
v1alpha2 code commit

Sebastian Gomez 4 سال پیش
والد
کامیت
46efe8bc65
84فایلهای تغییر یافته به همراه3722 افزوده شده و 960 حذف شده
  1. 1 49
      apis/externalsecrets/v1alpha1/externalsecret_types.go
  2. 2 74
      apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go
  3. 19 0
      apis/externalsecrets/v1alpha2/doc.go
  4. 274 0
      apis/externalsecrets/v1alpha2/externalsecret_types.go
  5. 78 0
      apis/externalsecrets/v1alpha2/generic_store.go
  6. 67 0
      apis/externalsecrets/v1alpha2/register.go
  7. 42 0
      apis/externalsecrets/v1alpha2/secretstore_akeyless_types.go
  8. 41 0
      apis/externalsecrets/v1alpha2/secretstore_alibaba_types.go
  9. 76 0
      apis/externalsecrets/v1alpha2/secretstore_aws_types.go
  10. 62 0
      apis/externalsecrets/v1alpha2/secretstore_azurekv_types.go
  11. 48 0
      apis/externalsecrets/v1alpha2/secretstore_gcpsm_types.go
  12. 40 0
      apis/externalsecrets/v1alpha2/secretstore_gitlab_types.go
  13. 39 0
      apis/externalsecrets/v1alpha2/secretstore_ibm_types.go
  14. 49 0
      apis/externalsecrets/v1alpha2/secretstore_oracle_types.go
  15. 161 0
      apis/externalsecrets/v1alpha2/secretstore_types.go
  16. 235 0
      apis/externalsecrets/v1alpha2/secretstore_vault_types.go
  17. 101 0
      apis/externalsecrets/v1alpha2/secretstore_webhook_types.go
  18. 43 0
      apis/externalsecrets/v1alpha2/secretstore_yandexlockbox_types.go
  19. 1507 0
      apis/externalsecrets/v1alpha2/zz_generated.deepcopy.go
  20. 2 2
      e2e/framework/eso.go
  21. 2 2
      e2e/framework/framework.go
  22. 6 6
      e2e/framework/testcase.go
  23. 7 7
      e2e/suite/akeyless/provider.go
  24. 7 7
      e2e/suite/alibaba/provider.go
  25. 10 10
      e2e/suite/aws/common.go
  26. 15 15
      e2e/suite/aws/parameterstore/provider.go
  27. 15 15
      e2e/suite/aws/secretsmanager/provider.go
  28. 3 3
      e2e/suite/azure/azure_cert.go
  29. 3 3
      e2e/suite/azure/azure_key.go
  30. 6 6
      e2e/suite/azure/provider.go
  31. 33 33
      e2e/suite/common/common.go
  32. 4 4
      e2e/suite/gcp/gcp.go
  33. 2 2
      e2e/suite/gcp/gcp_managed.go
  34. 14 14
      e2e/suite/gcp/provider.go
  35. 7 7
      e2e/suite/gitlab/provider.go
  36. 7 7
      e2e/suite/oracle/provider.go
  37. 18 18
      e2e/suite/vault/provider.go
  38. 2 2
      main.go
  39. 24 24
      pkg/controllers/externalsecret/externalsecret_controller.go
  40. 8 8
      pkg/controllers/externalsecret/externalsecret_controller_template.go
  41. 150 150
      pkg/controllers/externalsecret/externalsecret_controller_test.go
  42. 10 10
      pkg/controllers/externalsecret/metrics.go
  43. 2 2
      pkg/controllers/externalsecret/suite_test.go
  44. 7 7
      pkg/controllers/externalsecret/util.go
  45. 2 2
      pkg/controllers/secretstore/secretstore_controller.go
  46. 3 3
      pkg/controllers/secretstore/suite_test.go
  47. 9 9
      pkg/provider/akeyless/akeyless.go
  48. 3 3
      pkg/provider/akeyless/akeyless_test.go
  49. 4 4
      pkg/provider/akeyless/auth.go
  50. 2 2
      pkg/provider/akeyless/utils.go
  51. 10 10
      pkg/provider/alibaba/kms.go
  52. 3 3
      pkg/provider/alibaba/kms_test.go
  53. 7 7
      pkg/provider/aws/auth/auth.go
  54. 72 72
      pkg/provider/aws/auth/auth_test.go
  55. 4 4
      pkg/provider/aws/parameterstore/parameterstore.go
  56. 8 8
      pkg/provider/aws/parameterstore/parameterstore_test.go
  57. 7 7
      pkg/provider/aws/provider.go
  58. 28 28
      pkg/provider/aws/provider_test.go
  59. 5 5
      pkg/provider/aws/secretsmanager/secretsmanager.go
  60. 8 8
      pkg/provider/aws/secretsmanager/secretsmanager_test.go
  61. 2 2
      pkg/provider/aws/util/provider.go
  62. 16 16
      pkg/provider/azure/keyvault/keyvault.go
  63. 12 12
      pkg/provider/azure/keyvault/keyvault_test.go
  64. 15 15
      pkg/provider/fake/fake.go
  65. 11 11
      pkg/provider/gcp/secretmanager/secretsmanager.go
  66. 4 4
      pkg/provider/gcp/secretmanager/secretsmanager_test.go
  67. 3 3
      pkg/provider/gcp/secretmanager/secretsmanager_workload_identity.go
  68. 22 22
      pkg/provider/gcp/secretmanager/secretsmanager_workload_identity_test.go
  69. 9 9
      pkg/provider/gitlab/gitlab.go
  70. 3 3
      pkg/provider/gitlab/gitlab_test.go
  71. 11 11
      pkg/provider/ibm/provider.go
  72. 10 10
      pkg/provider/ibm/provider_test.go
  73. 9 9
      pkg/provider/oracle/oracle.go
  74. 3 3
      pkg/provider/oracle/oracle_test.go
  75. 5 5
      pkg/provider/provider.go
  76. 5 5
      pkg/provider/schema/schema.go
  77. 28 28
      pkg/provider/schema/schema_test.go
  78. 21 21
      pkg/provider/vault/vault.go
  79. 44 44
      pkg/provider/vault/vault_test.go
  80. 20 20
      pkg/provider/webhook/webhook.go
  81. 10 10
      pkg/provider/webhook/webhook_test.go
  82. 9 9
      pkg/provider/yandex/lockbox/lockbox.go
  83. 18 18
      pkg/provider/yandex/lockbox/lockbox_test.go
  84. 8 8
      pkg/utils/utils.go

+ 1 - 49
apis/externalsecrets/v1alpha1/externalsecret_types.go

@@ -130,54 +130,6 @@ type ExternalSecretDataRemoteRef struct {
 	Property string `json:"property,omitempty"`
 }
 
-// ExternalSecretDataFromRemoteRef defines Provider data location.
-type ExternalSecretDataFromRemoteRef struct {
-	// Used to select a specific version and property from the secret
-	// +optional
-	Extract ExternalSecretExtract `json:"extract,omitempty"`
-	// Used to find secrets based on tags or regular expressions
-	// +optional
-	Find ExternalSecretFind `json:"find,omitempty"`
-}
-
-func (ref ExternalSecretDataFromRemoteRef) GetDataRemoteRef() ExternalSecretDataRemoteRef {
-	return ExternalSecretDataRemoteRef{
-		Key:      ref.Extract.Key,
-		Property: ref.Extract.Property,
-		Version:  ref.Extract.Version,
-	}
-}
-
-type ExternalSecretExtract struct {
-	// Key is the key used in the Provider
-	// +optional
-	Key string `json:"key,omitempty"`
-
-	// Used to select a specific version of the Provider value, if supported
-	// +optional
-	Version string `json:"version,omitempty"`
-
-	// +optional
-	// Used to select a specific property of the Provider value (if a map), if supported
-	Property string `json:"property,omitempty"`
-}
-
-type ExternalSecretFind struct {
-	// Key is the key used in the Provider
-	// +optional
-	Name FindName `json:"name,omitempty"`
-
-	// Used to select a specific version of the Provider value, if supported
-	// +optional
-	Tags map[string]string `json:"tags,omitempty"`
-}
-
-type FindName struct {
-	// Used to select multiple secrets based on a regular expression of the name
-	// +optional
-	RegExp string `json:"regexp,omitempty"`
-}
-
 // ExternalSecretSpec defines the desired state of ExternalSecret.
 type ExternalSecretSpec struct {
 	SecretStoreRef SecretStoreRef `json:"secretStoreRef"`
@@ -197,7 +149,7 @@ type ExternalSecretSpec struct {
 	// DataFrom is used to fetch all properties from a specific Provider data
 	// If multiple entries are specified, the Secret keys are merged in the specified order
 	// +optional
-	DataFrom []ExternalSecretDataFromRemoteRef `json:"dataFrom,omitempty"`
+	DataFrom []ExternalSecretDataRemoteRef `json:"dataFrom,omitempty"`
 }
 
 type ExternalSecretConditionType string

+ 2 - 74
apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go

@@ -402,23 +402,6 @@ func (in *ExternalSecretData) DeepCopy() *ExternalSecretData {
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretDataFromRemoteRef) DeepCopyInto(out *ExternalSecretDataFromRemoteRef) {
-	*out = *in
-	out.Extract = in.Extract
-	in.Find.DeepCopyInto(&out.Find)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretDataFromRemoteRef.
-func (in *ExternalSecretDataFromRemoteRef) DeepCopy() *ExternalSecretDataFromRemoteRef {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretDataFromRemoteRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExternalSecretDataRemoteRef) DeepCopyInto(out *ExternalSecretDataRemoteRef) {
 	*out = *in
@@ -434,44 +417,6 @@ func (in *ExternalSecretDataRemoteRef) DeepCopy() *ExternalSecretDataRemoteRef {
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretExtract) DeepCopyInto(out *ExternalSecretExtract) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretExtract.
-func (in *ExternalSecretExtract) DeepCopy() *ExternalSecretExtract {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretExtract)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretFind) DeepCopyInto(out *ExternalSecretFind) {
-	*out = *in
-	out.Name = in.Name
-	if in.Tags != nil {
-		in, out := &in.Tags, &out.Tags
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretFind.
-func (in *ExternalSecretFind) DeepCopy() *ExternalSecretFind {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretFind)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExternalSecretList) DeepCopyInto(out *ExternalSecretList) {
 	*out = *in
@@ -521,10 +466,8 @@ func (in *ExternalSecretSpec) DeepCopyInto(out *ExternalSecretSpec) {
 	}
 	if in.DataFrom != nil {
 		in, out := &in.DataFrom, &out.DataFrom
-		*out = make([]ExternalSecretDataFromRemoteRef, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
+		*out = make([]ExternalSecretDataRemoteRef, len(*in))
+		copy(*out, *in)
 	}
 }
 
@@ -656,21 +599,6 @@ func (in *ExternalSecretTemplateMetadata) DeepCopy() *ExternalSecretTemplateMeta
 	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FindName) DeepCopyInto(out *FindName) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FindName.
-func (in *FindName) DeepCopy() *FindName {
-	if in == nil {
-		return nil
-	}
-	out := new(FindName)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GCPSMAuth) DeepCopyInto(out *GCPSMAuth) {
 	*out = *in

+ 19 - 0
apis/externalsecrets/v1alpha2/doc.go

@@ -0,0 +1,19 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1alpha1 contains resources for external-secrets
+// +kubebuilder:object:generate=true
+// +groupName=external-secrets.io
+// +versionName=v1alpha2
+package v1alpha2
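Review bot: The package comment names the wrong package: it reads `// Package v1alpha1 contains resources for external-secrets` while the clause below it is `package v1alpha2`. It should read `// Package v1alpha2 contains resources for external-secrets`, which also keeps the generated documentation consistent with the `+versionName=v1alpha2` marker two lines further down.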

+ 274 - 0
apis/externalsecrets/v1alpha2/externalsecret_types.go

@@ -0,0 +1,274 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
+type SecretStoreRef struct {
+	// Name of the SecretStore resource
+	Name string `json:"name"`
+
+	// Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+	// Defaults to `SecretStore`
+	// +optional
+	Kind string `json:"kind,omitempty"`
+}
+
+// ExternalSecretCreationPolicy defines rules on how to create the resulting Secret.
+type ExternalSecretCreationPolicy string
+
+const (
+	// Owner creates the Secret and sets .metadata.ownerReferences to the ExternalSecret resource.
+	Owner ExternalSecretCreationPolicy = "Owner"
+
+	// Merge does not create the Secret, but merges the data fields to the Secret.
+	Merge ExternalSecretCreationPolicy = "Merge"
+
+	// None does not create a Secret (future use with injector).
+	None ExternalSecretCreationPolicy = "None"
+)
+
+// ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
+type ExternalSecretTemplateMetadata struct {
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+
+	// +optional
+	Labels map[string]string `json:"labels,omitempty"`
+}
+
+// ExternalSecretTemplate defines a blueprint for the created Secret resource.
+// we can not use native corev1.Secret, it will have empty ObjectMeta values: https://github.com/kubernetes-sigs/controller-tools/issues/448
+type ExternalSecretTemplate struct {
+	// +optional
+	Type corev1.SecretType `json:"type,omitempty"`
+
+	// +optional
+	Metadata ExternalSecretTemplateMetadata `json:"metadata,omitempty"`
+
+	// +optional
+	Data map[string]string `json:"data,omitempty"`
+
+	// +optional
+	TemplateFrom []TemplateFrom `json:"templateFrom,omitempty"`
+}
+
+// +kubebuilder:validation:MinProperties=1
+// +kubebuilder:validation:MaxProperties=1
+type TemplateFrom struct {
+	ConfigMap *TemplateRef `json:"configMap,omitempty"`
+	Secret    *TemplateRef `json:"secret,omitempty"`
+}
+
+type TemplateRef struct {
+	Name  string            `json:"name"`
+	Items []TemplateRefItem `json:"items"`
+}
+
+type TemplateRefItem struct {
+	Key string `json:"key"`
+}
+
+// ExternalSecretTarget defines the Kubernetes Secret to be created
+// There can be only one target per ExternalSecret.
+type ExternalSecretTarget struct {
+	// Name defines the name of the Secret resource to be managed
+	// This field is immutable
+	// Defaults to the .metadata.name of the ExternalSecret resource
+	// +optional
+	Name string `json:"name,omitempty"`
+
+	// CreationPolicy defines rules on how to create the resulting Secret
+	// Defaults to 'Owner'
+	// +optional
+	// +kubebuilder:default="Owner"
+	CreationPolicy ExternalSecretCreationPolicy `json:"creationPolicy,omitempty"`
+
+	// Template defines a blueprint for the created Secret resource.
+	// +optional
+	Template *ExternalSecretTemplate `json:"template,omitempty"`
+
+	// Immutable defines if the final secret will be immutable
+	// +optional
+	Immutable bool `json:"immutable,omitempty"`
+}
+
+// ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
+type ExternalSecretData struct {
+	SecretKey string `json:"secretKey"`
+
+	RemoteRef ExternalSecretDataRemoteRef `json:"remoteRef"`
+}
+
+// ExternalSecretDataRemoteRef defines Provider data location.
+type ExternalSecretDataRemoteRef struct {
+	// Key is the key used in the Provider, mandatory
+	Key string `json:"key"`
+
+	// Used to select a specific version of the Provider value, if supported
+	// +optional
+	Version string `json:"version,omitempty"`
+
+	// +optional
+	// Used to select a specific property of the Provider value (if a map), if supported
+	Property string `json:"property,omitempty"`
+}
+
+// ExternalSecretDataFromRemoteRef defines Provider data location.
+type ExternalSecretDataFromRemoteRef struct {
+	// Used to select a specific version and property from the secret
+	// +optional
+	Extract ExternalSecretExtract `json:"extract,omitempty"`
+	// Used to find secrets based on tags or regular expressions
+	// +optional
+	Find ExternalSecretFind `json:"find,omitempty"`
+}
+
+func (ref ExternalSecretDataFromRemoteRef) GetDataRemoteRef() ExternalSecretDataRemoteRef {
+	return ExternalSecretDataRemoteRef{
+		Key:      ref.Extract.Key,
+		Property: ref.Extract.Property,
+		Version:  ref.Extract.Version,
+	}
+}
+
+type ExternalSecretExtract struct {
+	// Key is the key used in the Provider
+	// +optional
+	Key string `json:"key,omitempty"`
+
+	// Used to select a specific version of the Provider value, if supported
+	// +optional
+	Version string `json:"version,omitempty"`
+
+	// +optional
+	// Used to select a specific property of the Provider value (if a map), if supported
+	Property string `json:"property,omitempty"`
+}
+
+type ExternalSecretFind struct {
+	// Key is the key used in the Provider
+	// +optional
+	Name FindName `json:"name,omitempty"`
+
+	// Used to select a specific version of the Provider value, if supported
+	// +optional
+	Tags map[string]string `json:"tags,omitempty"`
+}
+
+type FindName struct {
+	// Used to select multiple secrets based on a regular expression of the name
+	// +optional
+	RegExp string `json:"regexp,omitempty"`
+}
+
+// ExternalSecretSpec defines the desired state of ExternalSecret.
+type ExternalSecretSpec struct {
+	SecretStoreRef SecretStoreRef `json:"secretStoreRef"`
+
+	Target ExternalSecretTarget `json:"target"`
+
+	// RefreshInterval is the amount of time before the values are read again from the SecretStore provider
+	// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
+	// May be set to zero to fetch and create it once. Defaults to 1h.
+	// +kubebuilder:default="1h"
+	RefreshInterval *metav1.Duration `json:"refreshInterval,omitempty"`
+
+	// Data defines the connection between the Kubernetes Secret keys and the Provider data
+	// +optional
+	Data []ExternalSecretData `json:"data,omitempty"`
+
+	// DataFrom is used to fetch all properties from a specific Provider data
+	// If multiple entries are specified, the Secret keys are merged in the specified order
+	// +optional
+	DataFrom []ExternalSecretDataFromRemoteRef `json:"dataFrom,omitempty"`
+}
+
+type ExternalSecretConditionType string
+
+const (
+	ExternalSecretReady   ExternalSecretConditionType = "Ready"
+	ExternalSecretDeleted ExternalSecretConditionType = "Deleted"
+)
+
+type ExternalSecretStatusCondition struct {
+	Type   ExternalSecretConditionType `json:"type"`
+	Status corev1.ConditionStatus      `json:"status"`
+
+	// +optional
+	Reason string `json:"reason,omitempty"`
+
+	// +optional
+	Message string `json:"message,omitempty"`
+
+	// +optional
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
+}
+
+const (
+	// ConditionReasonSecretSynced indicates that the secrets was synced.
+	ConditionReasonSecretSynced = "SecretSynced"
+	// ConditionReasonSecretSyncedError indicates that there was an error syncing the secret.
+	ConditionReasonSecretSyncedError = "SecretSyncedError"
+	// ConditionReasonSecretDeleted indicates that the secret has been deleted.
+	ConditionReasonSecretDeleted = "SecretDeleted"
+)
+
+type ExternalSecretStatus struct {
+	// +nullable
+	// refreshTime is the time and date the external secret was fetched and
+	// the target secret updated
+	RefreshTime metav1.Time `json:"refreshTime,omitempty"`
+
+	// SyncedResourceVersion keeps track of the last synced version
+	SyncedResourceVersion string `json:"syncedResourceVersion,omitempty"`
+
+	// +optional
+	Conditions []ExternalSecretStatusCondition `json:"conditions,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// ExternalSecret is the Schema for the external-secrets API.
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Namespaced,categories={externalsecrets},shortName=es
+// +kubebuilder:printcolumn:name="Store",type=string,JSONPath=`.spec.secretStoreRef.name`
+// +kubebuilder:printcolumn:name="Refresh Interval",type=string,JSONPath=`.spec.refreshInterval`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason`
+type ExternalSecret struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   ExternalSecretSpec   `json:"spec,omitempty"`
+	Status ExternalSecretStatus `json:"status,omitempty"`
+}
+
+const (
+	// AnnotationDataHash is used to ensure consistency.
+	AnnotationDataHash = "reconcile.external-secrets.io/data-hash"
+)
+
+// +kubebuilder:object:root=true
+
+// ExternalSecretList contains a list of ExternalSecret resources.
+type ExternalSecretList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ExternalSecret `json:"items"`
+}
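Review bot: `ExternalSecretDataFromRemoteRef` has no rule that exactly one of `extract` or `find` is set, and because both fields are struct values, `omitempty` never omits them. A `dataFrom` entry that sets only `find` therefore passes validation, and `GetDataRemoteRef` returns a ref with an empty `Key` even though `ExternalSecretDataRemoteRef.Key` is documented as mandatory; how providers treat an empty key is not visible here. Making both fields pointers and adding the `MinProperties=1`/`MaxProperties=1` markers already used on `TemplateFrom` would reject the ambiguous shapes at admission. The comments on `ExternalSecretFind.Name` and `.Tags` are copied from the extract fields and describe a key and a version rather than name matching and tag matching.

```go
// ExternalSecretDataFromRemoteRef defines Provider data location.
// Exactly one of extract or find must be set.
// +kubebuilder:validation:MinProperties=1
// +kubebuilder:validation:MaxProperties=1
type ExternalSecretDataFromRemoteRef struct {
	// Used to select a specific version and property from the secret
	// +optional
	Extract *ExternalSecretExtract `json:"extract,omitempty"`
	// Used to find secrets based on tags or regular expressions
	// +optional
	Find *ExternalSecretFind `json:"find,omitempty"`
}

// GetDataRemoteRef returns the extract reference; it is the zero value when
// the entry uses find instead, so callers must check Extract first.
func (ref ExternalSecretDataFromRemoteRef) GetDataRemoteRef() ExternalSecretDataRemoteRef {
	if ref.Extract == nil {
		return ExternalSecretDataRemoteRef{}
	}
	// … unchanged: field-by-field copy of Key, Property and Version from ref.Extract …
```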

+ 78 - 0
apis/externalsecrets/v1alpha2/generic_store.go

@@ -0,0 +1,78 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	"fmt"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// +kubebuilder:object:root=false
+// +kubebuilder:object:generate:false
+// +k8s:deepcopy-gen:interfaces=nil
+// +k8s:deepcopy-gen=nil
+
+// GenericStore is a common interface for interacting with ClusterSecretStore
+// or a namespaced SecretStore.
+type GenericStore interface {
+	runtime.Object
+	metav1.Object
+
+	GetObjectMeta() *metav1.ObjectMeta
+	GetSpec() *SecretStoreSpec
+	GetNamespacedName() string
+}
+
+// +kubebuilder:object:root:false
+// +kubebuilder:object:generate:false
+var _ GenericStore = &SecretStore{}
+
+func (c *SecretStore) GetObjectMeta() *metav1.ObjectMeta {
+	return &c.ObjectMeta
+}
+
+func (c *SecretStore) GetSpec() *SecretStoreSpec {
+	return &c.Spec
+}
+
+func (c *SecretStore) GetNamespacedName() string {
+	return fmt.Sprintf("%s/%s", c.Namespace, c.Name)
+}
+
+func (c *SecretStore) Copy() GenericStore {
+	return c.DeepCopy()
+}
+
+// +kubebuilder:object:root:false
+// +kubebuilder:object:generate:false
+var _ GenericStore = &ClusterSecretStore{}
+
+func (c *ClusterSecretStore) GetObjectMeta() *metav1.ObjectMeta {
+	return &c.ObjectMeta
+}
+
+func (c *ClusterSecretStore) GetSpec() *SecretStoreSpec {
+	return &c.Spec
+}
+
+func (c *ClusterSecretStore) Copy() GenericStore {
+	return c.DeepCopy()
+}
+
+func (c *ClusterSecretStore) GetNamespacedName() string {
+	return fmt.Sprintf("%s/%s", c.Namespace, c.Name)
+}
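Review bot: `(*ClusterSecretStore).GetNamespacedName` formats `c.Namespace` and `c.Name` exactly like the `SecretStore` variant; if ClusterSecretStore is cluster-scoped (its definition is not in this hunk) the namespace is empty and the result is `/name`. Returning `c.Name` alone there, or documenting the leading slash in a doc comment, would make any key or label built from it unambiguous. Separately, both types define `Copy() GenericStore` but the `GenericStore` interface does not list it, so callers holding the interface cannot reach it; adding `Copy() GenericStore` to the interface would close that gap. None of the exported methods has a doc comment, e.g. `// GetSpec returns a pointer to the store's spec.`.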

+ 67 - 0
apis/externalsecrets/v1alpha2/register.go

@@ -0,0 +1,67 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	"reflect"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+// Package type metadata.
+const (
+	Group   = "external-secrets.io"
+	Version = "v1alpha1"
+)
+
+var (
+	// SchemeGroupVersion is group version used to register these objects.
+	SchemeGroupVersion = schema.GroupVersion{Group: Group, Version: Version}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
+	SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+// ExternalSecret type metadata.
+var (
+	ExtSecretKind             = reflect.TypeOf(ExternalSecret{}).Name()
+	ExtSecretGroupKind        = schema.GroupKind{Group: Group, Kind: ExtSecretKind}.String()
+	ExtSecretKindAPIVersion   = ExtSecretKind + "." + SchemeGroupVersion.String()
+	ExtSecretGroupVersionKind = SchemeGroupVersion.WithKind(ExtSecretKind)
+)
+
+// SecretStore type metadata.
+var (
+	SecretStoreKind             = reflect.TypeOf(SecretStore{}).Name()
+	SecretStoreGroupKind        = schema.GroupKind{Group: Group, Kind: SecretStoreKind}.String()
+	SecretStoreKindAPIVersion   = SecretStoreKind + "." + SchemeGroupVersion.String()
+	SecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(SecretStoreKind)
+)
+
+// ClusterSecretStore type metadata.
+var (
+	ClusterSecretStoreKind             = reflect.TypeOf(ClusterSecretStore{}).Name()
+	ClusterSecretStoreGroupKind        = schema.GroupKind{Group: Group, Kind: ClusterSecretStoreKind}.String()
+	ClusterSecretStoreKindAPIVersion   = ClusterSecretStoreKind + "." + SchemeGroupVersion.String()
+	ClusterSecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(ClusterSecretStoreKind)
+)
+
+func init() {
+	SchemeBuilder.Register(&ExternalSecret{}, &ExternalSecretList{})
+	SchemeBuilder.Register(&SecretStore{}, &SecretStoreList{})
+	SchemeBuilder.Register(&ClusterSecretStore{}, &ClusterSecretStoreList{})
+}
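Review bot: `Version = "v1alpha1"` in the `const` block contradicts `package v1alpha2` and the `+versionName=v1alpha2` marker in doc.go, so `SchemeGroupVersion` and every `*GroupVersionKind` and `*KindAPIVersion` value derived from it identify these types as external-secrets.io/v1alpha1. If both API packages are added to the same scheme, the `init()` registrations here would presumably collide with or shadow the v1alpha1 types, and objects would be encoded with the wrong apiVersion. The line should read `Version = "v1alpha2"`.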

+ 42 - 0
apis/externalsecrets/v1alpha2/secretstore_akeyless_types.go

@@ -0,0 +1,42 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+// AkeylessProvider Configures an store to sync secrets using Akeyless KV.
+type AkeylessProvider struct {
+
+	// Akeyless GW API Url from which the secrets to be fetched from.
+	AkeylessGWApiURL *string `json:"akeylessGWApiURL"`
+
+	// Auth configures how the operator authenticates with Akeyless.
+	Auth *AkeylessAuth `json:"authSecretRef"`
+}
+
+type AkeylessAuth struct {
+	SecretRef AkeylessAuthSecretRef `json:"secretRef"`
+}
+
+// AkeylessAuthSecretRef
+//AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.
+type AkeylessAuthSecretRef struct {
+	// The SecretAccessID is used for authentication
+	AccessID        esmeta.SecretKeySelector `json:"accessID,omitempty"`
+	AccessType      esmeta.SecretKeySelector `json:"accessType,omitempty"`
+	AccessTypeParam esmeta.SecretKeySelector `json:"accessTypeParam,omitempty"`
+}
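Review bot: All three selectors in `AkeylessAuthSecretRef` carry `omitempty` and no required marker, so a store whose `secretRef` is empty passes schema validation and the missing credential reference only surfaces when the provider tries to authenticate. If `accessID` is always needed, dropping `omitempty` from its tag (`json:"accessID"`) would make the schema reject such a store up front. `AccessType` and `AccessTypeParam` have no field comments, and the type comment is a bare name followed by an unspaced `//AKEYLESS_ACCESS_TYPE_PARAM:` line; one sentence per field stating which secret value each selector points at would make the contract readable.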

+ 41 - 0
apis/externalsecrets/v1alpha2/secretstore_alibaba_types.go

@@ -0,0 +1,41 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+// AlibabaAuth contains a secretRef for credentials.
+type AlibabaAuth struct {
+	SecretRef AlibabaAuthSecretRef `json:"secretRef"`
+}
+
+// AlibabaAuthSecretRef holds secret references for Alibaba credentials.
+type AlibabaAuthSecretRef struct {
+	// The AccessKeyID is used for authentication
+	AccessKeyID esmeta.SecretKeySelector `json:"accessKeyIDSecretRef"`
+	// The AccessKeySecret is used for authentication
+	AccessKeySecret esmeta.SecretKeySelector `json:"accessKeySecretSecretRef"`
+}
+
+// AlibabaProvider configures a store to sync secrets using the Alibaba Secret Manager provider.
+type AlibabaProvider struct {
+	Auth *AlibabaAuth `json:"auth"`
+	// +optional
+	Endpoint string `json:"endpoint"`
+	// Alibaba Region to be used for the provider
+	RegionID string `json:"regionID"`
+}
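Review bot: `Endpoint` is marked `// +optional` but its tag is `json:"endpoint"` without `omitempty`, so the schema treats it as optional while every serialized object still carries an empty `endpoint` value. `json:"endpoint,omitempty"` would match the marker. The same mismatch appears on `AWSProvider.Auth` (`json:"auth"`) in secretstore_aws_types.go.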

+ 76 - 0
apis/externalsecrets/v1alpha2/secretstore_aws_types.go

@@ -0,0 +1,76 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+// AWSAuth tells the controller how to do authentication with aws.
+// Only one of secretRef or jwt can be specified.
+// if none is specified the controller will load credentials using the aws sdk defaults.
+type AWSAuth struct {
+	// +optional
+	SecretRef *AWSAuthSecretRef `json:"secretRef,omitempty"`
+	// +optional
+	JWTAuth *AWSJWTAuth `json:"jwt,omitempty"`
+}
+
+// AWSAuthSecretRef holds secret references for AWS credentials
+// both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
+type AWSAuthSecretRef struct {
+	// The AccessKeyID is used for authentication
+	AccessKeyID esmeta.SecretKeySelector `json:"accessKeyIDSecretRef,omitempty"`
+
+	// The SecretAccessKey is used for authentication
+	SecretAccessKey esmeta.SecretKeySelector `json:"secretAccessKeySecretRef,omitempty"`
+}
+
+// Authenticate against AWS using service account tokens.
+type AWSJWTAuth struct {
+	ServiceAccountRef *esmeta.ServiceAccountSelector `json:"serviceAccountRef,omitempty"`
+}
+
+// AWSServiceType is a enum that defines the service/API that is used to fetch the secrets.
+// +kubebuilder:validation:Enum=SecretsManager;ParameterStore
+type AWSServiceType string
+
+const (
+	// AWSServiceSecretsManager is the AWS SecretsManager.
+	// see: https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
+	AWSServiceSecretsManager AWSServiceType = "SecretsManager"
+	// AWSServiceParameterStore is the AWS SystemsManager ParameterStore.
+	// see: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html
+	AWSServiceParameterStore AWSServiceType = "ParameterStore"
+)
+
+// AWSProvider configures a store to sync secrets with AWS.
+type AWSProvider struct {
+	// Service defines which service should be used to fetch the secrets
+	Service AWSServiceType `json:"service"`
+
+	// Auth defines the information necessary to authenticate against AWS
+	// if not set aws sdk will infer credentials from your environment
+	// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+	// +optional
+	Auth AWSAuth `json:"auth"`
+
+	// Role is a Role ARN which the SecretManager provider will assume
+	// +optional
+	Role string `json:"role,omitempty"`
+
+	// AWS Region to be used for the provider
+	Region string `json:"region"`
+}
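Review bot: The comment on `AWSAuth` states that only one of `secretRef` or `jwt` can be specified, but nothing in the type enforces it, so an object setting both is admitted and which credential source wins depends on provider code not shown here. A `// +kubebuilder:validation:MaxProperties=1` marker above `type AWSAuth struct`, as `TemplateFrom` uses in externalsecret_types.go, would make the schema reject the ambiguous case while still allowing the empty form that falls back to the SDK defaults. `AWSJWTAuth.ServiceAccountRef` is an optional pointer as well, so `jwt: {}` is accepted with no service account named.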

+ 62 - 0
apis/externalsecrets/v1alpha2/secretstore_azurekv_types.go

@@ -0,0 +1,62 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import smmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+
+// AuthType describes how to authenticate to the Azure Keyvault
+// Only one of the following auth types may be specified.
+// If none of the following auth type is specified, the default one
+// is ServicePrincipal.
+// +kubebuilder:validation:Enum=ServicePrincipal;ManagedIdentity
+type AuthType string
+
+const (
+	// Using service principal to authenticate, which needs a tenantId, a clientId and a clientSecret.
+	ServicePrincipal AuthType = "ServicePrincipal"
+
+	// Using Managed Identity to authenticate. Used with aad-pod-identity instelled in the clister.
+	ManagedIdentity AuthType = "ManagedIdentity"
+)
+
+// Configures an store to sync secrets using Azure KV.
+type AzureKVProvider struct {
+	// Auth type defines how to authenticate to the keyvault service.
+	// Valid values are:
+	// - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
+	// - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
+	// +optional
+	// +kubebuilder:default=ServicePrincipal
+	AuthType *AuthType `json:"authType,omitempty"`
+	// Vault Url from which the secrets to be fetched from.
+	VaultURL *string `json:"vaultUrl"`
+	// TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
+	// +optional
+	TenantID *string `json:"tenantId,omitempty"`
+	// Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
+	// +optional
+	AuthSecretRef *AzureKVAuth `json:"authSecretRef,omitempty"`
+	// If multiple Managed Identity is assigned to the pod, you can select the one to be used
+	// +optional
+	IdentityID *string `json:"identityId,omitempty"`
+}
+
+// Configuration used to authenticate with Azure.
+type AzureKVAuth struct {
+	// The Azure clientId of the service principle used for authentication.
+	ClientID *smmeta.SecretKeySelector `json:"clientId"`
+	// The Azure ClientSecret of the service principle used for authentication.
+	ClientSecret *smmeta.SecretKeySelector `json:"clientSecret"`
+}
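Review bot: The comments on `TenantID` and `AuthSecretRef` say both are required for the ServicePrincipal auth type, but both carry `+optional` and nothing in this file ties them to `AuthType`. A store that defaults to ServicePrincipal with no tenant or credentials is therefore accepted by the schema and can only fail later when the provider runs, unless validation exists outside this diff. I would check the combination in the provider or an admission webhook before any request is made, and say in the field comments what happens when the values are missing. Two comment fixes while here: `instelled in the clister` should read `installed in the cluster`, and `service principle` should read `service principal`.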

+ 48 - 0
apis/externalsecrets/v1alpha2/secretstore_gcpsm_types.go

@@ -0,0 +1,48 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+type GCPSMAuth struct {
+	// +optional
+	SecretRef *GCPSMAuthSecretRef `json:"secretRef,omitempty"`
+	// +optional
+	WorkloadIdentity *GCPWorkloadIdentity `json:"workloadIdentity,omitempty"`
+}
+
+type GCPSMAuthSecretRef struct {
+	// The SecretAccessKey is used for authentication
+	// +optional
+	SecretAccessKey esmeta.SecretKeySelector `json:"secretAccessKeySecretRef,omitempty"`
+}
+
+type GCPWorkloadIdentity struct {
+	ServiceAccountRef esmeta.ServiceAccountSelector `json:"serviceAccountRef"`
+	ClusterLocation   string                        `json:"clusterLocation"`
+	ClusterName       string                        `json:"clusterName"`
+}
+
+// GCPSMProvider Configures a store to sync secrets using the GCP Secret Manager provider.
+type GCPSMProvider struct {
+	// Auth defines the information necessary to authenticate against GCP
+	// +optional
+	Auth GCPSMAuth `json:"auth,omitempty"`
+
+	// ProjectID project where secret is located
+	ProjectID string `json:"projectID,omitempty"`
+}
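Review bot: `GCPSMAuth` accepts `secretRef` and `workloadIdentity` at the same time, or neither, and none of the three auth types here has a doc comment saying which credential is used in those cases. Since this decides which identity reads the secrets, the rule should be written on the type, for example `// GCPSMAuth selects the credentials used for GCP Secret Manager; set either secretRef or workloadIdentity.`, followed by a sentence on what happens when both or neither are set. The comment on `SecretAccessKey` only says it is used for authentication; it should say what the referenced secret key must contain.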

+ 40 - 0
apis/externalsecrets/v1alpha2/secretstore_gitlab_types.go

@@ -0,0 +1,40 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+// Configures a store to sync secrets with a GitLab instance.
+type GitlabProvider struct {
+	// URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
+	URL string `json:"url,omitempty"`
+
+	// Auth configures how secret-manager authenticates with a GitLab instance.
+	Auth GitlabAuth `json:"auth"`
+
+	// ProjectID specifies a project where secrets are located.
+	ProjectID string `json:"projectID,omitempty"`
+}
+
+type GitlabAuth struct {
+	SecretRef GitlabSecretRef `json:"SecretRef"`
+}
+
+type GitlabSecretRef struct {
+	// AccessToken is used for authentication.
+	AccessToken esmeta.SecretKeySelector `json:"accessToken,omitempty"`
+}
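Review bot: The tag `json:"SecretRef"` on `GitlabAuth.SecretRef` is capitalised, while the other providers in this commit use `secretRef`. The generated CRD property name follows the tag, so a manifest written like the others would likely fail schema validation for this required field. If v1alpha2 is free to differ from v1alpha1, change the tag to `json:"secretRef"`; otherwise note the exception in a comment. `OracleSecretRef.PrivateKey` has a similar inconsistency with `json:"privatekey"` where the surrounding API uses camelCase. `GitlabAuth` and `GitlabSecretRef` also have no doc comments.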

+ 39 - 0
apis/externalsecrets/v1alpha2/secretstore_ibm_types.go

@@ -0,0 +1,39 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+// Configures an store to sync secrets using a IBM Cloud Secrets Manager
+// backend.
+type IBMProvider struct {
+	// Auth configures how secret-manager authenticates with the IBM secrets manager.
+	Auth IBMAuth `json:"auth"`
+
+	// ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
+	ServiceURL *string `json:"serviceUrl,omitempty"`
+}
+
+type IBMAuth struct {
+	SecretRef IBMAuthSecretRef `json:"secretRef"`
+}
+
+type IBMAuthSecretRef struct {
+	// The SecretAccessKey is used for authentication
+	// +optional
+	SecretAPIKey esmeta.SecretKeySelector `json:"secretApiKeySecretRef,omitempty"`
+}
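Review bot: `SecretAPIKey` is marked `+optional` although it is the only field of `IBMAuthSecretRef` and `Auth` itself is required, so a store with an empty credential reference passes the schema. `YandexLockboxAuth.AuthorizedKey` has the same shape. The comment `The SecretAccessKey is used for authentication` names a field that does not exist here and should read `// SecretAPIKey references the API key used for authentication.`. I would drop `+optional` on both fields unless an unauthenticated mode is intended.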

+ 49 - 0
apis/externalsecrets/v1alpha2/secretstore_oracle_types.go

@@ -0,0 +1,49 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+// Configures an store to sync secrets using a Oracle Vault
+// backend.
+type OracleProvider struct {
+	// Auth configures how secret-manager authenticates with the Oracle Vault.
+	Auth OracleAuth `json:"auth"`
+
+	// User is an access OCID specific to the account.
+	User string `json:"user,omitempty"`
+
+	// Tenancy is the tenancy OCID where secret is located.
+	Tenancy string `json:"tenancy,omitempty"`
+
+	// Region is the region where secret is located.
+	Region string `json:"region,omitempty"`
+
+	// Vault is the vault's OCID of the specific vault where secret is located.
+	Vault string `json:"vault,omitempty"`
+}
+
+type OracleAuth struct {
+	// SecretRef to pass through sensitive information.
+	SecretRef OracleSecretRef `json:"secretRef"`
+}
+
+type OracleSecretRef struct {
+	// PrivateKey is the user's API Signing Key in PEM format, used for authentication.
+	PrivateKey esmeta.SecretKeySelector `json:"privatekey,omitempty"`
+
+	// Fingerprint is the fingerprint of the API private key.
+	Fingerprint esmeta.SecretKeySelector `json:"fingerprint,omitempty"`
+}
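Review bot: `Vault`, `Region`, `Tenancy` and `User` all carry `omitempty` and no required marker, so the generated schema treats them as optional even though the comments describe them as the place where the secret is located. If the provider cannot work without them (not visible in this diff), make them required by removing `omitempty`, or document what is used when they are empty. The same question applies to `PrivateKey` and `Fingerprint` in `OracleSecretRef`, which are the only credentials and are also optional in the schema.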

+ 161 - 0
apis/externalsecrets/v1alpha2/secretstore_types.go

@@ -0,0 +1,161 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// SecretStoreSpec defines the desired state of SecretStore.
+type SecretStoreSpec struct {
+	// Used to select the correct KES controller (think: ingress.ingressClassName)
+	// The KES controller is instantiated with a specific controller name and filters ES based on this property
+	// +optional
+	Controller string `json:"controller"`
+
+	// Used to configure the provider. Only one provider may be set
+	Provider *SecretStoreProvider `json:"provider"`
+
+	// Used to configure http retries if failed
+	// +optional
+	RetrySettings *SecretStoreRetrySettings `json:"retrySettings,omitempty"`
+}
+
+// SecretStoreProvider contains the provider-specific configration.
+// +kubebuilder:validation:MinProperties=1
+// +kubebuilder:validation:MaxProperties=1
+type SecretStoreProvider struct {
+	// AWS configures this store to sync secrets using AWS Secret Manager provider
+	// +optional
+	AWS *AWSProvider `json:"aws,omitempty"`
+
+	// AzureKV configures this store to sync secrets using Azure Key Vault provider
+	// +optional
+	AzureKV *AzureKVProvider `json:"azurekv,omitempty"`
+
+	// Akeyless configures this store to sync secrets using Akeyless Vault provider
+	// +optional
+	Akeyless *AkeylessProvider `json:"akeyless,omitempty"`
+
+	// Vault configures this store to sync secrets using Hashi provider
+	// +optional
+	Vault *VaultProvider `json:"vault,omitempty"`
+
+	// GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
+	// +optional
+	GCPSM *GCPSMProvider `json:"gcpsm,omitempty"`
+
+	// Oracle configures this store to sync secrets using Oracle Vault provider
+	// +optional
+	Oracle *OracleProvider `json:"oracle,omitempty"`
+
+	// IBM configures this store to sync secrets using IBM Cloud provider
+	// +optional
+	IBM *IBMProvider `json:"ibm,omitempty"`
+
+	// YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
+	// +optional
+	YandexLockbox *YandexLockboxProvider `json:"yandexlockbox,omitempty"`
+
+	// GItlab configures this store to sync secrets using Gitlab Variables provider
+	// +optional
+	Gitlab *GitlabProvider `json:"gitlab,omitempty"`
+
+	// Alibaba configures this store to sync secrets using Alibaba Cloud provider
+	// +optional
+	Alibaba *AlibabaProvider `json:"alibaba,omitempty"`
+
+	// Webhook configures this store to sync secrets using a generic templated webhook
+	// +optional
+	Webhook *WebhookProvider `json:"webhook,omitempty"`
+}
+
+type SecretStoreRetrySettings struct {
+	MaxRetries    *int32  `json:"maxRetries,omitempty"`
+	RetryInterval *string `json:"retryInterval,omitempty"`
+}
+
+type SecretStoreConditionType string
+
+const (
+	SecretStoreReady SecretStoreConditionType = "Ready"
+)
+
+type SecretStoreStatusCondition struct {
+	Type   SecretStoreConditionType `json:"type"`
+	Status corev1.ConditionStatus   `json:"status"`
+
+	// +optional
+	Reason string `json:"reason,omitempty"`
+
+	// +optional
+	Message string `json:"message,omitempty"`
+
+	// +optional
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
+}
+
+// SecretStoreStatus defines the observed state of the SecretStore.
+type SecretStoreStatus struct {
+	// +optional
+	Conditions []SecretStoreStatusCondition `json:"conditions"`
+}
+
+// +kubebuilder:object:root=true
+
+// SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Namespaced,categories={externalsecrets},shortName=ss
+type SecretStore struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   SecretStoreSpec   `json:"spec,omitempty"`
+	Status SecretStoreStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// SecretStoreList contains a list of SecretStore resources.
+type SecretStoreList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []SecretStore `json:"items"`
+}
+
+// +kubebuilder:object:root=true
+
+// ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Cluster,categories={externalsecrets},shortName=css
+type ClusterSecretStore struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   SecretStoreSpec   `json:"spec,omitempty"`
+	Status SecretStoreStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// ClusterSecretStoreList contains a list of ClusterSecretStore resources.
+type ClusterSecretStoreList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ClusterSecretStore `json:"items"`
+}
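Review bot: `SecretStoreRetrySettings` has no doc comments and no validation: `MaxRetries` is a bare `*int32`, so negative values pass the schema, and `RetryInterval` is a free-form `*string` although the webhook provider in this commit uses `metav1.Duration` for its timeout. I would add `// +kubebuilder:validation:Minimum=0` above `MaxRetries` and say in the `RetryInterval` comment which format the controller parses. Separately, the `ClusterSecretStore` comment repeats the `SecretStore` text word for word. It should say that the resource is cluster-scoped and from which namespaces its secret references are resolved, since that decides who can use the stored credentials.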

+ 235 - 0
apis/externalsecrets/v1alpha2/secretstore_vault_types.go

@@ -0,0 +1,235 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+type VaultKVStoreVersion string
+
+const (
+	VaultKVStoreV1 VaultKVStoreVersion = "v1"
+	VaultKVStoreV2 VaultKVStoreVersion = "v2"
+)
+
+type CAProviderType string
+
+const (
+	CAProviderTypeSecret    CAProviderType = "Secret"
+	CAProviderTypeConfigMap CAProviderType = "ConfigMap"
+)
+
+// Defines a location to fetch the cert for the vault provider from.
+type CAProvider struct {
+	// The type of provider to use such as "Secret", or "ConfigMap".
+	// +kubebuilder:validation:Enum="Secret";"ConfigMap"
+	Type CAProviderType `json:"type"`
+
+	// The name of the object located at the provider type.
+	Name string `json:"name"`
+
+	// The key the value inside of the provider type to use, only used with "Secret" type
+	// +kubebuilder:validation:Optional
+	Key string `json:"key,omitempty"`
+
+	// The namespace the Provider type is in.
+	// +optional
+	Namespace *string `json:"namespace,omitempty"`
+}
+
+// Configures an store to sync secrets using a HashiCorp Vault
+// KV backend.
+type VaultProvider struct {
+	// Auth configures how secret-manager authenticates with the Vault server.
+	Auth VaultAuth `json:"auth"`
+
+	// Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
+	Server string `json:"server"`
+
+	// Path is the mount path of the Vault KV backend endpoint, e.g:
+	// "secret". The v2 KV secret engine version specific "/data" path suffix
+	// for fetching secrets from Vault is optional and will be appended
+	// if not present in specified path.
+	// +optional
+	Path *string `json:"path"`
+
+	// Version is the Vault KV secret engine version. This can be either "v1" or
+	// "v2". Version defaults to "v2".
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Enum="v1";"v2"
+	// +kubebuilder:default:="v2"
+	Version VaultKVStoreVersion `json:"version"`
+
+	// Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
+	// Vault environments to support Secure Multi-tenancy. e.g: "ns1".
+	// More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+	// +optional
+	Namespace *string `json:"namespace,omitempty"`
+
+	// PEM encoded CA bundle used to validate Vault server certificate. Only used
+	// if the Server URL is using HTTPS protocol. This parameter is ignored for
+	// plain HTTP protocol connection. If not set the system root certificates
+	// are used to validate the TLS connection.
+	// +optional
+	CABundle []byte `json:"caBundle,omitempty"`
+
+	// The provider for the CA bundle to use to validate Vault server certificate.
+	// +optional
+	CAProvider *CAProvider `json:"caProvider,omitempty"`
+
+	// ReadYourWrites ensures isolated read-after-write semantics by
+	// providing discovered cluster replication states in each request.
+	// More information about eventual consistency in Vault can be found here
+	// https://www.vaultproject.io/docs/enterprise/consistency
+	// +optional
+	ReadYourWrites bool `json:"readYourWrites,omitempty"`
+
+	// ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
+	// leader instead of simply retrying within a loop. This can increase performance if
+	// the option is enabled serverside.
+	// https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+	// +optional
+	ForwardInconsistent bool `json:"forwardInconsistent,omitempty"`
+}
+
+// VaultAuth is the configuration used to authenticate with a Vault server.
+// Only one of `tokenSecretRef`, `appRole`,  `kubernetes`, `ldap`, `jwt` or `cert`
+// can be specified.
+type VaultAuth struct {
+	// TokenSecretRef authenticates with Vault by presenting a token.
+	// +optional
+	TokenSecretRef *esmeta.SecretKeySelector `json:"tokenSecretRef,omitempty"`
+
+	// AppRole authenticates with Vault using the App Role auth mechanism,
+	// with the role and secret stored in a Kubernetes Secret resource.
+	// +optional
+	AppRole *VaultAppRole `json:"appRole,omitempty"`
+
+	// Kubernetes authenticates with Vault by passing the ServiceAccount
+	// token stored in the named Secret resource to the Vault server.
+	// +optional
+	Kubernetes *VaultKubernetesAuth `json:"kubernetes,omitempty"`
+
+	// Ldap authenticates with Vault by passing username/password pair using
+	// the LDAP authentication method
+	// +optional
+	Ldap *VaultLdapAuth `json:"ldap,omitempty"`
+
+	// Jwt authenticates with Vault by passing role and JWT token using the
+	// JWT/OIDC authentication method
+	// +optional
+	Jwt *VaultJwtAuth `json:"jwt,omitempty"`
+
+	// Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
+	// Cert authentication method
+	// +optional
+	Cert *VaultCertAuth `json:"cert,omitempty"`
+}
+
+// VaultAppRole authenticates with Vault using the App Role auth mechanism,
+// with the role and secret stored in a Kubernetes Secret resource.
+type VaultAppRole struct {
+	// Path where the App Role authentication backend is mounted
+	// in Vault, e.g: "approle"
+	// +kubebuilder:default=approle
+	Path string `json:"path"`
+
+	// RoleID configured in the App Role authentication backend when setting
+	// up the authentication backend in Vault.
+	RoleID string `json:"roleId"`
+
+	// Reference to a key in a Secret that contains the App Role secret used
+	// to authenticate with Vault.
+	// The `key` field must be specified and denotes which entry within the Secret
+	// resource is used as the app role secret.
+	SecretRef esmeta.SecretKeySelector `json:"secretRef"`
+}
+
+// Authenticate against Vault using a Kubernetes ServiceAccount token stored in
+// a Secret.
+type VaultKubernetesAuth struct {
+	// Path where the Kubernetes authentication backend is mounted in Vault, e.g:
+	// "kubernetes"
+	// +kubebuilder:default=kubernetes
+	Path string `json:"mountPath"`
+
+	// Optional service account field containing the name of a kubernetes ServiceAccount.
+	// If the service account is specified, the service account secret token JWT will be used
+	// for authenticating with Vault. If the service account selector is not supplied,
+	// the secretRef will be used instead.
+	// +optional
+	ServiceAccountRef *esmeta.ServiceAccountSelector `json:"serviceAccountRef,omitempty"`
+
+	// Optional secret field containing a Kubernetes ServiceAccount JWT used
+	// for authenticating with Vault. If a name is specified without a key,
+	// `token` is the default. If one is not specified, the one bound to
+	// the controller will be used.
+	// +optional
+	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
+
+	// A required field containing the Vault Role to assume. A Role binds a
+	// Kubernetes ServiceAccount with a set of Vault policies.
+	Role string `json:"role"`
+}
+
+// VaultLdapAuth authenticates with Vault using the LDAP authentication method,
+// with the username and password stored in a Kubernetes Secret resource.
+type VaultLdapAuth struct {
+	// Path where the LDAP authentication backend is mounted
+	// in Vault, e.g: "ldap"
+	// +kubebuilder:default=ldap
+	Path string `json:"path"`
+
+	// Username is a LDAP user name used to authenticate using the LDAP Vault
+	// authentication method
+	Username string `json:"username"`
+
+	// SecretRef to a key in a Secret resource containing password for the LDAP
+	// user used to authenticate with Vault using the LDAP authentication
+	// method
+	SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
+}
+
+// VaultJwtAuth authenticates with Vault using the JWT/OIDC authentication
+// method, with the role name and token stored in a Kubernetes Secret resource.
+type VaultJwtAuth struct {
+	// Path where the JWT authentication backend is mounted
+	// in Vault, e.g: "jwt"
+	// +kubebuilder:default=jwt
+	Path string `json:"path"`
+
+	// Role is a JWT role to authenticate using the JWT/OIDC Vault
+	// authentication method
+	// +optional
+	Role string `json:"role"`
+
+	// SecretRef to a key in a Secret resource containing JWT token to
+	// authenticate with Vault using the JWT/OIDC authentication method
+	SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
+}
+
+// VaultJwtAuth authenticates with Vault using the JWT/OIDC authentication
+// method, with the role name and token stored in a Kubernetes Secret resource.
+type VaultCertAuth struct {
+	// ClientCert is a certificate to authenticate using the Cert Vault
+	// authentication method
+	// +optional
+	ClientCert esmeta.SecretKeySelector `json:"clientCert,omitempty"`
+
+	// SecretRef to a key in a Secret resource containing client private key to
+	// authenticate with Vault using the Cert authentication method
+	SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
+}
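Review bot: The `VaultAuth` comment says only one of `tokenSecretRef`, `appRole`, `kubernetes`, `ldap`, `jwt` or `cert` can be specified, but the struct has no markers that enforce it, so a store naming two methods, or none, is accepted and the provider decides which credential is used. `SecretStoreProvider` in this commit already handles the same case with `// +kubebuilder:validation:MinProperties=1` and `// +kubebuilder:validation:MaxProperties=1`; the same two lines above `type VaultAuth struct` would make the comment true. The doc comment on `VaultCertAuth` is a copy of the `VaultJwtAuth` one and should read `// VaultCertAuth authenticates with Vault using the TLS certificate authentication method, with the client certificate and private key stored in Kubernetes Secret resources.`. `CABundle` and `CAProvider` can also both be set, and the comments do not say which takes precedence.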

+ 101 - 0
apis/externalsecrets/v1alpha2/secretstore_webhook_types.go

@@ -0,0 +1,101 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+// AkeylessProvider Configures an store to sync secrets using Akeyless KV.
+type WebhookProvider struct {
+	// Webhook Method
+	// +optional, default GET
+	Method string `json:"method,omitempty"`
+
+	// Webhook url to call
+	URL string `json:"url"`
+
+	// Headers
+	// +optional
+	Headers map[string]string `json:"headers,omitempty"`
+
+	// Body
+	// +optional
+	Body string `json:"body,omitempty"`
+
+	// Timeout
+	// +optional
+	Timeout *metav1.Duration `json:"timeout,omitempty"`
+
+	// Result formatting
+	Result WebhookResult `json:"result"`
+
+	// Secrets to fill in templates
+	// These secrets will be passed to the templating function as key value pairs under the given name
+	// +optional
+	Secrets []WebhookSecret `json:"secrets,omitempty"`
+
+	// PEM encoded CA bundle used to validate webhook server certificate. Only used
+	// if the Server URL is using HTTPS protocol. This parameter is ignored for
+	// plain HTTP protocol connection. If not set the system root certificates
+	// are used to validate the TLS connection.
+	// +optional
+	CABundle []byte `json:"caBundle,omitempty"`
+
+	// The provider for the CA bundle to use to validate webhook server certificate.
+	// +optional
+	CAProvider *WebhookCAProvider `json:"caProvider,omitempty"`
+}
+
+type WebhookCAProviderType string
+
+const (
+	WebhookCAProviderTypeSecret    WebhookCAProviderType = "Secret"
+	WebhookCAProviderTypeConfigMap WebhookCAProviderType = "ConfigMap"
+)
+
+// Defines a location to fetch the cert for the webhook provider from.
+type WebhookCAProvider struct {
+	// The type of provider to use such as "Secret", or "ConfigMap".
+	// +kubebuilder:validation:Enum="Secret";"ConfigMap"
+	Type WebhookCAProviderType `json:"type"`
+
+	// The name of the object located at the provider type.
+	Name string `json:"name"`
+
+	// The key the value inside of the provider type to use, only used with "Secret" type
+	// +kubebuilder:validation:Optional
+	Key string `json:"key,omitempty"`
+
+	// The namespace the Provider type is in.
+	// +optional
+	Namespace *string `json:"namespace,omitempty"`
+}
+
+type WebhookResult struct {
+	// Json path of return value
+	// +optional
+	JSONPath string `json:"jsonPath,omitempty"`
+}
+
+type WebhookSecret struct {
+	// Name of this secret in templates
+	Name string `json:"name"`
+
+	// Secret ref to fill in credentials
+	SecretRef esmeta.SecretKeySelector `json:"secretRef"`
+}
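Review bot: The type comment on `WebhookProvider` still reads `AkeylessProvider Configures an store to sync secrets using Akeyless KV.`; it should describe this type, e.g. `// WebhookProvider configures a store to sync secrets from a generic templated webhook.`. The marker line `// +optional, default GET` carries trailing text and may not be read as `+optional` by controller-gen; put `// +optional` on its own line and keep the default in prose. `Secrets` are passed into the templates, and the `CABundle` comment shows that plain HTTP URLs are accepted, so referenced secret values can leave the cluster unencrypted. The `URL` comment should say so, and the provider could refuse non-HTTPS URLs when `Secrets` is non-empty.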

+ 43 - 0
apis/externalsecrets/v1alpha2/secretstore_yandexlockbox_types.go

@@ -0,0 +1,43 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha2
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+type YandexLockboxAuth struct {
+	// The authorized key used for authentication
+	// +optional
+	AuthorizedKey esmeta.SecretKeySelector `json:"authorizedKeySecretRef,omitempty"`
+}
+
+type YandexLockboxCAProvider struct {
+	Certificate esmeta.SecretKeySelector `json:"certSecretRef,omitempty"`
+}
+
+// YandexLockboxProvider Configures a store to sync secrets using the Yandex Lockbox provider.
+type YandexLockboxProvider struct {
+	// Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
+	// +optional
+	APIEndpoint string `json:"apiEndpoint,omitempty"`
+
+	// Auth defines the information necessary to authenticate against Yandex Lockbox
+	Auth YandexLockboxAuth `json:"auth"`
+
+	// The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
+	// +optional
+	CAProvider *YandexLockboxCAProvider `json:"caProvider,omitempty"`
+}
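Review bot: `YandexLockboxAuth`, `YandexLockboxCAProvider` and the `Certificate` field have no doc comments. `YandexLockboxCAProvider` takes only a secret reference, unlike `CAProvider` and `WebhookCAProvider` in this commit, which take a type, name, key and namespace. A comment such as `// Certificate references the Secret key holding the CA certificate used to validate the Yandex.Cloud server certificate.` would make the difference explicit. The `APIEndpoint` comment should also say which endpoint is used when the field is empty.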

+ 1507 - 0
apis/externalsecrets/v1alpha2/zz_generated.deepcopy.go

@@ -0,0 +1,1507 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package v1alpha2
+
+import (
+	metav1 "github.com/external-secrets/external-secrets/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSAuth) DeepCopyInto(out *AWSAuth) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(AWSAuthSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.JWTAuth != nil {
+		in, out := &in.JWTAuth, &out.JWTAuth
+		*out = new(AWSJWTAuth)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSAuth.
+func (in *AWSAuth) DeepCopy() *AWSAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSAuthSecretRef) DeepCopyInto(out *AWSAuthSecretRef) {
+	*out = *in
+	in.AccessKeyID.DeepCopyInto(&out.AccessKeyID)
+	in.SecretAccessKey.DeepCopyInto(&out.SecretAccessKey)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSAuthSecretRef.
+func (in *AWSAuthSecretRef) DeepCopy() *AWSAuthSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSAuthSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSJWTAuth) DeepCopyInto(out *AWSJWTAuth) {
+	*out = *in
+	if in.ServiceAccountRef != nil {
+		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
+		*out = new(metav1.ServiceAccountSelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSJWTAuth.
+func (in *AWSJWTAuth) DeepCopy() *AWSJWTAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSJWTAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSProvider) DeepCopyInto(out *AWSProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSProvider.
+func (in *AWSProvider) DeepCopy() *AWSProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AkeylessAuth) DeepCopyInto(out *AkeylessAuth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AkeylessAuth.
+func (in *AkeylessAuth) DeepCopy() *AkeylessAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(AkeylessAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AkeylessAuthSecretRef) DeepCopyInto(out *AkeylessAuthSecretRef) {
+	*out = *in
+	in.AccessID.DeepCopyInto(&out.AccessID)
+	in.AccessType.DeepCopyInto(&out.AccessType)
+	in.AccessTypeParam.DeepCopyInto(&out.AccessTypeParam)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AkeylessAuthSecretRef.
+func (in *AkeylessAuthSecretRef) DeepCopy() *AkeylessAuthSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(AkeylessAuthSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AkeylessProvider) DeepCopyInto(out *AkeylessProvider) {
+	*out = *in
+	if in.AkeylessGWApiURL != nil {
+		in, out := &in.AkeylessGWApiURL, &out.AkeylessGWApiURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.Auth != nil {
+		in, out := &in.Auth, &out.Auth
+		*out = new(AkeylessAuth)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AkeylessProvider.
+func (in *AkeylessProvider) DeepCopy() *AkeylessProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(AkeylessProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AlibabaAuth) DeepCopyInto(out *AlibabaAuth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlibabaAuth.
+func (in *AlibabaAuth) DeepCopy() *AlibabaAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(AlibabaAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AlibabaAuthSecretRef) DeepCopyInto(out *AlibabaAuthSecretRef) {
+	*out = *in
+	in.AccessKeyID.DeepCopyInto(&out.AccessKeyID)
+	in.AccessKeySecret.DeepCopyInto(&out.AccessKeySecret)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlibabaAuthSecretRef.
+func (in *AlibabaAuthSecretRef) DeepCopy() *AlibabaAuthSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(AlibabaAuthSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AlibabaProvider) DeepCopyInto(out *AlibabaProvider) {
+	*out = *in
+	if in.Auth != nil {
+		in, out := &in.Auth, &out.Auth
+		*out = new(AlibabaAuth)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlibabaProvider.
+func (in *AlibabaProvider) DeepCopy() *AlibabaProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(AlibabaProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AzureKVAuth) DeepCopyInto(out *AzureKVAuth) {
+	*out = *in
+	if in.ClientID != nil {
+		in, out := &in.ClientID, &out.ClientID
+		*out = new(metav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ClientSecret != nil {
+		in, out := &in.ClientSecret, &out.ClientSecret
+		*out = new(metav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureKVAuth.
+func (in *AzureKVAuth) DeepCopy() *AzureKVAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(AzureKVAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AzureKVProvider) DeepCopyInto(out *AzureKVProvider) {
+	*out = *in
+	if in.AuthType != nil {
+		in, out := &in.AuthType, &out.AuthType
+		*out = new(AuthType)
+		**out = **in
+	}
+	if in.VaultURL != nil {
+		in, out := &in.VaultURL, &out.VaultURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.TenantID != nil {
+		in, out := &in.TenantID, &out.TenantID
+		*out = new(string)
+		**out = **in
+	}
+	if in.AuthSecretRef != nil {
+		in, out := &in.AuthSecretRef, &out.AuthSecretRef
+		*out = new(AzureKVAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.IdentityID != nil {
+		in, out := &in.IdentityID, &out.IdentityID
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureKVProvider.
+func (in *AzureKVProvider) DeepCopy() *AzureKVProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(AzureKVProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CAProvider) DeepCopyInto(out *CAProvider) {
+	*out = *in
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAProvider.
+func (in *CAProvider) DeepCopy() *CAProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(CAProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterSecretStore) DeepCopyInto(out *ClusterSecretStore) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSecretStore.
+func (in *ClusterSecretStore) DeepCopy() *ClusterSecretStore {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterSecretStore)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterSecretStore) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterSecretStoreList) DeepCopyInto(out *ClusterSecretStoreList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ClusterSecretStore, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSecretStoreList.
+func (in *ClusterSecretStoreList) DeepCopy() *ClusterSecretStoreList {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterSecretStoreList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterSecretStoreList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecret) DeepCopyInto(out *ExternalSecret) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecret.
+func (in *ExternalSecret) DeepCopy() *ExternalSecret {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecret)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ExternalSecret) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretData) DeepCopyInto(out *ExternalSecretData) {
+	*out = *in
+	out.RemoteRef = in.RemoteRef
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretData.
+func (in *ExternalSecretData) DeepCopy() *ExternalSecretData {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretData)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretDataFromRemoteRef) DeepCopyInto(out *ExternalSecretDataFromRemoteRef) {
+	*out = *in
+	out.Extract = in.Extract
+	in.Find.DeepCopyInto(&out.Find)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretDataFromRemoteRef.
+func (in *ExternalSecretDataFromRemoteRef) DeepCopy() *ExternalSecretDataFromRemoteRef {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretDataFromRemoteRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretDataRemoteRef) DeepCopyInto(out *ExternalSecretDataRemoteRef) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretDataRemoteRef.
+func (in *ExternalSecretDataRemoteRef) DeepCopy() *ExternalSecretDataRemoteRef {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretDataRemoteRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretExtract) DeepCopyInto(out *ExternalSecretExtract) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretExtract.
+func (in *ExternalSecretExtract) DeepCopy() *ExternalSecretExtract {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretExtract)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretFind) DeepCopyInto(out *ExternalSecretFind) {
+	*out = *in
+	out.Name = in.Name
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretFind.
+func (in *ExternalSecretFind) DeepCopy() *ExternalSecretFind {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretFind)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretList) DeepCopyInto(out *ExternalSecretList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ExternalSecret, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretList.
+func (in *ExternalSecretList) DeepCopy() *ExternalSecretList {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ExternalSecretList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretSpec) DeepCopyInto(out *ExternalSecretSpec) {
+	*out = *in
+	out.SecretStoreRef = in.SecretStoreRef
+	in.Target.DeepCopyInto(&out.Target)
+	if in.RefreshInterval != nil {
+		in, out := &in.RefreshInterval, &out.RefreshInterval
+		*out = new(v1.Duration)
+		**out = **in
+	}
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = make([]ExternalSecretData, len(*in))
+		copy(*out, *in)
+	}
+	if in.DataFrom != nil {
+		in, out := &in.DataFrom, &out.DataFrom
+		*out = make([]ExternalSecretDataFromRemoteRef, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretSpec.
+func (in *ExternalSecretSpec) DeepCopy() *ExternalSecretSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretStatus) DeepCopyInto(out *ExternalSecretStatus) {
+	*out = *in
+	in.RefreshTime.DeepCopyInto(&out.RefreshTime)
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]ExternalSecretStatusCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretStatus.
+func (in *ExternalSecretStatus) DeepCopy() *ExternalSecretStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretStatusCondition) DeepCopyInto(out *ExternalSecretStatusCondition) {
+	*out = *in
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretStatusCondition.
+func (in *ExternalSecretStatusCondition) DeepCopy() *ExternalSecretStatusCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretStatusCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretTarget) DeepCopyInto(out *ExternalSecretTarget) {
+	*out = *in
+	if in.Template != nil {
+		in, out := &in.Template, &out.Template
+		*out = new(ExternalSecretTemplate)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretTarget.
+func (in *ExternalSecretTarget) DeepCopy() *ExternalSecretTarget {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretTarget)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretTemplate) DeepCopyInto(out *ExternalSecretTemplate) {
+	*out = *in
+	in.Metadata.DeepCopyInto(&out.Metadata)
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.TemplateFrom != nil {
+		in, out := &in.TemplateFrom, &out.TemplateFrom
+		*out = make([]TemplateFrom, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretTemplate.
+func (in *ExternalSecretTemplate) DeepCopy() *ExternalSecretTemplate {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretTemplate)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretTemplateMetadata) DeepCopyInto(out *ExternalSecretTemplateMetadata) {
+	*out = *in
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretTemplateMetadata.
+func (in *ExternalSecretTemplateMetadata) DeepCopy() *ExternalSecretTemplateMetadata {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretTemplateMetadata)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FindName) DeepCopyInto(out *FindName) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FindName.
+func (in *FindName) DeepCopy() *FindName {
+	if in == nil {
+		return nil
+	}
+	out := new(FindName)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GCPSMAuth) DeepCopyInto(out *GCPSMAuth) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(GCPSMAuthSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.WorkloadIdentity != nil {
+		in, out := &in.WorkloadIdentity, &out.WorkloadIdentity
+		*out = new(GCPWorkloadIdentity)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPSMAuth.
+func (in *GCPSMAuth) DeepCopy() *GCPSMAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(GCPSMAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GCPSMAuthSecretRef) DeepCopyInto(out *GCPSMAuthSecretRef) {
+	*out = *in
+	in.SecretAccessKey.DeepCopyInto(&out.SecretAccessKey)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPSMAuthSecretRef.
+func (in *GCPSMAuthSecretRef) DeepCopy() *GCPSMAuthSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(GCPSMAuthSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GCPSMProvider) DeepCopyInto(out *GCPSMProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPSMProvider.
+func (in *GCPSMProvider) DeepCopy() *GCPSMProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(GCPSMProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GCPWorkloadIdentity) DeepCopyInto(out *GCPWorkloadIdentity) {
+	*out = *in
+	in.ServiceAccountRef.DeepCopyInto(&out.ServiceAccountRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPWorkloadIdentity.
+func (in *GCPWorkloadIdentity) DeepCopy() *GCPWorkloadIdentity {
+	if in == nil {
+		return nil
+	}
+	out := new(GCPWorkloadIdentity)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GitlabAuth) DeepCopyInto(out *GitlabAuth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitlabAuth.
+func (in *GitlabAuth) DeepCopy() *GitlabAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(GitlabAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GitlabProvider) DeepCopyInto(out *GitlabProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitlabProvider.
+func (in *GitlabProvider) DeepCopy() *GitlabProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(GitlabProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GitlabSecretRef) DeepCopyInto(out *GitlabSecretRef) {
+	*out = *in
+	in.AccessToken.DeepCopyInto(&out.AccessToken)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitlabSecretRef.
+func (in *GitlabSecretRef) DeepCopy() *GitlabSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(GitlabSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IBMAuth) DeepCopyInto(out *IBMAuth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IBMAuth.
+func (in *IBMAuth) DeepCopy() *IBMAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(IBMAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IBMAuthSecretRef) DeepCopyInto(out *IBMAuthSecretRef) {
+	*out = *in
+	in.SecretAPIKey.DeepCopyInto(&out.SecretAPIKey)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IBMAuthSecretRef.
+func (in *IBMAuthSecretRef) DeepCopy() *IBMAuthSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(IBMAuthSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IBMProvider) DeepCopyInto(out *IBMProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+	if in.ServiceURL != nil {
+		in, out := &in.ServiceURL, &out.ServiceURL
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IBMProvider.
+func (in *IBMProvider) DeepCopy() *IBMProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(IBMProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OracleAuth) DeepCopyInto(out *OracleAuth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OracleAuth.
+func (in *OracleAuth) DeepCopy() *OracleAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(OracleAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OracleProvider) DeepCopyInto(out *OracleProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OracleProvider.
+func (in *OracleProvider) DeepCopy() *OracleProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(OracleProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OracleSecretRef) DeepCopyInto(out *OracleSecretRef) {
+	*out = *in
+	in.PrivateKey.DeepCopyInto(&out.PrivateKey)
+	in.Fingerprint.DeepCopyInto(&out.Fingerprint)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OracleSecretRef.
+func (in *OracleSecretRef) DeepCopy() *OracleSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(OracleSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretStore) DeepCopyInto(out *SecretStore) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStore.
+func (in *SecretStore) DeepCopy() *SecretStore {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretStore)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *SecretStore) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretStoreList) DeepCopyInto(out *SecretStoreList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]SecretStore, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreList.
+func (in *SecretStoreList) DeepCopy() *SecretStoreList {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretStoreList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *SecretStoreList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretStoreProvider) DeepCopyInto(out *SecretStoreProvider) {
+	*out = *in
+	if in.AWS != nil {
+		in, out := &in.AWS, &out.AWS
+		*out = new(AWSProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.AzureKV != nil {
+		in, out := &in.AzureKV, &out.AzureKV
+		*out = new(AzureKVProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Akeyless != nil {
+		in, out := &in.Akeyless, &out.Akeyless
+		*out = new(AkeylessProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Vault != nil {
+		in, out := &in.Vault, &out.Vault
+		*out = new(VaultProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.GCPSM != nil {
+		in, out := &in.GCPSM, &out.GCPSM
+		*out = new(GCPSMProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Oracle != nil {
+		in, out := &in.Oracle, &out.Oracle
+		*out = new(OracleProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.IBM != nil {
+		in, out := &in.IBM, &out.IBM
+		*out = new(IBMProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.YandexLockbox != nil {
+		in, out := &in.YandexLockbox, &out.YandexLockbox
+		*out = new(YandexLockboxProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Gitlab != nil {
+		in, out := &in.Gitlab, &out.Gitlab
+		*out = new(GitlabProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Alibaba != nil {
+		in, out := &in.Alibaba, &out.Alibaba
+		*out = new(AlibabaProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Webhook != nil {
+		in, out := &in.Webhook, &out.Webhook
+		*out = new(WebhookProvider)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreProvider.
+func (in *SecretStoreProvider) DeepCopy() *SecretStoreProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretStoreProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretStoreRef) DeepCopyInto(out *SecretStoreRef) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreRef.
+func (in *SecretStoreRef) DeepCopy() *SecretStoreRef {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretStoreRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretStoreRetrySettings) DeepCopyInto(out *SecretStoreRetrySettings) {
+	*out = *in
+	if in.MaxRetries != nil {
+		in, out := &in.MaxRetries, &out.MaxRetries
+		*out = new(int32)
+		**out = **in
+	}
+	if in.RetryInterval != nil {
+		in, out := &in.RetryInterval, &out.RetryInterval
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreRetrySettings.
+func (in *SecretStoreRetrySettings) DeepCopy() *SecretStoreRetrySettings {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretStoreRetrySettings)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretStoreSpec) DeepCopyInto(out *SecretStoreSpec) {
+	*out = *in
+	if in.Provider != nil {
+		in, out := &in.Provider, &out.Provider
+		*out = new(SecretStoreProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.RetrySettings != nil {
+		in, out := &in.RetrySettings, &out.RetrySettings
+		*out = new(SecretStoreRetrySettings)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreSpec.
+func (in *SecretStoreSpec) DeepCopy() *SecretStoreSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretStoreSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretStoreStatus) DeepCopyInto(out *SecretStoreStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]SecretStoreStatusCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreStatus.
+func (in *SecretStoreStatus) DeepCopy() *SecretStoreStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretStoreStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretStoreStatusCondition) DeepCopyInto(out *SecretStoreStatusCondition) {
+	*out = *in
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreStatusCondition.
+func (in *SecretStoreStatusCondition) DeepCopy() *SecretStoreStatusCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretStoreStatusCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TemplateFrom) DeepCopyInto(out *TemplateFrom) {
+	*out = *in
+	if in.ConfigMap != nil {
+		in, out := &in.ConfigMap, &out.ConfigMap
+		*out = new(TemplateRef)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Secret != nil {
+		in, out := &in.Secret, &out.Secret
+		*out = new(TemplateRef)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TemplateFrom.
+func (in *TemplateFrom) DeepCopy() *TemplateFrom {
+	if in == nil {
+		return nil
+	}
+	out := new(TemplateFrom)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TemplateRef) DeepCopyInto(out *TemplateRef) {
+	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]TemplateRefItem, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TemplateRef.
+func (in *TemplateRef) DeepCopy() *TemplateRef {
+	if in == nil {
+		return nil
+	}
+	out := new(TemplateRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TemplateRefItem) DeepCopyInto(out *TemplateRefItem) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TemplateRefItem.
+func (in *TemplateRefItem) DeepCopy() *TemplateRefItem {
+	if in == nil {
+		return nil
+	}
+	out := new(TemplateRefItem)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultAppRole) DeepCopyInto(out *VaultAppRole) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAppRole.
+func (in *VaultAppRole) DeepCopy() *VaultAppRole {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultAppRole)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultAuth) DeepCopyInto(out *VaultAuth) {
+	*out = *in
+	if in.TokenSecretRef != nil {
+		in, out := &in.TokenSecretRef, &out.TokenSecretRef
+		*out = new(metav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.AppRole != nil {
+		in, out := &in.AppRole, &out.AppRole
+		*out = new(VaultAppRole)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Kubernetes != nil {
+		in, out := &in.Kubernetes, &out.Kubernetes
+		*out = new(VaultKubernetesAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Ldap != nil {
+		in, out := &in.Ldap, &out.Ldap
+		*out = new(VaultLdapAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Jwt != nil {
+		in, out := &in.Jwt, &out.Jwt
+		*out = new(VaultJwtAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Cert != nil {
+		in, out := &in.Cert, &out.Cert
+		*out = new(VaultCertAuth)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuth.
+func (in *VaultAuth) DeepCopy() *VaultAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultCertAuth) DeepCopyInto(out *VaultCertAuth) {
+	*out = *in
+	in.ClientCert.DeepCopyInto(&out.ClientCert)
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultCertAuth.
+func (in *VaultCertAuth) DeepCopy() *VaultCertAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultCertAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultJwtAuth) DeepCopyInto(out *VaultJwtAuth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultJwtAuth.
+func (in *VaultJwtAuth) DeepCopy() *VaultJwtAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultJwtAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) {
+	*out = *in
+	if in.ServiceAccountRef != nil {
+		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
+		*out = new(metav1.ServiceAccountSelector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(metav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultKubernetesAuth.
+func (in *VaultKubernetesAuth) DeepCopy() *VaultKubernetesAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultKubernetesAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultLdapAuth) DeepCopyInto(out *VaultLdapAuth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultLdapAuth.
+func (in *VaultLdapAuth) DeepCopy() *VaultLdapAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultLdapAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultProvider) DeepCopyInto(out *VaultProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
+	if in.CABundle != nil {
+		in, out := &in.CABundle, &out.CABundle
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.CAProvider != nil {
+		in, out := &in.CAProvider, &out.CAProvider
+		*out = new(CAProvider)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultProvider.
+func (in *VaultProvider) DeepCopy() *VaultProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WebhookCAProvider) DeepCopyInto(out *WebhookCAProvider) {
+	*out = *in
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookCAProvider.
+func (in *WebhookCAProvider) DeepCopy() *WebhookCAProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(WebhookCAProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WebhookProvider) DeepCopyInto(out *WebhookProvider) {
+	*out = *in
+	if in.Headers != nil {
+		in, out := &in.Headers, &out.Headers
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = new(v1.Duration)
+		**out = **in
+	}
+	out.Result = in.Result
+	if in.Secrets != nil {
+		in, out := &in.Secrets, &out.Secrets
+		*out = make([]WebhookSecret, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CABundle != nil {
+		in, out := &in.CABundle, &out.CABundle
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.CAProvider != nil {
+		in, out := &in.CAProvider, &out.CAProvider
+		*out = new(WebhookCAProvider)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookProvider.
+func (in *WebhookProvider) DeepCopy() *WebhookProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(WebhookProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WebhookResult) DeepCopyInto(out *WebhookResult) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookResult.
+func (in *WebhookResult) DeepCopy() *WebhookResult {
+	if in == nil {
+		return nil
+	}
+	out := new(WebhookResult)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WebhookSecret) DeepCopyInto(out *WebhookSecret) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookSecret.
+func (in *WebhookSecret) DeepCopy() *WebhookSecret {
+	if in == nil {
+		return nil
+	}
+	out := new(WebhookSecret)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *YandexLockboxAuth) DeepCopyInto(out *YandexLockboxAuth) {
+	*out = *in
+	in.AuthorizedKey.DeepCopyInto(&out.AuthorizedKey)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new YandexLockboxAuth.
+func (in *YandexLockboxAuth) DeepCopy() *YandexLockboxAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(YandexLockboxAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *YandexLockboxCAProvider) DeepCopyInto(out *YandexLockboxCAProvider) {
+	*out = *in
+	in.Certificate.DeepCopyInto(&out.Certificate)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new YandexLockboxCAProvider.
+func (in *YandexLockboxCAProvider) DeepCopy() *YandexLockboxCAProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(YandexLockboxCAProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *YandexLockboxProvider) DeepCopyInto(out *YandexLockboxProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+	if in.CAProvider != nil {
+		in, out := &in.CAProvider, &out.CAProvider
+		*out = new(YandexLockboxCAProvider)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new YandexLockboxProvider.
+func (in *YandexLockboxProvider) DeepCopy() *YandexLockboxProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(YandexLockboxProvider)
+	in.DeepCopyInto(out)
+	return out
+}

+ 2 - 2
e2e/framework/eso.go

@@ -25,7 +25,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 )
 
 // WaitForSecretValue waits until a secret comes into existence and compares the secret.Data
@@ -56,7 +56,7 @@ func equalSecrets(exp, ts *v1.Secret) bool {
 	}
 
 	// secret contains data hash property which must be ignored
-	delete(ts.ObjectMeta.Annotations, esv1alpha1.AnnotationDataHash)
+	delete(ts.ObjectMeta.Annotations, esv1alpha2.AnnotationDataHash)
 	if len(ts.ObjectMeta.Annotations) == 0 {
 		ts.ObjectMeta.Annotations = nil
 	}

+ 2 - 2
e2e/framework/framework.go

@@ -26,7 +26,7 @@ import (
 	"k8s.io/client-go/rest"
 	crclient "sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/e2e/framework/addon"
 	"github.com/external-secrets/external-secrets/e2e/framework/log"
 	"github.com/external-secrets/external-secrets/e2e/framework/util"
@@ -34,7 +34,7 @@ import (
 
 func init() {
 	_ = kscheme.AddToScheme(util.Scheme)
-	_ = esv1alpha1.AddToScheme(util.Scheme)
+	_ = esv1alpha2.AddToScheme(util.Scheme)
 }
 
 type Framework struct {
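Review bot: The changed line in `init` still discards the result of `esv1alpha2.AddToScheme(util.Scheme)`, so if registering the v1alpha2 types fails, the suite carries on with an incomplete scheme and the failure only shows up later as an unrelated-looking client error. Failing fast would make it visible, e.g. `if err := esv1alpha2.AddToScheme(util.Scheme); err != nil { panic(err) }`; the same applies to the `kscheme.AddToScheme` context line above it. Separately, this hunk drops v1alpha1 from the e2e scheme entirely. If v1alpha1 objects are still meant to be served, which this page does not show, the suite no longer has a typed client path that exercises them.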

+ 6 - 6
e2e/framework/testcase.go

@@ -21,7 +21,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/e2e/framework/log"
 )
 
@@ -30,7 +30,7 @@ var TargetSecretName = "target-secret"
 // TestCase contains the test infra to run a table driven test.
 type TestCase struct {
 	Framework      *Framework
-	ExternalSecret *esv1alpha1.ExternalSecret
+	ExternalSecret *esv1alpha2.ExternalSecret
 	Secrets        map[string]string
 	ExpectedSecret *v1.Secret
 }
@@ -85,16 +85,16 @@ func TableFunc(f *Framework, prov SecretStoreProvider) func(...func(*TestCase))
 func makeDefaultTestCase(f *Framework) *TestCase {
 	return &TestCase{
 		Framework: f,
-		ExternalSecret: &esv1alpha1.ExternalSecret{
+		ExternalSecret: &esv1alpha2.ExternalSecret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "e2e-es",
 				Namespace: f.Namespace.Name,
 			},
-			Spec: esv1alpha1.ExternalSecretSpec{
-				SecretStoreRef: esv1alpha1.SecretStoreRef{
+			Spec: esv1alpha2.ExternalSecretSpec{
+				SecretStoreRef: esv1alpha2.SecretStoreRef{
 					Name: f.Namespace.Name,
 				},
-				Target: esv1alpha1.ExternalSecretTarget{
+				Target: esv1alpha2.ExternalSecretTarget{
 					Name: TargetSecretName,
 				},
 			},

+ 7 - 7
e2e/suite/akeyless/provider.go

@@ -36,7 +36,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/e2e/framework"
 )
@@ -129,16 +129,16 @@ func (a *akeylessProvider) BeforeEach() {
 	Expect(err).ToNot(HaveOccurred())
 
 	// Creating Akeyless secret store
-	secretStore := &esv1alpha1.SecretStore{
+	secretStore := &esv1alpha2.SecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      a.framework.Namespace.Name,
 			Namespace: a.framework.Namespace.Name,
 		},
-		Spec: esv1alpha1.SecretStoreSpec{
-			Provider: &esv1alpha1.SecretStoreProvider{
-				Akeyless: &esv1alpha1.AkeylessProvider{
-					Auth: &esv1alpha1.AkeylessAuth{
-						SecretRef: esv1alpha1.AkeylessAuthSecretRef{
+		Spec: esv1alpha2.SecretStoreSpec{
+			Provider: &esv1alpha2.SecretStoreProvider{
+				Akeyless: &esv1alpha2.AkeylessProvider{
+					Auth: &esv1alpha2.AkeylessAuth{
+						SecretRef: esv1alpha2.AkeylessAuthSecretRef{
 							AccessID: esmeta.SecretKeySelector{
 								Name: "access-id-secret",
 								Key:  "access-id",

+ 7 - 7
e2e/suite/alibaba/provider.go

@@ -28,7 +28,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/e2e/framework"
 )
@@ -97,16 +97,16 @@ func (s *alibabaProvider) BeforeEach() {
 	Expect(err).ToNot(HaveOccurred())
 
 	// Creating Alibaba secret store
-	secretStore := &esv1alpha1.SecretStore{
+	secretStore := &esv1alpha2.SecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      s.framework.Namespace.Name,
 			Namespace: s.framework.Namespace.Name,
 		},
-		Spec: esv1alpha1.SecretStoreSpec{
-			Provider: &esv1alpha1.SecretStoreProvider{
-				Alibaba: &esv1alpha1.AlibabaProvider{
-					Auth: &esv1alpha1.AlibabaAuth{
-						SecretRef: esv1alpha1.AlibabaAuthSecretRef{
+		Spec: esv1alpha2.SecretStoreSpec{
+			Provider: &esv1alpha2.SecretStoreProvider{
+				Alibaba: &esv1alpha2.AlibabaProvider{
+					Auth: &esv1alpha2.AlibabaAuth{
+						SecretRef: esv1alpha2.AlibabaAuthSecretRef{
 							AccessKeyID: esmeta.SecretKeySelector{
 								Name: "kms-secret",
 								Key:  "keyid",

+ 10 - 10
e2e/suite/aws/common.go

@@ -21,7 +21,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	esmetav1 "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/e2e/framework"
 )
@@ -41,18 +41,18 @@ func MountedIRSAStoreName(f *framework.Framework) string {
 }
 
 func UseClusterSecretStore(tc *framework.TestCase) {
-	tc.ExternalSecret.Spec.SecretStoreRef.Kind = esv1alpha1.ClusterSecretStoreKind
+	tc.ExternalSecret.Spec.SecretStoreRef.Kind = esv1alpha2.ClusterSecretStoreKind
 	tc.ExternalSecret.Spec.SecretStoreRef.Name = ReferencedIRSAStoreName(tc.Framework)
 }
 
 func UseMountedIRSAStore(tc *framework.TestCase) {
-	tc.ExternalSecret.Spec.SecretStoreRef.Kind = esv1alpha1.SecretStoreKind
+	tc.ExternalSecret.Spec.SecretStoreRef.Kind = esv1alpha2.SecretStoreKind
 	tc.ExternalSecret.Spec.SecretStoreRef.Name = MountedIRSAStoreName(tc.Framework)
 }
 
 // StaticStore is namespaced and references
 // static credentials from a secret.
-func SetupStaticStore(f *framework.Framework, kid, sak, region string, serviceType esv1alpha1.AWSServiceType) {
+func SetupStaticStore(f *framework.Framework, kid, sak, region string, serviceType esv1alpha2.AWSServiceType) {
 	awsCreds := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      StaticCredentialsSecretName,
@@ -66,18 +66,18 @@ func SetupStaticStore(f *framework.Framework, kid, sak, region string, serviceTy
 	err := f.CRClient.Create(context.Background(), awsCreds)
 	Expect(err).ToNot(HaveOccurred())
 
-	secretStore := &esv1alpha1.SecretStore{
+	secretStore := &esv1alpha2.SecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      f.Namespace.Name,
 			Namespace: f.Namespace.Name,
 		},
-		Spec: esv1alpha1.SecretStoreSpec{
-			Provider: &esv1alpha1.SecretStoreProvider{
-				AWS: &esv1alpha1.AWSProvider{
+		Spec: esv1alpha2.SecretStoreSpec{
+			Provider: &esv1alpha2.SecretStoreProvider{
+				AWS: &esv1alpha2.AWSProvider{
 					Service: serviceType,
 					Region:  region,
-					Auth: esv1alpha1.AWSAuth{
-						SecretRef: &esv1alpha1.AWSAuthSecretRef{
+					Auth: esv1alpha2.AWSAuth{
+						SecretRef: &esv1alpha2.AWSAuthSecretRef{
 							AccessKeyID: esmetav1.SecretKeySelector{
 								Name: StaticCredentialsSecretName,
 								Key:  "kid",

+ 15 - 15
e2e/suite/aws/parameterstore/provider.go

@@ -31,7 +31,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	esmetav1 "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/e2e/framework"
 	"github.com/external-secrets/external-secrets/e2e/framework/log"
@@ -67,14 +67,14 @@ func NewProvider(f *framework.Framework, kid, sak, region, saName, saNamespace s
 	}
 
 	BeforeEach(func() {
-		common.SetupStaticStore(f, kid, sak, region, esv1alpha1.AWSServiceParameterStore)
+		common.SetupStaticStore(f, kid, sak, region, esv1alpha2.AWSServiceParameterStore)
 		prov.SetupReferencedIRSAStore()
 		prov.SetupMountedIRSAStore()
 	})
 
 	AfterEach(func() {
 		// Cleanup ClusterSecretStore
-		err := prov.framework.CRClient.Delete(context.Background(), &esv1alpha1.ClusterSecretStore{
+		err := prov.framework.CRClient.Delete(context.Background(), &esv1alpha2.ClusterSecretStore{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: common.ReferencedIRSAStoreName(f),
 			},
@@ -116,17 +116,17 @@ func (s *Provider) DeleteSecret(key string) {
 // MountedIRSAStore is a SecretStore without auth config
 // ESO relies on the pod-mounted ServiceAccount when using this store.
 func (s *Provider) SetupMountedIRSAStore() {
-	secretStore := &esv1alpha1.SecretStore{
+	secretStore := &esv1alpha2.SecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      common.MountedIRSAStoreName(s.framework),
 			Namespace: s.framework.Namespace.Name,
 		},
-		Spec: esv1alpha1.SecretStoreSpec{
-			Provider: &esv1alpha1.SecretStoreProvider{
-				AWS: &esv1alpha1.AWSProvider{
-					Service: esv1alpha1.AWSServiceParameterStore,
+		Spec: esv1alpha2.SecretStoreSpec{
+			Provider: &esv1alpha2.SecretStoreProvider{
+				AWS: &esv1alpha2.AWSProvider{
+					Service: esv1alpha2.AWSServiceParameterStore,
 					Region:  s.region,
-					Auth:    esv1alpha1.AWSAuth{},
+					Auth:    esv1alpha2.AWSAuth{},
 				},
 			},
 		},
@@ -139,18 +139,18 @@ func (s *Provider) SetupMountedIRSAStore() {
 // that references a (IRSA-) ServiceAccount in the default namespace.
 func (s *Provider) SetupReferencedIRSAStore() {
 	log.Logf("creating IRSA ClusterSecretStore %s", s.framework.Namespace.Name)
-	secretStore := &esv1alpha1.ClusterSecretStore{
+	secretStore := &esv1alpha2.ClusterSecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: common.ReferencedIRSAStoreName(s.framework),
 		},
 	}
 	_, err := controllerutil.CreateOrUpdate(context.Background(), s.framework.CRClient, secretStore, func() error {
-		secretStore.Spec.Provider = &esv1alpha1.SecretStoreProvider{
-			AWS: &esv1alpha1.AWSProvider{
-				Service: esv1alpha1.AWSServiceParameterStore,
+		secretStore.Spec.Provider = &esv1alpha2.SecretStoreProvider{
+			AWS: &esv1alpha2.AWSProvider{
+				Service: esv1alpha2.AWSServiceParameterStore,
 				Region:  s.region,
-				Auth: esv1alpha1.AWSAuth{
-					JWTAuth: &esv1alpha1.AWSJWTAuth{
+				Auth: esv1alpha2.AWSAuth{
+					JWTAuth: &esv1alpha2.AWSJWTAuth{
 						ServiceAccountRef: &esmetav1.ServiceAccountSelector{
 							Name:      s.ServiceAccountName,
 							Namespace: &s.ServiceAccountNamespace,

+ 15 - 15
e2e/suite/aws/secretsmanager/provider.go

@@ -32,7 +32,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	esmetav1 "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/e2e/framework"
 	"github.com/external-secrets/external-secrets/e2e/framework/log"
@@ -68,14 +68,14 @@ func NewProvider(f *framework.Framework, kid, sak, region, saName, saNamespace s
 	}
 
 	BeforeEach(func() {
-		common.SetupStaticStore(f, kid, sak, region, esv1alpha1.AWSServiceSecretsManager)
+		common.SetupStaticStore(f, kid, sak, region, esv1alpha2.AWSServiceSecretsManager)
 		prov.SetupReferencedIRSAStore()
 		prov.SetupMountedIRSAStore()
 	})
 
 	AfterEach(func() {
 		// Cleanup ClusterSecretStore
-		err := prov.framework.CRClient.Delete(context.Background(), &esv1alpha1.ClusterSecretStore{
+		err := prov.framework.CRClient.Delete(context.Background(), &esv1alpha2.ClusterSecretStore{
 			ObjectMeta: metav1.ObjectMeta{
 				Name: common.ReferencedIRSAStoreName(f),
 			},
@@ -133,17 +133,17 @@ func (s *Provider) DeleteSecret(key string) {
 // MountedIRSAStore is a SecretStore without auth config
 // ESO relies on the pod-mounted ServiceAccount when using this store.
 func (s *Provider) SetupMountedIRSAStore() {
-	secretStore := &esv1alpha1.SecretStore{
+	secretStore := &esv1alpha2.SecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      common.MountedIRSAStoreName(s.framework),
 			Namespace: s.framework.Namespace.Name,
 		},
-		Spec: esv1alpha1.SecretStoreSpec{
-			Provider: &esv1alpha1.SecretStoreProvider{
-				AWS: &esv1alpha1.AWSProvider{
-					Service: esv1alpha1.AWSServiceSecretsManager,
+		Spec: esv1alpha2.SecretStoreSpec{
+			Provider: &esv1alpha2.SecretStoreProvider{
+				AWS: &esv1alpha2.AWSProvider{
+					Service: esv1alpha2.AWSServiceSecretsManager,
 					Region:  s.region,
-					Auth:    esv1alpha1.AWSAuth{},
+					Auth:    esv1alpha2.AWSAuth{},
 				},
 			},
 		},
@@ -156,18 +156,18 @@ func (s *Provider) SetupMountedIRSAStore() {
 // that references a (IRSA-) ServiceAccount in the default namespace.
 func (s *Provider) SetupReferencedIRSAStore() {
 	log.Logf("creating IRSA ClusterSecretStore %s", s.framework.Namespace.Name)
-	secretStore := &esv1alpha1.ClusterSecretStore{
+	secretStore := &esv1alpha2.ClusterSecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: common.ReferencedIRSAStoreName(s.framework),
 		},
 	}
 	_, err := controllerutil.CreateOrUpdate(context.Background(), s.framework.CRClient, secretStore, func() error {
-		secretStore.Spec.Provider = &esv1alpha1.SecretStoreProvider{
-			AWS: &esv1alpha1.AWSProvider{
-				Service: esv1alpha1.AWSServiceSecretsManager,
+		secretStore.Spec.Provider = &esv1alpha2.SecretStoreProvider{
+			AWS: &esv1alpha2.AWSProvider{
+				Service: esv1alpha2.AWSServiceSecretsManager,
 				Region:  s.region,
-				Auth: esv1alpha1.AWSAuth{
-					JWTAuth: &esv1alpha1.AWSJWTAuth{
+				Auth: esv1alpha2.AWSAuth{
+					JWTAuth: &esv1alpha2.AWSJWTAuth{
 						ServiceAccountRef: &esmetav1.ServiceAccountSelector{
 							Name:      s.ServiceAccountName,
 							Namespace: &s.ServiceAccountNamespace,

+ 3 - 3
e2e/suite/azure/azure_cert.go

@@ -20,7 +20,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 
 	// nolint
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/e2e/framework"
 )
 
@@ -52,10 +52,10 @@ var _ = Describe("[azure]", Label("azure", "keyvault", "cert"), func() {
 					secretKey: certBytes,
 				},
 			}
-			tc.ExternalSecret.Spec.Data = []esv1alpha1.ExternalSecretData{
+			tc.ExternalSecret.Spec.Data = []esv1alpha2.ExternalSecretData{
 				{
 					SecretKey: secretKey,
-					RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
+					RemoteRef: esv1alpha2.ExternalSecretDataRemoteRef{
 						Key: "cert/" + certName,
 					},
 				},

+ 3 - 3
e2e/suite/azure/azure_key.go

@@ -22,7 +22,7 @@ import (
 	. "github.com/onsi/ginkgo/v2"
 	v1 "k8s.io/api/core/v1"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/e2e/framework"
 )
 
@@ -55,10 +55,10 @@ var _ = Describe("[azure]", Label("azure", "keyvault", "key"), func() {
 					secretKey: keyBytes,
 				},
 			}
-			tc.ExternalSecret.Spec.Data = []esv1alpha1.ExternalSecretData{
+			tc.ExternalSecret.Spec.Data = []esv1alpha2.ExternalSecretData{
 				{
 					SecretKey: secretKey,
-					RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
+					RemoteRef: esv1alpha2.ExternalSecretDataRemoteRef{
 						Key: "key/" + keyName,
 					},
 				},

+ 6 - 6
e2e/suite/azure/provider.go

@@ -28,7 +28,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilpointer "k8s.io/utils/pointer"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/e2e/framework"
 )
@@ -190,17 +190,17 @@ func (s *azureProvider) CreateSecretStore() {
 	err := s.framework.CRClient.Create(context.Background(), azureCreds)
 	Expect(err).ToNot(HaveOccurred())
 
-	secretStore := &esv1alpha1.SecretStore{
+	secretStore := &esv1alpha2.SecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      s.framework.Namespace.Name,
 			Namespace: s.framework.Namespace.Name,
 		},
-		Spec: esv1alpha1.SecretStoreSpec{
-			Provider: &esv1alpha1.SecretStoreProvider{
-				AzureKV: &esv1alpha1.AzureKVProvider{
+		Spec: esv1alpha2.SecretStoreSpec{
+			Provider: &esv1alpha2.SecretStoreProvider{
+				AzureKV: &esv1alpha2.AzureKVProvider{
 					TenantID: &s.tenantID,
 					VaultURL: &s.vaultURL,
-					AuthSecretRef: &esv1alpha1.AzureKVAuth{
+					AuthSecretRef: &esv1alpha2.AzureKVAuth{
 						ClientID: &esmeta.SecretKeySelector{
 							Name: "provider-secret",
 							Key:  "client-id",

+ 33 - 33
e2e/suite/common/common.go

@@ -18,7 +18,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/e2e/framework"
 )
 
@@ -48,16 +48,16 @@ func SimpleDataSync(f *framework.Framework) (string, func(*framework.TestCase))
 				secretKey2: []byte(secretValue),
 			},
 		}
-		tc.ExternalSecret.Spec.Data = []esv1alpha1.ExternalSecretData{
+		tc.ExternalSecret.Spec.Data = []esv1alpha2.ExternalSecretData{
 			{
 				SecretKey: secretKey1,
-				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
+				RemoteRef: esv1alpha2.ExternalSecretDataRemoteRef{
 					Key: secretKey1,
 				},
 			},
 			{
 				SecretKey: secretKey2,
-				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
+				RemoteRef: esv1alpha2.ExternalSecretDataRemoteRef{
 					Key: secretKey2,
 				},
 			},
@@ -81,10 +81,10 @@ func SyncWithoutTargetName(f *framework.Framework) (string, func(*framework.Test
 			},
 		}
 		tc.ExternalSecret.Spec.Target.Name = ""
-		tc.ExternalSecret.Spec.Data = []esv1alpha1.ExternalSecretData{
+		tc.ExternalSecret.Spec.Data = []esv1alpha2.ExternalSecretData{
 			{
 				SecretKey: secretKey1,
-				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
+				RemoteRef: esv1alpha2.ExternalSecretDataRemoteRef{
 					Key: secretKey1,
 				},
 			},
@@ -111,17 +111,17 @@ func JSONDataWithProperty(f *framework.Framework) (string, func(*framework.TestC
 				secretKey2: []byte("bar2-val"),
 			},
 		}
-		tc.ExternalSecret.Spec.Data = []esv1alpha1.ExternalSecretData{
+		tc.ExternalSecret.Spec.Data = []esv1alpha2.ExternalSecretData{
 			{
 				SecretKey: secretKey1,
-				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
+				RemoteRef: esv1alpha2.ExternalSecretDataRemoteRef{
 					Key:      secretKey1,
 					Property: "foo1",
 				},
 			},
 			{
 				SecretKey: secretKey2,
-				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
+				RemoteRef: esv1alpha2.ExternalSecretDataRemoteRef{
 					Key:      secretKey2,
 					Property: "bar2",
 				},
@@ -146,10 +146,10 @@ func JSONDataWithoutTargetName(f *framework.Framework) (string, func(*framework.
 			},
 		}
 		tc.ExternalSecret.Spec.Target.Name = ""
-		tc.ExternalSecret.Spec.Data = []esv1alpha1.ExternalSecretData{
+		tc.ExternalSecret.Spec.Data = []esv1alpha2.ExternalSecretData{
 			{
 				SecretKey: secretKey,
-				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
+				RemoteRef: esv1alpha2.ExternalSecretDataRemoteRef{
 					Key:      secretKey,
 					Property: "foo",
 				},
@@ -184,8 +184,8 @@ func JSONDataWithTemplate(f *framework.Framework) (string, func(*framework.TestC
 				"my-data": []byte(`executed: foo1-val|bar2-val`),
 			},
 		}
-		tc.ExternalSecret.Spec.Target.Template = &esv1alpha1.ExternalSecretTemplate{
-			Metadata: esv1alpha1.ExternalSecretTemplateMetadata{
+		tc.ExternalSecret.Spec.Target.Template = &esv1alpha2.ExternalSecretTemplate{
+			Metadata: esv1alpha2.ExternalSecretTemplateMetadata{
 				Annotations: map[string]string{
 					"example": "annotation",
 				},
@@ -197,17 +197,17 @@ func JSONDataWithTemplate(f *framework.Framework) (string, func(*framework.TestC
 				"my-data": "executed: {{ .one | toString }}|{{ .two | toString }}",
 			},
 		}
-		tc.ExternalSecret.Spec.Data = []esv1alpha1.ExternalSecretData{
+		tc.ExternalSecret.Spec.Data = []esv1alpha2.ExternalSecretData{
 			{
 				SecretKey: "one",
-				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
+				RemoteRef: esv1alpha2.ExternalSecretDataRemoteRef{
 					Key:      secretKey1,
 					Property: "foo1",
 				},
 			},
 			{
 				SecretKey: "two",
-				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
+				RemoteRef: esv1alpha2.ExternalSecretDataRemoteRef{
 					Key:      secretKey2,
 					Property: "bar2",
 				},
@@ -235,9 +235,9 @@ func JSONDataFromSync(f *framework.Framework) (string, func(*framework.TestCase)
 				targetSecretKey2: []byte(targetSecretValue2),
 			},
 		}
-		tc.ExternalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataFromRemoteRef{
+		tc.ExternalSecret.Spec.DataFrom = []esv1alpha2.ExternalSecretDataFromRemoteRef{
 			{
-				Extract: esv1alpha1.ExternalSecretExtract{
+				Extract: esv1alpha2.ExternalSecretExtract{
 					Key: secretKey1,
 				},
 			},
@@ -275,17 +275,17 @@ func NestedJSONWithGJSON(f *framework.Framework) (string, func(*framework.TestCa
 				targetSecretKey2: []byte(targetSecretValue2),
 			},
 		}
-		tc.ExternalSecret.Spec.Data = []esv1alpha1.ExternalSecretData{
+		tc.ExternalSecret.Spec.Data = []esv1alpha2.ExternalSecretData{
 			{
 				SecretKey: targetSecretKey1,
-				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
+				RemoteRef: esv1alpha2.ExternalSecretDataRemoteRef{
 					Key:      secretKey1,
 					Property: "name.first",
 				},
 			},
 			{
 				SecretKey: targetSecretKey2,
-				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
+				RemoteRef: esv1alpha2.ExternalSecretDataRemoteRef{
 					Key:      secretKey1,
 					Property: "friends.1.first",
 				},
@@ -313,17 +313,17 @@ func DockerJSONConfig(f *framework.Framework) (string, func(*framework.TestCase)
 			},
 		}
 
-		tc.ExternalSecret.Spec.Data = []esv1alpha1.ExternalSecretData{
+		tc.ExternalSecret.Spec.Data = []esv1alpha2.ExternalSecretData{
 			{
 				SecretKey: "mysecret",
-				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
+				RemoteRef: esv1alpha2.ExternalSecretDataRemoteRef{
 					Key:      cloudSecretName,
 					Property: "dockerconfig",
 				},
 			},
 		}
 
-		tc.ExternalSecret.Spec.Target.Template = &esv1alpha1.ExternalSecretTemplate{
+		tc.ExternalSecret.Spec.Target.Template = &esv1alpha2.ExternalSecretTemplate{
 			Data: map[string]string{
 				dockerConfigJSONKey: mysecretToStringTemplating,
 			},
@@ -351,17 +351,17 @@ func DataPropertyDockerconfigJSON(f *framework.Framework) (string, func(*framewo
 			},
 		}
 
-		tc.ExternalSecret.Spec.Data = []esv1alpha1.ExternalSecretData{
+		tc.ExternalSecret.Spec.Data = []esv1alpha2.ExternalSecretData{
 			{
 				SecretKey: "mysecret",
-				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
+				RemoteRef: esv1alpha2.ExternalSecretDataRemoteRef{
 					Key:      cloudSecretName,
 					Property: "dockerconfig",
 				},
 			},
 		}
 
-		tc.ExternalSecret.Spec.Target.Template = &esv1alpha1.ExternalSecretTemplate{
+		tc.ExternalSecret.Spec.Target.Template = &esv1alpha2.ExternalSecretTemplate{
 			Type: v1.SecretTypeDockerConfigJson,
 			Data: map[string]string{
 				dockerConfigJSONKey: mysecretToStringTemplating,
@@ -425,16 +425,16 @@ func SSHKeySync(f *framework.Framework) (string, func(*framework.TestCase)) {
 			},
 		}
 
-		tc.ExternalSecret.Spec.Data = []esv1alpha1.ExternalSecretData{
+		tc.ExternalSecret.Spec.Data = []esv1alpha2.ExternalSecretData{
 			{
 				SecretKey: "mysecret",
-				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
+				RemoteRef: esv1alpha2.ExternalSecretDataRemoteRef{
 					Key: sshSecretName,
 				},
 			},
 		}
 
-		tc.ExternalSecret.Spec.Target.Template = &esv1alpha1.ExternalSecretTemplate{
+		tc.ExternalSecret.Spec.Target.Template = &esv1alpha2.ExternalSecretTemplate{
 			Type: v1.SecretTypeSSHAuth,
 			Data: map[string]string{
 				sshPrivateKey: mysecretToStringTemplating,
@@ -497,17 +497,17 @@ func SSHKeySyncDataProperty(f *framework.Framework) (string, func(*framework.Tes
 			},
 		}
 
-		tc.ExternalSecret.Spec.Data = []esv1alpha1.ExternalSecretData{
+		tc.ExternalSecret.Spec.Data = []esv1alpha2.ExternalSecretData{
 			{
 				SecretKey: "mysecret",
-				RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
+				RemoteRef: esv1alpha2.ExternalSecretDataRemoteRef{
 					Key:      cloudSecretName,
 					Property: "ssh-auth",
 				},
 			},
 		}
 
-		tc.ExternalSecret.Spec.Target.Template = &esv1alpha1.ExternalSecretTemplate{
+		tc.ExternalSecret.Spec.Target.Template = &esv1alpha2.ExternalSecretTemplate{
 			Type: v1.SecretTypeSSHAuth,
 			Data: map[string]string{
 				sshPrivateKey: mysecretToStringTemplating,

+ 4 - 4
e2e/suite/gcp/gcp.go

@@ -24,7 +24,7 @@ import (
 	p12 "software.sslmate.com/src/go-pkcs12"
 
 	// nolint
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/e2e/framework"
 	"github.com/external-secrets/external-secrets/e2e/suite/common"
 )
@@ -134,16 +134,16 @@ x6HaRh+EUwU51von6M9lEF9/p5Q=
 		},
 	}
 
-	tc.ExternalSecret.Spec.Data = []esv1alpha1.ExternalSecretData{
+	tc.ExternalSecret.Spec.Data = []esv1alpha2.ExternalSecretData{
 		{
 			SecretKey: "mysecret",
-			RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
+			RemoteRef: esv1alpha2.ExternalSecretDataRemoteRef{
 				Key: cloudSecretName,
 			},
 		},
 	}
 
-	tc.ExternalSecret.Spec.Target.Template = &esv1alpha1.ExternalSecretTemplate{
+	tc.ExternalSecret.Spec.Target.Template = &esv1alpha2.ExternalSecretTemplate{
 		Type: v1.SecretTypeTLS,
 		Data: map[string]string{
 			"tls.crt": "{{ .mysecret | pkcs12cert | pemCertificate }}",

+ 2 - 2
e2e/suite/gcp/gcp_managed.go

@@ -19,7 +19,7 @@ import (
 
 	// nolint
 	// . "github.com/onsi/gomega"
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/e2e/framework"
 	"github.com/external-secrets/external-secrets/e2e/framework/addon"
 	"github.com/external-secrets/external-secrets/e2e/suite/common"
@@ -105,7 +105,7 @@ func usePodIDESReference(tc *framework.TestCase) {
 
 func useSpecifcSAESReference(prov *GcpProvider) func(*framework.TestCase) {
 	return func(tc *framework.TestCase) {
-		tc.ExternalSecret.Spec.SecretStoreRef.Kind = esv1alpha1.ClusterSecretStoreKind
+		tc.ExternalSecret.Spec.SecretStoreRef.Kind = esv1alpha2.ClusterSecretStoreKind
 		tc.ExternalSecret.Spec.SecretStoreRef.Name = prov.SAClusterSecretStoreName()
 	}
 }

+ 14 - 14
e2e/suite/gcp/provider.go

@@ -33,7 +33,7 @@ import (
 	utilpointer "k8s.io/utils/pointer"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/e2e/framework"
 	gcpsm "github.com/external-secrets/external-secrets/pkg/provider/gcp/secretmanager"
@@ -145,16 +145,16 @@ func (s *GcpProvider) DeleteSecret(key string) {
 	Expect(err).ToNot(HaveOccurred())
 }
 
-func makeStore(s *GcpProvider) *esv1alpha1.SecretStore {
-	return &esv1alpha1.SecretStore{
+func makeStore(s *GcpProvider) *esv1alpha2.SecretStore {
+	return &esv1alpha2.SecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      s.framework.Namespace.Name,
 			Namespace: s.framework.Namespace.Name,
 		},
-		Spec: esv1alpha1.SecretStoreSpec{
+		Spec: esv1alpha2.SecretStoreSpec{
 			Controller: s.controllerClass,
-			Provider: &esv1alpha1.SecretStoreProvider{
-				GCPSM: &esv1alpha1.GCPSMProvider{
+			Provider: &esv1alpha2.SecretStoreProvider{
+				GCPSM: &esv1alpha2.GCPSMProvider{
 					ProjectID: s.projectID,
 				},
 			},
@@ -178,8 +178,8 @@ func (s *GcpProvider) CreateSAKeyStore(ns string) {
 		Expect(err).ToNot(HaveOccurred())
 	}
 	secretStore := makeStore(s)
-	secretStore.Spec.Provider.GCPSM.Auth = esv1alpha1.GCPSMAuth{
-		SecretRef: &esv1alpha1.GCPSMAuthSecretRef{
+	secretStore.Spec.Provider.GCPSM.Auth = esv1alpha2.GCPSMAuth{
+		SecretRef: &esv1alpha2.GCPSMAuthSecretRef{
 			SecretAccessKey: esmeta.SecretKeySelector{
 				Name: staticCredentialsSecretName,
 				Key:  "secret-access-credentials",
@@ -202,18 +202,18 @@ func (s *GcpProvider) SAClusterSecretStoreName() string {
 }
 
 func (s *GcpProvider) CreateSpecifcSASecretStore(ns string) {
-	clusterSecretStore := &esv1alpha1.ClusterSecretStore{
+	clusterSecretStore := &esv1alpha2.ClusterSecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: s.SAClusterSecretStoreName(),
 		},
 	}
 	_, err := controllerutil.CreateOrUpdate(context.Background(), s.framework.CRClient, clusterSecretStore, func() error {
 		clusterSecretStore.Spec.Controller = s.controllerClass
-		clusterSecretStore.Spec.Provider = &esv1alpha1.SecretStoreProvider{
-			GCPSM: &esv1alpha1.GCPSMProvider{
+		clusterSecretStore.Spec.Provider = &esv1alpha2.SecretStoreProvider{
+			GCPSM: &esv1alpha2.GCPSMProvider{
 				ProjectID: s.projectID,
-				Auth: esv1alpha1.GCPSMAuth{
-					WorkloadIdentity: &esv1alpha1.GCPWorkloadIdentity{
+				Auth: esv1alpha2.GCPSMAuth{
+					WorkloadIdentity: &esv1alpha2.GCPWorkloadIdentity{
 						ClusterLocation: s.clusterLocation,
 						ClusterName:     s.clusterName,
 						ServiceAccountRef: esmeta.ServiceAccountSelector{
@@ -232,7 +232,7 @@ func (s *GcpProvider) CreateSpecifcSASecretStore(ns string) {
 // Cleanup removes global resources that may have been
 // created by this provider.
 func (s *GcpProvider) DeleteSpecifcSASecretStore() {
-	err := s.framework.CRClient.Delete(context.Background(), &esv1alpha1.ClusterSecretStore{
+	err := s.framework.CRClient.Delete(context.Background(), &esv1alpha2.ClusterSecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: s.SAClusterSecretStoreName(),
 		},

+ 7 - 7
e2e/suite/gitlab/provider.go

@@ -27,7 +27,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/e2e/framework"
 )
@@ -111,17 +111,17 @@ func (s *gitlabProvider) BeforeEach() {
 
 	// Create a secret store - change these values to match YAML
 	By("creating a secret store for credentials")
-	secretStore := &esv1alpha1.SecretStore{
+	secretStore := &esv1alpha2.SecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      s.framework.Namespace.Name,
 			Namespace: s.framework.Namespace.Name,
 		},
-		Spec: esv1alpha1.SecretStoreSpec{
-			Provider: &esv1alpha1.SecretStoreProvider{
-				Gitlab: &esv1alpha1.GitlabProvider{
+		Spec: esv1alpha2.SecretStoreSpec{
+			Provider: &esv1alpha2.SecretStoreProvider{
+				Gitlab: &esv1alpha2.GitlabProvider{
 					ProjectID: s.projectID,
-					Auth: esv1alpha1.GitlabAuth{
-						SecretRef: esv1alpha1.GitlabSecretRef{
+					Auth: esv1alpha2.GitlabAuth{
+						SecretRef: esv1alpha2.GitlabSecretRef{
 							AccessToken: esmeta.SecretKeySelector{
 								Name: "provider-secret",
 								Key:  "token",

+ 7 - 7
e2e/suite/oracle/provider.go

@@ -27,7 +27,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilpointer "k8s.io/utils/pointer"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/e2e/framework"
 )
@@ -105,16 +105,16 @@ func (p *oracleProvider) BeforeEach() {
 	err := p.framework.CRClient.Create(context.Background(), OracleCreds)
 	Expect(err).ToNot(HaveOccurred())
 
-	secretStore := &esv1alpha1.SecretStore{
+	secretStore := &esv1alpha2.SecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      p.framework.Namespace.Name,
 			Namespace: p.framework.Namespace.Name,
 		},
-		Spec: esv1alpha1.SecretStoreSpec{
-			Provider: &esv1alpha1.SecretStoreProvider{
-				Oracle: &esv1alpha1.OracleProvider{
-					Auth: esv1alpha1.OracleAuth{
-						SecretRef: esv1alpha1.OracleSecretRef{
+		Spec: esv1alpha2.SecretStoreSpec{
+			Provider: &esv1alpha2.SecretStoreProvider{
+				Oracle: &esv1alpha2.OracleProvider{
+					Auth: esv1alpha2.OracleAuth{
+						SecretRef: esv1alpha2.OracleSecretRef{
 							Fingerprint: esmeta.SecretKeySelector{
 								Name: "vms-secret",
 								Key:  "keyid",

+ 18 - 18
e2e/suite/vault/provider.go

@@ -28,7 +28,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/e2e/framework"
 	"github.com/external-secrets/external-secrets/e2e/framework/addon"
@@ -98,16 +98,16 @@ func (s *vaultProvider) BeforeEach() {
 	s.CreateKubernetesAuthStore(v, ns)
 }
 
-func makeStore(name, ns string, v *addon.Vault) *esv1alpha1.SecretStore {
-	return &esv1alpha1.SecretStore{
+func makeStore(name, ns string, v *addon.Vault) *esv1alpha2.SecretStore {
+	return &esv1alpha2.SecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      name,
 			Namespace: ns,
 		},
-		Spec: esv1alpha1.SecretStoreSpec{
-			Provider: &esv1alpha1.SecretStoreProvider{
-				Vault: &esv1alpha1.VaultProvider{
-					Version:  esv1alpha1.VaultKVStoreV2,
+		Spec: esv1alpha2.SecretStoreSpec{
+			Provider: &esv1alpha2.SecretStoreProvider{
+				Vault: &esv1alpha2.VaultProvider{
+					Version:  esv1alpha2.VaultKVStoreV2,
 					Path:     &secretStorePath,
 					Server:   v.VaultURL,
 					CABundle: v.VaultServerCA,
@@ -137,8 +137,8 @@ func (s *vaultProvider) CreateCertStore(v *addon.Vault, ns string) {
 
 	By("creating an secret store for vault")
 	secretStore := makeStore(certAuthProviderName, ns, v)
-	secretStore.Spec.Provider.Vault.Auth = esv1alpha1.VaultAuth{
-		Cert: &esv1alpha1.VaultCertAuth{
+	secretStore.Spec.Provider.Vault.Auth = esv1alpha2.VaultAuth{
+		Cert: &esv1alpha2.VaultCertAuth{
 			ClientCert: esmeta.SecretKeySelector{
 				Name: certAuthProviderName,
 				Key:  "client_cert",
@@ -166,7 +166,7 @@ func (s vaultProvider) CreateTokenStore(v *addon.Vault, ns string) {
 	err := s.framework.CRClient.Create(context.Background(), vaultCreds)
 	Expect(err).ToNot(HaveOccurred())
 	secretStore := makeStore(s.framework.Namespace.Name, ns, v)
-	secretStore.Spec.Provider.Vault.Auth = esv1alpha1.VaultAuth{
+	secretStore.Spec.Provider.Vault.Auth = esv1alpha2.VaultAuth{
 		TokenSecretRef: &esmeta.SecretKeySelector{
 			Name: "token-provider",
 			Key:  "token",
@@ -192,8 +192,8 @@ func (s vaultProvider) CreateAppRoleStore(v *addon.Vault, ns string) {
 
 	By("creating an secret store for vault")
 	secretStore := makeStore(appRoleAuthProviderName, ns, v)
-	secretStore.Spec.Provider.Vault.Auth = esv1alpha1.VaultAuth{
-		AppRole: &esv1alpha1.VaultAppRole{
+	secretStore.Spec.Provider.Vault.Auth = esv1alpha2.VaultAuth{
+		AppRole: &esv1alpha2.VaultAppRole{
 			Path:   v.AppRolePath,
 			RoleID: v.AppRoleID,
 			SecretRef: esmeta.SecretKeySelector{
@@ -220,9 +220,9 @@ func (s vaultProvider) CreateV1Store(v *addon.Vault, ns string) {
 	Expect(err).ToNot(HaveOccurred())
 	secretStore := makeStore(kvv1ProviderName, ns, v)
 	secretV1StorePath := "secret_v1"
-	secretStore.Spec.Provider.Vault.Version = esv1alpha1.VaultKVStoreV1
+	secretStore.Spec.Provider.Vault.Version = esv1alpha2.VaultKVStoreV1
 	secretStore.Spec.Provider.Vault.Path = &secretV1StorePath
-	secretStore.Spec.Provider.Vault.Auth = esv1alpha1.VaultAuth{
+	secretStore.Spec.Provider.Vault.Auth = esv1alpha2.VaultAuth{
 		TokenSecretRef: &esmeta.SecretKeySelector{
 			Name: "v1-provider",
 			Key:  "token",
@@ -245,8 +245,8 @@ func (s vaultProvider) CreateJWTStore(v *addon.Vault, ns string) {
 	err := s.framework.CRClient.Create(context.Background(), vaultCreds)
 	Expect(err).ToNot(HaveOccurred())
 	secretStore := makeStore(jwtProviderName, ns, v)
-	secretStore.Spec.Provider.Vault.Auth = esv1alpha1.VaultAuth{
-		Jwt: &esv1alpha1.VaultJwtAuth{
+	secretStore.Spec.Provider.Vault.Auth = esv1alpha2.VaultAuth{
+		Jwt: &esv1alpha2.VaultJwtAuth{
 			Path: v.JWTPath,
 			Role: v.JWTRole,
 			SecretRef: esmeta.SecretKeySelector{
@@ -261,8 +261,8 @@ func (s vaultProvider) CreateJWTStore(v *addon.Vault, ns string) {
 
 func (s vaultProvider) CreateKubernetesAuthStore(v *addon.Vault, ns string) {
 	secretStore := makeStore(kubernetesProviderName, ns, v)
-	secretStore.Spec.Provider.Vault.Auth = esv1alpha1.VaultAuth{
-		Kubernetes: &esv1alpha1.VaultKubernetesAuth{
+	secretStore.Spec.Provider.Vault.Auth = esv1alpha2.VaultAuth{
+		Kubernetes: &esv1alpha2.VaultKubernetesAuth{
 			Path: v.KubernetesAuthPath,
 			Role: v.KubernetesAuthRole,
 			ServiceAccountRef: &esmeta.ServiceAccountSelector{

+ 2 - 2
main.go

@@ -27,7 +27,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/pkg/controllers/externalsecret"
 	"github.com/external-secrets/external-secrets/pkg/controllers/secretstore"
 )
@@ -39,7 +39,7 @@ var (
 
 func init() {
 	_ = clientgoscheme.AddToScheme(scheme)
-	_ = esv1alpha1.AddToScheme(scheme)
+	_ = esv1alpha2.AddToScheme(scheme)
 }
 
 func main() {
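Review bot: `init` discards the error from both `AddToScheme` calls, so a failed registration of the v1alpha2 types would go unnoticed at startup. `utilruntime.Must(esv1alpha2.AddToScheme(scheme))` (from `k8s.io/apimachinery/pkg/util/runtime`, which would need importing) stops the process at that point instead. Separately, v1alpha1 is no longer added to the scheme. Whether the CRDs still serve v1alpha1, and how existing v1alpha1 objects are converted for this controller, is not visible in this hunk and is worth confirming before release.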

+ 24 - 24
pkg/controllers/externalsecret/externalsecret_controller.go

@@ -32,7 +32,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 
 	// Loading registered providers.
@@ -85,13 +85,13 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 
 	syncCallsMetricLabels := prometheus.Labels{"name": req.Name, "namespace": req.Namespace}
 
-	var externalSecret esv1alpha1.ExternalSecret
+	var externalSecret esv1alpha2.ExternalSecret
 
 	err := r.Get(ctx, req.NamespacedName, &externalSecret)
 	if apierrors.IsNotFound(err) {
 		syncCallsTotal.With(syncCallsMetricLabels).Inc()
-		conditionSynced := NewExternalSecretCondition(esv1alpha1.ExternalSecretDeleted, v1.ConditionFalse, esv1alpha1.ConditionReasonSecretDeleted, "Secret was deleted")
-		SetExternalSecretCondition(&esv1alpha1.ExternalSecret{
+		conditionSynced := NewExternalSecretCondition(esv1alpha2.ExternalSecretDeleted, v1.ConditionFalse, esv1alpha2.ConditionReasonSecretDeleted, "Secret was deleted")
+		SetExternalSecretCondition(&esv1alpha2.ExternalSecret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      req.Name,
 				Namespace: req.Namespace,
@@ -116,7 +116,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 	store, err := r.getStore(ctx, &externalSecret)
 	if err != nil {
 		log.Error(err, errStoreRef)
-		conditionSynced := NewExternalSecretCondition(esv1alpha1.ExternalSecretReady, v1.ConditionFalse, esv1alpha1.ConditionReasonSecretSyncedError, err.Error())
+		conditionSynced := NewExternalSecretCondition(esv1alpha2.ExternalSecretReady, v1.ConditionFalse, esv1alpha2.ConditionReasonSecretSyncedError, err.Error())
 		SetExternalSecretCondition(&externalSecret, *conditionSynced)
 		syncCallsError.With(syncCallsMetricLabels).Inc()
 		return ctrl.Result{RequeueAfter: requeueAfter}, nil
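Review bot: The Ready condition built on the new line carries the raw `err.Error()` from `getStore`, and that text is stored in the ExternalSecret status where every reader of the object can see it. The hunks at `@@ -140,7` (the `NewClient` error) and `@@ -233,14` (the reconcile error) do the same. What those errors contain is not visible here. If a store or provider error can include request details such as a URL or a remote key path, passing the fixed `errStoreRef` as the condition message and leaving the full error to `log.Error` keeps it out of the API object. `Reconcile` starts and ends outside this hunk.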
@@ -140,7 +140,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 	secretClient, err := storeProvider.NewClient(ctx, store, r.Client, req.Namespace)
 	if err != nil {
 		log.Error(err, errStoreClient)
-		conditionSynced := NewExternalSecretCondition(esv1alpha1.ExternalSecretReady, v1.ConditionFalse, esv1alpha1.ConditionReasonSecretSyncedError, err.Error())
+		conditionSynced := NewExternalSecretCondition(esv1alpha2.ExternalSecretReady, v1.ConditionFalse, esv1alpha2.ConditionReasonSecretSyncedError, err.Error())
 		SetExternalSecretCondition(&externalSecret, *conditionSynced)
 		syncCallsError.With(syncCallsMetricLabels).Inc()
 		return ctrl.Result{RequeueAfter: requeueAfter}, nil
@@ -200,7 +200,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 	}
 
 	mutationFunc := func() error {
-		if externalSecret.Spec.Target.CreationPolicy == esv1alpha1.Owner {
+		if externalSecret.Spec.Target.CreationPolicy == esv1alpha2.Owner {
 			err = controllerutil.SetControllerReference(&externalSecret, &secret.ObjectMeta, r.Scheme)
 			if err != nil {
 				return fmt.Errorf(errSetCtrlReference, err)
@@ -222,9 +222,9 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 
 	// nolint
 	switch externalSecret.Spec.Target.CreationPolicy {
-	case esv1alpha1.Merge:
+	case esv1alpha2.Merge:
 		err = patchSecret(ctx, r.Client, r.Scheme, secret, mutationFunc)
-	case esv1alpha1.None:
+	case esv1alpha2.None:
 		log.V(1).Info("secret creation skipped due to creationPolicy=None")
 		err = nil
 	default:
@@ -233,14 +233,14 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 
 	if err != nil {
 		log.Error(err, errReconcileES)
-		conditionSynced := NewExternalSecretCondition(esv1alpha1.ExternalSecretReady, v1.ConditionFalse, esv1alpha1.ConditionReasonSecretSyncedError, err.Error())
+		conditionSynced := NewExternalSecretCondition(esv1alpha2.ExternalSecretReady, v1.ConditionFalse, esv1alpha2.ConditionReasonSecretSyncedError, err.Error())
 		SetExternalSecretCondition(&externalSecret, *conditionSynced)
 		syncCallsError.With(syncCallsMetricLabels).Inc()
 		return ctrl.Result{RequeueAfter: requeueAfter}, nil
 	}
 
-	conditionSynced := NewExternalSecretCondition(esv1alpha1.ExternalSecretReady, v1.ConditionTrue, esv1alpha1.ConditionReasonSecretSynced, "Secret was synced")
-	currCond := GetExternalSecretCondition(externalSecret.Status, esv1alpha1.ExternalSecretReady)
+	conditionSynced := NewExternalSecretCondition(esv1alpha2.ExternalSecretReady, v1.ConditionTrue, esv1alpha2.ConditionReasonSecretSynced, "Secret was synced")
+	currCond := GetExternalSecretCondition(externalSecret.Status, esv1alpha2.ExternalSecretReady)
 	SetExternalSecretCondition(&externalSecret, *conditionSynced)
 	externalSecret.Status.RefreshTime = metav1.NewTime(time.Now())
 	externalSecret.Status.SyncedResourceVersion = getResourceVersion(externalSecret)
@@ -298,14 +298,14 @@ func patchSecret(ctx context.Context, c client.Client, scheme *runtime.Scheme, s
 }
 
 // shouldProcessStore returns true if the store should be processed.
-func shouldProcessStore(store esv1alpha1.GenericStore, class string) bool {
+func shouldProcessStore(store esv1alpha2.GenericStore, class string) bool {
 	if store.GetSpec().Controller == "" || store.GetSpec().Controller == class {
 		return true
 	}
 	return false
 }
 
-func getResourceVersion(es esv1alpha1.ExternalSecret) string {
+func getResourceVersion(es esv1alpha2.ExternalSecret) string {
 	return fmt.Sprintf("%d-%s", es.ObjectMeta.GetGeneration(), hashMeta(es.ObjectMeta))
 }
 
@@ -320,7 +320,7 @@ func hashMeta(m metav1.ObjectMeta) string {
 	})
 }
 
-func shouldRefresh(es esv1alpha1.ExternalSecret) bool {
+func shouldRefresh(es esv1alpha2.ExternalSecret) bool {
 	// refresh if resource version changed
 	if es.Status.SyncedResourceVersion != getResourceVersion(es) {
 		return true
@@ -336,14 +336,14 @@ func shouldRefresh(es esv1alpha1.ExternalSecret) bool {
 	return !es.Status.RefreshTime.Add(es.Spec.RefreshInterval.Duration).After(time.Now())
 }
 
-func shouldReconcile(es esv1alpha1.ExternalSecret) bool {
+func shouldReconcile(es esv1alpha2.ExternalSecret) bool {
 	if es.Spec.Target.Immutable && hasSyncedCondition(es) {
 		return false
 	}
 	return true
 }
 
-func hasSyncedCondition(es esv1alpha1.ExternalSecret) bool {
+func hasSyncedCondition(es esv1alpha2.ExternalSecret) bool {
 	for _, condition := range es.Status.Conditions {
 		if condition.Reason == "SecretSynced" {
 			return true
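Review bot: `hasSyncedCondition` compares `condition.Reason` with the literal `"SecretSynced"` while the rest of this file now uses `esv1alpha2.ConditionReasonSecretSynced`, so the check silently stops matching if the v1alpha2 constant ever differs from that string. `if condition.Reason == esv1alpha2.ConditionReasonSecretSynced {` ties it to the API package, assuming the constant is comparable with the type of `Reason`. Because `shouldReconcile` uses this result to skip immutable targets, consider also checking the condition's type and status rather than the reason alone. The body of `hasSyncedCondition` continues outside the hunk.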
@@ -360,20 +360,20 @@ func isSecretValid(existingSecret v1.Secret) bool {
 	}
 
 	// if the calculated hash is different from the calculation, then it's invalid
-	if existingSecret.Annotations[esv1alpha1.AnnotationDataHash] != utils.ObjectHash(existingSecret.Data) {
+	if existingSecret.Annotations[esv1alpha2.AnnotationDataHash] != utils.ObjectHash(existingSecret.Data) {
 		return false
 	}
 	return true
 }
 
 // getStore returns the store with the provided ExternalSecret.
-func (r *Reconciler) getStore(ctx context.Context, externalSecret *esv1alpha1.ExternalSecret) (esv1alpha1.GenericStore, error) {
+func (r *Reconciler) getStore(ctx context.Context, externalSecret *esv1alpha2.ExternalSecret) (esv1alpha2.GenericStore, error) {
 	ref := types.NamespacedName{
 		Name: externalSecret.Spec.SecretStoreRef.Name,
 	}
 
-	if externalSecret.Spec.SecretStoreRef.Kind == esv1alpha1.ClusterSecretStoreKind {
-		var store esv1alpha1.ClusterSecretStore
+	if externalSecret.Spec.SecretStoreRef.Kind == esv1alpha2.ClusterSecretStoreKind {
+		var store esv1alpha2.ClusterSecretStore
 		err := r.Get(ctx, ref, &store)
 		if err != nil {
 			return nil, fmt.Errorf(errGetClusterSecretStore, ref.Name, err)
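Review bot: `getStore` resolves a ClusterSecretStore by name alone, so an ExternalSecret in any namespace that sets `SecretStoreRef.Kind` to `ClusterSecretStoreKind` is served with that store's provider configuration. Nothing in the visible lines limits which namespaces may reference a cluster store. If the v1alpha2 types have no field for that, the doc comment should say so, for example `// A ClusterSecretStore is resolved by name alone; it is usable from every namespace.` Operators then know to control it through RBAC on who may create ExternalSecret objects. The rest of `getStore` is outside this hunk.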
@@ -384,7 +384,7 @@ func (r *Reconciler) getStore(ctx context.Context, externalSecret *esv1alpha1.Ex
 
 	ref.Namespace = externalSecret.Namespace
 
-	var store esv1alpha1.SecretStore
+	var store esv1alpha2.SecretStore
 	err := r.Get(ctx, ref, &store)
 	if err != nil {
 		return nil, fmt.Errorf(errGetSecretStore, ref.Name, err)
@@ -393,7 +393,7 @@ func (r *Reconciler) getStore(ctx context.Context, externalSecret *esv1alpha1.Ex
 }
 
 // getProviderSecretData returns the provider's secret data with the provided ExternalSecret.
-func (r *Reconciler) getProviderSecretData(ctx context.Context, providerClient provider.SecretsClient, externalSecret *esv1alpha1.ExternalSecret) (map[string][]byte, error) {
+func (r *Reconciler) getProviderSecretData(ctx context.Context, providerClient provider.SecretsClient, externalSecret *esv1alpha2.ExternalSecret) (map[string][]byte, error) {
 	providerData := make(map[string][]byte)
 
 	for _, remoteRef := range externalSecret.Spec.DataFrom {
@@ -432,7 +432,7 @@ func (r *Reconciler) getProviderSecretData(ctx context.Context, providerClient p
 func (r *Reconciler) SetupWithManager(mgr ctrl.Manager, opts controller.Options) error {
 	return ctrl.NewControllerManagedBy(mgr).
 		WithOptions(opts).
-		For(&esv1alpha1.ExternalSecret{}).
+		For(&esv1alpha2.ExternalSecret{}).
 		Owns(&v1.Secret{}).
 		Complete(r)
 }

+ 8 - 8
pkg/controllers/externalsecret/externalsecret_controller_template.go

@@ -22,7 +22,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 
 	// Loading registered providers.
 	_ "github.com/external-secrets/external-secrets/pkg/provider/register"
@@ -34,13 +34,13 @@ import (
 // * template.Data (highest precedence)
 // * template.templateFrom
 // * secret via es.data or es.dataFrom.
-func (r *Reconciler) applyTemplate(ctx context.Context, es *esv1alpha1.ExternalSecret, secret *v1.Secret, dataMap map[string][]byte) error {
+func (r *Reconciler) applyTemplate(ctx context.Context, es *esv1alpha2.ExternalSecret, secret *v1.Secret, dataMap map[string][]byte) error {
 	mergeMetadata(secret, es)
 
 	// no template: copy data and return
 	if es.Spec.Target.Template == nil {
 		secret.Data = dataMap
-		secret.Annotations[esv1alpha1.AnnotationDataHash] = utils.ObjectHash(secret.Data)
+		secret.Annotations[esv1alpha2.AnnotationDataHash] = utils.ObjectHash(secret.Data)
 		return nil
 	}
 
@@ -66,14 +66,14 @@ func (r *Reconciler) applyTemplate(ctx context.Context, es *esv1alpha1.ExternalS
 	if len(es.Spec.Target.Template.Data) == 0 {
 		secret.Data = dataMap
 	}
-	secret.Annotations[esv1alpha1.AnnotationDataHash] = utils.ObjectHash(secret.Data)
+	secret.Annotations[esv1alpha2.AnnotationDataHash] = utils.ObjectHash(secret.Data)
 
 	return nil
 }
 
 // we do not want to force-override the label/annotations
 // and only copy the necessary key/value pairs.
-func mergeMetadata(secret *v1.Secret, externalSecret *esv1alpha1.ExternalSecret) {
+func mergeMetadata(secret *v1.Secret, externalSecret *esv1alpha2.ExternalSecret) {
 	if secret.ObjectMeta.Labels == nil {
 		secret.ObjectMeta.Labels = make(map[string]string)
 	}
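Review bot: The added line `secret.Annotations[esv1alpha2.AnnotationDataHash] = utils.ObjectHash(secret.Data)`, like the same write in the no-template branch of the previous hunk, puts a digest of the secret payload into object metadata without saying what the digest is for. Annotations are displayed by tooling that masks Secret values, for example `kubectl describe secret`. The 32-hex-character values used for this annotation in the controller test suggest a short, unkeyed digest, which for low-entropy secrets would let a reader of the metadata confirm guesses offline. I would document the intent above the write, e.g. `// change-detection only: not an integrity check; derived from secret.Data, so treat the annotation as sensitive`, and consider a keyed or longer digest if ObjectHash is what it appears to be. applyTemplate starts before this hunk and mergeMetadata continues past it.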
@@ -91,7 +91,7 @@ func mergeMetadata(secret *v1.Secret, externalSecret *esv1alpha1.ExternalSecret)
 	utils.MergeStringMap(secret.ObjectMeta.Annotations, externalSecret.Spec.Target.Template.Metadata.Annotations)
 }
 
-func (r *Reconciler) getTemplateData(ctx context.Context, externalSecret *esv1alpha1.ExternalSecret) (map[string][]byte, error) {
+func (r *Reconciler) getTemplateData(ctx context.Context, externalSecret *esv1alpha2.ExternalSecret) (map[string][]byte, error) {
 	out := make(map[string][]byte)
 	if externalSecret.Spec.Target.Template == nil {
 		return out, nil
@@ -109,7 +109,7 @@ func (r *Reconciler) getTemplateData(ctx context.Context, externalSecret *esv1al
 	return out, nil
 }
 
-func mergeConfigMap(ctx context.Context, k8sClient client.Client, es *esv1alpha1.ExternalSecret, tpl esv1alpha1.TemplateFrom, out map[string][]byte) error {
+func mergeConfigMap(ctx context.Context, k8sClient client.Client, es *esv1alpha2.ExternalSecret, tpl esv1alpha2.TemplateFrom, out map[string][]byte) error {
 	if tpl.ConfigMap == nil {
 		return nil
 	}
@@ -132,7 +132,7 @@ func mergeConfigMap(ctx context.Context, k8sClient client.Client, es *esv1alpha1
 	return nil
 }
 
-func mergeSecret(ctx context.Context, k8sClient client.Client, es *esv1alpha1.ExternalSecret, tpl esv1alpha1.TemplateFrom, out map[string][]byte) error {
+func mergeSecret(ctx context.Context, k8sClient client.Client, es *esv1alpha2.ExternalSecret, tpl esv1alpha2.TemplateFrom, out map[string][]byte) error {
 	if tpl.Secret == nil {
 		return nil
 	}

+ 150 - 150
pkg/controllers/externalsecret/externalsecret_controller_test.go

@@ -29,7 +29,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/provider/fake"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
@@ -43,19 +43,19 @@ var (
 )
 
 type testCase struct {
-	secretStore    *esv1alpha1.SecretStore
-	externalSecret *esv1alpha1.ExternalSecret
+	secretStore    *esv1alpha2.SecretStore
+	externalSecret *esv1alpha2.ExternalSecret
 
 	// checkCondition should return true if the externalSecret
 	// has the expected condition
-	checkCondition func(*esv1alpha1.ExternalSecret) bool
+	checkCondition func(*esv1alpha2.ExternalSecret) bool
 
 	// checkExternalSecret is called after the condition has been verified
 	// use this to verify the externalSecret
-	checkExternalSecret func(*esv1alpha1.ExternalSecret)
+	checkExternalSecret func(*esv1alpha2.ExternalSecret)
 
 	// optional. use this to test the secret value
-	checkSecret func(*esv1alpha1.ExternalSecret, *v1.Secret)
+	checkSecret func(*esv1alpha2.ExternalSecret, *v1.Secret)
 }
 
 type testTweaks func(*testCase)
@@ -98,7 +98,7 @@ var _ = Describe("Kind=secret existence logic", func() {
 				ObjectMeta: metav1.ObjectMeta{
 					UID: "xxx",
 					Annotations: map[string]string{
-						esv1alpha1.AnnotationDataHash: "xxxxxx",
+						esv1alpha2.AnnotationDataHash: "xxxxxx",
 					},
 				},
 			},
@@ -110,7 +110,7 @@ var _ = Describe("Kind=secret existence logic", func() {
 				ObjectMeta: metav1.ObjectMeta{
 					UID: "xxx",
 					Annotations: map[string]string{
-						esv1alpha1.AnnotationDataHash: "caa0155759a6a9b3b6ada5a6883ee2bb",
+						esv1alpha2.AnnotationDataHash: "caa0155759a6a9b3b6ada5a6883ee2bb",
 					},
 				},
 				Data: map[string][]byte{
@@ -167,7 +167,7 @@ var _ = Describe("ExternalSecret controller", func() {
 				Name: ExternalSecretNamespace,
 			},
 		}, client.PropagationPolicy(metav1.DeletePropagationBackground)), client.GracePeriodSeconds(0)).To(Succeed())
-		Expect(k8sClient.Delete(context.Background(), &esv1alpha1.SecretStore{
+		Expect(k8sClient.Delete(context.Background(), &esv1alpha2.SecretStore{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      ExternalSecretStore,
 				Namespace: ExternalSecretNamespace,
@@ -182,43 +182,43 @@ var _ = Describe("ExternalSecret controller", func() {
 	makeDefaultTestcase := func() *testCase {
 		return &testCase{
 			// default condition: es should be ready
-			checkCondition: func(es *esv1alpha1.ExternalSecret) bool {
-				cond := GetExternalSecretCondition(es.Status, esv1alpha1.ExternalSecretReady)
+			checkCondition: func(es *esv1alpha2.ExternalSecret) bool {
+				cond := GetExternalSecretCondition(es.Status, esv1alpha2.ExternalSecretReady)
 				if cond == nil || cond.Status != v1.ConditionTrue {
 					return false
 				}
 				return true
 			},
-			checkExternalSecret: func(es *esv1alpha1.ExternalSecret) {},
-			secretStore: &esv1alpha1.SecretStore{
+			checkExternalSecret: func(es *esv1alpha2.ExternalSecret) {},
+			secretStore: &esv1alpha2.SecretStore{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      ExternalSecretStore,
 					Namespace: ExternalSecretNamespace,
 				},
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
-							Service: esv1alpha1.AWSServiceSecretsManager,
+				Spec: esv1alpha2.SecretStoreSpec{
+					Provider: &esv1alpha2.SecretStoreProvider{
+						AWS: &esv1alpha2.AWSProvider{
+							Service: esv1alpha2.AWSServiceSecretsManager,
 						},
 					},
 				},
 			},
-			externalSecret: &esv1alpha1.ExternalSecret{
+			externalSecret: &esv1alpha2.ExternalSecret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      ExternalSecretName,
 					Namespace: ExternalSecretNamespace,
 				},
-				Spec: esv1alpha1.ExternalSecretSpec{
-					SecretStoreRef: esv1alpha1.SecretStoreRef{
+				Spec: esv1alpha2.ExternalSecretSpec{
+					SecretStoreRef: esv1alpha2.SecretStoreRef{
 						Name: ExternalSecretStore,
 					},
-					Target: esv1alpha1.ExternalSecretTarget{
+					Target: esv1alpha2.ExternalSecretTarget{
 						Name: ExternalSecretTargetSecretName,
 					},
-					Data: []esv1alpha1.ExternalSecretData{
+					Data: []esv1alpha2.ExternalSecretData{
 						{
 							SecretKey: targetProp,
-							RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
+							RemoteRef: esv1alpha2.ExternalSecretDataRemoteRef{
 								Key:      remoteKey,
 								Property: remoteProperty,
 							},
@@ -232,7 +232,7 @@ var _ = Describe("ExternalSecret controller", func() {
 	// if target Secret name is not specified it should use the ExternalSecret name.
 	syncWithoutTargetName := func(tc *testCase) {
 		tc.externalSecret.Spec.Target.Name = ""
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1alpha2.ExternalSecret, secret *v1.Secret) {
 
 			// check secret name
 			Expect(secret.ObjectMeta.Name).To(Equal(ExternalSecretName))
@@ -250,7 +250,7 @@ var _ = Describe("ExternalSecret controller", func() {
 			"hihihih": "hehehe",
 		}
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1alpha2.ExternalSecret, secret *v1.Secret) {
 			// check value
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 
@@ -267,9 +267,9 @@ var _ = Describe("ExternalSecret controller", func() {
 	checkPrometheusCounters := func(tc *testCase) {
 		const secretVal = "someValue"
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
-			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionFalse, 0.0)).To(BeTrue())
-			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionTrue, 1.0)).To(BeTrue())
+		tc.checkSecret = func(es *esv1alpha2.ExternalSecret, secret *v1.Secret) {
+			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha2.ExternalSecretReady, v1.ConditionFalse, 0.0)).To(BeTrue())
+			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha2.ExternalSecretReady, v1.ConditionTrue, 1.0)).To(BeTrue())
 			Eventually(func() bool {
 				Expect(syncCallsTotal.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				return metric.GetCounter().GetValue() == 1.0
@@ -284,7 +284,7 @@ var _ = Describe("ExternalSecret controller", func() {
 		const secretVal = "someValue"
 		const existingKey = "pre-existing-key"
 		existingVal := "pre-existing-value"
-		tc.externalSecret.Spec.Target.CreationPolicy = esv1alpha1.Merge
+		tc.externalSecret.Spec.Target.CreationPolicy = esv1alpha2.Merge
 
 		// create secret beforehand
 		Expect(k8sClient.Create(context.Background(), &v1.Secret{
@@ -298,7 +298,7 @@ var _ = Describe("ExternalSecret controller", func() {
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1alpha2.ExternalSecret, secret *v1.Secret) {
 			// check value
 			Expect(string(secret.Data[existingKey])).To(Equal(existingVal))
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
@@ -313,7 +313,7 @@ var _ = Describe("ExternalSecret controller", func() {
 			Expect(hasFieldOwnership(
 				secret.ObjectMeta,
 				"external-secrets",
-				fmt.Sprintf("{\"f:data\":{\"f:targetProperty\":{}},\"f:immutable\":{},\"f:metadata\":{\"f:annotations\":{\"f:%s\":{}}}}", esv1alpha1.AnnotationDataHash)),
+				fmt.Sprintf("{\"f:data\":{\"f:targetProperty\":{}},\"f:immutable\":{},\"f:metadata\":{\"f:annotations\":{\"f:%s\":{}}}}", esv1alpha2.AnnotationDataHash)),
 			).To(BeTrue())
 			Expect(hasFieldOwnership(secret.ObjectMeta, FakeManager, "{\"f:data\":{\".\":{},\"f:pre-existing-key\":{}},\"f:type\":{}}")).To(BeTrue())
 		}
@@ -323,7 +323,7 @@ var _ = Describe("ExternalSecret controller", func() {
 	mergeWithSecretNoChange := func(tc *testCase) {
 		const existingKey = "pre-existing-key"
 		existingVal := "someValue"
-		tc.externalSecret.Spec.Target.CreationPolicy = esv1alpha1.Merge
+		tc.externalSecret.Spec.Target.CreationPolicy = esv1alpha2.Merge
 
 		// create secret beforehand
 		Expect(k8sClient.Create(context.Background(), &v1.Secret{
@@ -336,7 +336,7 @@ var _ = Describe("ExternalSecret controller", func() {
 			},
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1alpha2.ExternalSecret, secret *v1.Secret) {
 			oldResourceVersion := secret.ResourceVersion
 
 			cleanSecret := secret.DeepCopy()
@@ -363,23 +363,23 @@ var _ = Describe("ExternalSecret controller", func() {
 	// should not merge with secret if it doesn't exist
 	mergeWithSecretErr := func(tc *testCase) {
 		const secretVal = "someValue"
-		tc.externalSecret.Spec.Target.CreationPolicy = esv1alpha1.Merge
+		tc.externalSecret.Spec.Target.CreationPolicy = esv1alpha2.Merge
 
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkCondition = func(es *esv1alpha1.ExternalSecret) bool {
-			cond := GetExternalSecretCondition(es.Status, esv1alpha1.ExternalSecretReady)
-			if cond == nil || cond.Status != v1.ConditionFalse || cond.Reason != esv1alpha1.ConditionReasonSecretSyncedError {
+		tc.checkCondition = func(es *esv1alpha2.ExternalSecret) bool {
+			cond := GetExternalSecretCondition(es.Status, esv1alpha2.ExternalSecretReady)
+			if cond == nil || cond.Status != v1.ConditionFalse || cond.Reason != esv1alpha2.ConditionReasonSecretSyncedError {
 				return false
 			}
 			return true
 		}
-		tc.checkExternalSecret = func(es *esv1alpha1.ExternalSecret) {
+		tc.checkExternalSecret = func(es *esv1alpha2.ExternalSecret) {
 			Eventually(func() bool {
 				Expect(syncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				return metric.GetCounter().GetValue() >= 2.0
 			}, timeout, interval).Should(BeTrue())
-			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionFalse, 1.0)).To(BeTrue())
-			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
+			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha2.ExternalSecretReady, v1.ConditionFalse, 1.0)).To(BeTrue())
+			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha2.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
 		}
 	}
 
@@ -389,7 +389,7 @@ var _ = Describe("ExternalSecret controller", func() {
 		// this should confict
 		const existingKey = targetProp
 		existingVal := "pre-existing-value"
-		tc.externalSecret.Spec.Target.CreationPolicy = esv1alpha1.Merge
+		tc.externalSecret.Spec.Target.CreationPolicy = esv1alpha2.Merge
 
 		// create secret beforehand
 		Expect(k8sClient.Create(context.Background(), &v1.Secret{
@@ -403,7 +403,7 @@ var _ = Describe("ExternalSecret controller", func() {
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1alpha2.ExternalSecret, secret *v1.Secret) {
 			// check that value stays the same
 			Expect(string(secret.Data[existingKey])).To(Equal(secretVal))
 
@@ -426,8 +426,8 @@ var _ = Describe("ExternalSecret controller", func() {
 		tc.externalSecret.ObjectMeta.Annotations = map[string]string{
 			"hihihih": "hehehe",
 		}
-		tc.externalSecret.Spec.Target.Template = &esv1alpha1.ExternalSecretTemplate{
-			Metadata: esv1alpha1.ExternalSecretTemplateMetadata{
+		tc.externalSecret.Spec.Target.Template = &esv1alpha2.ExternalSecretTemplate{
+			Metadata: esv1alpha2.ExternalSecretTemplateMetadata{
 				Labels: map[string]string{
 					"foos": "ball",
 				},
@@ -442,7 +442,7 @@ var _ = Describe("ExternalSecret controller", func() {
 			},
 		}
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1alpha2.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data[targetProp])).To(Equal(expectedSecretVal))
 			Expect(string(secret.Data[tplStaticKey])).To(Equal(tplStaticVal))
@@ -488,14 +488,14 @@ var _ = Describe("ExternalSecret controller", func() {
 				tplFromSecKey: []byte(tplFromSecVal),
 			},
 		})).To(Succeed())
-		tc.externalSecret.Spec.Target.Template = &esv1alpha1.ExternalSecretTemplate{
-			Metadata: esv1alpha1.ExternalSecretTemplateMetadata{},
+		tc.externalSecret.Spec.Target.Template = &esv1alpha2.ExternalSecretTemplate{
+			Metadata: esv1alpha2.ExternalSecretTemplateMetadata{},
 			Type:     v1.SecretTypeOpaque,
-			TemplateFrom: []esv1alpha1.TemplateFrom{
+			TemplateFrom: []esv1alpha2.TemplateFrom{
 				{
-					ConfigMap: &esv1alpha1.TemplateRef{
+					ConfigMap: &esv1alpha2.TemplateRef{
 						Name: tplFromCMName,
-						Items: []esv1alpha1.TemplateRefItem{
+						Items: []esv1alpha2.TemplateRefItem{
 							{
 								Key: tplFromKey,
 							},
@@ -503,9 +503,9 @@ var _ = Describe("ExternalSecret controller", func() {
 					},
 				},
 				{
-					Secret: &esv1alpha1.TemplateRef{
+					Secret: &esv1alpha2.TemplateRef{
 						Name: tplFromSecretName,
-						Items: []esv1alpha1.TemplateRefItem{
+						Items: []esv1alpha2.TemplateRefItem{
 							{
 								Key: tplFromSecKey,
 							},
@@ -522,9 +522,9 @@ var _ = Describe("ExternalSecret controller", func() {
 				tplStaticKey: tplStaticVal,
 			},
 		}
-		tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataFromRemoteRef{
+		tc.externalSecret.Spec.DataFrom = []esv1alpha2.ExternalSecretDataFromRemoteRef{
 			{
-				Extract: esv1alpha1.ExternalSecretExtract{
+				Extract: esv1alpha2.ExternalSecretExtract{
 					Key: "datamap",
 				},
 			},
@@ -534,7 +534,7 @@ var _ = Describe("ExternalSecret controller", func() {
 			"targetProperty": []byte(FooValue),
 			bar:              []byte(BarValue),
 		}, nil)
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1alpha2.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data[targetProp])).To(Equal(expectedSecretVal))
 			Expect(string(secret.Data[tplStaticKey])).To(Equal(tplStaticVal))
@@ -549,8 +549,8 @@ var _ = Describe("ExternalSecret controller", func() {
 		const tplStaticKey = "tplstatickey"
 		const tplStaticVal = "tplstaticvalue"
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
-		tc.externalSecret.Spec.Target.Template = &esv1alpha1.ExternalSecretTemplate{
-			Metadata: esv1alpha1.ExternalSecretTemplateMetadata{
+		tc.externalSecret.Spec.Target.Template = &esv1alpha2.ExternalSecretTemplate{
+			Metadata: esv1alpha2.ExternalSecretTemplateMetadata{
 				Labels:      map[string]string{foo: bar},
 				Annotations: map[string]string{foo: bar},
 			},
@@ -561,7 +561,7 @@ var _ = Describe("ExternalSecret controller", func() {
 			},
 		}
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1alpha2.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data[targetProp])).To(Equal(expectedSecretVal))
 			Expect(string(secret.Data[tplStaticKey])).To(Equal(tplStaticVal))
@@ -609,14 +609,14 @@ var _ = Describe("ExternalSecret controller", func() {
 	onlyMetadataFromTemplate := func(tc *testCase) {
 		const secretVal = "someValue"
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
-		tc.externalSecret.Spec.Target.Template = &esv1alpha1.ExternalSecretTemplate{
-			Metadata: esv1alpha1.ExternalSecretTemplateMetadata{
+		tc.externalSecret.Spec.Target.Template = &esv1alpha2.ExternalSecretTemplate{
+			Metadata: esv1alpha2.ExternalSecretTemplateMetadata{
 				Labels:      map[string]string{foo: bar},
 				Annotations: map[string]string{foo: bar},
 			},
 		}
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1alpha2.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 
@@ -635,7 +635,7 @@ var _ = Describe("ExternalSecret controller", func() {
 		const secretVal = "someValue"
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1alpha2.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 
@@ -665,16 +665,16 @@ var _ = Describe("ExternalSecret controller", func() {
 			"foo": []byte("1111"),
 			"bar": []byte("2222"),
 		}, nil)
-		tc.externalSecret.Spec.Data = []esv1alpha1.ExternalSecretData{}
-		tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataFromRemoteRef{
+		tc.externalSecret.Spec.Data = []esv1alpha2.ExternalSecretData{}
+		tc.externalSecret.Spec.DataFrom = []esv1alpha2.ExternalSecretDataFromRemoteRef{
 			{
-				Extract: esv1alpha1.ExternalSecretExtract{
+				Extract: esv1alpha2.ExternalSecretExtract{
 					Key: remoteKey,
 				},
 			},
 		}
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1alpha2.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data["foo"])).To(Equal("1111"))
 			Expect(string(secret.Data["bar"])).To(Equal("2222"))
@@ -706,17 +706,17 @@ var _ = Describe("ExternalSecret controller", func() {
 			"foo": []byte("1111"),
 			"bar": []byte("2222"),
 		}, nil)
-		tc.externalSecret.Spec.Target.Template = &esv1alpha1.ExternalSecretTemplate{}
-		tc.externalSecret.Spec.Data = []esv1alpha1.ExternalSecretData{}
-		tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataFromRemoteRef{
+		tc.externalSecret.Spec.Target.Template = &esv1alpha2.ExternalSecretTemplate{}
+		tc.externalSecret.Spec.Data = []esv1alpha2.ExternalSecretData{}
+		tc.externalSecret.Spec.DataFrom = []esv1alpha2.ExternalSecretDataFromRemoteRef{
 			{
-				Extract: esv1alpha1.ExternalSecretExtract{
+				Extract: esv1alpha2.ExternalSecretExtract{
 					Key: remoteKey,
 				},
 			},
 		}
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1alpha2.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data["foo"])).To(Equal("1111"))
 			Expect(string(secret.Data["bar"])).To(Equal("2222"))
@@ -746,7 +746,7 @@ var _ = Describe("ExternalSecret controller", func() {
 		const secretVal = "someValue"
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: 0}
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1alpha2.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 
@@ -773,9 +773,9 @@ var _ = Describe("ExternalSecret controller", func() {
 	// should be put into the secret
 	syncWithDataFrom := func(tc *testCase) {
 		tc.externalSecret.Spec.Data = nil
-		tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataFromRemoteRef{
+		tc.externalSecret.Spec.DataFrom = []esv1alpha2.ExternalSecretDataFromRemoteRef{
 			{
-				Extract: esv1alpha1.ExternalSecretExtract{
+				Extract: esv1alpha2.ExternalSecretExtract{
 					Key: remoteKey,
 				},
 			},
@@ -784,7 +784,7 @@ var _ = Describe("ExternalSecret controller", func() {
 			foo: []byte(FooValue),
 			bar: []byte(BarValue),
 		}, nil)
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1alpha2.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data[foo])).To(Equal(FooValue))
 			Expect(string(secret.Data[bar])).To(Equal(BarValue))
@@ -795,16 +795,16 @@ var _ = Describe("ExternalSecret controller", func() {
 	// should be put into the secret
 	syncWithDataFromTemplate := func(tc *testCase) {
 		tc.externalSecret.Spec.Data = nil
-		tc.externalSecret.Spec.Target = esv1alpha1.ExternalSecretTarget{
+		tc.externalSecret.Spec.Target = esv1alpha2.ExternalSecretTarget{
 			Name: ExternalSecretTargetSecretName,
-			Template: &esv1alpha1.ExternalSecretTemplate{
+			Template: &esv1alpha2.ExternalSecretTemplate{
 				Type: v1.SecretTypeTLS,
 			},
 		}
 
-		tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataFromRemoteRef{
+		tc.externalSecret.Spec.DataFrom = []esv1alpha2.ExternalSecretDataFromRemoteRef{
 			{
-				Extract: esv1alpha1.ExternalSecretExtract{
+				Extract: esv1alpha2.ExternalSecretExtract{
 					Key: remoteKey,
 				},
 			},
@@ -813,7 +813,7 @@ var _ = Describe("ExternalSecret controller", func() {
 			"tls.crt": []byte(FooValue),
 			"tls.key": []byte(BarValue),
 		}, nil)
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1alpha2.ExternalSecret, secret *v1.Secret) {
 			Expect(secret.Type).To(Equal(v1.SecretTypeTLS))
 			// check values
 			Expect(string(secret.Data["tls.crt"])).To(Equal(FooValue))
@@ -827,20 +827,20 @@ var _ = Describe("ExternalSecret controller", func() {
 		const secretVal = foo + bar
 		fakeProvider.WithGetSecret(nil, fmt.Errorf("boom"))
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Millisecond * 100}
-		tc.checkCondition = func(es *esv1alpha1.ExternalSecret) bool {
-			cond := GetExternalSecretCondition(es.Status, esv1alpha1.ExternalSecretReady)
-			if cond == nil || cond.Status != v1.ConditionFalse || cond.Reason != esv1alpha1.ConditionReasonSecretSyncedError {
+		tc.checkCondition = func(es *esv1alpha2.ExternalSecret) bool {
+			cond := GetExternalSecretCondition(es.Status, esv1alpha2.ExternalSecretReady)
+			if cond == nil || cond.Status != v1.ConditionFalse || cond.Reason != esv1alpha2.ConditionReasonSecretSyncedError {
 				return false
 			}
 			return true
 		}
-		tc.checkExternalSecret = func(es *esv1alpha1.ExternalSecret) {
+		tc.checkExternalSecret = func(es *esv1alpha2.ExternalSecret) {
 			Eventually(func() bool {
 				Expect(syncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				return metric.GetCounter().GetValue() >= 2.0
 			}, timeout, interval).Should(BeTrue())
-			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionFalse, 1.0)).To(BeTrue())
-			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
+			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha2.ExternalSecretReady, v1.ConditionFalse, 1.0)).To(BeTrue())
+			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha2.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
 
 			// es condition should reflect recovered provider error
 			fakeProvider.WithGetSecret([]byte(secretVal), nil)
@@ -851,7 +851,7 @@ var _ = Describe("ExternalSecret controller", func() {
 					return false
 				}
 				// condition must now be true!
-				cond := GetExternalSecretCondition(es.Status, esv1alpha1.ExternalSecretReady)
+				cond := GetExternalSecretCondition(es.Status, esv1alpha2.ExternalSecretReady)
 				if cond == nil && cond.Status != v1.ConditionTrue {
 					return false
 				}
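Review bot: The context line `if cond == nil && cond.Status != v1.ConditionTrue {` dereferences `cond` exactly when it is nil, so a missing Ready condition panics inside the poll instead of returning false. With `&&` a non-nil condition whose status is not True also never takes the `return false` branch, so this recovery check can pass while the ExternalSecret is still not ready. The other checkCondition closures in this file use `||`; the line should read `if cond == nil || cond.Status != v1.ConditionTrue {`. The enclosing closure starts and ends outside this hunk.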
@@ -864,45 +864,45 @@ var _ = Describe("ExternalSecret controller", func() {
 	// a error condition must be set.
 	storeMissingErrCondition := func(tc *testCase) {
 		tc.externalSecret.Spec.SecretStoreRef.Name = "nonexistent"
-		tc.checkCondition = func(es *esv1alpha1.ExternalSecret) bool {
-			cond := GetExternalSecretCondition(es.Status, esv1alpha1.ExternalSecretReady)
-			if cond == nil || cond.Status != v1.ConditionFalse || cond.Reason != esv1alpha1.ConditionReasonSecretSyncedError {
+		tc.checkCondition = func(es *esv1alpha2.ExternalSecret) bool {
+			cond := GetExternalSecretCondition(es.Status, esv1alpha2.ExternalSecretReady)
+			if cond == nil || cond.Status != v1.ConditionFalse || cond.Reason != esv1alpha2.ConditionReasonSecretSyncedError {
 				return false
 			}
 			return true
 		}
-		tc.checkExternalSecret = func(es *esv1alpha1.ExternalSecret) {
+		tc.checkExternalSecret = func(es *esv1alpha2.ExternalSecret) {
 			Eventually(func() bool {
 				Expect(syncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				return metric.GetCounter().GetValue() >= 2.0
 			}, timeout, interval).Should(BeTrue())
-			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionFalse, 1.0)).To(BeTrue())
-			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
+			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha2.ExternalSecretReady, v1.ConditionFalse, 1.0)).To(BeTrue())
+			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha2.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
 		}
 	}
 
 	// when the provider constructor errors (e.g. invalid configuration)
 	// a SecretSyncedError status condition must be set
 	storeConstructErrCondition := func(tc *testCase) {
-		fakeProvider.WithNew(func(context.Context, esv1alpha1.GenericStore, client.Client,
+		fakeProvider.WithNew(func(context.Context, esv1alpha2.GenericStore, client.Client,
 			string) (provider.SecretsClient, error) {
 			return nil, fmt.Errorf("artificial constructor error")
 		})
-		tc.checkCondition = func(es *esv1alpha1.ExternalSecret) bool {
+		tc.checkCondition = func(es *esv1alpha2.ExternalSecret) bool {
 			// condition must be false
-			cond := GetExternalSecretCondition(es.Status, esv1alpha1.ExternalSecretReady)
-			if cond == nil || cond.Status != v1.ConditionFalse || cond.Reason != esv1alpha1.ConditionReasonSecretSyncedError {
+			cond := GetExternalSecretCondition(es.Status, esv1alpha2.ExternalSecretReady)
+			if cond == nil || cond.Status != v1.ConditionFalse || cond.Reason != esv1alpha2.ConditionReasonSecretSyncedError {
 				return false
 			}
 			return true
 		}
-		tc.checkExternalSecret = func(es *esv1alpha1.ExternalSecret) {
+		tc.checkExternalSecret = func(es *esv1alpha2.ExternalSecret) {
 			Eventually(func() bool {
 				Expect(syncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				return metric.GetCounter().GetValue() >= 2.0
 			}, timeout, interval).Should(BeTrue())
-			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionFalse, 1.0)).To(BeTrue())
-			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
+			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha2.ExternalSecretReady, v1.ConditionFalse, 1.0)).To(BeTrue())
+			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha2.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
 		}
 	}
 
@@ -910,24 +910,24 @@ var _ = Describe("ExternalSecret controller", func() {
 	// the externalSecret must not be touched
 	ignoreMismatchController := func(tc *testCase) {
 		tc.secretStore.Spec.Controller = "nop"
-		tc.checkCondition = func(es *esv1alpha1.ExternalSecret) bool {
-			cond := GetExternalSecretCondition(es.Status, esv1alpha1.ExternalSecretReady)
+		tc.checkCondition = func(es *esv1alpha2.ExternalSecret) bool {
+			cond := GetExternalSecretCondition(es.Status, esv1alpha2.ExternalSecretReady)
 			return cond == nil
 		}
-		tc.checkExternalSecret = func(es *esv1alpha1.ExternalSecret) {
+		tc.checkExternalSecret = func(es *esv1alpha2.ExternalSecret) {
 			// Condition True and False should be 0, since the Condition was not created
 			Eventually(func() float64 {
-				Expect(externalSecretCondition.WithLabelValues(ExternalSecretName, ExternalSecretNamespace, string(esv1alpha1.ExternalSecretReady), string(v1.ConditionTrue)).Write(&metric)).To(Succeed())
+				Expect(externalSecretCondition.WithLabelValues(ExternalSecretName, ExternalSecretNamespace, string(esv1alpha2.ExternalSecretReady), string(v1.ConditionTrue)).Write(&metric)).To(Succeed())
 				return metric.GetGauge().GetValue()
 			}, timeout, interval).Should(Equal(0.0))
 
 			Eventually(func() float64 {
-				Expect(externalSecretCondition.WithLabelValues(ExternalSecretName, ExternalSecretNamespace, string(esv1alpha1.ExternalSecretReady), string(v1.ConditionFalse)).Write(&metric)).To(Succeed())
+				Expect(externalSecretCondition.WithLabelValues(ExternalSecretName, ExternalSecretNamespace, string(esv1alpha2.ExternalSecretReady), string(v1.ConditionFalse)).Write(&metric)).To(Succeed())
 				return metric.GetGauge().GetValue()
 			}, timeout, interval).Should(Equal(0.0))
 
-			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionFalse, 0.0)).To(BeTrue())
-			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
+			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha2.ExternalSecretReady, v1.ConditionFalse, 0.0)).To(BeTrue())
+			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha2.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
 		}
 	}
 
@@ -937,7 +937,7 @@ var _ = Describe("ExternalSecret controller", func() {
 		const secretVal = "someValue"
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Minute * 10}
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1alpha2.ExternalSecret, secret *v1.Secret) {
 
 			// check values
 			oldUID := secret.UID
@@ -966,8 +966,8 @@ var _ = Describe("ExternalSecret controller", func() {
 	checkSecretDataHashAnnotation := func(tc *testCase) {
 		const secretVal = "someValue"
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
-			Expect(secret.Annotations[esv1alpha1.AnnotationDataHash]).To(Equal("9d30b95ca81e156f9454b5ef3bfcc6ee"))
+		tc.checkSecret = func(es *esv1alpha2.ExternalSecret, secret *v1.Secret) {
+			Expect(secret.Annotations[esv1alpha2.AnnotationDataHash]).To(Equal("9d30b95ca81e156f9454b5ef3bfcc6ee"))
 		}
 	}
 
@@ -978,14 +978,14 @@ var _ = Describe("ExternalSecret controller", func() {
 		}
 		fakeProvider.WithGetSecretMap(fakeData, nil)
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Minute * 10}
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
-			oldHash := secret.Annotations[esv1alpha1.AnnotationDataHash]
+		tc.checkSecret = func(es *esv1alpha2.ExternalSecret, secret *v1.Secret) {
+			oldHash := secret.Annotations[esv1alpha2.AnnotationDataHash]
 			oldResourceVersion := secret.ResourceVersion
 			Expect(oldHash).NotTo(BeEmpty())
 
 			cleanSecret := secret.DeepCopy()
 			secret.Data["new"] = []byte("value")
-			secret.ObjectMeta.Annotations[esv1alpha1.AnnotationDataHash] = "thisiswronghash"
+			secret.ObjectMeta.Annotations[esv1alpha2.AnnotationDataHash] = "thisiswronghash"
 			Expect(k8sClient.Patch(context.Background(), secret, client.MergeFrom(cleanSecret))).To(Succeed())
 
 			var refreshedSecret v1.Secret
@@ -1000,7 +1000,7 @@ var _ = Describe("ExternalSecret controller", func() {
 				}
 				// refreshed secret should have a different generation (sign that it was updated), but since
 				// the secret source is the same (not changed), the hash should be reverted to an old value
-				return refreshedSecret.ResourceVersion != oldResourceVersion && refreshedSecret.Annotations[esv1alpha1.AnnotationDataHash] == oldHash
+				return refreshedSecret.ResourceVersion != oldResourceVersion && refreshedSecret.Annotations[esv1alpha2.AnnotationDataHash] == oldHash
 			}, timeout, interval).Should(BeTrue())
 		}
 	}
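Review bot: The comment above the final `return` in this hunk says the refreshed secret "should have a different generation", but the expression compares `refreshedSecret.ResourceVersion` with `oldResourceVersion`, not `Generation`. The wording should match the check, for example `// refreshed secret should have a different resource version (sign that it was updated), but since`. The enclosing `checkSecret` closure starts outside this hunk, so the rest of the assertion was not reviewed.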
@@ -1016,7 +1016,7 @@ var _ = Describe("ExternalSecret controller", func() {
 			Expect(k8sClient.Create(ctx, tc.secretStore)).To(Succeed())
 			Expect(k8sClient.Create(ctx, tc.externalSecret)).Should(Succeed())
 			esKey := types.NamespacedName{Name: ExternalSecretName, Namespace: ExternalSecretNamespace}
-			createdES := &esv1alpha1.ExternalSecret{}
+			createdES := &esv1alpha2.ExternalSecret{}
 			By("checking the es condition")
 			Eventually(func() bool {
 				err := k8sClient.Get(ctx, esKey, createdES)
@@ -1077,24 +1077,24 @@ var _ = Describe("ExternalSecret controller", func() {
 var _ = Describe("ExternalSecret refresh logic", func() {
 	Context("secret refresh", func() {
 		It("should refresh when resource version does not match", func() {
-			Expect(shouldRefresh(esv1alpha1.ExternalSecret{
-				Status: esv1alpha1.ExternalSecretStatus{
+			Expect(shouldRefresh(esv1alpha2.ExternalSecret{
+				Status: esv1alpha2.ExternalSecretStatus{
 					SyncedResourceVersion: "some resource version",
 				},
 			})).To(BeTrue())
 		})
 		It("should refresh when labels change", func() {
-			es := esv1alpha1.ExternalSecret{
+			es := esv1alpha2.ExternalSecret{
 				ObjectMeta: metav1.ObjectMeta{
 					Generation: 1,
 					Labels: map[string]string{
 						"foo": "bar",
 					},
 				},
-				Spec: esv1alpha1.ExternalSecretSpec{
+				Spec: esv1alpha2.ExternalSecretSpec{
 					RefreshInterval: &metav1.Duration{Duration: time.Minute},
 				},
-				Status: esv1alpha1.ExternalSecretStatus{
+				Status: esv1alpha2.ExternalSecretStatus{
 					RefreshTime: metav1.Now(),
 				},
 			}
@@ -1108,17 +1108,17 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 		})
 
 		It("should refresh when annotations change", func() {
-			es := esv1alpha1.ExternalSecret{
+			es := esv1alpha2.ExternalSecret{
 				ObjectMeta: metav1.ObjectMeta{
 					Generation: 1,
 					Annotations: map[string]string{
 						"foo": "bar",
 					},
 				},
-				Spec: esv1alpha1.ExternalSecretSpec{
+				Spec: esv1alpha2.ExternalSecretSpec{
 					RefreshInterval: &metav1.Duration{Duration: time.Minute},
 				},
-				Status: esv1alpha1.ExternalSecretStatus{
+				Status: esv1alpha2.ExternalSecretStatus{
 					RefreshTime: metav1.Now(),
 				},
 			}
@@ -1132,14 +1132,14 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 		})
 
 		It("should refresh when generation has changed", func() {
-			es := esv1alpha1.ExternalSecret{
+			es := esv1alpha2.ExternalSecret{
 				ObjectMeta: metav1.ObjectMeta{
 					Generation: 1,
 				},
-				Spec: esv1alpha1.ExternalSecretSpec{
+				Spec: esv1alpha2.ExternalSecretSpec{
 					RefreshInterval: &metav1.Duration{Duration: 0},
 				},
-				Status: esv1alpha1.ExternalSecretStatus{
+				Status: esv1alpha2.ExternalSecretStatus{
 					RefreshTime: metav1.Now(),
 				},
 			}
@@ -1152,14 +1152,14 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 		})
 
 		It("should skip refresh when refreshInterval is 0", func() {
-			es := esv1alpha1.ExternalSecret{
+			es := esv1alpha2.ExternalSecret{
 				ObjectMeta: metav1.ObjectMeta{
 					Generation: 1,
 				},
-				Spec: esv1alpha1.ExternalSecretSpec{
+				Spec: esv1alpha2.ExternalSecretSpec{
 					RefreshInterval: &metav1.Duration{Duration: 0},
 				},
-				Status: esv1alpha1.ExternalSecretStatus{},
+				Status: esv1alpha2.ExternalSecretStatus{},
 			}
 			// resource version matches
 			es.Status.SyncedResourceVersion = getResourceVersion(es)
@@ -1167,14 +1167,14 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 		})
 
 		It("should refresh when refresh interval has passed", func() {
-			es := esv1alpha1.ExternalSecret{
+			es := esv1alpha2.ExternalSecret{
 				ObjectMeta: metav1.ObjectMeta{
 					Generation: 1,
 				},
-				Spec: esv1alpha1.ExternalSecretSpec{
+				Spec: esv1alpha2.ExternalSecretSpec{
 					RefreshInterval: &metav1.Duration{Duration: time.Second},
 				},
-				Status: esv1alpha1.ExternalSecretStatus{
+				Status: esv1alpha2.ExternalSecretStatus{
 					RefreshTime: metav1.NewTime(metav1.Now().Add(-time.Second * 5)),
 				},
 			}
@@ -1184,14 +1184,14 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 		})
 
 		It("should refresh when no refresh time was set", func() {
-			es := esv1alpha1.ExternalSecret{
+			es := esv1alpha2.ExternalSecret{
 				ObjectMeta: metav1.ObjectMeta{
 					Generation: 1,
 				},
-				Spec: esv1alpha1.ExternalSecretSpec{
+				Spec: esv1alpha2.ExternalSecretSpec{
 					RefreshInterval: &metav1.Duration{Duration: time.Second},
 				},
-				Status: esv1alpha1.ExternalSecretStatus{},
+				Status: esv1alpha2.ExternalSecretStatus{},
 			}
 			// resource version matches
 			es.Status.SyncedResourceVersion = getResourceVersion(es)
@@ -1267,18 +1267,18 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 var _ = Describe("Controller Reconcile logic", func() {
 	Context("controller reconcile", func() {
 		It("should reconcile when resource is not synced", func() {
-			Expect(shouldReconcile(esv1alpha1.ExternalSecret{
-				Status: esv1alpha1.ExternalSecretStatus{
+			Expect(shouldReconcile(esv1alpha2.ExternalSecret{
+				Status: esv1alpha2.ExternalSecretStatus{
 					SyncedResourceVersion: "some resource version",
-					Conditions:            []esv1alpha1.ExternalSecretStatusCondition{{Reason: "NotASecretSynced"}},
+					Conditions:            []esv1alpha2.ExternalSecretStatusCondition{{Reason: "NotASecretSynced"}},
 				},
 			})).To(BeTrue())
 		})
 
 		It("should reconcile when secret isn't immutable", func() {
-			Expect(shouldReconcile(esv1alpha1.ExternalSecret{
-				Spec: esv1alpha1.ExternalSecretSpec{
-					Target: esv1alpha1.ExternalSecretTarget{
+			Expect(shouldReconcile(esv1alpha2.ExternalSecret{
+				Spec: esv1alpha2.ExternalSecretSpec{
+					Target: esv1alpha2.ExternalSecretTarget{
 						Immutable: false,
 					},
 				},
@@ -1286,15 +1286,15 @@ var _ = Describe("Controller Reconcile logic", func() {
 		})
 
 		It("should not reconcile if secret is immutable and has synced condition", func() {
-			Expect(shouldReconcile(esv1alpha1.ExternalSecret{
-				Spec: esv1alpha1.ExternalSecretSpec{
-					Target: esv1alpha1.ExternalSecretTarget{
+			Expect(shouldReconcile(esv1alpha2.ExternalSecret{
+				Spec: esv1alpha2.ExternalSecretSpec{
+					Target: esv1alpha2.ExternalSecretTarget{
 						Immutable: true,
 					},
 				},
-				Status: esv1alpha1.ExternalSecretStatus{
+				Status: esv1alpha2.ExternalSecretStatus{
 					SyncedResourceVersion: "some resource version",
-					Conditions:            []esv1alpha1.ExternalSecretStatusCondition{{Reason: "SecretSynced"}},
+					Conditions:            []esv1alpha2.ExternalSecretStatusCondition{{Reason: "SecretSynced"}},
 				},
 			})).To(BeFalse())
 		})
@@ -1341,7 +1341,7 @@ func hasFieldOwnership(meta metav1.ObjectMeta, mgr, rawFields string) bool {
 	return false
 }
 
-func externalSecretConditionShouldBe(name, ns string, ct esv1alpha1.ExternalSecretConditionType, cs v1.ConditionStatus, v float64) bool {
+func externalSecretConditionShouldBe(name, ns string, ct esv1alpha2.ExternalSecretConditionType, cs v1.ConditionStatus, v float64) bool {
 	return Eventually(func() float64 {
 		Expect(externalSecretCondition.WithLabelValues(name, ns, string(ct), string(cs)).Write(&metric)).To(Succeed())
 		return metric.GetGauge().GetValue()
@@ -1350,9 +1350,9 @@ func externalSecretConditionShouldBe(name, ns string, ct esv1alpha1.ExternalSecr
 
 func init() {
 	fakeProvider = fake.New()
-	schema.ForceRegister(fakeProvider, &esv1alpha1.SecretStoreProvider{
-		AWS: &esv1alpha1.AWSProvider{
-			Service: esv1alpha1.AWSServiceSecretsManager,
+	schema.ForceRegister(fakeProvider, &esv1alpha2.SecretStoreProvider{
+		AWS: &esv1alpha2.AWSProvider{
+			Service: esv1alpha2.AWSServiceSecretsManager,
 		},
 	})
 }

+ 10 - 10
pkg/controllers/externalsecret/metrics.go

@@ -19,7 +19,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/metrics"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 )
 
 const (
@@ -50,35 +50,35 @@ var (
 )
 
 // updateExternalSecretCondition updates the ExternalSecret conditions.
-func updateExternalSecretCondition(es *esv1alpha1.ExternalSecret, condition *esv1alpha1.ExternalSecretStatusCondition, value float64) {
+func updateExternalSecretCondition(es *esv1alpha2.ExternalSecret, condition *esv1alpha2.ExternalSecretStatusCondition, value float64) {
 	switch condition.Type {
-	case esv1alpha1.ExternalSecretDeleted:
+	case esv1alpha2.ExternalSecretDeleted:
 		// Remove condition=Ready metrics when the object gets deleted.
 		externalSecretCondition.Delete(prometheus.Labels{
 			"name":      es.Name,
 			"namespace": es.Namespace,
-			"condition": string(esv1alpha1.ExternalSecretReady),
+			"condition": string(esv1alpha2.ExternalSecretReady),
 			"status":    string(v1.ConditionFalse),
 		})
 		externalSecretCondition.Delete(prometheus.Labels{
 			"name":      es.Name,
 			"namespace": es.Namespace,
-			"condition": string(esv1alpha1.ExternalSecretReady),
+			"condition": string(esv1alpha2.ExternalSecretReady),
 			"status":    string(v1.ConditionTrue),
 		})
 
-	case esv1alpha1.ExternalSecretReady:
+	case esv1alpha2.ExternalSecretReady:
 		// Remove condition=Deleted metrics when the object gets ready.
 		externalSecretCondition.Delete(prometheus.Labels{
 			"name":      es.Name,
 			"namespace": es.Namespace,
-			"condition": string(esv1alpha1.ExternalSecretDeleted),
+			"condition": string(esv1alpha2.ExternalSecretDeleted),
 			"status":    string(v1.ConditionFalse),
 		})
 		externalSecretCondition.Delete(prometheus.Labels{
 			"name":      es.Name,
 			"namespace": es.Namespace,
-			"condition": string(esv1alpha1.ExternalSecretDeleted),
+			"condition": string(esv1alpha2.ExternalSecretDeleted),
 			"status":    string(v1.ConditionTrue),
 		})
 		// Toggle opposite Status to 0
@@ -87,14 +87,14 @@ func updateExternalSecretCondition(es *esv1alpha1.ExternalSecret, condition *esv
 			externalSecretCondition.With(prometheus.Labels{
 				"name":      es.Name,
 				"namespace": es.Namespace,
-				"condition": string(esv1alpha1.ExternalSecretReady),
+				"condition": string(esv1alpha2.ExternalSecretReady),
 				"status":    string(v1.ConditionTrue),
 			}).Set(0)
 		case v1.ConditionTrue:
 			externalSecretCondition.With(prometheus.Labels{
 				"name":      es.Name,
 				"namespace": es.Namespace,
-				"condition": string(esv1alpha1.ExternalSecretReady),
+				"condition": string(esv1alpha2.ExternalSecretReady),
 				"status":    string(v1.ConditionFalse),
 			}).Set(0)
 		case v1.ConditionUnknown:

+ 2 - 2
pkg/controllers/externalsecret/suite_test.go

@@ -32,7 +32,7 @@ import (
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 )
 
 // These tests use Ginkgo (BDD-style Go testing framework). Refer to
@@ -66,7 +66,7 @@ var _ = BeforeSuite(func() {
 	Expect(err).ToNot(HaveOccurred())
 	Expect(cfg).ToNot(BeNil())
 
-	err = esv1alpha1.AddToScheme(scheme.Scheme)
+	err = esv1alpha2.AddToScheme(scheme.Scheme)
 	Expect(err).NotTo(HaveOccurred())
 
 	k8sManager, err := ctrl.NewManager(cfg, ctrl.Options{

+ 7 - 7
pkg/controllers/externalsecret/util.go

@@ -17,12 +17,12 @@ import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 )
 
 // NewExternalSecretCondition a set of default options for creating an External Secret Condition.
-func NewExternalSecretCondition(condType esv1alpha1.ExternalSecretConditionType, status v1.ConditionStatus, reason, message string) *esv1alpha1.ExternalSecretStatusCondition {
-	return &esv1alpha1.ExternalSecretStatusCondition{
+func NewExternalSecretCondition(condType esv1alpha2.ExternalSecretConditionType, status v1.ConditionStatus, reason, message string) *esv1alpha2.ExternalSecretStatusCondition {
+	return &esv1alpha2.ExternalSecretStatusCondition{
 		Type:               condType,
 		Status:             status,
 		LastTransitionTime: metav1.Now(),
@@ -32,7 +32,7 @@ func NewExternalSecretCondition(condType esv1alpha1.ExternalSecretConditionType,
 }
 
 // GetExternalSecretCondition returns the condition with the provided type.
-func GetExternalSecretCondition(status esv1alpha1.ExternalSecretStatus, condType esv1alpha1.ExternalSecretConditionType) *esv1alpha1.ExternalSecretStatusCondition {
+func GetExternalSecretCondition(status esv1alpha2.ExternalSecretStatus, condType esv1alpha2.ExternalSecretConditionType) *esv1alpha2.ExternalSecretStatusCondition {
 	for i := range status.Conditions {
 		c := status.Conditions[i]
 		if c.Type == condType {
@@ -44,7 +44,7 @@ func GetExternalSecretCondition(status esv1alpha1.ExternalSecretStatus, condType
 
 // SetExternalSecretCondition updates the external secret to include the provided
 // condition.
-func SetExternalSecretCondition(es *esv1alpha1.ExternalSecret, condition esv1alpha1.ExternalSecretStatusCondition) {
+func SetExternalSecretCondition(es *esv1alpha2.ExternalSecret, condition esv1alpha2.ExternalSecretStatusCondition) {
 	currentCond := GetExternalSecretCondition(es.Status, condition.Type)
 
 	if currentCond != nil && currentCond.Status == condition.Status &&
@@ -68,8 +68,8 @@ func SetExternalSecretCondition(es *esv1alpha1.ExternalSecret, condition esv1alp
 }
 
 // filterOutCondition returns an empty set of conditions with the provided type.
-func filterOutCondition(conditions []esv1alpha1.ExternalSecretStatusCondition, condType esv1alpha1.ExternalSecretConditionType) []esv1alpha1.ExternalSecretStatusCondition {
-	newConditions := make([]esv1alpha1.ExternalSecretStatusCondition, 0, len(conditions))
+func filterOutCondition(conditions []esv1alpha2.ExternalSecretStatusCondition, condType esv1alpha2.ExternalSecretConditionType) []esv1alpha2.ExternalSecretStatusCondition {
+	newConditions := make([]esv1alpha2.ExternalSecretStatusCondition, 0, len(conditions))
 	for _, c := range conditions {
 		if c.Type == condType {
 			continue
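Review bot: The doc comment on `filterOutCondition` says it "returns an empty set of conditions with the provided type", which does not match the visible loop. The loop skips entries where `c.Type == condType`, so it appears to return every condition except those of that type. A comment such as `// filterOutCondition returns the conditions whose type is not condType.` would describe it correctly. The function body continues past the end of this hunk, so the append and return are assumed rather than seen.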

+ 2 - 2
pkg/controllers/secretstore/secretstore_controller.go

@@ -22,7 +22,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 )
 
 // Reconciler reconciles a SecretStore object.
@@ -45,6 +45,6 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 // SetupWithManager returns a new controller builder that will be started by the provided Manager.
 func (r *Reconciler) SetupWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&esv1alpha1.SecretStore{}).
+		For(&esv1alpha2.SecretStore{}).
 		Complete(r)
 }

+ 3 - 3
pkg/controllers/secretstore/suite_test.go

@@ -27,7 +27,7 @@ import (
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 )
 
 // These tests use Ginkgo (BDD-style Go testing framework). Refer to
@@ -56,10 +56,10 @@ var _ = BeforeSuite(func() {
 	Expect(err).ToNot(HaveOccurred())
 	Expect(cfg).ToNot(BeNil())
 
-	err = esv1alpha1.AddToScheme(scheme.Scheme)
+	err = esv1alpha2.AddToScheme(scheme.Scheme)
 	Expect(err).NotTo(HaveOccurred())
 
-	err = esv1alpha1.AddToScheme(scheme.Scheme)
+	err = esv1alpha2.AddToScheme(scheme.Scheme)
 	Expect(err).NotTo(HaveOccurred())
 
 	k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme})
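Review bot: `esv1alpha2.AddToScheme(scheme.Scheme)` is called twice in a row in `BeforeSuite`, so the second call and its `Expect` add nothing. The duplicate was already there for `esv1alpha1` and the rename carried it over. Either delete the second pair of lines, or, if this suite is still meant to handle objects of the older API version during the migration, register that version explicitly. Which of the two was intended cannot be determined from this hunk.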

+ 9 - 9
pkg/provider/akeyless/akeyless.go

@@ -23,7 +23,7 @@ import (
 	"github.com/akeylesslabs/akeyless-go/v2"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
 	"github.com/external-secrets/external-secrets/pkg/utils"
@@ -39,7 +39,7 @@ type Provider struct{}
 // akeylessBase satisfies the provider.SecretsClient interface.
 type akeylessBase struct {
 	kube      client.Client
-	store     esv1alpha1.GenericStore
+	store     esv1alpha2.GenericStore
 	namespace string
 
 	akeylessGwAPIURL string
@@ -56,17 +56,17 @@ type akeylessVaultInterface interface {
 }
 
 func init() {
-	schema.Register(&Provider{}, &esv1alpha1.SecretStoreProvider{
-		Akeyless: &esv1alpha1.AkeylessProvider{},
+	schema.Register(&Provider{}, &esv1alpha2.SecretStoreProvider{
+		Akeyless: &esv1alpha2.AkeylessProvider{},
 	})
 }
 
 // NewClient constructs a new secrets client based on the provided store.
-func (p *Provider) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
+func (p *Provider) NewClient(ctx context.Context, store esv1alpha2.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
 	return newClient(ctx, store, kube, namespace)
 }
 
-func newClient(_ context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
+func newClient(_ context.Context, store esv1alpha2.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
 	akl := &akeylessBase{
 		kube:      kube,
 		store:     store,
@@ -105,7 +105,7 @@ func (a *Akeyless) Close(ctx context.Context) error {
 
 // Implements store.Client.GetSecret Interface.
 // Retrieves a secret with the secret name defined in ref.Name.
-func (a *Akeyless) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func (a *Akeyless) GetSecret(ctx context.Context, ref esv1alpha2.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if utils.IsNil(a.Client) {
 		return nil, fmt.Errorf(errUninitalizedAkeylessProvider)
 	}
@@ -130,14 +130,14 @@ func (a *Akeyless) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretD
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (a *Akeyless) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (a *Akeyless) GetAllSecrets(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return nil, utils.ThrowNotImplemented()
 }
 
 // Implements store.Client.GetSecretMap Interface.
 // New version of GetSecretMap.
-func (a *Akeyless) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (a *Akeyless) GetSecretMap(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	if utils.IsNil(a.Client) {
 		return nil, fmt.Errorf(errUninitalizedAkeylessProvider)
 	}
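Review bot: `fmt.Errorf(errUninitalizedAkeylessProvider)` in `GetSecretMap` passes a message as the format string with no arguments, so any `%` in that message would be interpreted as a verb. The same pattern is in `GetSecret` in the previous hunk, in `pkg/provider/akeyless/auth.go` and `utils.go`, and in `pkg/provider/alibaba/kms.go`. `errors.New(errUninitalizedAkeylessProvider)` says the same thing without the formatting step. It needs the `errors` import, which is not visible in these hunks. `GetSecretMap` continues outside the hunk.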

+ 3 - 3
pkg/provider/akeyless/akeyless_test.go

@@ -20,7 +20,7 @@ import (
 	"strings"
 	"testing"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	fakeakeyless "github.com/external-secrets/external-secrets/pkg/provider/akeyless/fake"
 	"github.com/external-secrets/external-secrets/pkg/utils"
 )
@@ -29,8 +29,8 @@ type akeylessTestCase struct {
 	mockClient     *fakeakeyless.AkeylessMockClient
 	apiInput       *fakeakeyless.Input
 	apiOutput      *fakeakeyless.Output
-	ref            *esv1alpha1.ExternalSecretDataRemoteRef
-	refFrom        *esv1alpha1.ExternalSecretDataFromRemoteRef
+	ref            *esv1alpha2.ExternalSecretDataRemoteRef
+	refFrom        *esv1alpha2.ExternalSecretDataFromRemoteRef
 	expectError    string
 	expectedSecret string
 	// for testing secretmap

+ 4 - 4
pkg/provider/akeyless/auth.go

@@ -21,7 +21,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 )
 
 const (
@@ -44,7 +44,7 @@ func (a *akeylessBase) TokenFromSecretRef(ctx context.Context) (string, error) {
 		Namespace: a.namespace, // default to ExternalSecret namespace
 	}
 	// only ClusterStore is allowed to set namespace (and then it's required)
-	if a.store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
+	if a.store.GetObjectKind().GroupVersionKind().Kind == esv1alpha2.ClusterSecretStoreKind {
 		if prov.Auth.SecretRef.AccessID.Namespace == nil {
 			return "", fmt.Errorf(errInvalidClusterStoreMissingAKIDNamespace)
 		}
@@ -60,7 +60,7 @@ func (a *akeylessBase) TokenFromSecretRef(ctx context.Context) (string, error) {
 		Namespace: a.namespace, // default to ExternalSecret namespace
 	}
 	// only ClusterStore is allowed to set namespace (and then it's required)
-	if a.store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
+	if a.store.GetObjectKind().GroupVersionKind().Kind == esv1alpha2.ClusterSecretStoreKind {
 		if prov.Auth.SecretRef.AccessType.Namespace == nil {
 			return "", fmt.Errorf(errInvalidClusterStoreMissingSAKNamespace)
 		}
@@ -77,7 +77,7 @@ func (a *akeylessBase) TokenFromSecretRef(ctx context.Context) (string, error) {
 		Namespace: a.namespace, // default to ExternalSecret namespace
 	}
 	// only ClusterStore is allowed to set namespace (and then it's required)
-	if a.store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
+	if a.store.GetObjectKind().GroupVersionKind().Kind == esv1alpha2.ClusterSecretStoreKind {
 		if prov.Auth.SecretRef.AccessType.Namespace == nil {
 			return "", fmt.Errorf(errInvalidClusterStoreMissingSAKNamespace)
 		}
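Review bot: This block of `TokenFromSecretRef` checks `prov.Auth.SecretRef.AccessType.Namespace == nil` and returns `errInvalidClusterStoreMissingSAKNamespace`, exactly as the previous hunk's block does, which looks like a copy-paste. If this third block resolves a different selector than the second, the guard covers the wrong field. A `ClusterSecretStore` that leaves that selector's namespace unset could then reach a nil pointer dereference on the following line and panic the controller. The guard should test the namespace of the selector this block actually dereferences and return an error naming that field. The dereference itself is outside the hunk, so this needs confirming against the full function.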

+ 2 - 2
pkg/provider/akeyless/utils.go

@@ -21,7 +21,7 @@ import (
 	"strings"
 	"time"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 )
 
 const (
@@ -34,7 +34,7 @@ const (
 )
 
 // GetAKeylessProvider does the necessary nil checks and returns the akeyless provider or an error.
-func GetAKeylessProvider(store esv1alpha1.GenericStore) (*esv1alpha1.AkeylessProvider, error) {
+func GetAKeylessProvider(store esv1alpha2.GenericStore) (*esv1alpha2.AkeylessProvider, error) {
 	if store == nil {
 		return nil, fmt.Errorf(errNilStore)
 	}

+ 10 - 10
pkg/provider/alibaba/kms.go

@@ -25,7 +25,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
@@ -45,7 +45,7 @@ const (
 
 type Client struct {
 	kube      kclient.Client
-	store     *esv1alpha1.AlibabaProvider
+	store     *esv1alpha2.AlibabaProvider
 	namespace string
 	storeKind string
 	regionID  string
@@ -74,7 +74,7 @@ func (c *Client) setAuth(ctx context.Context) error {
 	}
 
 	// only ClusterStore is allowed to set namespace (and then it's required)
-	if c.storeKind == esv1alpha1.ClusterSecretStoreKind {
+	if c.storeKind == esv1alpha2.ClusterSecretStoreKind {
 		if c.store.Auth.SecretRef.AccessKeyID.Namespace == nil {
 			return fmt.Errorf(errInvalidClusterStoreMissingAKIDNamespace)
 		}
@@ -90,7 +90,7 @@ func (c *Client) setAuth(ctx context.Context) error {
 		Name:      c.store.Auth.SecretRef.AccessKeySecret.Name,
 		Namespace: c.namespace,
 	}
-	if c.storeKind == esv1alpha1.ClusterSecretStoreKind {
+	if c.storeKind == esv1alpha2.ClusterSecretStoreKind {
 		if c.store.Auth.SecretRef.AccessKeySecret.Namespace == nil {
 			return fmt.Errorf(errInvalidClusterStoreMissingSKNamespace)
 		}
@@ -111,7 +111,7 @@ func (c *Client) setAuth(ctx context.Context) error {
 }
 
 // GetSecret returns a single secret from the provider.
-func (kms *KeyManagementService) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func (kms *KeyManagementService) GetSecret(ctx context.Context, ref esv1alpha2.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if utils.IsNil(kms.Client) {
 		return nil, fmt.Errorf(errUninitalizedAlibabaProvider)
 	}
@@ -142,13 +142,13 @@ func (kms *KeyManagementService) GetSecret(ctx context.Context, ref esv1alpha1.E
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (kms *KeyManagementService) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (kms *KeyManagementService) GetAllSecrets(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return nil, utils.ThrowNotImplemented()
 }
 
 // GetSecretMap returns multiple k/v pairs from the provider.
-func (kms *KeyManagementService) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (kms *KeyManagementService) GetSecretMap(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	data, err := kms.GetSecret(ctx, ref.GetDataRemoteRef())
 	if err != nil {
 		return nil, err
@@ -166,7 +166,7 @@ func (kms *KeyManagementService) GetSecretMap(ctx context.Context, ref esv1alpha
 }
 
 // NewClient constructs a new secrets client based on the provided store.
-func (kms *KeyManagementService) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
+func (kms *KeyManagementService) NewClient(ctx context.Context, store esv1alpha2.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 	alibabaSpec := storeSpec.Provider.Alibaba
 	iStore := &Client{
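Review bot: `NewClient` reads `storeSpec.Provider.Alibaba` straight after `store.GetSpec()` with no nil checks, whereas the akeyless provider routes the same lookup through `GetAKeylessProvider`, which is documented as doing them. If `Provider` or `Alibaba` is a pointer, which the `&esv1alpha2.AlibabaProvider{}` registration suggests, a store without an Alibaba block would panic here or later in `setAuth` instead of returning an error. A guard before building the client would close that, for example `if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Alibaba == nil { return nil, fmt.Errorf("alibaba provider configuration missing from store") }` (message text is a constructed sample). The rest of `NewClient` lies outside this hunk.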
@@ -194,7 +194,7 @@ func (kms *KeyManagementService) Close(ctx context.Context) error {
 }
 
 func init() {
-	schema.Register(&KeyManagementService{}, &esv1alpha1.SecretStoreProvider{
-		Alibaba: &esv1alpha1.AlibabaProvider{},
+	schema.Register(&KeyManagementService{}, &esv1alpha2.SecretStoreProvider{
+		Alibaba: &esv1alpha2.AlibabaProvider{},
 	})
 }

+ 3 - 3
pkg/provider/alibaba/kms_test.go

@@ -24,7 +24,7 @@ import (
 	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/responses"
 	kmssdk "github.com/aliyun/alibaba-cloud-sdk-go/services/kms"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	fakesm "github.com/external-secrets/external-secrets/pkg/provider/alibaba/fake"
 	"github.com/external-secrets/external-secrets/pkg/utils"
 )
@@ -38,8 +38,8 @@ type keyManagementServiceTestCase struct {
 	mockClient     *fakesm.AlibabaMockClient
 	apiInput       *kmssdk.GetSecretValueRequest
 	apiOutput      *kmssdk.GetSecretValueResponse
-	ref            *esv1alpha1.ExternalSecretDataRemoteRef
-	refFrom        *esv1alpha1.ExternalSecretDataFromRemoteRef
+	ref            *esv1alpha2.ExternalSecretDataRemoteRef
+	refFrom        *esv1alpha2.ExternalSecretDataFromRemoteRef
 	apiErr         error
 	expectError    string
 	expectedSecret string

+ 7 - 7
pkg/provider/aws/auth/auth.go

@@ -33,7 +33,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	ctrlcfg "sigs.k8s.io/controller-runtime/pkg/client/config"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
 )
 
@@ -62,7 +62,7 @@ const (
 // * service-account token authentication via AssumeRoleWithWebIdentity
 // * static credentials from a Kind=Secret, optionally with doing a AssumeRole.
 // * sdk default provider chain, see: https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default
-func New(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string, assumeRoler STSProvider, jwtProvider jwtProviderFactory) (*session.Session, error) {
+func New(ctx context.Context, store esv1alpha2.GenericStore, kube client.Client, namespace string, assumeRoler STSProvider, jwtProvider jwtProviderFactory) (*session.Session, error) {
 	prov, err := util.GetAWSProvider(store)
 	if err != nil {
 		return nil, err
@@ -113,13 +113,13 @@ func New(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client,
 	return sess, nil
 }
 
-func sessionFromSecretRef(ctx context.Context, prov *esv1alpha1.AWSProvider, store esv1alpha1.GenericStore, kube client.Client, namespace string) (*credentials.Credentials, error) {
+func sessionFromSecretRef(ctx context.Context, prov *esv1alpha2.AWSProvider, store esv1alpha2.GenericStore, kube client.Client, namespace string) (*credentials.Credentials, error) {
 	ke := client.ObjectKey{
 		Name:      prov.Auth.SecretRef.AccessKeyID.Name,
 		Namespace: namespace, // default to ExternalSecret namespace
 	}
 	// only ClusterStore is allowed to set namespace (and then it's required)
-	if store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
+	if store.GetObjectKind().GroupVersionKind().Kind == esv1alpha2.ClusterSecretStoreKind {
 		if prov.Auth.SecretRef.AccessKeyID.Namespace == nil {
 			return nil, fmt.Errorf(errInvalidClusterStoreMissingAKIDNamespace)
 		}
@@ -135,7 +135,7 @@ func sessionFromSecretRef(ctx context.Context, prov *esv1alpha1.AWSProvider, sto
 		Namespace: namespace, // default to ExternalSecret namespace
 	}
 	// only ClusterStore is allowed to set namespace (and then it's required)
-	if store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
+	if store.GetObjectKind().GroupVersionKind().Kind == esv1alpha2.ClusterSecretStoreKind {
 		if prov.Auth.SecretRef.SecretAccessKey.Namespace == nil {
 			return nil, fmt.Errorf(errInvalidClusterStoreMissingSAKNamespace)
 		}
@@ -158,8 +158,8 @@ func sessionFromSecretRef(ctx context.Context, prov *esv1alpha1.AWSProvider, sto
 	return credentials.NewStaticCredentials(aks, sak, ""), err
 }
 
-func sessionFromServiceAccount(ctx context.Context, prov *esv1alpha1.AWSProvider, store esv1alpha1.GenericStore, kube client.Client, namespace string, jwtProvider jwtProviderFactory) (*credentials.Credentials, error) {
-	if store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
+func sessionFromServiceAccount(ctx context.Context, prov *esv1alpha2.AWSProvider, store esv1alpha2.GenericStore, kube client.Client, namespace string, jwtProvider jwtProviderFactory) (*credentials.Credentials, error) {
+	if store.GetObjectKind().GroupVersionKind().Kind == esv1alpha2.ClusterSecretStoreKind {
 		if prov.Auth.JWTAuth.ServiceAccountRef.Namespace == nil {
 			return nil, fmt.Errorf("serviceAccountRef has no Namespace field (mandatory for ClusterSecretStore specs)")
 		}
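Review bot: The rule that only a ClusterSecretStore may name a namespace other than the ExternalSecret's is enforced by three separate copies of `store.GetObjectKind().GroupVersionKind().Kind == esv1alpha2.ClusterSecretStoreKind`: twice in sessionFromSecretRef and once in sessionFromServiceAccount. Each copy had to be edited by hand for this API bump. Moving the comparison into one helper, for example `func isClusterStore(store esv1alpha2.GenericStore) bool`, and writing `if isClusterStore(store) {` at the three sites would keep the namespace boundary in one place for the next version change. The check also relies on the Kind being populated on the store object. When it is empty, sessionFromSecretRef appears to keep the ExternalSecret namespace, which is the restrictive direction, and a short comment stating that this is intended would help. Both functions continue outside the visible hunks.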

+ 72 - 72
pkg/provider/aws/auth/auth_test.go

@@ -32,7 +32,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	fakesess "github.com/external-secrets/external-secrets/pkg/provider/aws/auth/fake"
 )
@@ -54,30 +54,30 @@ func TestNewSession(t *testing.T) {
 		{
 			name:      "not store spec",
 			expectErr: "storeSpec is missing provider",
-			store:     &esv1alpha1.SecretStore{},
+			store:     &esv1alpha2.SecretStore{},
 		},
 		{
 			name:      "store spec has no provider",
 			expectErr: "storeSpec is missing provider",
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{},
+			store: &esv1alpha2.SecretStore{
+				Spec: esv1alpha2.SecretStoreSpec{},
 			},
 		},
 		{
 			name:      "spec has no awssm field",
 			expectErr: "Missing AWS field",
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{},
+			store: &esv1alpha2.SecretStore{
+				Spec: esv1alpha2.SecretStoreSpec{
+					Provider: &esv1alpha2.SecretStoreProvider{},
 				},
 			},
 		},
 		{
 			name: "configure aws using environment variables",
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{},
+			store: &esv1alpha2.SecretStore{
+				Spec: esv1alpha2.SecretStoreSpec{
+					Provider: &esv1alpha2.SecretStoreProvider{
+						AWS: &esv1alpha2.AWSProvider{},
 					},
 				},
 			},
@@ -110,10 +110,10 @@ func TestNewSession(t *testing.T) {
 					},
 				}
 			},
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
+			store: &esv1alpha2.SecretStore{
+				Spec: esv1alpha2.SecretStoreSpec{
+					Provider: &esv1alpha2.SecretStoreProvider{
+						AWS: &esv1alpha2.AWSProvider{
 							Role: "foo-bar-baz",
 						},
 					},
@@ -130,12 +130,12 @@ func TestNewSession(t *testing.T) {
 		{
 			name:      "error out when secret with credentials does not exist",
 			namespace: "foo",
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
-							Auth: esv1alpha1.AWSAuth{
-								SecretRef: &esv1alpha1.AWSAuthSecretRef{
+			store: &esv1alpha2.SecretStore{
+				Spec: esv1alpha2.SecretStoreSpec{
+					Provider: &esv1alpha2.SecretStoreProvider{
+						AWS: &esv1alpha2.AWSProvider{
+							Auth: esv1alpha2.AWSAuth{
+								SecretRef: &esv1alpha2.AWSAuthSecretRef{
 									AccessKeyID: esmeta.SecretKeySelector{
 										Name: "othersecret",
 										Key:  "one",
@@ -155,12 +155,12 @@ func TestNewSession(t *testing.T) {
 		{
 			name:      "use credentials from secret to configure aws",
 			namespace: "foo",
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
-							Auth: esv1alpha1.AWSAuth{
-								SecretRef: &esv1alpha1.AWSAuthSecretRef{
+			store: &esv1alpha2.SecretStore{
+				Spec: esv1alpha2.SecretStoreSpec{
+					Provider: &esv1alpha2.SecretStoreProvider{
+						AWS: &esv1alpha2.AWSProvider{
+							Auth: esv1alpha2.AWSAuth{
+								SecretRef: &esv1alpha2.AWSAuthSecretRef{
 									AccessKeyID: esmeta.SecretKeySelector{
 										Name: "onesecret",
 										// Namespace is not set
@@ -196,12 +196,12 @@ func TestNewSession(t *testing.T) {
 		{
 			name:      "error out when secret key does not exist",
 			namespace: "foo",
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
-							Auth: esv1alpha1.AWSAuth{
-								SecretRef: &esv1alpha1.AWSAuthSecretRef{
+			store: &esv1alpha2.SecretStore{
+				Spec: esv1alpha2.SecretStoreSpec{
+					Provider: &esv1alpha2.SecretStoreProvider{
+						AWS: &esv1alpha2.AWSProvider{
+							Auth: esv1alpha2.AWSAuth{
+								SecretRef: &esv1alpha2.AWSAuthSecretRef{
 									AccessKeyID: esmeta.SecretKeySelector{
 										Name: "brokensecret",
 										Key:  "one",
@@ -230,12 +230,12 @@ func TestNewSession(t *testing.T) {
 		{
 			name:      "should not be able to access secrets from different namespace",
 			namespace: "foo",
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
-							Auth: esv1alpha1.AWSAuth{
-								SecretRef: &esv1alpha1.AWSAuthSecretRef{
+			store: &esv1alpha2.SecretStore{
+				Spec: esv1alpha2.SecretStoreSpec{
+					Provider: &esv1alpha2.SecretStoreProvider{
+						AWS: &esv1alpha2.AWSProvider{
+							Auth: esv1alpha2.AWSAuth{
+								SecretRef: &esv1alpha2.AWSAuthSecretRef{
 									AccessKeyID: esmeta.SecretKeySelector{
 										Name:      "onesecret",
 										Namespace: aws.String("evil"), // this should not be possible!
@@ -269,16 +269,16 @@ func TestNewSession(t *testing.T) {
 		{
 			name:      "ClusterStore should use credentials from a specific namespace",
 			namespace: esNamespaceKey,
-			store: &esv1alpha1.ClusterSecretStore{
+			store: &esv1alpha2.ClusterSecretStore{
 				TypeMeta: metav1.TypeMeta{
-					APIVersion: esv1alpha1.ClusterSecretStoreKindAPIVersion,
-					Kind:       esv1alpha1.ClusterSecretStoreKind,
+					APIVersion: esv1alpha2.ClusterSecretStoreKindAPIVersion,
+					Kind:       esv1alpha2.ClusterSecretStoreKind,
 				},
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
-							Auth: esv1alpha1.AWSAuth{
-								SecretRef: &esv1alpha1.AWSAuthSecretRef{
+				Spec: esv1alpha2.SecretStoreSpec{
+					Provider: &esv1alpha2.SecretStoreProvider{
+						AWS: &esv1alpha2.AWSProvider{
+							Auth: esv1alpha2.AWSAuth{
+								SecretRef: &esv1alpha2.AWSAuthSecretRef{
 									AccessKeyID: esmeta.SecretKeySelector{
 										Name:      "onesecret",
 										Namespace: aws.String(platformTeamNsKey),
@@ -314,16 +314,16 @@ func TestNewSession(t *testing.T) {
 		{
 			name:      "namespace is mandatory when using ClusterStore with SecretKeySelector",
 			namespace: esNamespaceKey,
-			store: &esv1alpha1.ClusterSecretStore{
+			store: &esv1alpha2.ClusterSecretStore{
 				TypeMeta: metav1.TypeMeta{
-					APIVersion: esv1alpha1.ClusterSecretStoreKindAPIVersion,
-					Kind:       esv1alpha1.ClusterSecretStoreKind,
+					APIVersion: esv1alpha2.ClusterSecretStoreKindAPIVersion,
+					Kind:       esv1alpha2.ClusterSecretStoreKind,
 				},
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
-							Auth: esv1alpha1.AWSAuth{
-								SecretRef: &esv1alpha1.AWSAuthSecretRef{
+				Spec: esv1alpha2.SecretStoreSpec{
+					Provider: &esv1alpha2.SecretStoreProvider{
+						AWS: &esv1alpha2.AWSProvider{
+							Auth: esv1alpha2.AWSAuth{
+								SecretRef: &esv1alpha2.AWSAuthSecretRef{
 									AccessKeyID: esmeta.SecretKeySelector{
 										Name: "onesecret",
 										Key:  "one",
@@ -368,16 +368,16 @@ func TestNewSession(t *testing.T) {
 					IsExpiredFunc: func() bool { return false },
 				}, nil
 			},
-			store: &esv1alpha1.ClusterSecretStore{
+			store: &esv1alpha2.ClusterSecretStore{
 				TypeMeta: metav1.TypeMeta{
-					APIVersion: esv1alpha1.ClusterSecretStoreKindAPIVersion,
-					Kind:       esv1alpha1.ClusterSecretStoreKind,
+					APIVersion: esv1alpha2.ClusterSecretStoreKindAPIVersion,
+					Kind:       esv1alpha2.ClusterSecretStoreKind,
 				},
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
-							Auth: esv1alpha1.AWSAuth{
-								JWTAuth: &esv1alpha1.AWSJWTAuth{
+				Spec: esv1alpha2.SecretStoreSpec{
+					Provider: &esv1alpha2.SecretStoreProvider{
+						AWS: &esv1alpha2.AWSProvider{
+							Auth: esv1alpha2.AWSAuth{
+								JWTAuth: &esv1alpha2.AWSJWTAuth{
 									ServiceAccountRef: &esmeta.ServiceAccountSelector{
 										Name:      myServiceAccountKey,
 										Namespace: aws.String(otherNsName),
@@ -403,7 +403,7 @@ func TestNewSession(t *testing.T) {
 
 type TestSessionRow struct {
 	name              string
-	store             esv1alpha1.GenericStore
+	store             esv1alpha2.GenericStore
 	secrets           []v1.Secret
 	sa                *v1.ServiceAccount
 	jwtProvider       jwtProviderFactory
@@ -464,11 +464,11 @@ func TestSMEnvCredentials(t *testing.T) {
 	os.Setenv("AWS_ACCESS_KEY_ID", "2222")
 	defer os.Unsetenv("AWS_SECRET_ACCESS_KEY")
 	defer os.Unsetenv("AWS_ACCESS_KEY_ID")
-	s, err := New(context.Background(), &esv1alpha1.SecretStore{
-		Spec: esv1alpha1.SecretStoreSpec{
-			Provider: &esv1alpha1.SecretStoreProvider{
+	s, err := New(context.Background(), &esv1alpha2.SecretStore{
+		Spec: esv1alpha2.SecretStoreSpec{
+			Provider: &esv1alpha2.SecretStoreProvider{
 				// defaults
-				AWS: &esv1alpha1.AWSProvider{},
+				AWS: &esv1alpha2.AWSProvider{},
 			},
 		},
 	}, k8sClient, "example-ns", DefaultSTSProvider, nil)
@@ -504,11 +504,11 @@ func TestSMAssumeRole(t *testing.T) {
 	os.Setenv("AWS_ACCESS_KEY_ID", "2222")
 	defer os.Unsetenv("AWS_SECRET_ACCESS_KEY")
 	defer os.Unsetenv("AWS_ACCESS_KEY_ID")
-	s, err := New(context.Background(), &esv1alpha1.SecretStore{
-		Spec: esv1alpha1.SecretStoreSpec{
-			Provider: &esv1alpha1.SecretStoreProvider{
+	s, err := New(context.Background(), &esv1alpha2.SecretStore{
+		Spec: esv1alpha2.SecretStoreSpec{
+			Provider: &esv1alpha2.SecretStoreProvider{
 				// do assume role!
-				AWS: &esv1alpha1.AWSProvider{
+				AWS: &esv1alpha2.AWSProvider{
 					Role: "my-awesome-role",
 				},
 			},

+ 4 - 4
pkg/provider/aws/parameterstore/parameterstore.go

@@ -24,7 +24,7 @@ import (
 	"github.com/tidwall/gjson"
 	ctrl "sigs.k8s.io/controller-runtime"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
 	"github.com/external-secrets/external-secrets/pkg/utils"
 )
@@ -50,7 +50,7 @@ func New(sess client.ConfigProvider) (*ParameterStore, error) {
 }
 
 // GetSecret returns a single secret from the provider.
-func (pm *ParameterStore) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func (pm *ParameterStore) GetSecret(ctx context.Context, ref esv1alpha2.ExternalSecretDataRemoteRef) ([]byte, error) {
 	log.Info("fetching secret value", "key", ref.Key)
 	out, err := pm.client.GetParameter(&ssm.GetParameterInput{
 		Name:           &ref.Key,
@@ -74,13 +74,13 @@ func (pm *ParameterStore) GetSecret(ctx context.Context, ref esv1alpha1.External
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (pm *ParameterStore) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (pm *ParameterStore) GetAllSecrets(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return nil, utils.ThrowNotImplemented()
 }
 
 // GetSecretMap returns multiple k/v pairs from the provider.
-func (pm *ParameterStore) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (pm *ParameterStore) GetSecretMap(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	log.Info("fetching secret map", "key", ref.Extract.Key)
 	data, err := pm.GetSecret(ctx, ref.GetDataRemoteRef())
 	if err != nil {
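Review bot: The doc comment on ParameterStore.GetAllSecrets ("Implements store.Client.GetAllSecrets Interface. New version of GetAllSecrets.") does not say that the method is a stub whose body only returns `nil, utils.ThrowNotImplemented()`. Now that it accepts the v1alpha2 ref type, a reader could assume the lookup works for this provider. I would replace the comment with `// GetAllSecrets is not implemented for Parameter Store yet; it returns nil and the error from utils.ThrowNotImplemented.` The same stub and comment appear on SecretsManager.GetAllSecrets in secretsmanager.go and on KeyManagementService.GetAllSecrets in the Alibaba provider. GetSecretMap, the last function in this section, continues outside the hunk.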

+ 8 - 8
pkg/provider/aws/parameterstore/parameterstore_test.go

@@ -23,7 +23,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/ssm"
 	"github.com/google/go-cmp/cmp"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	fake "github.com/external-secrets/external-secrets/pkg/provider/aws/parameterstore/fake"
 )
 
@@ -31,8 +31,8 @@ type parameterstoreTestCase struct {
 	fakeClient     *fake.Client
 	apiInput       *ssm.GetParameterInput
 	apiOutput      *ssm.GetParameterOutput
-	remoteRef      *esv1alpha1.ExternalSecretDataRemoteRef
-	remoteRefFrom  *esv1alpha1.ExternalSecretDataFromRemoteRef
+	remoteRef      *esv1alpha2.ExternalSecretDataRemoteRef
+	remoteRefFrom  *esv1alpha2.ExternalSecretDataFromRemoteRef
 	apiErr         error
 	expectError    string
 	expectedSecret string
@@ -68,15 +68,15 @@ func makeValidAPIOutput() *ssm.GetParameterOutput {
 	}
 }
 
-func makeValidRemoteRef() *esv1alpha1.ExternalSecretDataRemoteRef {
-	return &esv1alpha1.ExternalSecretDataRemoteRef{
+func makeValidRemoteRef() *esv1alpha2.ExternalSecretDataRemoteRef {
+	return &esv1alpha2.ExternalSecretDataRemoteRef{
 		Key: "/baz",
 	}
 }
 
-func makeValidRemoteRefFrom() *esv1alpha1.ExternalSecretDataFromRemoteRef {
-	return &esv1alpha1.ExternalSecretDataFromRemoteRef{
-		Extract: esv1alpha1.ExternalSecretExtract{
+func makeValidRemoteRefFrom() *esv1alpha2.ExternalSecretDataFromRemoteRef {
+	return &esv1alpha2.ExternalSecretDataFromRemoteRef{
+		Extract: esv1alpha2.ExternalSecretExtract{
 			Key: "/baz",
 		},
 	}

+ 7 - 7
pkg/provider/aws/provider.go

@@ -20,7 +20,7 @@ import (
 
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	awsauth "github.com/external-secrets/external-secrets/pkg/provider/aws/auth"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/parameterstore"
@@ -38,11 +38,11 @@ const (
 )
 
 // NewClient constructs a new secrets client based on the provided store.
-func (p *Provider) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
+func (p *Provider) NewClient(ctx context.Context, store esv1alpha2.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
 	return newClient(ctx, store, kube, namespace, awsauth.DefaultSTSProvider)
 }
 
-func newClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string, assumeRoler awsauth.STSProvider) (provider.SecretsClient, error) {
+func newClient(ctx context.Context, store esv1alpha2.GenericStore, kube client.Client, namespace string, assumeRoler awsauth.STSProvider) (provider.SecretsClient, error) {
 	prov, err := util.GetAWSProvider(store)
 	if err != nil {
 		return nil, err
@@ -52,16 +52,16 @@ func newClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.C
 		return nil, fmt.Errorf(errUnableCreateSession, err)
 	}
 	switch prov.Service {
-	case esv1alpha1.AWSServiceSecretsManager:
+	case esv1alpha2.AWSServiceSecretsManager:
 		return secretsmanager.New(sess)
-	case esv1alpha1.AWSServiceParameterStore:
+	case esv1alpha2.AWSServiceParameterStore:
 		return parameterstore.New(sess)
 	}
 	return nil, fmt.Errorf(errUnknownProviderService, prov.Service)
 }
 
 func init() {
-	schema.Register(&Provider{}, &esv1alpha1.SecretStoreProvider{
-		AWS: &esv1alpha1.AWSProvider{},
+	schema.Register(&Provider{}, &esv1alpha2.SecretStoreProvider{
+		AWS: &esv1alpha2.AWSProvider{},
 	})
 }

+ 28 - 28
pkg/provider/aws/provider_test.go

@@ -22,7 +22,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/parameterstore"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/secretsmanager"
@@ -34,7 +34,7 @@ func TestProvider(t *testing.T) {
 
 	tbl := []struct {
 		test    string
-		store   esv1alpha1.GenericStore
+		store   esv1alpha2.GenericStore
 		expType interface{}
 		expErr  bool
 	}{
@@ -46,16 +46,16 @@ func TestProvider(t *testing.T) {
 		{
 			test:   "should not create provider due to missing provider",
 			expErr: true,
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{},
+			store: &esv1alpha2.SecretStore{
+				Spec: esv1alpha2.SecretStoreSpec{},
 			},
 		},
 		{
 			test:   "should not create provider due to missing provider field",
 			expErr: true,
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{},
+			store: &esv1alpha2.SecretStore{
+				Spec: esv1alpha2.SecretStoreSpec{
+					Provider: &esv1alpha2.SecretStoreProvider{},
 				},
 			},
 		},
@@ -63,11 +63,11 @@ func TestProvider(t *testing.T) {
 			test:    "should create parameter store client",
 			expErr:  false,
 			expType: &parameterstore.ParameterStore{},
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
-							Service: esv1alpha1.AWSServiceParameterStore,
+			store: &esv1alpha2.SecretStore{
+				Spec: esv1alpha2.SecretStoreSpec{
+					Provider: &esv1alpha2.SecretStoreProvider{
+						AWS: &esv1alpha2.AWSProvider{
+							Service: esv1alpha2.AWSServiceParameterStore,
 						},
 					},
 				},
@@ -77,11 +77,11 @@ func TestProvider(t *testing.T) {
 			test:    "should create secretsmanager client",
 			expErr:  false,
 			expType: &secretsmanager.SecretsManager{},
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
-							Service: esv1alpha1.AWSServiceSecretsManager,
+			store: &esv1alpha2.SecretStore{
+				Spec: esv1alpha2.SecretStoreSpec{
+					Provider: &esv1alpha2.SecretStoreProvider{
+						AWS: &esv1alpha2.AWSProvider{
+							Service: esv1alpha2.AWSServiceSecretsManager,
 						},
 					},
 				},
@@ -90,10 +90,10 @@ func TestProvider(t *testing.T) {
 		{
 			test:   "invalid service should return an error",
 			expErr: true,
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
+			store: &esv1alpha2.SecretStore{
+				Spec: esv1alpha2.SecretStoreSpec{
+					Provider: &esv1alpha2.SecretStoreProvider{
+						AWS: &esv1alpha2.AWSProvider{
 							Service: "HIHIHIHHEHEHEHEHEHE",
 						},
 					},
@@ -103,13 +103,13 @@ func TestProvider(t *testing.T) {
 		{
 			test:   "newSession error should be returned",
 			expErr: true,
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
-							Service: esv1alpha1.AWSServiceParameterStore,
-							Auth: esv1alpha1.AWSAuth{
-								SecretRef: &esv1alpha1.AWSAuthSecretRef{
+			store: &esv1alpha2.SecretStore{
+				Spec: esv1alpha2.SecretStoreSpec{
+					Provider: &esv1alpha2.SecretStoreProvider{
+						AWS: &esv1alpha2.AWSProvider{
+							Service: esv1alpha2.AWSServiceParameterStore,
+							Auth: esv1alpha2.AWSAuth{
+								SecretRef: &esv1alpha2.AWSAuthSecretRef{
 									AccessKeyID: esmeta.SecretKeySelector{
 										Name:      "foo",
 										Namespace: aws.String("NOOP"),

+ 5 - 5
pkg/provider/aws/secretsmanager/secretsmanager.go

@@ -24,7 +24,7 @@ import (
 	"github.com/tidwall/gjson"
 	ctrl "sigs.k8s.io/controller-runtime"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
 	"github.com/external-secrets/external-secrets/pkg/utils"
 )
@@ -51,7 +51,7 @@ func New(sess client.ConfigProvider) (*SecretsManager, error) {
 	}, nil
 }
 
-func (sm *SecretsManager) fetch(_ context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (*awssm.GetSecretValueOutput, error) {
+func (sm *SecretsManager) fetch(_ context.Context, ref esv1alpha2.ExternalSecretDataRemoteRef) (*awssm.GetSecretValueOutput, error) {
 	ver := "AWSCURRENT"
 	if ref.Version != "" {
 		ver = ref.Version
@@ -76,7 +76,7 @@ func (sm *SecretsManager) fetch(_ context.Context, ref esv1alpha1.ExternalSecret
 }
 
 // GetSecret returns a single secret from the provider.
-func (sm *SecretsManager) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func (sm *SecretsManager) GetSecret(ctx context.Context, ref esv1alpha2.ExternalSecretDataRemoteRef) ([]byte, error) {
 	secretOut, err := sm.fetch(ctx, ref)
 	if err != nil {
 		return nil, util.SanitizeErr(err)
@@ -106,7 +106,7 @@ func (sm *SecretsManager) GetSecret(ctx context.Context, ref esv1alpha1.External
 }
 
 // GetSecretMap returns multiple k/v pairs from the provider.
-func (sm *SecretsManager) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (sm *SecretsManager) GetSecretMap(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	log.Info("fetching secret map", "key", ref.Extract.Key)
 	data, err := sm.GetSecret(ctx, ref.GetDataRemoteRef())
 	if err != nil {
@@ -132,7 +132,7 @@ func (sm *SecretsManager) GetSecretMap(ctx context.Context, ref esv1alpha1.Exter
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (sm *SecretsManager) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (sm *SecretsManager) GetAllSecrets(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return nil, utils.ThrowNotImplemented()
 }

+ 8 - 8
pkg/provider/aws/secretsmanager/secretsmanager_test.go

@@ -24,7 +24,7 @@ import (
 	awssm "github.com/aws/aws-sdk-go/service/secretsmanager"
 	"github.com/google/go-cmp/cmp"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	fakesm "github.com/external-secrets/external-secrets/pkg/provider/aws/secretsmanager/fake"
 )
 
@@ -32,8 +32,8 @@ type secretsManagerTestCase struct {
 	fakeClient     *fakesm.Client
 	apiInput       *awssm.GetSecretValueInput
 	apiOutput      *awssm.GetSecretValueOutput
-	remoteRef      *esv1alpha1.ExternalSecretDataRemoteRef
-	remoteRefFrom  *esv1alpha1.ExternalSecretDataFromRemoteRef
+	remoteRef      *esv1alpha2.ExternalSecretDataRemoteRef
+	remoteRefFrom  *esv1alpha2.ExternalSecretDataFromRemoteRef
 	apiErr         error
 	expectError    string
 	expectedSecret string
@@ -61,16 +61,16 @@ func makeValidSecretsManagerTestCase() *secretsManagerTestCase {
 	return &smtc
 }
 
-func makeValidRemoteRef() *esv1alpha1.ExternalSecretDataRemoteRef {
-	return &esv1alpha1.ExternalSecretDataRemoteRef{
+func makeValidRemoteRef() *esv1alpha2.ExternalSecretDataRemoteRef {
+	return &esv1alpha2.ExternalSecretDataRemoteRef{
 		Key:     "/baz",
 		Version: "AWSCURRENT",
 	}
 }
 
-func makeValidRemoteRefFrom() *esv1alpha1.ExternalSecretDataFromRemoteRef {
-	return &esv1alpha1.ExternalSecretDataFromRemoteRef{
-		Extract: esv1alpha1.ExternalSecretExtract{
+func makeValidRemoteRefFrom() *esv1alpha2.ExternalSecretDataFromRemoteRef {
+	return &esv1alpha2.ExternalSecretDataFromRemoteRef{
+		Extract: esv1alpha2.ExternalSecretExtract{
 			Key:     "/baz",
 			Version: "AWSCURRENT",
 		},

+ 2 - 2
pkg/provider/aws/util/provider.go

@@ -16,7 +16,7 @@ package util
 import (
 	"fmt"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 )
 
 const (
@@ -28,7 +28,7 @@ const (
 
 // GetAWSProvider does the necessary nil checks on the generic store
 // it returns the aws provider or an error.
-func GetAWSProvider(store esv1alpha1.GenericStore) (*esv1alpha1.AWSProvider, error) {
+func GetAWSProvider(store esv1alpha2.GenericStore) (*esv1alpha2.AWSProvider, error) {
 	if store == nil {
 		return nil, fmt.Errorf(errNilStore)
 	}

+ 16 - 16
pkg/provider/azure/keyvault/keyvault.go

@@ -29,7 +29,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	smmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
@@ -50,24 +50,24 @@ type SecretClient interface {
 
 type Azure struct {
 	kube       client.Client
-	store      esv1alpha1.GenericStore
+	store      esv1alpha2.GenericStore
 	baseClient SecretClient
 	vaultURL   string
 	namespace  string
 }
 
 func init() {
-	schema.Register(&Azure{}, &esv1alpha1.SecretStoreProvider{
-		AzureKV: &esv1alpha1.AzureKVProvider{},
+	schema.Register(&Azure{}, &esv1alpha2.SecretStoreProvider{
+		AzureKV: &esv1alpha2.AzureKVProvider{},
 	})
 }
 
 // NewClient constructs a new secrets client based on the provided store.
-func (a *Azure) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
+func (a *Azure) NewClient(ctx context.Context, store esv1alpha2.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
 	return newClient(ctx, store, kube, namespace)
 }
 
-func newClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
+func newClient(ctx context.Context, store esv1alpha2.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
 	anAzure := &Azure{
 		kube:      kube,
 		store:     store,
@@ -90,7 +90,7 @@ func newClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.C
 // Implements store.Client.GetSecret Interface.
 // Retrieves a secret/Key/Certificate with the secret name defined in ref.Name
 // The Object Type is defined as a prefix in the ref.Name , if no prefix is defined , we assume a secret is required.
-func (a *Azure) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func (a *Azure) GetSecret(ctx context.Context, ref esv1alpha2.ExternalSecretDataRemoteRef) ([]byte, error) {
 	version := ""
 	basicClient := a.baseClient
 	objectType, secretName := getObjType(ref)
@@ -143,7 +143,7 @@ func (a *Azure) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretData
 
 // Implements store.Client.GetSecretMap Interface.
 // New version of GetSecretMap.
-func (a *Azure) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (a *Azure) GetSecretMap(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	dataRef := ref.GetDataRemoteRef()
 	objectType, secretName := getObjType(dataRef)
 
@@ -177,7 +177,7 @@ func (a *Azure) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretD
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (a *Azure) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (a *Azure) GetAllSecrets(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	basicClient := a.baseClient
 	secretsMap := make(map[string][]byte)
 	checkTags := len(ref.Find.Tags) > 0
@@ -212,7 +212,7 @@ func (a *Azure) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecret
 	return secretsMap, nil
 }
 
-func isValidSecret(checkTags, checkName bool, ref esv1alpha1.ExternalSecretDataFromRemoteRef, secret keyvault.SecretItem) (bool, string) {
+func isValidSecret(checkTags, checkName bool, ref esv1alpha2.ExternalSecretDataFromRemoteRef, secret keyvault.SecretItem) (bool, string) {
 	if secret.ID == nil || !*secret.Attributes.Enabled {
 		return false, ""
 	}
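Review bot: `isValidSecret` guards `secret.ID` against nil but dereferences `secret.Attributes` and `Attributes.Enabled` unchecked in the same condition, so a listed item that arrives without attributes would panic the reconciler instead of being skipped. Assuming `Attributes` is a pointer as in the Azure SDK's `SecretItem`, extending the guard keeps the fail-closed behaviour: `if secret.ID == nil || secret.Attributes == nil || secret.Attributes.Enabled == nil || !*secret.Attributes.Enabled {`. Whether the service can omit these fields is not visible here, and the function body continues outside the hunk.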
@@ -229,12 +229,12 @@ func isValidSecret(checkTags, checkName bool, ref esv1alpha1.ExternalSecretDataF
 	return true, secretName
 }
 
-func okByName(ref esv1alpha1.ExternalSecretDataFromRemoteRef, secretName string) bool {
+func okByName(ref esv1alpha2.ExternalSecretDataFromRemoteRef, secretName string) bool {
 	matches, _ := regexp.MatchString(ref.Find.Name.RegExp, secretName)
 	return matches
 }
 
-func okByTags(ref esv1alpha1.ExternalSecretDataFromRemoteRef, secret keyvault.SecretItem) bool {
+func okByTags(ref esv1alpha2.ExternalSecretDataFromRemoteRef, secret keyvault.SecretItem) bool {
 	tagsFound := true
 	for k, v := range ref.Find.Tags {
 		if val, ok := secret.Tags[k]; !ok || *val != v {
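Review bot: `okByName` discards the error from `regexp.MatchString`, so an invalid `ref.Find.Name.RegExp` is indistinguishable from a pattern that matches nothing, and the caller gets an empty result with no diagnostic. The pattern is also recompiled for every secret that is checked. Compiling it once before the listing loop, `re, err := regexp.Compile(ref.Find.Name.RegExp)`, and returning that error from `GetAllSecrets` would surface the misconfiguration; that loop is outside this hunk. In `okByTags` just below, `*val` is dereferenced without a nil check on the tag value, and the rest of that function is also outside the hunk.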
@@ -248,7 +248,7 @@ func okByTags(ref esv1alpha1.ExternalSecretDataFromRemoteRef, secret keyvault.Se
 func (a *Azure) setAzureClientWithManagedIdentity() (bool, error) {
 	spec := *a.store.GetSpec().Provider.AzureKV
 
-	if *spec.AuthType != esv1alpha1.ManagedIdentity {
+	if *spec.AuthType != esv1alpha2.ManagedIdentity {
 		return false, nil
 	}
 
@@ -274,7 +274,7 @@ func (a *Azure) setAzureClientWithManagedIdentity() (bool, error) {
 func (a *Azure) setAzureClientWithServicePrincipal(ctx context.Context) (bool, error) {
 	spec := *a.store.GetSpec().Provider.AzureKV
 
-	if *spec.AuthType != esv1alpha1.ServicePrincipal {
+	if *spec.AuthType != esv1alpha2.ServicePrincipal {
 		return false, nil
 	}
 
@@ -288,7 +288,7 @@ func (a *Azure) setAzureClientWithServicePrincipal(ctx context.Context) (bool, e
 		return true, fmt.Errorf("missing accessKeyID/secretAccessKey in store config")
 	}
 	clusterScoped := false
-	if a.store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
+	if a.store.GetObjectKind().GroupVersionKind().Kind == esv1alpha2.ClusterSecretStoreKind {
 		clusterScoped = true
 	}
 	cid, err := a.secretKeyRef(ctx, a.store.GetNamespace(), *spec.AuthSecretRef.ClientID, clusterScoped)
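Review bot: The error on the first context line of this hunk, `"missing accessKeyID/secretAccessKey in store config"`, names AWS-style fields that an Azure service-principal store does not have, so an operator debugging a failed auth setup is pointed at the wrong keys. The condition that triggers it is above the hunk, but the test in keyvault_test.go reaches it with an empty `AzureKVAuth{}`, which suggests the missing values are the client ID and client secret references. A message that names those fields would be clearer, for example `return true, fmt.Errorf("missing clientID/clientSecret references in authSecretRef")`. The `tassert.EqualError` line in the test would need the same update.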
@@ -341,7 +341,7 @@ func (a *Azure) Close(ctx context.Context) error {
 	return nil
 }
 
-func getObjType(ref esv1alpha1.ExternalSecretDataRemoteRef) (string, string) {
+func getObjType(ref esv1alpha2.ExternalSecretDataRemoteRef) (string, string) {
 	objectType := defaultObjType
 
 	secretName := ref.Key

+ 12 - 12
pkg/provider/azure/keyvault/keyvault_test.go

@@ -26,7 +26,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
 	fake "github.com/external-secrets/external-secrets/pkg/provider/azure/keyvault/fake"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
@@ -38,8 +38,8 @@ type secretManagerTestCase struct {
 	secretName     string
 	secretVersion  string
 	serviceURL     string
-	ref            *esv1alpha1.ExternalSecretDataRemoteRef
-	refFrom        *esv1alpha1.ExternalSecretDataFromRemoteRef
+	ref            *esv1alpha2.ExternalSecretDataRemoteRef
+	refFrom        *esv1alpha2.ExternalSecretDataFromRemoteRef
 	apiErr         error
 	secretOutput   keyvault.SecretBundle
 	keyOutput      keyvault.KeyBundle
@@ -90,12 +90,12 @@ func TestNewClientManagedIdentityNoNeedForCredentials(t *testing.T) {
 	namespace := "internal"
 	vaultURL := "https://local.vault.url"
 	identityID := "1234"
-	authType := esv1alpha1.ManagedIdentity
-	store := esv1alpha1.SecretStore{
+	authType := esv1alpha2.ManagedIdentity
+	store := esv1alpha2.SecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: namespace,
 		},
-		Spec: esv1alpha1.SecretStoreSpec{Provider: &esv1alpha1.SecretStoreProvider{AzureKV: &esv1alpha1.AzureKVProvider{
+		Spec: esv1alpha2.SecretStoreSpec{Provider: &esv1alpha2.SecretStoreProvider{AzureKV: &esv1alpha2.AzureKVProvider{
 			AuthType:   &authType,
 			IdentityID: &identityID,
 			VaultURL:   &vaultURL,
@@ -119,12 +119,12 @@ func TestNewClientNoCreds(t *testing.T) {
 	namespace := "internal"
 	vaultURL := "https://local.vault.url"
 	tenantID := "1234"
-	authType := esv1alpha1.ServicePrincipal
-	store := esv1alpha1.SecretStore{
+	authType := esv1alpha2.ServicePrincipal
+	store := esv1alpha2.SecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: namespace,
 		},
-		Spec: esv1alpha1.SecretStoreSpec{Provider: &esv1alpha1.SecretStoreProvider{AzureKV: &esv1alpha1.AzureKVProvider{
+		Spec: esv1alpha2.SecretStoreSpec{Provider: &esv1alpha2.SecretStoreProvider{AzureKV: &esv1alpha2.AzureKVProvider{
 			AuthType: &authType,
 			VaultURL: &vaultURL,
 			TenantID: &tenantID,
@@ -136,7 +136,7 @@ func TestNewClientNoCreds(t *testing.T) {
 	_, err = provider.NewClient(context.Background(), &store, k8sClient, namespace)
 	tassert.EqualError(t, err, "missing clientID/clientSecret in store config")
 
-	store.Spec.Provider.AzureKV.AuthSecretRef = &esv1alpha1.AzureKVAuth{}
+	store.Spec.Provider.AzureKV.AuthSecretRef = &esv1alpha2.AzureKVAuth{}
 	_, err = provider.NewClient(context.Background(), &store, k8sClient, namespace)
 	tassert.EqualError(t, err, "missing accessKeyID/secretAccessKey in store config")
 
@@ -147,8 +147,8 @@ func TestNewClientNoCreds(t *testing.T) {
 	store.Spec.Provider.AzureKV.AuthSecretRef.ClientSecret = &v1.SecretKeySelector{Name: "password"}
 	_, err = provider.NewClient(context.Background(), &store, k8sClient, namespace)
 	tassert.EqualError(t, err, "could not find secret internal/user: secrets \"user\" not found")
-	store.TypeMeta.Kind = esv1alpha1.ClusterSecretStoreKind
-	store.TypeMeta.APIVersion = esv1alpha1.ClusterSecretStoreKindAPIVersion
+	store.TypeMeta.Kind = esv1alpha2.ClusterSecretStoreKind
+	store.TypeMeta.APIVersion = esv1alpha2.ClusterSecretStoreKindAPIVersion
 	ns := "default"
 	store.Spec.Provider.AzureKV.AuthSecretRef.ClientID.Namespace = &ns
 	store.Spec.Provider.AzureKV.AuthSecretRef.ClientSecret.Namespace = &ns

+ 15 - 15
pkg/provider/fake/fake.go

@@ -19,7 +19,7 @@ import (
 
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
 	"github.com/external-secrets/external-secrets/pkg/utils"
@@ -29,24 +29,24 @@ var _ provider.Provider = &Client{}
 
 // Client is a fake client for testing.
 type Client struct {
-	NewFn func(context.Context, esv1alpha1.GenericStore, client.Client,
+	NewFn func(context.Context, esv1alpha2.GenericStore, client.Client,
 		string) (provider.SecretsClient, error)
-	GetSecretFn    func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error)
-	GetSecretMapFn func(context.Context, esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error)
+	GetSecretFn    func(context.Context, esv1alpha2.ExternalSecretDataRemoteRef) ([]byte, error)
+	GetSecretMapFn func(context.Context, esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error)
 }
 
 // New returns a fake provider/client.
 func New() *Client {
 	v := &Client{
-		GetSecretFn: func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+		GetSecretFn: func(context.Context, esv1alpha2.ExternalSecretDataRemoteRef) ([]byte, error) {
 			return nil, nil
 		},
-		GetSecretMapFn: func(context.Context, esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+		GetSecretMapFn: func(context.Context, esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 			return nil, nil
 		},
 	}
 
-	v.NewFn = func(context.Context, esv1alpha1.GenericStore, client.Client, string) (provider.SecretsClient, error) {
+	v.NewFn = func(context.Context, esv1alpha2.GenericStore, client.Client, string) (provider.SecretsClient, error) {
 		return v, nil
 	}
 
@@ -54,18 +54,18 @@ func New() *Client {
 }
 
 // RegisterAs registers the fake client in the schema.
-func (v *Client) RegisterAs(provider *esv1alpha1.SecretStoreProvider) {
+func (v *Client) RegisterAs(provider *esv1alpha2.SecretStoreProvider) {
 	schema.ForceRegister(v, provider)
 }
 
 // GetSecret implements the provider.Provider interface.
-func (v *Client) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func (v *Client) GetSecret(ctx context.Context, ref esv1alpha2.ExternalSecretDataRemoteRef) ([]byte, error) {
 	return v.GetSecretFn(ctx, ref)
 }
 
 // WithGetSecret wraps secret data returned by this provider.
 func (v *Client) WithGetSecret(secData []byte, err error) *Client {
-	v.GetSecretFn = func(context.Context, esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+	v.GetSecretFn = func(context.Context, esv1alpha2.ExternalSecretDataRemoteRef) ([]byte, error) {
 		return secData, err
 	}
 	return v
@@ -73,13 +73,13 @@ func (v *Client) WithGetSecret(secData []byte, err error) *Client {
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (v *Client) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (v *Client) GetAllSecrets(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return nil, utils.ThrowNotImplemented()
 }
 
 // GetSecretMap imeplements the provider.Provider interface.
-func (v *Client) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (v *Client) GetSecretMap(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	return v.GetSecretMapFn(ctx, ref)
 }
 func (v *Client) Close(ctx context.Context) error {
@@ -88,21 +88,21 @@ func (v *Client) Close(ctx context.Context) error {
 
 // WithGetSecretMap wraps the secret data map returned by this fake provider.
 func (v *Client) WithGetSecretMap(secData map[string][]byte, err error) *Client {
-	v.GetSecretMapFn = func(context.Context, esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+	v.GetSecretMapFn = func(context.Context, esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 		return secData, err
 	}
 	return v
 }
 
 // WithNew wraps the fake provider factory function.
-func (v *Client) WithNew(f func(context.Context, esv1alpha1.GenericStore, client.Client,
+func (v *Client) WithNew(f func(context.Context, esv1alpha2.GenericStore, client.Client,
 	string) (provider.SecretsClient, error)) *Client {
 	v.NewFn = f
 	return v
 }
 
 // NewClient returns a new fake provider.
-func (v *Client) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
+func (v *Client) NewClient(ctx context.Context, store esv1alpha2.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
 	c, err := v.NewFn(ctx, store, kube, namespace)
 	if err != nil {
 		return nil, err

+ 11 - 11
pkg/provider/gcp/secretmanager/secretsmanager.go

@@ -29,7 +29,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
 	"github.com/external-secrets/external-secrets/pkg/utils"
@@ -66,13 +66,13 @@ type ProviderGCP struct {
 
 type gClient struct {
 	kube             kclient.Client
-	store            *esv1alpha1.GCPSMProvider
+	store            *esv1alpha2.GCPSMProvider
 	namespace        string
 	storeKind        string
 	workloadIdentity *workloadIdentity
 }
 
-func (c *gClient) getTokenSource(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (oauth2.TokenSource, error) {
+func (c *gClient) getTokenSource(ctx context.Context, store esv1alpha2.GenericStore, kube kclient.Client, namespace string) (oauth2.TokenSource, error) {
 	ts, err := serviceAccountTokenSource(ctx, store, kube, namespace)
 	if ts != nil || err != nil {
 		return ts, err
@@ -85,7 +85,7 @@ func (c *gClient) getTokenSource(ctx context.Context, store esv1alpha1.GenericSt
 	return google.DefaultTokenSource(ctx, CloudPlatformRole)
 }
 
-func serviceAccountTokenSource(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (oauth2.TokenSource, error) {
+func serviceAccountTokenSource(ctx context.Context, store esv1alpha2.GenericStore, kube kclient.Client, namespace string) (oauth2.TokenSource, error) {
 	spec := store.GetSpec()
 	if spec == nil || spec.Provider.GCPSM == nil {
 		return nil, fmt.Errorf(errMissingStoreSpec)
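Review bot: `serviceAccountTokenSource` checks `spec == nil` and then reads `spec.Provider.GCPSM` without checking `spec.Provider`, so a store whose spec has no provider set would panic here rather than return `errMissingStoreSpec`. `NewClient` in this file and `workloadIdentity.TokenSource` in secretsmanager_workload_identity.go already use the three-part guard; the same here would be `if spec == nil || spec.Provider == nil || spec.Provider.GCPSM == nil {`. Callers may already validate the store before reaching this function, but that is not visible, and the function continues outside the hunk.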
@@ -103,7 +103,7 @@ func serviceAccountTokenSource(ctx context.Context, store esv1alpha1.GenericStor
 	}
 
 	// only ClusterStore is allowed to set namespace (and then it's required)
-	if storeKind == esv1alpha1.ClusterSecretStoreKind {
+	if storeKind == esv1alpha2.ClusterSecretStoreKind {
 		if credentialsSecretName != "" && sr.SecretAccessKey.Namespace == nil {
 			return nil, fmt.Errorf(errInvalidClusterStoreMissingSAKNamespace)
 		} else if credentialsSecretName != "" {
@@ -126,7 +126,7 @@ func serviceAccountTokenSource(ctx context.Context, store esv1alpha1.GenericStor
 }
 
 // NewClient constructs a GCP Provider.
-func (sm *ProviderGCP) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
+func (sm *ProviderGCP) NewClient(ctx context.Context, store esv1alpha2.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.GCPSM == nil {
 		return nil, fmt.Errorf(errGCPSMStore)
@@ -162,7 +162,7 @@ func (sm *ProviderGCP) NewClient(ctx context.Context, store esv1alpha1.GenericSt
 }
 
 // GetSecret returns a single secret from the provider.
-func (sm *ProviderGCP) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func (sm *ProviderGCP) GetSecret(ctx context.Context, ref esv1alpha2.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if utils.IsNil(sm.SecretManagerClient) || sm.projectID == "" {
 		return nil, fmt.Errorf(errUninitalizedGCPProvider)
 	}
@@ -201,13 +201,13 @@ func (sm *ProviderGCP) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSec
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (sm *ProviderGCP) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (sm *ProviderGCP) GetAllSecrets(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return nil, utils.ThrowNotImplemented()
 }
 
 // GetSecretMap returns multiple k/v pairs from the provider.
-func (sm *ProviderGCP) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (sm *ProviderGCP) GetSecretMap(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	if sm.SecretManagerClient == nil || sm.projectID == "" {
 		return nil, fmt.Errorf(errUninitalizedGCPProvider)
 	}
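Review bot: `GetSecretMap` tests `sm.SecretManagerClient == nil`, while `GetSecret` in the same file uses `utils.IsNil(sm.SecretManagerClient)`. If the field is an interface, a typed nil pointer stored in it passes the `== nil` comparison and the call fails later with a nil dereference instead of `errUninitalizedGCPProvider`. Using the same helper keeps both entry points consistent: `if utils.IsNil(sm.SecretManagerClient) || sm.projectID == "" {`. The field's declaration and the rest of the function are outside the hunk.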
@@ -246,7 +246,7 @@ func (sm *ProviderGCP) Close(ctx context.Context) error {
 }
 
 func init() {
-	schema.Register(&ProviderGCP{}, &esv1alpha1.SecretStoreProvider{
-		GCPSM: &esv1alpha1.GCPSMProvider{},
+	schema.Register(&ProviderGCP{}, &esv1alpha2.SecretStoreProvider{
+		GCPSM: &esv1alpha2.GCPSMProvider{},
 	})
 }

+ 4 - 4
pkg/provider/gcp/secretmanager/secretsmanager_test.go

@@ -22,7 +22,7 @@ import (
 
 	secretmanagerpb "google.golang.org/genproto/googleapis/cloud/secretmanager/v1"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	fakesm "github.com/external-secrets/external-secrets/pkg/provider/gcp/secretmanager/fake"
 	"github.com/external-secrets/external-secrets/pkg/utils"
 )
@@ -31,8 +31,8 @@ type secretManagerTestCase struct {
 	mockClient     *fakesm.MockSMClient
 	apiInput       *secretmanagerpb.AccessSecretVersionRequest
 	apiOutput      *secretmanagerpb.AccessSecretVersionResponse
-	ref            *esv1alpha1.ExternalSecretDataRemoteRef
-	refFrom        *esv1alpha1.ExternalSecretDataFromRemoteRef
+	ref            *esv1alpha2.ExternalSecretDataRemoteRef
+	refFrom        *esv1alpha2.ExternalSecretDataFromRemoteRef
 	projectID      string
 	apiErr         error
 	expectError    string
@@ -106,7 +106,7 @@ func TestSecretManagerGetSecret(t *testing.T) {
 
 	// good case: ref with
 	setCustomRef := func(smtc *secretManagerTestCase) {
-		smtc.ref = &esv1alpha1.ExternalSecretDataRemoteRef{
+		smtc.ref = &esv1alpha2.ExternalSecretDataRemoteRef{
 			Key:      "/baz",
 			Version:  "default",
 			Property: "name.first",

+ 3 - 3
pkg/provider/gcp/secretmanager/secretsmanager_workload_identity.go

@@ -40,7 +40,7 @@ import (
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 	ctrlcfg "sigs.k8s.io/controller-runtime/pkg/client/config"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 )
 
 const (
@@ -90,7 +90,7 @@ func newWorkloadIdentity(ctx context.Context) (*workloadIdentity, error) {
 	}, nil
 }
 
-func (w *workloadIdentity) TokenSource(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (oauth2.TokenSource, error) {
+func (w *workloadIdentity) TokenSource(ctx context.Context, store esv1alpha2.GenericStore, kube kclient.Client, namespace string) (oauth2.TokenSource, error) {
 	spec := store.GetSpec()
 	if spec == nil || spec.Provider == nil || spec.Provider.GCPSM == nil {
 		return nil, fmt.Errorf(errMissingStoreSpec)
@@ -106,7 +106,7 @@ func (w *workloadIdentity) TokenSource(ctx context.Context, store esv1alpha1.Gen
 	}
 
 	// only ClusterStore is allowed to set namespace (and then it's required)
-	if storeKind == esv1alpha1.ClusterSecretStoreKind {
+	if storeKind == esv1alpha2.ClusterSecretStoreKind {
 		if wi.ServiceAccountRef.Namespace == nil {
 			return nil, fmt.Errorf(errInvalidClusterStoreMissingSANamespace)
 		}

+ 22 - 22
pkg/provider/gcp/secretmanager/secretsmanager_workload_identity_test.go

@@ -32,7 +32,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
@@ -44,7 +44,7 @@ type workloadIdentityTest struct {
 	genAccessToken func(context.Context, *credentialspb.GenerateAccessTokenRequest, ...gax.CallOption) (*credentialspb.GenerateAccessTokenResponse, error)
 	genIDBindToken func(ctx context.Context, client *http.Client, k8sToken, idPool, idProvider string) (*oauth2.Token, error)
 	genSAToken     func(c context.Context, s1, s2, s3 string) (*authv1.TokenRequest, error)
-	store          esv1alpha1.GenericStore
+	store          esv1alpha2.GenericStore
 	kubeObjects    []client.Object
 }
 
@@ -54,14 +54,14 @@ func TestWorkloadIdentity(t *testing.T) {
 		composeTestcase(
 			defaultTestCase("missing store spec should result in error"),
 			withErr("invalid: missing store spec"),
-			withStore(&esv1alpha1.SecretStore{}),
+			withStore(&esv1alpha2.SecretStore{}),
 		),
 		composeTestcase(
 			defaultTestCase("should skip when no workload identity is configured: TokenSource and error must be nil"),
-			withStore(&esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						GCPSM: &esv1alpha1.GCPSMProvider{},
+			withStore(&esv1alpha2.SecretStore{
+				Spec: esv1alpha2.SecretStoreSpec{
+					Provider: &esv1alpha2.SecretStoreProvider{
+						GCPSM: &esv1alpha2.GCPSMProvider{},
 					},
 				},
 			}),
@@ -210,7 +210,7 @@ func withErr(err string) testCaseMutator {
 	}
 }
 
-func withStore(store esv1alpha1.GenericStore) testCaseMutator {
+func withStore(store esv1alpha2.GenericStore) testCaseMutator {
 	return func(tc *workloadIdentityTest) {
 		tc.store = store
 	}
@@ -282,8 +282,8 @@ func defaultTestCase(name string) *workloadIdentityTest {
 	}
 }
 
-func defaultStore() *esv1alpha1.SecretStore {
-	return &esv1alpha1.SecretStore{
+func defaultStore() *esv1alpha2.SecretStore {
+	return &esv1alpha2.SecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "foobar",
 			Namespace: "default",
@@ -292,10 +292,10 @@ func defaultStore() *esv1alpha1.SecretStore {
 	}
 }
 
-func defaultClusterStore() *esv1alpha1.ClusterSecretStore {
-	return &esv1alpha1.ClusterSecretStore{
+func defaultClusterStore() *esv1alpha2.ClusterSecretStore {
+	return &esv1alpha2.ClusterSecretStore{
 		TypeMeta: metav1.TypeMeta{
-			Kind: esv1alpha1.ClusterSecretStoreKind,
+			Kind: esv1alpha2.ClusterSecretStoreKind,
 		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "foobar",
@@ -304,12 +304,12 @@ func defaultClusterStore() *esv1alpha1.ClusterSecretStore {
 	}
 }
 
-func defaultStoreSpec() esv1alpha1.SecretStoreSpec {
-	return esv1alpha1.SecretStoreSpec{
-		Provider: &esv1alpha1.SecretStoreProvider{
-			GCPSM: &esv1alpha1.GCPSMProvider{
-				Auth: esv1alpha1.GCPSMAuth{
-					WorkloadIdentity: &esv1alpha1.GCPWorkloadIdentity{
+func defaultStoreSpec() esv1alpha2.SecretStoreSpec {
+	return esv1alpha2.SecretStoreSpec{
+		Provider: &esv1alpha2.SecretStoreProvider{
+			GCPSM: &esv1alpha2.GCPSMProvider{
+				Auth: esv1alpha2.GCPSMAuth{
+					WorkloadIdentity: &esv1alpha2.GCPWorkloadIdentity{
 						ServiceAccountRef: esmeta.ServiceAccountSelector{
 							Name: "example",
 						},
@@ -323,9 +323,9 @@ func defaultStoreSpec() esv1alpha1.SecretStoreSpec {
 	}
 }
 
-type storeMutator func(spc esv1alpha1.GenericStore)
+type storeMutator func(spc esv1alpha2.GenericStore)
 
-func composeStore(store esv1alpha1.GenericStore, mutators ...storeMutator) esv1alpha1.GenericStore {
+func composeStore(store esv1alpha2.GenericStore, mutators ...storeMutator) esv1alpha2.GenericStore {
 	for _, m := range mutators {
 		m(store)
 	}
@@ -333,7 +333,7 @@ func composeStore(store esv1alpha1.GenericStore, mutators ...storeMutator) esv1a
 }
 
 func withSANamespace(namespace string) storeMutator {
-	return func(store esv1alpha1.GenericStore) {
+	return func(store esv1alpha2.GenericStore) {
 		spc := store.GetSpec()
 		spc.Provider.GCPSM.Auth.WorkloadIdentity.ServiceAccountRef.Namespace = &namespace
 	}

+ 9 - 9
pkg/provider/gitlab/gitlab.go

@@ -25,7 +25,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/e2e/framework/log"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
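Review bot: The import block keeps `github.com/external-secrets/external-secrets/e2e/framework/log` in a provider package that is built into the controller, so production code depends on the end-to-end test framework. That ties the runtime binary to whatever the e2e package imports and makes the provider's logging follow test-harness behaviour. Since this commit already edits the import block, it would be a natural place to switch to a logger that lives outside `e2e/`. The call sites that use `log` are outside this hunk.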
@@ -56,15 +56,15 @@ type Gitlab struct {
 // Client for interacting with kubernetes cluster...?
 type gClient struct {
 	kube        kclient.Client
-	store       *esv1alpha1.GitlabProvider
+	store       *esv1alpha2.GitlabProvider
 	namespace   string
 	storeKind   string
 	credentials []byte
 }
 
 func init() {
-	schema.Register(&Gitlab{}, &esv1alpha1.SecretStoreProvider{
-		Gitlab: &esv1alpha1.GitlabProvider{},
+	schema.Register(&Gitlab{}, &esv1alpha2.SecretStoreProvider{
+		Gitlab: &esv1alpha2.GitlabProvider{},
 	})
 }
 
@@ -80,7 +80,7 @@ func (c *gClient) setAuth(ctx context.Context) error {
 		Namespace: c.namespace,
 	}
 	// only ClusterStore is allowed to set namespace (and then it's required)
-	if c.storeKind == esv1alpha1.ClusterSecretStoreKind {
+	if c.storeKind == esv1alpha2.ClusterSecretStoreKind {
 		if c.store.Auth.SecretRef.AccessToken.Namespace == nil {
 			return fmt.Errorf(errInvalidClusterStoreMissingSAKNamespace)
 		}
@@ -108,7 +108,7 @@ func NewGitlabProvider() *Gitlab {
 }
 
 // Method on Gitlab Provider to set up client with credentials and populate projectID.
-func (g *Gitlab) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
+func (g *Gitlab) NewClient(ctx context.Context, store esv1alpha2.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Gitlab == nil {
 		return nil, fmt.Errorf("no store type or wrong store type")
@@ -148,7 +148,7 @@ func (g *Gitlab) NewClient(ctx context.Context, store esv1alpha1.GenericStore, k
 	return g, nil
 }
 
-func (g *Gitlab) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func (g *Gitlab) GetSecret(ctx context.Context, ref esv1alpha2.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if utils.IsNil(g.client) {
 		return nil, fmt.Errorf(errUninitalizedGitlabProvider)
 	}
@@ -187,12 +187,12 @@ func (g *Gitlab) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDat
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (g *Gitlab) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (g *Gitlab) GetAllSecrets(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return nil, utils.ThrowNotImplemented()
 }
 
-func (g *Gitlab) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (g *Gitlab) GetSecretMap(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// Gets a secret as normal, expecting secret value to be a json object
 	data, err := g.GetSecret(ctx, ref.GetDataRemoteRef())
 	if err != nil {

+ 3 - 3
pkg/provider/gitlab/gitlab_test.go

@@ -22,7 +22,7 @@ import (
 
 	gitlab "github.com/xanzy/go-gitlab"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	fakegitlab "github.com/external-secrets/external-secrets/pkg/provider/gitlab/fake"
 	"github.com/external-secrets/external-secrets/pkg/utils"
 )
@@ -32,8 +32,8 @@ type secretManagerTestCase struct {
 	apiInputProjectID string
 	apiInputKey       string
 	apiOutput         *gitlab.ProjectVariable
-	ref               *esv1alpha1.ExternalSecretDataRemoteRef
-	refFrom           *esv1alpha1.ExternalSecretDataFromRemoteRef
+	ref               *esv1alpha2.ExternalSecretDataRemoteRef
+	refFrom           *esv1alpha2.ExternalSecretDataFromRemoteRef
 	projectID         *string
 	apiErr            error
 	expectError       string

+ 11 - 11
pkg/provider/ibm/provider.go

@@ -26,7 +26,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
 	"github.com/external-secrets/external-secrets/pkg/utils"
@@ -56,7 +56,7 @@ type providerIBM struct {
 
 type client struct {
 	kube        kclient.Client
-	store       *esv1alpha1.IBMProvider
+	store       *esv1alpha2.IBMProvider
 	namespace   string
 	storeKind   string
 	credentials []byte
@@ -74,7 +74,7 @@ func (c *client) setAuth(ctx context.Context) error {
 	}
 
 	// only ClusterStore is allowed to set namespace (and then it's required)
-	if c.storeKind == esv1alpha1.ClusterSecretStoreKind {
+	if c.storeKind == esv1alpha2.ClusterSecretStoreKind {
 		if c.store.Auth.SecretRef.SecretAPIKey.Namespace == nil {
 			return fmt.Errorf(errInvalidClusterStoreMissingSKNamespace)
 		}
@@ -95,12 +95,12 @@ func (c *client) setAuth(ctx context.Context) error {
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (ibm *providerIBM) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (ibm *providerIBM) GetAllSecrets(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return nil, utils.ThrowNotImplemented()
 }
 
-func (ibm *providerIBM) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func (ibm *providerIBM) GetSecret(ctx context.Context, ref esv1alpha2.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if utils.IsNil(ibm.IBMClient) {
 		return nil, fmt.Errorf(errUninitalizedIBMProvider)
 	}
@@ -158,7 +158,7 @@ func getArbitrarySecret(ibm *providerIBM, secretName *string) ([]byte, error) {
 	return []byte(arbitrarySecretPayload), nil
 }
 
-func getImportCertSecret(ibm *providerIBM, secretName *string, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func getImportCertSecret(ibm *providerIBM, secretName *string, ref esv1alpha2.ExternalSecretDataRemoteRef) ([]byte, error) {
 	response, _, err := ibm.IBMClient.GetSecret(
 		&sm.GetSecretOptions{
 			SecretType: core.StringPtr(sm.CreateSecretOptionsSecretTypeImportedCertConst),
@@ -193,7 +193,7 @@ func getIamCredentialsSecret(ibm *providerIBM, secretName *string) ([]byte, erro
 	return []byte(secretData), nil
 }
 
-func getUsernamePasswordSecret(ibm *providerIBM, secretName *string, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func getUsernamePasswordSecret(ibm *providerIBM, secretName *string, ref esv1alpha2.ExternalSecretDataRemoteRef) ([]byte, error) {
 	response, _, err := ibm.IBMClient.GetSecret(
 		&sm.GetSecretOptions{
 			SecretType: core.StringPtr(sm.CreateSecretOptionsSecretTypeUsernamePasswordConst),
@@ -212,7 +212,7 @@ func getUsernamePasswordSecret(ibm *providerIBM, secretName *string, ref esv1alp
 	return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
 }
 
-func (ibm *providerIBM) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (ibm *providerIBM) GetSecretMap(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	if utils.IsNil(ibm.IBMClient) {
 		return nil, fmt.Errorf(errUninitalizedIBMProvider)
 	}
@@ -320,7 +320,7 @@ func (ibm *providerIBM) Close(ctx context.Context) error {
 	return nil
 }
 
-func (ibm *providerIBM) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
+func (ibm *providerIBM) NewClient(ctx context.Context, store esv1alpha2.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 	ibmSpec := storeSpec.Provider.IBM
 
@@ -373,7 +373,7 @@ func (ibm *providerIBM) NewClient(ctx context.Context, store esv1alpha1.GenericS
 }
 
 func init() {
-	schema.Register(&providerIBM{}, &esv1alpha1.SecretStoreProvider{
-		IBM: &esv1alpha1.IBMProvider{},
+	schema.Register(&providerIBM{}, &esv1alpha2.SecretStoreProvider{
+		IBM: &esv1alpha2.IBMProvider{},
 	})
 }

+ 10 - 10
pkg/provider/ibm/provider_test.go

@@ -27,7 +27,7 @@ import (
 	utilpointer "k8s.io/utils/pointer"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
 	fakesm "github.com/external-secrets/external-secrets/pkg/provider/ibm/fake"
 	"github.com/external-secrets/external-secrets/pkg/utils"
@@ -37,8 +37,8 @@ type secretManagerTestCase struct {
 	mockClient     *fakesm.IBMMockClient
 	apiInput       *sm.GetSecretOptions
 	apiOutput      *sm.GetSecret
-	ref            *esv1alpha1.ExternalSecretDataRemoteRef
-	refFrom        *esv1alpha1.ExternalSecretDataFromRemoteRef
+	ref            *esv1alpha2.ExternalSecretDataRemoteRef
+	refFrom        *esv1alpha2.ExternalSecretDataFromRemoteRef
 	serviceURL     *string
 	apiErr         error
 	expectError    string
@@ -378,12 +378,12 @@ func TestValidRetryInput(t *testing.T) {
 	invalid := "Invalid"
 	serviceURL := "http://fake-service-url.cool"
 
-	spec := &esv1alpha1.SecretStore{
-		Spec: esv1alpha1.SecretStoreSpec{
-			Provider: &esv1alpha1.SecretStoreProvider{
-				IBM: &esv1alpha1.IBMProvider{
-					Auth: esv1alpha1.IBMAuth{
-						SecretRef: esv1alpha1.IBMAuthSecretRef{
+	spec := &esv1alpha2.SecretStore{
+		Spec: esv1alpha2.SecretStoreSpec{
+			Provider: &esv1alpha2.SecretStoreProvider{
+				IBM: &esv1alpha2.IBMProvider{
+					Auth: esv1alpha2.IBMAuth{
+						SecretRef: esv1alpha2.IBMAuthSecretRef{
 							SecretAPIKey: v1.SecretKeySelector{
 								Name: "fake-secret",
 								Key:  "fake-key",
@@ -393,7 +393,7 @@ func TestValidRetryInput(t *testing.T) {
 					ServiceURL: &serviceURL,
 				},
 			},
-			RetrySettings: &esv1alpha1.SecretStoreRetrySettings{
+			RetrySettings: &esv1alpha2.SecretStoreRetrySettings{
 				RetryInterval: &invalid,
 			},
 		},

+ 9 - 9
pkg/provider/oracle/oracle.go

@@ -24,7 +24,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
@@ -54,7 +54,7 @@ const (
 
 type client struct {
 	kube        kclient.Client
-	store       *esv1alpha1.OracleProvider
+	store       *esv1alpha2.OracleProvider
 	namespace   string
 	storeKind   string
 	tenancy     string
@@ -85,7 +85,7 @@ func (c *client) setAuth(ctx context.Context) error {
 	}
 
 	// only ClusterStore is allowed to set namespace (and then it's required)
-	if c.storeKind == esv1alpha1.ClusterSecretStoreKind {
+	if c.storeKind == esv1alpha2.ClusterSecretStoreKind {
 		if c.store.Auth.SecretRef.PrivateKey.Namespace == nil {
 			return fmt.Errorf(errInvalidClusterStoreMissingSKNamespace)
 		}
@@ -125,7 +125,7 @@ func (c *client) setAuth(ctx context.Context) error {
 	return nil
 }
 
-func (vms *VaultManagementService) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func (vms *VaultManagementService) GetSecret(ctx context.Context, ref esv1alpha2.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if utils.IsNil(vms.Client) {
 		return nil, fmt.Errorf(errUninitalizedOracleProvider)
 	}
@@ -164,12 +164,12 @@ func (vms *VaultManagementService) GetSecret(ctx context.Context, ref esv1alpha1
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (vms *VaultManagementService) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (vms *VaultManagementService) GetAllSecrets(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return nil, utils.ThrowNotImplemented()
 }
 
-func (vms *VaultManagementService) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (vms *VaultManagementService) GetSecretMap(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	data, err := vms.GetSecret(ctx, ref.GetDataRemoteRef())
 	if err != nil {
 		return nil, err
@@ -187,7 +187,7 @@ func (vms *VaultManagementService) GetSecretMap(ctx context.Context, ref esv1alp
 }
 
 // NewClient constructs a new secrets client based on the provided store.
-func (vms *VaultManagementService) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
+func (vms *VaultManagementService) NewClient(ctx context.Context, store esv1alpha2.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 	oracleSpec := storeSpec.Provider.Oracle
 
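Review bot: `oracleSpec := storeSpec.Provider.Oracle` dereferences the result of `store.GetSpec()` and its `Provider` pointer without a nil check, so a store object with an empty spec panics instead of returning an error. The Vault connector in this commit guards the equivalent path with `if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Vault == nil`, and the IBM `NewClient` hunk has the same unguarded `storeSpec.Provider.IBM`. I would add the matching guard before the dereference, for example `if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Oracle == nil { return nil, fmt.Errorf(errUninitalizedOracleProvider) }`, or use a dedicated message. Callers that resolve the provider through `schema.GetProvider` presumably never pass a nil `Provider`, but that is not visible here, and the function body continues outside the hunk.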
@@ -229,7 +229,7 @@ func (vms *VaultManagementService) Close(ctx context.Context) error {
 }
 
 func init() {
-	schema.Register(&VaultManagementService{}, &esv1alpha1.SecretStoreProvider{
-		Oracle: &esv1alpha1.OracleProvider{},
+	schema.Register(&VaultManagementService{}, &esv1alpha2.SecretStoreProvider{
+		Oracle: &esv1alpha2.OracleProvider{},
 	})
 }

+ 3 - 3
pkg/provider/oracle/oracle_test.go

@@ -22,7 +22,7 @@ import (
 	secrets "github.com/oracle/oci-go-sdk/v45/secrets"
 	utilpointer "k8s.io/utils/pointer"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	fakeoracle "github.com/external-secrets/external-secrets/pkg/provider/oracle/fake"
 	"github.com/external-secrets/external-secrets/pkg/utils"
 )
@@ -31,8 +31,8 @@ type vaultTestCase struct {
 	mockClient     *fakeoracle.OracleMockClient
 	apiInput       *secrets.GetSecretBundleByNameRequest
 	apiOutput      *secrets.GetSecretBundleByNameResponse
-	ref            *esv1alpha1.ExternalSecretDataRemoteRef
-	refFrom        *esv1alpha1.ExternalSecretDataFromRemoteRef
+	ref            *esv1alpha2.ExternalSecretDataRemoteRef
+	refFrom        *esv1alpha2.ExternalSecretDataFromRemoteRef
 	apiErr         error
 	expectError    string
 	expectedSecret string

+ 5 - 5
pkg/provider/provider.go

@@ -19,25 +19,25 @@ import (
 
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 )
 
 // Provider is a common interface for interacting with secret backends.
 type Provider interface {
 	// NewClient constructs a SecretsManager Provider
-	NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (SecretsClient, error)
+	NewClient(ctx context.Context, store esv1alpha2.GenericStore, kube client.Client, namespace string) (SecretsClient, error)
 }
 
 // SecretsClient provides access to secrets.
 type SecretsClient interface {
 	// GetSecret returns a single secret from the provider
-	GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error)
+	GetSecret(ctx context.Context, ref esv1alpha2.ExternalSecretDataRemoteRef) ([]byte, error)
 
 	// GetSecretMap returns multiple k/v pairs from the provider
-	GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error)
+	GetSecretMap(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error)
 
 	// GetSecretMap returns all k/v pairs from the provider
-	GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error)
+	GetAllSecrets(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error)
 
 	Close(ctx context.Context) error
 }
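Review bot: The doc comment above `GetAllSecrets` still reads `// GetSecretMap returns all k/v pairs from the provider`, so two methods of `SecretsClient` are documented under the same name and the second description is attached to the wrong method. It should read `// GetAllSecrets returns all k/v pairs from the provider`. `Close` has no comment at all; a line such as `// Close releases any resources held by the client` would state the contract, if that is what implementations are expected to do.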

+ 5 - 5
pkg/provider/schema/schema.go

@@ -19,7 +19,7 @@ import (
 	"fmt"
 	"sync"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 )
 
@@ -32,7 +32,7 @@ func init() {
 
 // Register a store backend type. Register panics if a
 // backend with the same store is already registered.
-func Register(s provider.Provider, storeSpec *esv1alpha1.SecretStoreProvider) {
+func Register(s provider.Provider, storeSpec *esv1alpha2.SecretStoreProvider) {
 	storeName, err := getProviderName(storeSpec)
 	if err != nil {
 		panic(fmt.Sprintf("store error registering schema: %s", err.Error()))
@@ -50,7 +50,7 @@ func Register(s provider.Provider, storeSpec *esv1alpha1.SecretStoreProvider) {
 
 // ForceRegister adds to store schema, overwriting a store if
 // already registered. Should only be used for testing.
-func ForceRegister(s provider.Provider, storeSpec *esv1alpha1.SecretStoreProvider) {
+func ForceRegister(s provider.Provider, storeSpec *esv1alpha2.SecretStoreProvider) {
 	storeName, err := getProviderName(storeSpec)
 	if err != nil {
 		panic(fmt.Sprintf("store error registering schema: %s", err.Error()))
@@ -70,7 +70,7 @@ func GetProviderByName(name string) (provider.Provider, bool) {
 }
 
 // GetProvider returns the provider from the generic store.
-func GetProvider(s esv1alpha1.GenericStore) (provider.Provider, error) {
+func GetProvider(s esv1alpha2.GenericStore) (provider.Provider, error) {
 	spec := s.GetSpec()
 	storeName, err := getProviderName(spec.Provider)
 	if err != nil {
@@ -90,7 +90,7 @@ func GetProvider(s esv1alpha1.GenericStore) (provider.Provider, error) {
 
 // getProviderName returns the name of the configured provider
 // or an error if the provider is not configured.
-func getProviderName(storeSpec *esv1alpha1.SecretStoreProvider) (string, error) {
+func getProviderName(storeSpec *esv1alpha2.SecretStoreProvider) (string, error) {
 	storeBytes, err := json.Marshal(storeSpec)
 	if err != nil || storeBytes == nil {
 		return "", fmt.Errorf("failed to marshal store spec: %w", err)
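Review bot: When `storeBytes == nil` is the reason this branch is taken, `err` is nil and `fmt.Errorf("failed to marshal store spec: %w", err)` yields a message ending in `%!w(<nil>)`, which hides the cause from whoever reads the panic raised by `Register` or `ForceRegister`. `json.Marshal` does not return nil bytes together with a nil error, so the simplest fix is to test only the error: `if err != nil {`. If the nil-bytes case is kept, it needs its own message without `%w`. The rest of `getProviderName` lies outside the hunk.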

+ 28 - 28
pkg/provider/schema/schema_test.go

@@ -20,7 +20,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/utils"
 )
@@ -30,23 +30,23 @@ type PP struct{}
 const shouldBeRegistered = "provider should be registered"
 
 // New constructs a SecretsManager Provider.
-func (p *PP) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
+func (p *PP) NewClient(ctx context.Context, store esv1alpha2.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
 	return p, nil
 }
 
 // GetSecret returns a single secret from the provider.
-func (p *PP) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func (p *PP) GetSecret(ctx context.Context, ref esv1alpha2.ExternalSecretDataRemoteRef) ([]byte, error) {
 	return []byte("NOOP"), nil
 }
 
 // GetSecretMap returns multiple k/v pairs from the provider.
-func (p *PP) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (p *PP) GetSecretMap(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	return map[string][]byte{}, nil
 }
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (p *PP) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (p *PP) GetAllSecrets(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return nil, utils.ThrowNotImplemented()
 }
@@ -64,22 +64,22 @@ func TestRegister(t *testing.T) {
 		name      string
 		expPanic  bool
 		expExists bool
-		provider  *esv1alpha1.SecretStoreProvider
+		provider  *esv1alpha2.SecretStoreProvider
 	}{
 		{
 			test:      "should panic when given an invalid provider",
 			name:      "aws",
 			expPanic:  true,
 			expExists: false,
-			provider:  &esv1alpha1.SecretStoreProvider{},
+			provider:  &esv1alpha2.SecretStoreProvider{},
 		},
 		{
 			test:      "should register an correct provider",
 			name:      "aws",
 			expExists: false,
-			provider: &esv1alpha1.SecretStoreProvider{
-				AWS: &esv1alpha1.AWSProvider{
-					Service: esv1alpha1.AWSServiceSecretsManager,
+			provider: &esv1alpha2.SecretStoreProvider{
+				AWS: &esv1alpha2.AWSProvider{
+					Service: esv1alpha2.AWSServiceSecretsManager,
 				},
 			},
 		},
@@ -88,9 +88,9 @@ func TestRegister(t *testing.T) {
 			name:      "aws",
 			expPanic:  true,
 			expExists: true,
-			provider: &esv1alpha1.SecretStoreProvider{
-				AWS: &esv1alpha1.AWSProvider{
-					Service: esv1alpha1.AWSServiceSecretsManager,
+			provider: &esv1alpha2.SecretStoreProvider{
+				AWS: &esv1alpha2.AWSProvider{
+					Service: esv1alpha2.AWSServiceSecretsManager,
 				},
 			},
 		},
@@ -107,10 +107,10 @@ func TestRegister(t *testing.T) {
 	}
 }
 
-func runTest(t *testing.T, name string, provider *esv1alpha1.SecretStoreProvider, expPanic bool) {
+func runTest(t *testing.T, name string, provider *esv1alpha2.SecretStoreProvider, expPanic bool) {
 	testProvider := &PP{}
-	secretStore := &esv1alpha1.SecretStore{
-		Spec: esv1alpha1.SecretStoreSpec{
+	secretStore := &esv1alpha2.SecretStore{
+		Spec: esv1alpha2.SecretStoreSpec{
 			Provider: provider,
 		},
 	}
@@ -133,19 +133,19 @@ func runTest(t *testing.T, name string, provider *esv1alpha1.SecretStoreProvider
 // ForceRegister is used by other tests, we should ensure it works as expected.
 func TestForceRegister(t *testing.T) {
 	testProvider := &PP{}
-	provider := &esv1alpha1.SecretStoreProvider{
-		AWS: &esv1alpha1.AWSProvider{
-			Service: esv1alpha1.AWSServiceParameterStore,
+	provider := &esv1alpha2.SecretStoreProvider{
+		AWS: &esv1alpha2.AWSProvider{
+			Service: esv1alpha2.AWSServiceParameterStore,
 		},
 	}
-	secretStore := &esv1alpha1.SecretStore{
-		Spec: esv1alpha1.SecretStoreSpec{
+	secretStore := &esv1alpha2.SecretStore{
+		Spec: esv1alpha2.SecretStoreSpec{
 			Provider: provider,
 		},
 	}
-	ForceRegister(testProvider, &esv1alpha1.SecretStoreProvider{
-		AWS: &esv1alpha1.AWSProvider{
-			Service: esv1alpha1.AWSServiceParameterStore,
+	ForceRegister(testProvider, &esv1alpha2.SecretStoreProvider{
+		AWS: &esv1alpha2.AWSProvider{
+			Service: esv1alpha2.AWSServiceParameterStore,
 		},
 	})
 	p1, ok := GetProviderByName("aws")
@@ -162,10 +162,10 @@ func TestRegisterGCP(t *testing.T) {
 	assert.False(t, ok, "provider should not be registered")
 
 	testProvider := &PP{}
-	secretStore := &esv1alpha1.SecretStore{
-		Spec: esv1alpha1.SecretStoreSpec{
-			Provider: &esv1alpha1.SecretStoreProvider{
-				GCPSM: &esv1alpha1.GCPSMProvider{},
+	secretStore := &esv1alpha2.SecretStore{
+		Spec: esv1alpha2.SecretStoreSpec{
+			Provider: &esv1alpha2.SecretStoreProvider{
+				GCPSM: &esv1alpha2.GCPSMProvider{},
 			},
 		},
 	}

+ 21 - 21
pkg/provider/vault/vault.go

@@ -32,7 +32,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
@@ -89,7 +89,7 @@ type Client interface {
 
 type client struct {
 	kube      kclient.Client
-	store     *esv1alpha1.VaultProvider
+	store     *esv1alpha2.VaultProvider
 	log       logr.Logger
 	client    Client
 	namespace string
@@ -99,8 +99,8 @@ type client struct {
 func init() {
 	schema.Register(&connector{
 		newVaultClient: newVaultClient,
-	}, &esv1alpha1.SecretStoreProvider{
-		Vault: &esv1alpha1.VaultProvider{},
+	}, &esv1alpha2.SecretStoreProvider{
+		Vault: &esv1alpha2.VaultProvider{},
 	})
 }
 
@@ -112,7 +112,7 @@ type connector struct {
 	newVaultClient func(c *vault.Config) (Client, error)
 }
 
-func (c *connector) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
+func (c *connector) NewClient(ctx context.Context, store esv1alpha2.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Vault == nil {
 		return nil, errors.New(errVaultStore)
@@ -153,7 +153,7 @@ func (c *connector) NewClient(ctx context.Context, store esv1alpha1.GenericStore
 	return vStore, nil
 }
 
-func (v *client) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func (v *client) GetSecret(ctx context.Context, ref esv1alpha2.ExternalSecretDataRemoteRef) ([]byte, error) {
 	data, err := v.readSecret(ctx, ref.Key, ref.Version)
 	if err != nil {
 		return nil, err
@@ -165,13 +165,13 @@ func (v *client) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDat
 	return value, nil
 }
 
-func (v *client) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (v *client) GetSecretMap(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	return v.readSecret(ctx, ref.Extract.Key, ref.Extract.Version)
 }
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (v *client) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (v *client) GetAllSecrets(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return nil, utils.ThrowNotImplemented()
 }
@@ -204,7 +204,7 @@ func (v *client) buildPath(path string) string {
 		cursor++
 	}
 
-	if v.store.Version == esv1alpha1.VaultKVStoreV2 {
+	if v.store.Version == esv1alpha2.VaultKVStoreV2 {
 		// Add the required `data` part of the URL for the v2 API
 		if len(origPath) < 2 || origPath[1] != "data" {
 			newPath = append(newPath, "data")
@@ -238,7 +238,7 @@ func (v *client) readSecret(ctx context.Context, path, version string) (map[stri
 	}
 
 	secretData := vaultSecret.Data
-	if v.store.Version == esv1alpha1.VaultKVStoreV2 {
+	if v.store.Version == esv1alpha2.VaultKVStoreV2 {
 		// Vault KV2 has data embedded within sub-field
 		// reference - https://www.vaultproject.io/api/secret/kv/kv-v2#read-secret-version
 		dataInt, ok := vaultSecret.Data["data"]
@@ -286,7 +286,7 @@ func (v *client) newConfig() (*vault.Config, error) {
 		}
 	}
 
-	if v.store.CAProvider != nil && v.storeKind == esv1alpha1.ClusterSecretStoreKind && v.store.CAProvider.Namespace == nil {
+	if v.store.CAProvider != nil && v.storeKind == esv1alpha2.ClusterSecretStoreKind && v.store.CAProvider.Namespace == nil {
 		return nil, errors.New(errCANamespace)
 	}
 
@@ -295,9 +295,9 @@ func (v *client) newConfig() (*vault.Config, error) {
 		var err error
 
 		switch v.store.CAProvider.Type {
-		case esv1alpha1.CAProviderTypeSecret:
+		case esv1alpha2.CAProviderTypeSecret:
 			cert, err = getCertFromSecret(v)
-		case esv1alpha1.CAProviderTypeConfigMap:
+		case esv1alpha2.CAProviderTypeConfigMap:
 			cert, err = getCertFromConfigMap(v)
 		default:
 			return nil, errors.New(errUnknownCAProvider)
@@ -484,7 +484,7 @@ func (v *client) secretKeyRefForServiceAccount(ctx context.Context, serviceAccou
 		Namespace: v.namespace,
 		Name:      serviceAccountRef.Name,
 	}
-	if (v.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
+	if (v.storeKind == esv1alpha2.ClusterSecretStoreKind) &&
 		(serviceAccountRef.Namespace != nil) {
 		ref.Namespace = *serviceAccountRef.Namespace
 	}
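Review bot: The namespace override in `secretKeyRefForServiceAccount` is the check that keeps a namespaced SecretStore from reading credentials out of another namespace, and nothing in the code says so. A comment on the condition, such as `// only a ClusterSecretStore may point at another namespace; a namespaced store always reads from v.namespace`, would keep a later refactor from weakening it. The same applies to the identical condition in `secretKeyRef` in the next hunk. A ClusterSecretStore with a nil `Namespace` falls back to `v.namespace` here, whereas the IBM and Oracle `setAuth` code rejects that case with `errInvalidClusterStoreMissingSKNamespace`; if the difference is intended, the comment should say so. Both functions start and end outside their hunks.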
@@ -517,7 +517,7 @@ func (v *client) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeySe
 		Namespace: v.namespace,
 		Name:      secretRef.Name,
 	}
-	if (v.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
+	if (v.storeKind == esv1alpha2.ClusterSecretStoreKind) &&
 		(secretRef.Namespace != nil) {
 		ref.Namespace = *secretRef.Namespace
 	}
@@ -545,7 +545,7 @@ func appRoleParameters(role, secret string) map[string]string {
 	}
 }
 
-func (v *client) requestTokenWithAppRoleRef(ctx context.Context, client Client, appRole *esv1alpha1.VaultAppRole) (string, error) {
+func (v *client) requestTokenWithAppRoleRef(ctx context.Context, client Client, appRole *esv1alpha2.VaultAppRole) (string, error) {
 	roleID := strings.TrimSpace(appRole.RoleID)
 
 	secretID, err := v.secretKeyRef(ctx, &appRole.SecretRef)
@@ -591,7 +591,7 @@ func kubeParameters(role, jwt string) map[string]string {
 	}
 }
 
-func (v *client) requestTokenWithKubernetesAuth(ctx context.Context, client Client, kubernetesAuth *esv1alpha1.VaultKubernetesAuth) (string, error) {
+func (v *client) requestTokenWithKubernetesAuth(ctx context.Context, client Client, kubernetesAuth *esv1alpha2.VaultKubernetesAuth) (string, error) {
 	jwtString, err := getJwtString(ctx, v, kubernetesAuth)
 	if err != nil {
 		return "", err
@@ -626,7 +626,7 @@ func (v *client) requestTokenWithKubernetesAuth(ctx context.Context, client Clie
 	return token, nil
 }
 
-func getJwtString(ctx context.Context, v *client, kubernetesAuth *esv1alpha1.VaultKubernetesAuth) (string, error) {
+func getJwtString(ctx context.Context, v *client, kubernetesAuth *esv1alpha2.VaultKubernetesAuth) (string, error) {
 	if kubernetesAuth.ServiceAccountRef != nil {
 		jwt, err := v.secretKeyRefForServiceAccount(ctx, kubernetesAuth.ServiceAccountRef)
 		if err != nil {
@@ -659,7 +659,7 @@ func getJwtString(ctx context.Context, v *client, kubernetesAuth *esv1alpha1.Vau
 	}
 }
 
-func (v *client) requestTokenWithLdapAuth(ctx context.Context, client Client, ldapAuth *esv1alpha1.VaultLdapAuth) (string, error) {
+func (v *client) requestTokenWithLdapAuth(ctx context.Context, client Client, ldapAuth *esv1alpha2.VaultLdapAuth) (string, error) {
 	username := strings.TrimSpace(ldapAuth.Username)
 
 	password, err := v.secretKeyRef(ctx, &ldapAuth.SecretRef)
@@ -698,7 +698,7 @@ func (v *client) requestTokenWithLdapAuth(ctx context.Context, client Client, ld
 	return token, nil
 }
 
-func (v *client) requestTokenWithJwtAuth(ctx context.Context, client Client, jwtAuth *esv1alpha1.VaultJwtAuth) (string, error) {
+func (v *client) requestTokenWithJwtAuth(ctx context.Context, client Client, jwtAuth *esv1alpha2.VaultJwtAuth) (string, error) {
 	role := strings.TrimSpace(jwtAuth.Role)
 
 	jwt, err := v.secretKeyRef(ctx, &jwtAuth.SecretRef)
@@ -738,7 +738,7 @@ func (v *client) requestTokenWithJwtAuth(ctx context.Context, client Client, jwt
 	return token, nil
 }
 
-func (v *client) requestTokenWithCertAuth(ctx context.Context, client Client, certAuth *esv1alpha1.VaultCertAuth, cfg *vault.Config) (string, error) {
+func (v *client) requestTokenWithCertAuth(ctx context.Context, client Client, certAuth *esv1alpha2.VaultCertAuth, cfg *vault.Config) (string, error) {
 	clientKey, err := v.secretKeyRef(ctx, &certAuth.SecretRef)
 	if err != nil {
 		return "", err

+ 44 - 44
pkg/provider/vault/vault_test.go

@@ -31,7 +31,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/pkg/provider/vault/fake"
 )
@@ -45,20 +45,20 @@ var (
 	secretStorePath = "secret"
 )
 
-func makeValidSecretStoreWithVersion(v esv1alpha1.VaultKVStoreVersion) *esv1alpha1.SecretStore {
-	return &esv1alpha1.SecretStore{
+func makeValidSecretStoreWithVersion(v esv1alpha2.VaultKVStoreVersion) *esv1alpha2.SecretStore {
+	return &esv1alpha2.SecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "vault-store",
 			Namespace: "default",
 		},
-		Spec: esv1alpha1.SecretStoreSpec{
-			Provider: &esv1alpha1.SecretStoreProvider{
-				Vault: &esv1alpha1.VaultProvider{
+		Spec: esv1alpha2.SecretStoreSpec{
+			Provider: &esv1alpha2.SecretStoreProvider{
+				Vault: &esv1alpha2.VaultProvider{
 					Server:  "vault.example.com",
 					Path:    &secretStorePath,
 					Version: v,
-					Auth: esv1alpha1.VaultAuth{
-						Kubernetes: &esv1alpha1.VaultKubernetesAuth{
+					Auth: esv1alpha2.VaultAuth{
+						Kubernetes: &esv1alpha2.VaultKubernetesAuth{
 							Path: "kubernetes",
 							Role: "kubernetes-auth-role",
 							ServiceAccountRef: &esmeta.ServiceAccountSelector{
@@ -72,24 +72,24 @@ func makeValidSecretStoreWithVersion(v esv1alpha1.VaultKVStoreVersion) *esv1alph
 	}
 }
 
-func makeValidSecretStore() *esv1alpha1.SecretStore {
-	return makeValidSecretStoreWithVersion(esv1alpha1.VaultKVStoreV2)
+func makeValidSecretStore() *esv1alpha2.SecretStore {
+	return makeValidSecretStoreWithVersion(esv1alpha2.VaultKVStoreV2)
 }
 
-func makeValidSecretStoreWithCerts() *esv1alpha1.SecretStore {
-	return &esv1alpha1.SecretStore{
+func makeValidSecretStoreWithCerts() *esv1alpha2.SecretStore {
+	return &esv1alpha2.SecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "vault-store",
 			Namespace: "default",
 		},
-		Spec: esv1alpha1.SecretStoreSpec{
-			Provider: &esv1alpha1.SecretStoreProvider{
-				Vault: &esv1alpha1.VaultProvider{
+		Spec: esv1alpha2.SecretStoreSpec{
+			Provider: &esv1alpha2.SecretStoreProvider{
+				Vault: &esv1alpha2.VaultProvider{
 					Server:  "vault.example.com",
 					Path:    &secretStorePath,
-					Version: esv1alpha1.VaultKVStoreV2,
-					Auth: esv1alpha1.VaultAuth{
-						Cert: &esv1alpha1.VaultCertAuth{
+					Version: esv1alpha2.VaultKVStoreV2,
+					Auth: esv1alpha2.VaultAuth{
+						Cert: &esv1alpha2.VaultCertAuth{
 							ClientCert: esmeta.SecretKeySelector{
 								Name: "tls-auth-certs",
 								Key:  "tls.crt",
@@ -106,9 +106,9 @@ func makeValidSecretStoreWithCerts() *esv1alpha1.SecretStore {
 	}
 }
 
-func makeValidSecretStoreWithK8sCerts(isSecret bool) *esv1alpha1.SecretStore {
+func makeValidSecretStoreWithK8sCerts(isSecret bool) *esv1alpha2.SecretStore {
 	store := makeSecretStore()
-	caProvider := &esv1alpha1.CAProvider{
+	caProvider := &esv1alpha2.CAProvider{
 		Name: "vault-cert",
 		Key:  "cert",
 	}
@@ -123,8 +123,8 @@ func makeValidSecretStoreWithK8sCerts(isSecret bool) *esv1alpha1.SecretStore {
 	return store
 }
 
-func makeInvalidClusterSecretStoreWithK8sCerts() *esv1alpha1.ClusterSecretStore {
-	return &esv1alpha1.ClusterSecretStore{
+func makeInvalidClusterSecretStoreWithK8sCerts() *esv1alpha2.ClusterSecretStore {
+	return &esv1alpha2.ClusterSecretStore{
 		TypeMeta: metav1.TypeMeta{
 			Kind: "ClusterSecretStore",
 		},
@@ -132,14 +132,14 @@ func makeInvalidClusterSecretStoreWithK8sCerts() *esv1alpha1.ClusterSecretStore
 			Name:      "vault-store",
 			Namespace: "default",
 		},
-		Spec: esv1alpha1.SecretStoreSpec{
-			Provider: &esv1alpha1.SecretStoreProvider{
-				Vault: &esv1alpha1.VaultProvider{
+		Spec: esv1alpha2.SecretStoreSpec{
+			Provider: &esv1alpha2.SecretStoreProvider{
+				Vault: &esv1alpha2.VaultProvider{
 					Server:  "vault.example.com",
 					Path:    &secretStorePath,
 					Version: "v2",
-					Auth: esv1alpha1.VaultAuth{
-						Kubernetes: &esv1alpha1.VaultKubernetesAuth{
+					Auth: esv1alpha2.VaultAuth{
+						Kubernetes: &esv1alpha2.VaultKubernetesAuth{
 							Path: "kubernetes",
 							Role: "kubernetes-auth-role",
 							ServiceAccountRef: &esmeta.ServiceAccountSelector{
@@ -147,7 +147,7 @@ func makeInvalidClusterSecretStoreWithK8sCerts() *esv1alpha1.ClusterSecretStore
 							},
 						},
 					},
-					CAProvider: &esv1alpha1.CAProvider{
+					CAProvider: &esv1alpha2.CAProvider{
 						Name: "vault-cert",
 						Key:  "cert",
 						Type: "Secret",
@@ -158,9 +158,9 @@ func makeInvalidClusterSecretStoreWithK8sCerts() *esv1alpha1.ClusterSecretStore
 	}
 }
 
-type secretStoreTweakFn func(s *esv1alpha1.SecretStore)
+type secretStoreTweakFn func(s *esv1alpha2.SecretStore)
 
-func makeSecretStore(tweaks ...secretStoreTweakFn) *esv1alpha1.SecretStore {
+func makeSecretStore(tweaks ...secretStoreTweakFn) *esv1alpha2.SecretStore {
 	store := makeValidSecretStore()
 
 	for _, fn := range tweaks {
@@ -193,7 +193,7 @@ func newVaultTokenIDResponse(token string) *vault.Response {
 
 type args struct {
 	newClientFunc func(c *vault.Config) (Client, error)
-	store         esv1alpha1.GenericStore
+	store         esv1alpha2.GenericStore
 	kube          kclient.Client
 	ns            string
 }
@@ -250,7 +250,7 @@ MIICsTCCAZkCFEJJ4daz5sxkFlzq9n1djLEuG7bmMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNVBAMMCHZh
 		"InvalidVaultStore": {
 			reason: "Should return error if given an invalid vault store.",
 			args: args{
-				store: &esv1alpha1.SecretStore{},
+				store: &esv1alpha2.SecretStore{},
 			},
 			want: want{
 				err: errors.New(errVaultStore),
@@ -259,7 +259,7 @@ MIICsTCCAZkCFEJJ4daz5sxkFlzq9n1djLEuG7bmMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNVBAMMCHZh
 		"AddVaultStoreCertsError": {
 			reason: "Should return error if given an invalid CA certificate.",
 			args: args{
-				store: makeSecretStore(func(s *esv1alpha1.SecretStore) {
+				store: makeSecretStore(func(s *esv1alpha2.SecretStore) {
 					s.Spec.Provider.Vault.CABundle = []byte("badcertdata")
 				}),
 			},
@@ -270,8 +270,8 @@ MIICsTCCAZkCFEJJ4daz5sxkFlzq9n1djLEuG7bmMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNVBAMMCHZh
 		"VaultAuthFormatError": {
 			reason: "Should return error if no valid authentication method is given.",
 			args: args{
-				store: makeSecretStore(func(s *esv1alpha1.SecretStore) {
-					s.Spec.Provider.Vault.Auth = esv1alpha1.VaultAuth{}
+				store: makeSecretStore(func(s *esv1alpha2.SecretStore) {
+					s.Spec.Provider.Vault.Auth = esv1alpha2.VaultAuth{}
 				}),
 			},
 			want: want{
@@ -293,7 +293,7 @@ MIICsTCCAZkCFEJJ4daz5sxkFlzq9n1djLEuG7bmMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNVBAMMCHZh
 		"GetKubeSecretError": {
 			reason: "Should return error if fetching kubernetes secret fails.",
 			args: args{
-				store: makeSecretStore(func(s *esv1alpha1.SecretStore) {
+				store: makeSecretStore(func(s *esv1alpha2.SecretStore) {
 					s.Spec.Provider.Vault.Auth.Kubernetes.ServiceAccountRef = nil
 					s.Spec.Provider.Vault.Auth.Kubernetes.SecretRef = &esmeta.SecretKeySelector{
 						Name: "vault-secret",
@@ -564,11 +564,11 @@ func TestGetSecretMap(t *testing.T) {
 	}
 
 	type args struct {
-		store    *esv1alpha1.VaultProvider
+		store    *esv1alpha2.VaultProvider
 		kube     kclient.Client
 		vClient  Client
 		ns       string
-		dataFrom esv1alpha1.ExternalSecretDataFromRemoteRef
+		dataFrom esv1alpha2.ExternalSecretDataFromRemoteRef
 	}
 
 	type want struct {
@@ -583,7 +583,7 @@ func TestGetSecretMap(t *testing.T) {
 		"ReadSecretKV1": {
 			reason: "Should map the secret even if it has a nil value",
 			args: args{
-				store: makeValidSecretStoreWithVersion(esv1alpha1.VaultKVStoreV1).Spec.Provider.Vault,
+				store: makeValidSecretStoreWithVersion(esv1alpha2.VaultKVStoreV1).Spec.Provider.Vault,
 				vClient: &fake.VaultClient{
 					MockNewRequest: fake.NewMockNewRequestFn(&vault.Request{}),
 					MockRawRequestWithContext: fake.NewMockRawRequestWithContextFn(
@@ -598,7 +598,7 @@ func TestGetSecretMap(t *testing.T) {
 		"ReadSecretKV2": {
 			reason: "Should map the secret even if it has a nil value",
 			args: args{
-				store: makeValidSecretStoreWithVersion(esv1alpha1.VaultKVStoreV2).Spec.Provider.Vault,
+				store: makeValidSecretStoreWithVersion(esv1alpha2.VaultKVStoreV2).Spec.Provider.Vault,
 				vClient: &fake.VaultClient{
 					MockNewRequest: fake.NewMockNewRequestFn(&vault.Request{}),
 					MockRawRequestWithContext: fake.NewMockRawRequestWithContextFn(
@@ -617,7 +617,7 @@ func TestGetSecretMap(t *testing.T) {
 		"ReadSecretWithNilValueKV1": {
 			reason: "Should map the secret even if it has a nil value",
 			args: args{
-				store: makeValidSecretStoreWithVersion(esv1alpha1.VaultKVStoreV1).Spec.Provider.Vault,
+				store: makeValidSecretStoreWithVersion(esv1alpha2.VaultKVStoreV1).Spec.Provider.Vault,
 				vClient: &fake.VaultClient{
 					MockNewRequest: fake.NewMockNewRequestFn(&vault.Request{}),
 					MockRawRequestWithContext: fake.NewMockRawRequestWithContextFn(
@@ -632,7 +632,7 @@ func TestGetSecretMap(t *testing.T) {
 		"ReadSecretWithNilValueKV2": {
 			reason: "Should map the secret even if it has a nil value",
 			args: args{
-				store: makeValidSecretStoreWithVersion(esv1alpha1.VaultKVStoreV2).Spec.Provider.Vault,
+				store: makeValidSecretStoreWithVersion(esv1alpha2.VaultKVStoreV2).Spec.Provider.Vault,
 				vClient: &fake.VaultClient{
 					MockNewRequest: fake.NewMockNewRequestFn(&vault.Request{}),
 					MockRawRequestWithContext: fake.NewMockRawRequestWithContextFn(
@@ -684,12 +684,12 @@ func TestGetSecretPath(t *testing.T) {
 	storeV2NoPath := storeV2.DeepCopy()
 	storeV2NoPath.Spec.Provider.Vault.Path = nil
 
-	storeV1 := makeValidSecretStoreWithVersion(esv1alpha1.VaultKVStoreV1)
+	storeV1 := makeValidSecretStoreWithVersion(esv1alpha2.VaultKVStoreV1)
 	storeV1NoPath := storeV1.DeepCopy()
 	storeV1NoPath.Spec.Provider.Vault.Path = nil
 
 	type args struct {
-		store    *esv1alpha1.VaultProvider
+		store    *esv1alpha2.VaultProvider
 		path     string
 		expected string
 	}

+ 20 - 20
pkg/provider/webhook/webhook.go

@@ -32,7 +32,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
@@ -45,19 +45,19 @@ type Provider struct{}
 
 type WebHook struct {
 	kube      client.Client
-	store     esv1alpha1.GenericStore
+	store     esv1alpha2.GenericStore
 	namespace string
 	storeKind string
 	http      *http.Client
 }
 
 func init() {
-	schema.Register(&Provider{}, &esv1alpha1.SecretStoreProvider{
-		Webhook: &esv1alpha1.WebhookProvider{},
+	schema.Register(&Provider{}, &esv1alpha2.SecretStoreProvider{
+		Webhook: &esv1alpha2.WebhookProvider{},
 	})
 }
 
-func (p *Provider) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
+func (p *Provider) NewClient(ctx context.Context, store esv1alpha2.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
 	whClient := &WebHook{
 		kube:      kube,
 		store:     store,
@@ -75,7 +75,7 @@ func (p *Provider) NewClient(ctx context.Context, store esv1alpha1.GenericStore,
 	return whClient, nil
 }
 
-func getProvider(store esv1alpha1.GenericStore) (*esv1alpha1.WebhookProvider, error) {
+func getProvider(store esv1alpha2.GenericStore) (*esv1alpha2.WebhookProvider, error) {
 	spc := store.GetSpec()
 	if spc == nil || spc.Provider == nil || spc.Provider.Webhook == nil {
 		return nil, fmt.Errorf("missing store provider webhook")
@@ -88,7 +88,7 @@ func (w *WebHook) getStoreSecret(ctx context.Context, ref esmeta.SecretKeySelect
 		Name:      ref.Name,
 		Namespace: w.namespace,
 	}
-	if w.storeKind == esv1alpha1.ClusterSecretStoreKind {
+	if w.storeKind == esv1alpha2.ClusterSecretStoreKind {
 		if ref.Namespace == nil {
 			return nil, fmt.Errorf("no namespace on ClusterSecretStore webhook secret %s", ref.Name)
 		}
@@ -101,7 +101,7 @@ func (w *WebHook) getStoreSecret(ctx context.Context, ref esmeta.SecretKeySelect
 	return secret, nil
 }
 
-func (w *WebHook) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func (w *WebHook) GetSecret(ctx context.Context, ref esv1alpha2.ExternalSecretDataRemoteRef) ([]byte, error) {
 	provider, err := getProvider(w.store)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get store: %w", err)
@@ -130,7 +130,7 @@ func (w *WebHook) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDa
 	return result, nil
 }
 
-func (w *WebHook) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (w *WebHook) GetSecretMap(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	provider, err := getProvider(w.store)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get store: %w", err)
@@ -179,7 +179,7 @@ func (w *WebHook) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecre
 	return values, nil
 }
 
-func (w *WebHook) getTemplateData(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef, secrets []esv1alpha1.WebhookSecret) (map[string]map[string]string, error) {
+func (w *WebHook) getTemplateData(ctx context.Context, ref esv1alpha2.ExternalSecretDataRemoteRef, secrets []esv1alpha2.WebhookSecret) (map[string]map[string]string, error) {
 	data := map[string]map[string]string{
 		"remoteRef": {
 			"key":      url.QueryEscape(ref.Key),
@@ -202,7 +202,7 @@ func (w *WebHook) getTemplateData(ctx context.Context, ref esv1alpha1.ExternalSe
 	return data, nil
 }
 
-func (w *WebHook) getWebhookData(ctx context.Context, provider *esv1alpha1.WebhookProvider, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func (w *WebHook) getWebhookData(ctx context.Context, provider *esv1alpha2.WebhookProvider, ref esv1alpha2.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if w.http == nil {
 		return nil, fmt.Errorf("http client not initialized")
 	}
@@ -246,7 +246,7 @@ func (w *WebHook) getWebhookData(ctx context.Context, provider *esv1alpha1.Webho
 	return io.ReadAll(resp.Body)
 }
 
-func (w *WebHook) getHTTPClient(provider *esv1alpha1.WebhookProvider) (*http.Client, error) {
+func (w *WebHook) getHTTPClient(provider *esv1alpha2.WebhookProvider) (*http.Client, error) {
 	client := &http.Client{}
 	if provider.Timeout != nil {
 		client.Timeout = provider.Timeout.Duration
@@ -268,7 +268,7 @@ func (w *WebHook) getHTTPClient(provider *esv1alpha1.WebhookProvider) (*http.Cli
 	return client, nil
 }
 
-func (w *WebHook) getCACertPool(provider *esv1alpha1.WebhookProvider) (*x509.CertPool, error) {
+func (w *WebHook) getCACertPool(provider *esv1alpha2.WebhookProvider) (*x509.CertPool, error) {
 	caCertPool := x509.NewCertPool()
 	if len(provider.CABundle) > 0 {
 		ok := caCertPool.AppendCertsFromPEM(provider.CABundle)
@@ -277,7 +277,7 @@ func (w *WebHook) getCACertPool(provider *esv1alpha1.WebhookProvider) (*x509.Cer
 		}
 	}
 
-	if provider.CAProvider != nil && w.storeKind == esv1alpha1.ClusterSecretStoreKind && provider.CAProvider.Namespace == nil {
+	if provider.CAProvider != nil && w.storeKind == esv1alpha2.ClusterSecretStoreKind && provider.CAProvider.Namespace == nil {
 		return nil, fmt.Errorf("missing namespace on CAProvider secret")
 	}
 
@@ -286,9 +286,9 @@ func (w *WebHook) getCACertPool(provider *esv1alpha1.WebhookProvider) (*x509.Cer
 		var err error
 
 		switch provider.CAProvider.Type {
-		case esv1alpha1.WebhookCAProviderTypeSecret:
+		case esv1alpha2.WebhookCAProviderTypeSecret:
 			cert, err = w.getCertFromSecret(provider)
-		case esv1alpha1.WebhookCAProviderTypeConfigMap:
+		case esv1alpha2.WebhookCAProviderTypeConfigMap:
 			cert, err = w.getCertFromConfigMap(provider)
 		default:
 			err = fmt.Errorf("unknown caprovider type: %s", provider.CAProvider.Type)
@@ -306,7 +306,7 @@ func (w *WebHook) getCACertPool(provider *esv1alpha1.WebhookProvider) (*x509.Cer
 	return caCertPool, nil
 }
 
-func (w *WebHook) getCertFromSecret(provider *esv1alpha1.WebhookProvider) ([]byte, error) {
+func (w *WebHook) getCertFromSecret(provider *esv1alpha2.WebhookProvider) ([]byte, error) {
 	secretRef := esmeta.SecretKeySelector{
 		Name: provider.CAProvider.Name,
 		Key:  provider.CAProvider.Key,
@@ -331,7 +331,7 @@ func (w *WebHook) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeyS
 		Namespace: w.namespace,
 		Name:      secretRef.Name,
 	}
-	if (w.storeKind == esv1alpha1.ClusterSecretStoreKind) &&
+	if (w.storeKind == esv1alpha2.ClusterSecretStoreKind) &&
 		(secretRef.Namespace != nil) {
 		ref.Namespace = *secretRef.Namespace
 	}
@@ -350,7 +350,7 @@ func (w *WebHook) secretKeyRef(ctx context.Context, secretRef *esmeta.SecretKeyS
 	return valueStr, nil
 }
 
-func (w *WebHook) getCertFromConfigMap(provider *esv1alpha1.WebhookProvider) ([]byte, error) {
+func (w *WebHook) getCertFromConfigMap(provider *esv1alpha2.WebhookProvider) ([]byte, error) {
 	objKey := client.ObjectKey{
 		Name: provider.CAProvider.Name,
 	}
@@ -376,7 +376,7 @@ func (w *WebHook) getCertFromConfigMap(provider *esv1alpha1.WebhookProvider) ([]
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (w *WebHook) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (w *WebHook) GetAllSecrets(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return nil, utils.ThrowNotImplemented()
 }
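Review bot: In `getWebhookData` the response is returned with `io.ReadAll(resp.Body)` and no size cap, so an endpoint that returns an oversized or never-ending body can exhaust the controller's memory; this migration leaves that unchanged. Wrapping the reader bounds it, e.g. `return io.ReadAll(io.LimitReader(resp.Body, maxWebhookResponseBytes))`, where `maxWebhookResponseBytes` is a placeholder name for a new constant. Relatedly, `getHTTPClient` starts from `&http.Client{}` and sets `Timeout` only when `provider.Timeout != nil`, so as far as these lines show a store without a configured timeout gets none; a default would be safer. Both function bodies continue outside the hunks, so confirm that no cap or default is applied in the lines not shown.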

+ 10 - 10
pkg/provider/webhook/webhook_test.go

@@ -27,7 +27,7 @@ import (
 	"gopkg.in/yaml.v3"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 )
 
@@ -269,8 +269,8 @@ func runTestCase(tc testCase, t *testing.T) {
 }
 
 func testGetSecretMap(tc testCase, t *testing.T, client provider.SecretsClient) {
-	testRef := esv1alpha1.ExternalSecretDataFromRemoteRef{
-		Extract: esv1alpha1.ExternalSecretExtract{
+	testRef := esv1alpha2.ExternalSecretDataFromRemoteRef{
+		Extract: esv1alpha2.ExternalSecretExtract{
 			Key:     tc.Args.Key,
 			Version: tc.Args.Version,
 		},
@@ -296,7 +296,7 @@ func testGetSecretMap(tc testCase, t *testing.T, client provider.SecretsClient)
 }
 
 func testGetSecret(tc testCase, t *testing.T, client provider.SecretsClient) {
-	testRef := esv1alpha1.ExternalSecretDataRemoteRef{
+	testRef := esv1alpha2.ExternalSecretDataRemoteRef{
 		Key:     tc.Args.Key,
 		Version: tc.Args.Version,
 	}
@@ -315,8 +315,8 @@ func testGetSecret(tc testCase, t *testing.T, client provider.SecretsClient) {
 	}
 }
 
-func makeClusterSecretStore(url string, args args) *esv1alpha1.ClusterSecretStore {
-	store := &esv1alpha1.ClusterSecretStore{
+func makeClusterSecretStore(url string, args args) *esv1alpha2.ClusterSecretStore {
+	store := &esv1alpha2.ClusterSecretStore{
 		TypeMeta: metav1.TypeMeta{
 			Kind: "ClusterSecretStore",
 		},
@@ -324,16 +324,16 @@ func makeClusterSecretStore(url string, args args) *esv1alpha1.ClusterSecretStor
 			Name:      "wehbook-store",
 			Namespace: "default",
 		},
-		Spec: esv1alpha1.SecretStoreSpec{
-			Provider: &esv1alpha1.SecretStoreProvider{
-				Webhook: &esv1alpha1.WebhookProvider{
+		Spec: esv1alpha2.SecretStoreSpec{
+			Provider: &esv1alpha2.SecretStoreProvider{
+				Webhook: &esv1alpha2.WebhookProvider{
 					URL:  url + args.URL,
 					Body: args.Body,
 					Headers: map[string]string{
 						"Content-Type": "application.json",
 						"X-SecretKey":  "{{ .remoteRef.key }}",
 					},
-					Result: esv1alpha1.WebhookResult{
+					Result: esv1alpha2.WebhookResult{
 						JSONPath: args.JSONPath,
 					},
 				},
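Review bot: The fixture in `makeClusterSecretStore` sends `"Content-Type": "application.json"`, which is not a valid media type and is most likely meant to be `"Content-Type": "application/json"`. The store name `"wehbook-store"` also looks like a typo for `webhook-store`. Neither line is touched by the type migration, and the test server may not inspect the header, so this stays cosmetic unless a handler starts validating it. The function continues past the end of the hunk.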

+ 9 - 9
pkg/provider/yandex/lockbox/lockbox.go

@@ -29,7 +29,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
 	"github.com/external-secrets/external-secrets/pkg/provider/yandex/lockbox/client"
@@ -67,7 +67,7 @@ func newLockboxProvider(yandexCloudCreator client.YandexCloudCreator) *lockboxPr
 }
 
 // NewClient constructs a Yandex Lockbox Provider.
-func (p *lockboxProvider) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
+func (p *lockboxProvider) NewClient(ctx context.Context, store esv1alpha2.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.YandexLockbox == nil {
 		return nil, fmt.Errorf("received invalid Yandex Lockbox SecretStore resource")
@@ -84,7 +84,7 @@ func (p *lockboxProvider) NewClient(ctx context.Context, store esv1alpha1.Generi
 	}
 
 	// only ClusterStore is allowed to set namespace (and then it's required)
-	if store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
+	if store.GetObjectKind().GroupVersionKind().Kind == esv1alpha2.ClusterSecretStoreKind {
 		if storeSpecYandexLockbox.Auth.AuthorizedKey.Namespace == nil {
 			return nil, fmt.Errorf("invalid ClusterSecretStore: missing AuthorizedKey Namespace")
 		}
@@ -116,7 +116,7 @@ func (p *lockboxProvider) NewClient(ctx context.Context, store esv1alpha1.Generi
 			Namespace: namespace,
 		}
 
-		if store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
+		if store.GetObjectKind().GroupVersionKind().Kind == esv1alpha2.ClusterSecretStoreKind {
 			if storeSpecYandexLockbox.CAProvider.Certificate.Namespace == nil {
 				return nil, fmt.Errorf("invalid ClusterSecretStore: missing CA certificate Namespace")
 			}
@@ -226,7 +226,7 @@ type lockboxSecretsClient struct {
 }
 
 // GetSecret returns a single secret from the provider.
-func (c *lockboxSecretsClient) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func (c *lockboxSecretsClient) GetSecret(ctx context.Context, ref esv1alpha2.ExternalSecretDataRemoteRef) ([]byte, error) {
 	entries, err := c.lockboxClient.GetPayloadEntries(ctx, c.iamToken, ref.Key, ref.Version)
 	if err != nil {
 		return nil, fmt.Errorf("unable to request secret payload to get secret: %w", err)
@@ -257,13 +257,13 @@ func (c *lockboxSecretsClient) GetSecret(ctx context.Context, ref esv1alpha1.Ext
 
 // Implements store.Client.GetAllSecrets Interface.
 // New version of GetAllSecrets.
-func (c *lockboxSecretsClient) GetAllSecrets(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (c *lockboxSecretsClient) GetAllSecrets(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	// TO be implemented
 	return nil, utils.ThrowNotImplemented()
 }
 
 // GetSecretMap returns multiple k/v pairs from the provider.
-func (c *lockboxSecretsClient) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
+func (c *lockboxSecretsClient) GetSecretMap(ctx context.Context, ref esv1alpha2.ExternalSecretDataFromRemoteRef) (map[string][]byte, error) {
 	entries, err := c.lockboxClient.GetPayloadEntries(ctx, c.iamToken, ref.Extract.Key, ref.Extract.Version)
 	if err != nil {
 		return nil, fmt.Errorf("unable to request secret payload to get secret map: %w", err)
@@ -327,8 +327,8 @@ func init() {
 
 	schema.Register(
 		lockboxProvider,
-		&esv1alpha1.SecretStoreProvider{
-			YandexLockbox: &esv1alpha1.YandexLockboxProvider{},
+		&esv1alpha2.SecretStoreProvider{
+			YandexLockbox: &esv1alpha2.YandexLockboxProvider{},
 		},
 	)
 }
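Review bot: `NewClient` decides whether the store is cluster-scoped with `store.GetObjectKind().GroupVersionKind().Kind == esv1alpha2.ClusterSecretStoreKind`, in both the authorized-key check and the CA-certificate check, and that comparison only works if the caller has populated TypeMeta on the object. If a ClusterSecretStore ever arrives with an empty Kind, both "missing ... Namespace" checks are skipped, and the CA-certificate lookup keeps `Namespace: namespace` as far as the visible lines show. A type assertion does not depend on TypeMeta: `_, isCluster := store.(*esv1alpha2.ClusterSecretStore)`. The body of `NewClient` extends beyond these hunks, so the fallback behaviour should be confirmed there.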

+ 18 - 18
pkg/provider/yandex/lockbox/lockbox_test.go

@@ -32,7 +32,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
 	"github.com/external-secrets/external-secrets/pkg/provider/yandex/lockbox/client/fake"
@@ -48,13 +48,13 @@ func TestNewClient(t *testing.T) {
 	ctx := context.Background()
 	const namespace = "namespace"
 
-	store := &esv1alpha1.SecretStore{
+	store := &esv1alpha2.SecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: namespace,
 		},
-		Spec: esv1alpha1.SecretStoreSpec{
-			Provider: &esv1alpha1.SecretStoreProvider{
-				YandexLockbox: &esv1alpha1.YandexLockboxProvider{},
+		Spec: esv1alpha2.SecretStoreSpec{
+			Provider: &esv1alpha2.SecretStoreProvider{
+				YandexLockbox: &esv1alpha2.YandexLockboxProvider{},
 			},
 		},
 	}
@@ -66,7 +66,7 @@ func TestNewClient(t *testing.T) {
 	tassert.EqualError(t, err, errMissingKey)
 	tassert.Nil(t, secretClient)
 
-	store.Spec.Provider.YandexLockbox.Auth = esv1alpha1.YandexLockboxAuth{}
+	store.Spec.Provider.YandexLockbox.Auth = esv1alpha2.YandexLockboxAuth{}
 	secretClient, err = provider.NewClient(context.Background(), store, k8sClient, namespace)
 	tassert.EqualError(t, err, errMissingKey)
 	tassert.Nil(t, secretClient)
@@ -89,7 +89,7 @@ func TestNewClient(t *testing.T) {
 
 	const caCertificateSecretName = "caCertificateSecretName"
 	const caCertificateSecretKey = "caCertificateSecretKey"
-	store.Spec.Provider.YandexLockbox.CAProvider = &esv1alpha1.YandexLockboxCAProvider{
+	store.Spec.Provider.YandexLockbox.CAProvider = &esv1alpha2.YandexLockboxCAProvider{
 		Certificate: esmeta.SecretKeySelector{
 			Key:  caCertificateSecretKey,
 			Name: caCertificateSecretName,
@@ -619,16 +619,16 @@ func TestGetSecretMapByVersionID(t *testing.T) {
 
 // helper functions
 
-func newYandexLockboxSecretStore(apiEndpoint, namespace, authorizedKeySecretName, authorizedKeySecretKey string) esv1alpha1.GenericStore {
-	return &esv1alpha1.SecretStore{
+func newYandexLockboxSecretStore(apiEndpoint, namespace, authorizedKeySecretName, authorizedKeySecretKey string) esv1alpha2.GenericStore {
+	return &esv1alpha2.SecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: namespace,
 		},
-		Spec: esv1alpha1.SecretStoreSpec{
-			Provider: &esv1alpha1.SecretStoreProvider{
-				YandexLockbox: &esv1alpha1.YandexLockboxProvider{
+		Spec: esv1alpha2.SecretStoreSpec{
+			Provider: &esv1alpha2.SecretStoreProvider{
+				YandexLockbox: &esv1alpha2.YandexLockboxProvider{
 					APIEndpoint: apiEndpoint,
-					Auth: esv1alpha1.YandexLockboxAuth{
+					Auth: esv1alpha2.YandexLockboxAuth{
 						AuthorizedKey: esmeta.SecretKeySelector{
 							Name: authorizedKeySecretName,
 							Key:  authorizedKeySecretKey,
@@ -640,17 +640,17 @@ func newYandexLockboxSecretStore(apiEndpoint, namespace, authorizedKeySecretName
 	}
 }
 
-func getRemoteDef(key, property, version string) esv1alpha1.ExternalSecretDataRemoteRef {
-	return esv1alpha1.ExternalSecretDataRemoteRef{
+func getRemoteDef(key, property, version string) esv1alpha2.ExternalSecretDataRemoteRef {
+	return esv1alpha2.ExternalSecretDataRemoteRef{
 		Key:      key,
 		Property: property,
 		Version:  version,
 	}
 }
 
-func getRemoteFromDef(key, property, version string) esv1alpha1.ExternalSecretDataFromRemoteRef {
-	return esv1alpha1.ExternalSecretDataFromRemoteRef{
-		Extract: esv1alpha1.ExternalSecretExtract{
+func getRemoteFromDef(key, property, version string) esv1alpha2.ExternalSecretDataFromRemoteRef {
+	return esv1alpha2.ExternalSecretDataFromRemoteRef{
+		Extract: esv1alpha2.ExternalSecretExtract{
 			Key:      key,
 			Property: property,
 			Version:  version,

+ 8 - 8
pkg/utils/utils.go

@@ -23,7 +23,7 @@ import (
 	"runtime"
 	"strings"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1alpha2 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha2"
 )
 
 const (
@@ -76,25 +76,25 @@ func ErrorContains(out error, want string) bool {
 	return strings.Contains(out.Error(), want)
 }
 
-func MakeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
+func MakeValidRef() *esv1alpha2.ExternalSecretDataRemoteRef {
 	return MakeValidRefWithParams(testSecret, "", defaultVersion)
 }
 
-func MakeValidRefWithParams(key, property, version string) *esv1alpha1.ExternalSecretDataRemoteRef {
-	return &esv1alpha1.ExternalSecretDataRemoteRef{
+func MakeValidRefWithParams(key, property, version string) *esv1alpha2.ExternalSecretDataRemoteRef {
+	return &esv1alpha2.ExternalSecretDataRemoteRef{
 		Key:      key,
 		Property: property,
 		Version:  version,
 	}
 }
 
-func MakeValidRefFrom() *esv1alpha1.ExternalSecretDataFromRemoteRef {
+func MakeValidRefFrom() *esv1alpha2.ExternalSecretDataFromRemoteRef {
 	return MakeValidRefFromWithParams(testSecret, "", defaultVersion)
 }
 
-func MakeValidRefFromWithParams(key, property, version string) *esv1alpha1.ExternalSecretDataFromRemoteRef {
-	return &esv1alpha1.ExternalSecretDataFromRemoteRef{
-		Extract: esv1alpha1.ExternalSecretExtract{
+func MakeValidRefFromWithParams(key, property, version string) *esv1alpha2.ExternalSecretDataFromRemoteRef {
+	return &esv1alpha2.ExternalSecretDataFromRemoteRef{
+		Extract: esv1alpha2.ExternalSecretExtract{
 			Key:      key,
 			Property: property,
 			Version:  version,