Adding notes on configuring ClusterSecretStores for every provider

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>

docs/provider-akeyless.md

@@ -40,7 +40,7 @@ Be sure the `akeyless` provider is listed in the `Kind=SecretStore` and the `ake
 ```yaml
 {% include 'akeyless-secret-store.yaml' %}
 ```
-
+**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` for `accessID`, `accessType` and `accessTypeParam` with the namespaces where the secrets reside.
 ### Creating external secret
 
 To get a secret from Akeyless and secret it on the Kubernetes cluster, a `Kind=ExternalSecret` is needed.
@@ -49,6 +49,7 @@ To get a secret from Akeyless and secret it on the Kubernetes cluster, a `Kind=E
 {% include 'akeyless-external-secret.yaml' %}
 ```
 
+
 #### Using DataFrom
 
 DataFrom can be used to get a secret as a JSON string and attempt to parse it.

docs/provider-aws-parameter-store.md

@@ -11,6 +11,7 @@ way users of the `SecretStore` can only access the secrets necessary.
 ``` yaml
 {% include 'aws-parameter-store.yaml' %}
 ```
+**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `accessKeyIDSecretRef` and `secretAccessKeySecretRef`  with the namespaces where the secrets reside.
 
 !!! warning "API Pricing & Throttling"
     The SSM Parameter Store API is charged by throughput and

docs/provider-aws-secrets-manager.md

@@ -11,7 +11,7 @@ way users of the `SecretStore` can only access the secrets necessary.
 ``` yaml
 {% include 'aws-sm-store.yaml' %}
 ```
-
+**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `accessKeyIDSecretRef` and `secretAccessKeySecretRef`  with the namespaces where the secrets reside.
 ### IAM Policy
 
 Create a IAM Policy to pin down access to secrets matching `dev-*`.

docs/provider-azure-key-vault.md

@@ -31,6 +31,7 @@ Be sure the `azurekv` provider is listed in the `Kind=SecretStore`
 ```yaml
 {% include 'azkv-secret-store.yaml' %}
 ```
+**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `clientId` and `clientSecret`  with the namespaces where the secrets reside.
 
 Or in case of Managed Idenetity authentication:
 

docs/provider-gitlab-project-variables.md

@@ -27,6 +27,7 @@ Be sure the `gitlab` provider is listed in the `Kind=SecretStore` and the Projec
 ```yaml
 {% include 'gitlab-secret-store.yaml' %}
 ```
+**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `accessToken` with the namespace where the secret resides.
 
 Your project ID can be found on your project's page.
 ![projectID](./pictures/screenshot_gitlab_projectID.png)

docs/provider-google-secrets-manager.md

@@ -84,7 +84,6 @@ You can use [GCP Service Account](https://cloud.google.com/iam/docs/service-acco
 {% include 'gcpsm-credentials-secret.yaml' %}
 ```
 
-**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` for `SecretAccessKeyRef` with the namespace of the secret that we just created.
 
 #### Update secret store
 Be sure the `gcpsm` provider is listed in the `Kind=SecretStore`
@@ -93,6 +92,8 @@ Be sure the `gcpsm` provider is listed in the `Kind=SecretStore`
 {% include 'gcpsm-secret-store.yaml' %}
 ```
 
+**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` for `SecretAccessKeyRef` with the namespace of the secret that we just created.
+
 #### Creating external secret
 
 To create a kubernetes secret from the GCP Secret Manager secret a `Kind=ExternalSecret` is needed.

docs/provider-hashicorp-vault.md

@@ -26,7 +26,6 @@ spec:
         # https://www.vaultproject.io/docs/auth/token
         tokenSecretRef:
           name: "vault-token"
-          namespace: "default"
           key: "token"
 ---
 apiVersion: v1
@@ -36,6 +35,7 @@ metadata:
 data:
   token: cm9vdA== # "root"
 ```
+**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` for `tokenSecretRef` with the namespace of the secret that we just created.
 
 Then create a simple k/v pair at path `secret/foo`:
 
@@ -92,6 +92,7 @@ A static token is stored in a `Kind=Secret` and is used to authenticate with vau
 ```yaml
 {% include 'vault-token-store.yaml' %}
 ```
+**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `tokenSecretRef` with the namespace where the secret resides.
 
 #### AppRole authentication example
 
@@ -101,6 +102,7 @@ A static token is stored in a `Kind=Secret` and is used to authenticate with vau
 ```yaml
 {% include 'vault-approle-store.yaml' %}
 ```
+**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `secretRef` with the namespace where the secret resides.
 
 #### Kubernetes authentication
 
@@ -115,6 +117,7 @@ options of optaining credentials for vault:
 ```yaml
 {% include 'vault-kubernetes-store.yaml' %}
 ```
+**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `serviceAccountRef` or in `secretRef`, if used.
 
 #### LDAP authentication
 
@@ -126,6 +129,7 @@ in a `Kind=Secret` referenced by the `secretRef`.
 ```yaml
 {% include 'vault-ldap-store.yaml' %}
 ```
+**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `secretRef` with the namespace where the secret resides.
 
 #### JWT/OIDC authentication
 
@@ -137,6 +141,7 @@ or `Kind=ClusterSecretStore` resource.
 ```yaml
 {% include 'vault-jwt-store.yaml' %}
 ```
+**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `secretRef` with the namespace where the secret resides.
 
 ### Vault Enterprise and Eventual Consistency
 

docs/provider-ibm-secrets-manager.md

@@ -40,6 +40,7 @@ Be sure the `ibm` provider is listed in the `Kind=SecretStore`
 ```yaml
 {% include 'ibm-secret-store.yaml' %}
 ```
+**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `secretApiKeySecretRef` with the namespace where the secret resides.
 
 To find your serviceURL, under your Secrets Manager resource, go to "Endpoints" on the left.
 Note: Use the url without the `/api` suffix that is presented in the UI.

docs/provider-oracle-vault.md

@@ -38,6 +38,7 @@ Be sure the `oracle` provider is listed in the `Kind=SecretStore`.
 {% include 'oracle-secret-store.yaml' %}
 ```
 
+**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `privatekey` and `fingerprint` with the namespaces where the secrets reside.
 ### Creating external secret
 
 To create a kubernetes secret from the Oracle Cloud Interface secret a`Kind=ExternalSecret` is needed.

docs/provider-webhook.md

@@ -38,6 +38,8 @@ data:
 
 NB: This is obviously not practical because it just returns the key as the result, but it shows how it works
 
+**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in all `secrets` references with the namespaces where the secrets reside.
+
 Now create an ExternalSecret that uses the above SecretStore:
 
 ```yaml
@@ -107,14 +109,14 @@ spec:
       # Use this name to refer to this secret in templating, above
       - name: <name>
         secretRef:
-          namespace: <namespace>
+          namespace: <namespace> # Only used in ClusterSecretStores
           name: <name>
       # Add CAs here for the TLS handshake
       caBundle: <base64 encoded cabundle>
       caProvider:
         type: Secret or COnfigMap
         name: <name of secret or configmap>
-        namespace: <namespace>
+        namespace: <namespace> # Only used in ClusterSecretStores
         key: <key inside secret>
 ```
 

docs/provider-yandex-lockbox.md

@@ -39,6 +39,7 @@ spec:
           key: authorized-key
 ```
 
+**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in all `authorizedKeySecretRef` with the namespace where the secret resides.
 ### Creating external secret
 To make External Secrets Operator sync a k8s secret with a Lockbox secret:
 

docs/snippets/provider-aws-access.md

@@ -50,6 +50,7 @@ spec:
             name: awssm-secret
             key: secret-access-key
 ```
+**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `accessKeyIDSecretRef`, `secretAccessKeySecretRef`  with the namespaces where the secrets reside.
 
 ### EKS Service Account credentials
 
@@ -86,3 +87,4 @@ spec:
           serviceAccountRef:
             name: my-serviceaccount
 ```
+**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` for `serviceAccountRef` with the namespace where the service account resides.

docs/snippets/vault-approle-store.yaml

@@ -21,5 +21,4 @@ spec:
           # Reference to a key in a K8 Secret that contains the App Role SecretId
           secretRef:
             name: "my-secret"
-            namespace: "secret-admin"
             key: "secret-id"

docs/snippets/vault-jwt-store.yaml

@@ -19,5 +19,4 @@ spec:
           role: "vault-jwt-role"
           secretRef:
             name: "my-secret"
-            namespace: "secret-admin"
             key: "jwt-token"

docs/snippets/vault-kubernetes-store.yaml

@@ -22,10 +22,8 @@ spec:
           # of a kubernetes ServiceAccount
           serviceAccountRef:
             name: "my-sa"
-            namespace: "secret-admin"
           # Optional secret field containing a Kubernetes ServiceAccount JWT
           #  used for authenticating with Vault
           secretRef:
             name: "my-secret"
-            namespace: "secret-admin"
             key: "vault"

docs/snippets/vault-ldap-store.yaml

@@ -19,5 +19,4 @@ spec:
           username: "username"
           secretRef:
             name: "my-secret"
-            namespace: "secret-admin"
             key: "ldap-password"

docs/snippets/vault-token-store.yaml

@@ -14,5 +14,4 @@ spec:
         # https://www.vaultproject.io/docs/auth/token
         tokenSecretRef:
           name: "my-secret"
-          namespace: "secret-admin"
           key: "vault-token"