certificate` | The raw CER contents of the x509 certificate. You may want to use [template functions](../guides/templating.md) to transform this into your desired encoding                                                             |
 
 ### Creating external secret
 

docs/provider-gitlab-project-variables.md

@@ -6,10 +6,10 @@ External Secrets Operator integrates with [Gitlab API](https://docs.gitlab.com/e
 
 The API requires an access token and project ID. To create a new access token, go to your user settings and select 'access tokens'. Give your token a name, expiration date, and select the permissions required (Note 'api' is required).
 
-![token-details](./pictures/screenshot_gitlab_token.png)
+![token-details](../pictures/screenshot_gitlab_token.png)
 
 Click 'Create personal access token', and your token will be generated and displayed on screen. Copy or save this token since you can't access it again.
-![token-created](./pictures/screenshot_gitlab_token_created.png)
+![token-created](../pictures/screenshot_gitlab_token_created.png)
 
 
 
@@ -30,7 +30,7 @@ Be sure the `gitlab` provider is listed in the `Kind=SecretStore` and the Projec
 **NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `accessToken` with the namespace where the secret resides.
 
 Your project ID can be found on your project's page.
-![projectID](./pictures/screenshot_gitlab_projectID.png)
+![projectID](../pictures/screenshot_gitlab_projectID.png)
 
 ### Creating external secret
 

docs/provider-hashicorp-vault.md

@@ -1,4 +1,4 @@
-![HCP Vault](./pictures/diagrams-provider-vault.png)
+![HCP Vault](../pictures/diagrams-provider-vault.png)
 
 ## Hashicorp Vault
 
@@ -197,15 +197,15 @@ metadata:
   name: vault-example
 spec:
   # ...
-  dataFrom: 
-  - find: #will return every secret with 'dev' in it (including paths) 
-      name: 
+  dataFrom:
+  - find: #will return every secret with 'dev' in it (including paths)
+      name:
         regexp: dev
-  - find: #will return every secret matching environment:dev tags from dev/ folder and beyond 
-      tags: 
+  - find: #will return every secret matching environment:dev tags from dev/ folder and beyond
+      tags:
         environment: dev
 ```
-will generate a secret with: 
+will generate a secret with:
 ```json
 {
   "dev_config":"{\"foo\":{\"nested\":{\"bar\":\"mysecret\",\"baz\":\"bang\"}}}"
@@ -220,14 +220,14 @@ metadata:
   name: vault-example
 spec:
   # ...
-  dataFrom: 
-  - find: #will return every secret from dev/ folder 
+  dataFrom:
+  - find: #will return every secret from dev/ folder
       path: dev
-      name: 
+      name:
         regexp: ".*"
   - find: #will return every secret matching environment:dev tags from dev/ folder
       path: dev
-      tags: 
+      tags:
         environment: dev
 ```
 Will generate a secret with:
@@ -341,23 +341,23 @@ spec:
 
 #### Read Your Writes
 
-Vault 1.10.0 and later encodes information in the token to detect the case 
-when a server is behind. If a Vault server does not have information about 
-the provided token, [Vault returns a 412 error](https://www.vaultproject.io/docs/faq/ssct#q-is-there-anything-else-i-need-to-consider-to-achieve-consistency-besides-upgrading-to-vault-1-10) 
+Vault 1.10.0 and later encodes information in the token to detect the case
+when a server is behind. If a Vault server does not have information about
+the provided token, [Vault returns a 412 error](https://www.vaultproject.io/docs/faq/ssct#q-is-there-anything-else-i-need-to-consider-to-achieve-consistency-besides-upgrading-to-vault-1-10)
 so clients know to retry.
 
-A method supported in versions Vault 1.7 and later is to utilize the 
-`X-Vault-Index` header returned on all write requests (including logins). 
-Passing this header back on subsequent requests instructs the Vault client 
-to retry the request until the server has an index greater than or equal 
+A method supported in versions Vault 1.7 and later is to utilize the
+`X-Vault-Index` header returned on all write requests (including logins).
+Passing this header back on subsequent requests instructs the Vault client
+to retry the request until the server has an index greater than or equal
 to that returned with the last write. Obviously though, this has a performance
 hit because the read is blocked until the follower's local state has caught up.
 
 #### Forward Inconsistent
 
-Vault also supports proxying inconsistent requests to the current cluster leader 
+Vault also supports proxying inconsistent requests to the current cluster leader
 for immediate read-after-write consistency.
- 
+
 Vault 1.10.0 and later [support a replication configuration](https://www.vaultproject.io/docs/faq/ssct#q-is-there-a-new-configuration-that-this-feature-introduces) that detects when forwarding should occur and does it transparently to the client.
 
 In Vault 1.7 forwarding can be achieved by setting the `X-Vault-Inconsistent`

docs/provider-ibm-secrets-manager.md

@@ -10,23 +10,23 @@ We support API key and trusted profile container authentication for this provide
 
 To generate your key (for test purposes we are going to generate from your user), first got to your (Access IAM) page:
 
-![iam](./pictures/screenshot_api_keys_iam.png)
+![iam](../pictures/screenshot_api_keys_iam.png)
 
 On the left, click "IBM Cloud API Keys":
 
-![iam-left](./pictures/screenshot_api_keys_iam_left.png)
+![iam-left](../pictures/screenshot_api_keys_iam_left.png)
 
 Press "Create an IBM Cloud API Key":
 
-![iam-create-button](./pictures/screenshot_api_keys_create_button.png)
+![iam-create-button](../pictures/screenshot_api_keys_create_button.png)
 
 Pick a name and description for your key:
 
-![iam-create-key](./pictures/screenshot_api_keys_create.png)
+![iam-create-key](../pictures/screenshot_api_keys_create.png)
 
 You have created a key. Press the eyeball to show the key. Copy or save it because keys can't be displayed or downloaded twice.
 
-![iam-create-success](./pictures/screenshot_api_keys_create_successful.png)
+![iam-create-success](../pictures/screenshot_api_keys_create_successful.png)
 
 Create a secret containing your apiKey:
 
@@ -38,51 +38,51 @@ kubectl create secret generic ibm-secret --from-literal=apiKey='API_KEY_VALUE'
 
 To create the trusted profile, first got to your (Access IAM) page:
 
-![iam](./pictures/screenshot_api_keys_iam.png)
+![iam](../pictures/screenshot_api_keys_iam.png)
 
 On the left, click "Access groups":
 
-![iam-left](./pictures/screenshot_container_auth_create_group.png)
+![iam-left](../pictures/screenshot_container_auth_create_group.png)
 
 Pick a name and description for your group:
 
-![iam-left](./pictures/screenshot_container_auth_create_group_1.png)
+![iam-left](../pictures/screenshot_container_auth_create_group_1.png)
 
 Click on "Access Policies":
 
-![iam-left](./pictures/screenshot_container_auth_create_group_2.png)
+![iam-left](../pictures/screenshot_container_auth_create_group_2.png)
 
 Click on "Assign Access", select "IAM services", and pick "Secrets Manager" from the pick-list:
 
-![iam-left](./pictures/screenshot_container_auth_create_group_3.png)
+![iam-left](../pictures/screenshot_container_auth_create_group_3.png)
 
 Scope to "All resources" or "Resources based on selected attributes", select "SecretsReader":
 
-![iam-left](./pictures/screenshot_container_auth_create_group_4.png)
+![iam-left](../pictures/screenshot_container_auth_create_group_4.png)
 
 Click "Add" and "Assign" to save the access group.
 
 Next, on the left, click "Trusted profiles":
 
-![iam-left](./pictures/screenshot_container_auth_iam_left.png)
+![iam-left](../pictures/screenshot_container_auth_iam_left.png)
 
 Press "Create":
 
-![iam-create-button](./pictures/screenshot_container_auth_create_button.png)
+![iam-create-button](../pictures/screenshot_container_auth_create_button.png)
 
 Pick a name and description for your profile:
 
-![iam-create-key](./pictures/screenshot_container_auth_create_1.png)
+![iam-create-key](../pictures/screenshot_container_auth_create_1.png)
 
 Scope the profile's access.
 
 The compute service type will be "Red Hat OpenShift on IBM Cloud".  Additional restriction can be configured based on cloud or cluster metadata, or if "Specific resources" is selected, restriction to a specific cluster.
 
-![iam-create-key](./pictures/screenshot_container_auth_create_2.png)
+![iam-create-key](../pictures/screenshot_container_auth_create_2.png)
 
 Click "Add" next to the previously created access group and then "Create", to associate the necessary service permissions.
 
-![iam-create-key](./pictures/screenshot_container_auth_create_3.png)
+![iam-create-key](../pictures/screenshot_container_auth_create_3.png)
 
 To use the container-based authentication, it is necessary to map the API server `serviceAccountToken` auth token to the "external-secrets" and "external-secrets-webhook" deployment descriptors. Example below:
 
@@ -105,18 +105,18 @@ To find your serviceURL, under your Secrets Manager resource, go to "Endpoints"
 Note: Use the url without the `/api` suffix that is presented in the UI.
 See here for a list of [publicly available endpoints](https://cloud.ibm.com/apidocs/secrets-manager#getting-started-endpoints).
 
-![iam-create-success](./pictures/screenshot_service_url.png)
+![iam-create-success](../pictures/screenshot_service_url.png)
 
 ### Secret Types
 We support the following secret types of [IBM Secrets Manager](https://cloud.ibm.com/apidocs/secrets-manager):
 
-* `arbitrary` 
+* `arbitrary`
 * `username_password`
 * `iam_credentials`
 * `imported_cert`
 * `public_cert`
 * `private_cert`
-* `kv` 
+* `kv`
 
 To define the type of secret you would like to sync you need to prefix the secret id with the desired type. If the secret type is not specified it is defaulted to `arbitrary`:
 

docs/provider-oracle-vault.md

@@ -10,13 +10,13 @@ For using a specific user credentials, userOCID, tenancyOCID, fingerprint and pr
 The fingerprint and key file should be supplied in the secret with the rest being provided in the secret store.
 
 See url for what region you you are accessing.
-![userOCID-details](./pictures/screenshot_region.png)
+![userOCID-details](../pictures/screenshot_region.png)
 
 Select tenancy in the top right to see your user OCID as shown below.
-![tenancyOCID-details](./pictures/screenshot_tenancy_OCID.png)
+![tenancyOCID-details](../pictures/screenshot_tenancy_OCID.png)
 
 Select your user in the top right to see your user OCID as shown below.
-![region-details](./pictures/screenshot_user_OCID.png)
+![region-details](../pictures/screenshot_user_OCID.png)
 
 
 #### Service account key authentication
@@ -28,11 +28,11 @@ Create a secret containing your private key and fingerprint:
 ```
 
 Your fingerprint will be attatched to your API key, once it has been generated. Found on the same page as the user OCID.
-![fingerprint-details](./pictures/screenshot_fingerprint.png)
+![fingerprint-details](../pictures/screenshot_fingerprint.png)
 
 Once you click "Add API Key" you will be shown the following, where you can download the RSA key in the necessary PEM format for API requests.
 This will automatically generate a fingerprint.
-![API-key-details](./pictures/screenshot_API_key.png)
+![API-key-details](../pictures/screenshot_API_key.png)
 
 ### Update secret store
 Be sure the `oracle` provider is listed in the `Kind=SecretStore`.

docs/snippets/provider-aws-access.md

@@ -2,7 +2,7 @@
 
 ### Controller's Pod Identity
 
-![Pod Identity Authentication](./pictures/diagrams-provider-aws-auth-pod-identity.png)
+![Pod Identity Authentication](../pictures/diagrams-provider-aws-auth-pod-identity.png)
 
 Note: If you are using Parameter Store replace `service: SecretsManager` with `service: ParameterStore` in all examples below.
 
@@ -28,7 +28,7 @@ spec:
 
 ### Access Key ID & Secret Access Key
 
-![SecretRef](./pictures/diagrams-provider-aws-auth-secret-ref.png)
+![SecretRef](../pictures/diagrams-provider-aws-auth-secret-ref.png)
 
 You can store Access Key ID & Secret Access Key in a `Kind=Secret` and reference it from a SecretStore.
 
@@ -58,7 +58,7 @@ spec:
 
 ### EKS Service Account credentials
 
-![Service Account](./pictures/diagrams-provider-aws-auth-service-account.png)
+![Service Account](../pictures/diagrams-provider-aws-auth-service-account.png)
 
 This feature lets you use short-lived service account tokens to authenticate with AWS.
 You must have [Service Account Volume Projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) enabled - it is by default on EKS. See [EKS guide](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html) on how to set up IAM roles for service accounts.

docs/stability-support.md

@@ -14,23 +14,46 @@ We are currently in beta and support **only the latest release** for the time be
 
 The following table describes the stability level of each provider and who's responsible.
 
-| Provider                                                                                                   | Stability |                                                                                                                                                                Maintainer |
-| ---------------------------------------------------------------------------------------------------------- | :-------: | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------: |
-| [AWS Secrets Manager](https://external-secrets.io/latest/provider-aws-secrets-manager/)                    |  stable   |                                                                                                                   [external-secrets](https://github.com/external-secrets) |
-| [AWS Parameter Store](https://external-secrets.io/latest/provider-aws-parameter-store/)                    |  stable   |                                                                                                                   [external-secrets](https://github.com/external-secrets) |
-| [Hashicorp Vault](https://external-secrets.io/latest/provider-hashicorp-vault/)                            |  stable   |                                                                                                                   [external-secrets](https://github.com/external-secrets) |
-| [GCP Secret Manager](https://external-secrets.io/latest/provider-google-secrets-manager/)                  |  stable   |                                                                                                                   [external-secrets](https://github.com/external-secrets) |
-| [Azure Keyvault](https://external-secrets.io/latest/provider-azure-key-vault/)                             |   stable    | [external-secrets](https://github.com/external-secrets) |
-| [Kubernetes](https://external-secrets.io/latest/provider-kubernetes) |   alpha   |                                                                                                                                      [external-secrets](https://github.com/external-secrets) |
-| [IBM Secrets Manager](https://external-secrets.io/latest/provider-ibm-secrets-manager/)                    |   alpha   |                            [@knelasevero](https://github.com/knelasevero) [@sebagomez](https://github.com/sebagomez) [@ricardoptcosta](https://github.com/ricardoptcosta) |
-| [Yandex Lockbox](https://external-secrets.io/latest/provider-yandex-lockbox/)                              |   alpha   |                                                                       [@AndreyZamyslov](https://github.com/AndreyZamyslov) [@knelasevero](https://github.com/knelasevero) |
-| [Gitlab Project Variables](https://external-secrets.io/latest/provider-gitlab-project-variables/)          |   alpha   |                                                                                                                                    [@Jabray5](https://github.com/Jabray5) |
-| Alibaba Cloud KMS                                                                                          |   alpha   |                                                                                                                            [@ElsaChelala](https://github.com/ElsaChelala) |
-| [Oracle Vault](https://external-secrets.io/latest/provider-oracle-vault)                                   |   alpha   |                                                                                   [@KianTigger](https://github.com/KianTigger) [@EladGabay](https://github.com/EladGabay) |
-| [Akeyless](https://external-secrets.io/latest/provider-akeyless)                                           |   alpha   |                                                                                                                      [@renanaAkeyless](https://github.com/renanaAkeyless) |
-| [1Password](https://external-secrets.io/latest/provider-1password-automation)                              |   alpha   |                                                                         [@SimSpaceCorp](https://github.com/Simspace) [@snarlysodboxer](https://github.com/snarlysodboxer) |
-| [Generic Webhook](https://external-secrets.io/latest/provider-webhook)                                     |   alpha   |                                                                                                                                    [@willemm](https://github.com/willemm) |
-| [senhasegura DevOps Secrets Management (DSM)](https://external-secrets.io/latest/provider-senhasegura-dsm) |   alpha   |                                                                                                                                      [@lfraga](https://github.com/lfraga) |
+| Provider                                                                                                   | Stability |                                                                                                                                     Maintainer |
+| ---------------------------------------------------------------------------------------------------------- | :-------: | ---------------------------------------------------------------------------------------------------------------------------------------------: |
+| [AWS Secrets Manager](https://external-secrets.io/latest/provider-aws-secrets-manager/)                    |  stable   |                                                                                        [external-secrets](https://github.com/external-secrets) |
+| [AWS Parameter Store](https://external-secrets.io/latest/provider-aws-parameter-store/)                    |  stable   |                                                                                        [external-secrets](https://github.com/external-secrets) |
+| [Hashicorp Vault](https://external-secrets.io/latest/provider-hashicorp-vault/)                            |  stable   |                                                                                        [external-secrets](https://github.com/external-secrets) |
+| [GCP Secret Manager](https://external-secrets.io/latest/provider-google-secrets-manager/)                  |  stable   |                                                                                        [external-secrets](https://github.com/external-secrets) |
+| [Azure Keyvault](https://external-secrets.io/latest/provider-azure-key-vault/)                             |  stable   |                                                                                        [external-secrets](https://github.com/external-secrets) |
+| [Kubernetes](https://external-secrets.io/latest/provider-kubernetes)                                       |   alpha   |                                                                                        [external-secrets](https://github.com/external-secrets) |
+| [IBM Secrets Manager](https://external-secrets.io/latest/provider-ibm-secrets-manager/)                    |   alpha   | [@knelasevero](https://github.com/knelasevero) [@sebagomez](https://github.com/sebagomez) [@ricardoptcosta](https://github.com/ricardoptcosta) |
+| [Yandex Lockbox](https://external-secrets.io/latest/provider-yandex-lockbox/)                              |   alpha   |                                            [@AndreyZamyslov](https://github.com/AndreyZamyslov) [@knelasevero](https://github.com/knelasevero) |
+| [Gitlab Project Variables](https://external-secrets.io/latest/provider-gitlab-project-variables/)          |   alpha   |                                                                                                         [@Jabray5](https://github.com/Jabray5) |
+| Alibaba Cloud KMS                                                                                          |   alpha   |                                                                                                 [@ElsaChelala](https://github.com/ElsaChelala) |
+| [Oracle Vault](https://external-secrets.io/latest/provider-oracle-vault)                                   |   alpha   |                                                        [@KianTigger](https://github.com/KianTigger) [@EladGabay](https://github.com/EladGabay) |
+| [Akeyless](https://external-secrets.io/latest/provider-akeyless)                                           |   alpha   |                                                                                           [@renanaAkeyless](https://github.com/renanaAkeyless) |
+| [1Password](https://external-secrets.io/latest/provider-1password-automation)                              |   alpha   |                                              [@SimSpaceCorp](https://github.com/Simspace) [@snarlysodboxer](https://github.com/snarlysodboxer) |
+| [Generic Webhook](https://external-secrets.io/latest/provider-webhook)                                     |   alpha   |                                                                                                         [@willemm](https://github.com/willemm) |
+| [senhasegura DevOps Secrets Management (DSM)](https://external-secrets.io/latest/provider-senhasegura-dsm) |   alpha   |                                                                                                           [@lfraga](https://github.com/lfraga) |
+
+## Provider Feature Support
+
+The following table show the support for features across different providers.
+
+| Provider                 | find by name | find by tags | metadataPolicy Fetch | referent authentication | store validation | push secret |
+| ------------------------ | :----------: | :----------: | :------------------: | :---------------------: | :--------------: | :---------: |
+| AWS Secrets Manager      |      x       |      x       |                      |                         |        x         |             |
+| AWS Parameter Store      |      x       |      x       |                      |                         |        x         |             |
+| Hashicorp Vault          |      x       |      x       |                      |                         |        x         |             |
+| GCP Secret Manager       |      x       |      x       |                      |                         |        x         |             |
+| Azure Keyvault           |      x       |      x       |          x           |            x            |        x         |             |
+| Kubernetes               |      x       |      x       |                      |            x            |        x         |             |
+| IBM Secrets Manager      |              |              |                      |                         |        x         |             |
+| Yandex Lockbox           |              |              |                      |                         |        x         |             |
+| Gitlab Project Variables |              |              |                      |                         |        x         |             |
+| Alibaba Cloud KMS        |              |              |                      |                         |        x         |             |
+| Oracle Vault             |              |              |                      |                         |        x         |             |
+| Akeyless                 |              |              |                      |                         |        x         |             |
+| 1Password                |      x       |              |                      |                         |        x         |             |
+| Generic Webhook          |              |              |                      |                         |                  |             |
+| senhasegura DSM          |              |              |                      |                         |        x         |             |
+
 
 ## Support Policy
 

hack/api-docs/mkdocs.yml

@@ -32,59 +32,59 @@ extra:
     property: G-QP38TD8K7V
 nav:
   - Introduction: index.md
-  - Overview: api-overview.md
+  - Overview: overview.md
   - API Types:
-      ExternalSecret: api-externalsecret.md
-      SecretStore: api-secretstore.md
-      ClusterSecretStore: api-clustersecretstore.md
-      ClusterExternalSecret: api-clusterexternalsecret.md
+      ExternalSecret: api/externalsecret.md
+      SecretStore: api/secretstore.md
+      ClusterSecretStore: api/clustersecretstore.md
+      ClusterExternalSecret: api/clusterexternalsecret.md
   - Guides:
-    - Introduction: guides-introduction.md
-    - Getting started: guides-getting-started.md
+    - Introduction: guides/introduction.md
+    - Getting started: guides/getting-started.md
     - Advanced Templating:
-        v2: guides-templating.md
-        v1: guides-templating-v1.md
-    - All keys, One secret: guides-all-keys-one-secret.md
-    - Common K8S Secret Types: guides-common-k8s-secret-types.md
-    - Controller Classes: guides-controller-class.md
-    - "Lifecycle: ownership & deletion": guides-ownership-deletion-policy.md
-    - Decoding Strategies: guides-decoding-strategy.md
-    - Getting Multiple Secrets: guides-getallsecrets.md
-    - Multi Tenancy: guides-multi-tenancy.md
-    - Metrics: guides-metrics.md
-    - Rewriting Keys: guides-datafrom-rewrite.md
-    - Upgrading to v1beta1: guides-v1beta1.md
-    - Using Latest Image: guides-using-latest-image.md
+        v2: guides/templating.md
+        v1: guides/templating-v1.md
+    - All keys, One secret: guides/all-keys-one-secret.md
+    - Common K8S Secret Types: guides/common-k8s-secret-types.md
+    - Controller Classes: guides/controller-class.md
+    - "Lifecycle: ownership & deletion": guides/ownership-deletion-policy.md
+    - Decoding Strategies: guides/decoding-strategy.md
+    - Getting Multiple Secrets: guides/getallsecrets.md
+    - Multi Tenancy: guides/multi-tenancy.md
+    - Metrics: guides/metrics.md
+    - Rewriting Keys: guides/datafrom-rewrite.md
+    - Upgrading to v1beta1: guides/v1beta1.md
+    - Using Latest Image: guides/using-latest-image.md
   - Provider:
     - AWS:
-      - Secrets Manager: provider-aws-secrets-manager.md
-      - Parameter Store: provider-aws-parameter-store.md
+      - Secrets Manager: provider/aws-secrets-manager.md
+      - Parameter Store: provider/aws-parameter-store.md
     - Azure:
-      - Key Vault: provider-azure-key-vault.md
+      - Key Vault: provider/azure-key-vault.md
     - Google:
-      - Secret Manager: provider-google-secrets-manager.md
+      - Secret Manager: provider/google-secrets-manager.md
     - IBM:
-      - Secrets Manager: provider-ibm-secrets-manager.md
-    - Akeyless: provider-akeyless.md
-    - HashiCorp Vault: provider-hashicorp-vault.md
+      - Secrets Manager: provider/ibm-secrets-manager.md
+    - Akeyless: provider/akeyless.md
+    - HashiCorp Vault: provider/hashicorp-vault.md
     - Yandex:
-        - Certificate Manager: provider-yandex-certificate-manager.md
-        - Lockbox: provider-yandex-lockbox.md
+        - Certificate Manager: provider/yandex-certificate-manager.md
+        - Lockbox: provider/yandex-lockbox.md
     - Gitlab:
-      - Gitlab Project Variables: provider-gitlab-project-variables.md
+      - Gitlab Project Variables: provider/gitlab-project-variables.md
     - Oracle:
-      - Oracle Vault: provider-oracle-vault.md
+      - Oracle Vault: provider/oracle-vault.md
     - 1Password:
-      - Secrets Automation: provider-1password-automation.md
-    - Webhook: provider-webhook.md
-    - Fake: provider-fake.md
-    - Kubernetes: provider-kubernetes.md
+      - Secrets Automation: provider/1password-automation.md
+    - Webhook: provider/webhook.md
+    - Fake: provider/fake.md
+    - Kubernetes: provider/kubernetes.md
     - senhasegura:
-      - DevOps Secrets Management (DSM): provider-senhasegura-dsm.md
+      - DevOps Secrets Management (DSM): provider/senhasegura-dsm.md
   - Examples:
-    - FluxCD: examples-gitops-using-fluxcd.md
-    - Anchore Engine: examples-anchore-engine-credentials.md
-    - Jenkins: examples-jenkins-kubernetes-credentials.md
+    - FluxCD: examples/gitops-using-fluxcd.md
+    - Anchore Engine: examples/anchore-engine-credentials.md
+    - Jenkins: examples/jenkins-kubernetes-credentials.md
   - External Resources:
     - Talks: eso-talks.md
     - Demos: eso-demos.md
@@ -92,11 +92,11 @@ nav:
   - References:
     - API specification: spec.md
   - Contributing:
-    - Developer guide: contributing-devguide.md
-    - Contributing Process: contributing-process.md
-    - Release Process: contributing-release.md
-    - Code of Conduct: contributing-coc.md
-  - Roadmap: roadmap.md
+    - Developer guide: contributing/devguide.md
+    - Contributing Process: contributing/process.md
+    - Release Process: contributing/release.md
+    - Code of Conduct: contributing/coc.md
+    - Roadmap: contributing/roadmap.md
   - FAQ: faq.md
   - Stability and Support: stability-support.md
   - Deprecation Policy: deprecation-policy.md