
chore(linter): fix linter issue in `api` and `cmd` package (#5413)

* chore(linter): fix linter issue in api and cmd package

Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>

* configure sonarqube to ignore godoc comments as duplicates

Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>

* update sonarqube config

Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>

* update sonarqube config

Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>

* update sonarqube config

Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>

* update sonarqube config

Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>

* update sonarqube config

Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>

* update sonarqube config

Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>

* update the api docs

Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>

---------

Signed-off-by: Olumide Ogundele <olumideralph@gmail.com>
Co-authored-by: Gergely Brautigam <skarlso777@gmail.com>
Ogundele Olumide před 7 měsíci
rodič
revize
6f411f5569
100 změnil soubory, kde provedl 712 přidání a 224 odebrání
  1. 12 1
      .sonarcloud.properties
  2. 1 0
      apis/doc.go
  3. 2 0
      apis/externalsecrets/doc.go
  4. 4 1
      apis/externalsecrets/v1/clusterexternalsecret_types.go
  5. 84 25
      apis/externalsecrets/v1/externalsecret_types.go
  6. 7 0
      apis/externalsecrets/v1/externalsecret_validator.go
  7. 1 0
      apis/externalsecrets/v1/externalsecret_webhook.go
  8. 9 0
      apis/externalsecrets/v1/fakes/pushremoteref.go
  9. 16 0
      apis/externalsecrets/v1/generic_store.go
  10. 8 4
      apis/externalsecrets/v1/provider.go
  11. 7 0
      apis/externalsecrets/v1/provider_schema_maintenance.go
  12. 3 1
      apis/externalsecrets/v1/register.go
  13. 3 1
      apis/externalsecrets/v1/secretsstore_delinea_types.go
  14. 14 2
      apis/externalsecrets/v1/secretsstore_infisical_types.go
  15. 3 1
      apis/externalsecrets/v1/secretsstore_passbolt_types.go
  16. 4 1
      apis/externalsecrets/v1/secretsstore_secretserver_types.go
  17. 5 2
      apis/externalsecrets/v1/secretstore_akeyless_types.go
  18. 1 1
      apis/externalsecrets/v1/secretstore_alibaba_types.go
  19. 4 2
      apis/externalsecrets/v1/secretstore_aws_types.go
  20. 8 7
      apis/externalsecrets/v1/secretstore_azurekv_types.go
  21. 5 2
      apis/externalsecrets/v1/secretstore_beyondtrust_types.go
  22. 5 0
      apis/externalsecrets/v1/secretstore_conjur_types.go
  23. 2 0
      apis/externalsecrets/v1/secretstore_device42_types.go
  24. 2 0
      apis/externalsecrets/v1/secretstore_doppler_types.go
  25. 1 0
      apis/externalsecrets/v1/secretstore_fake_types.go
  26. 3 0
      apis/externalsecrets/v1/secretstore_fortanix_types.go
  27. 4 0
      apis/externalsecrets/v1/secretstore_gcpsm_types.go
  28. 2 1
      apis/externalsecrets/v1/secretstore_github_types.go
  29. 3 1
      apis/externalsecrets/v1/secretstore_gitlab_types.go
  30. 4 2
      apis/externalsecrets/v1/secretstore_ibm_types.go
  31. 5 2
      apis/externalsecrets/v1/secretstore_kubernetes_types.go
  32. 3 0
      apis/externalsecrets/v1/secretstore_ngrok_types.go
  33. 4 2
      apis/externalsecrets/v1/secretstore_oracle_types.go
  34. 3 1
      apis/externalsecrets/v1/secretstore_passworddeport_types.go
  35. 2 0
      apis/externalsecrets/v1/secretstore_pulumi_types.go
  36. 2 2
      apis/externalsecrets/v1/secretstore_scaleway_types.go
  37. 17 5
      apis/externalsecrets/v1/secretstore_types.go
  38. 2 0
      apis/externalsecrets/v1/secretstore_validator.go
  39. 5 3
      apis/externalsecrets/v1/secretstore_vault_types.go
  40. 2 0
      apis/externalsecrets/v1/secretstore_webhook.go
  41. 10 3
      apis/externalsecrets/v1/secretstore_webhook_types.go
  42. 3 0
      apis/externalsecrets/v1/secretstore_yandex_types.go
  43. 12 12
      apis/externalsecrets/v1/zz_generated.deepcopy.go
  44. 35 6
      apis/externalsecrets/v1alpha1/pushsecret_types.go
  45. 16 7
      apis/externalsecrets/v1alpha1/register.go
  46. 4 1
      apis/externalsecrets/v1beta1/clusterexternalsecret_types.go
  47. 74 25
      apis/externalsecrets/v1beta1/externalsecret_types.go
  48. 4 0
      apis/externalsecrets/v1beta1/externalsecret_validator.go
  49. 1 0
      apis/externalsecrets/v1beta1/externalsecret_webhook.go
  50. 9 0
      apis/externalsecrets/v1beta1/fakes/pushremoteref.go
  51. 16 0
      apis/externalsecrets/v1beta1/generic_store.go
  52. 6 5
      apis/externalsecrets/v1beta1/provider.go
  53. 3 1
      apis/externalsecrets/v1beta1/register.go
  54. 2 0
      apis/externalsecrets/v1beta1/secretsstore_delinea_types.go
  55. 3 0
      apis/externalsecrets/v1beta1/secretsstore_infisical_types.go
  56. 5 2
      apis/externalsecrets/v1beta1/secretsstore_passbolt_types.go
  57. 2 0
      apis/externalsecrets/v1beta1/secretsstore_secretserver_types.go
  58. 3 2
      apis/externalsecrets/v1beta1/secretstore_akeyless_types.go
  59. 1 1
      apis/externalsecrets/v1beta1/secretstore_alibaba_types.go
  60. 3 2
      apis/externalsecrets/v1beta1/secretstore_aws_types.go
  61. 13 9
      apis/externalsecrets/v1beta1/secretstore_azurekv_types.go
  62. 4 2
      apis/externalsecrets/v1beta1/secretstore_beyondtrust_types.go
  63. 4 0
      apis/externalsecrets/v1beta1/secretstore_conjur_types.go
  64. 2 0
      apis/externalsecrets/v1beta1/secretstore_device42_types.go
  65. 2 2
      apis/externalsecrets/v1beta1/secretstore_doppler_types.go
  66. 1 0
      apis/externalsecrets/v1beta1/secretstore_fake_types.go
  67. 3 0
      apis/externalsecrets/v1beta1/secretstore_fortanix_types.go
  68. 3 0
      apis/externalsecrets/v1beta1/secretstore_gcpsm_types.go
  69. 2 1
      apis/externalsecrets/v1beta1/secretstore_github_types.go
  70. 3 1
      apis/externalsecrets/v1beta1/secretstore_gitlab_types.go
  71. 4 3
      apis/externalsecrets/v1beta1/secretstore_ibm_types.go
  72. 5 1
      apis/externalsecrets/v1beta1/secretstore_kubernetes_types.go
  73. 4 2
      apis/externalsecrets/v1beta1/secretstore_oracle_types.go
  74. 3 1
      apis/externalsecrets/v1beta1/secretstore_passworddeport_types.go
  75. 2 0
      apis/externalsecrets/v1beta1/secretstore_pulumi_types.go
  76. 2 0
      apis/externalsecrets/v1beta1/secretstore_scaleway_types.go
  77. 23 7
      apis/externalsecrets/v1beta1/secretstore_types.go
  78. 1 0
      apis/externalsecrets/v1beta1/secretstore_validator.go
  79. 6 5
      apis/externalsecrets/v1beta1/secretstore_vault_types.go
  80. 2 0
      apis/externalsecrets/v1beta1/secretstore_webhook.go
  81. 8 3
      apis/externalsecrets/v1beta1/secretstore_webhook_types.go
  82. 3 1
      apis/externalsecrets/v1beta1/secretstore_yandexcertificatemanager_types.go
  83. 3 1
      apis/externalsecrets/v1beta1/secretstore_yandexlockbox_types.go
  84. 1 0
      apis/generators/v1alpha1/generator_interfaces.go
  85. 11 2
      apis/generators/v1alpha1/generator_state_types.go
  86. 1 0
      apis/generators/v1alpha1/generator_types.go
  87. 33 15
      apis/generators/v1alpha1/register.go
  88. 7 3
      apis/generators/v1alpha1/types_acr.go
  89. 1 0
      apis/generators/v1alpha1/types_cloudsmith.go
  90. 31 14
      apis/generators/v1alpha1/types_cluster.go
  91. 3 3
      apis/generators/v1alpha1/types_ecr.go
  92. 4 0
      apis/generators/v1alpha1/types_gcr.go
  93. 5 2
      apis/generators/v1alpha1/types_github.go
  94. 5 1
      apis/generators/v1alpha1/types_grafana.go
  95. 1 0
      apis/generators/v1alpha1/types_quay.go
  96. 1 0
      apis/generators/v1alpha1/types_sts.go
  97. 9 2
      apis/generators/v1alpha1/types_vault.go
  98. 9 3
      apis/generators/v1alpha1/types_webhook.go
  99. 1 1
      apis/meta/v1/doc.go
  100. 2 2
      apis/meta/v1/types.go

+ 12 - 1
.sonarcloud.properties

@@ -10,8 +10,19 @@ sonar.tests=.
 sonar.test.inclusions=**/*_test.go, e2e/**
 
 # Issues to ignore
-sonar.issue.ignore.multicriteria=g1
+sonar.issue.ignore.multicriteria=g1,g2,g3
 
 # Ignore "Define a constant instead of duplicating this literal" in tests
 sonar.issue.ignore.multicriteria.g1.ruleKey=go:S1192
 sonar.issue.ignore.multicriteria.g1.resourceKey=**/*_test.go, e2e/**
+
+# Ignore duplicated blocks in v1beta1 package - these are API versions and duplication is expected
+sonar.issue.ignore.multicriteria.g2.ruleKey=go:S1066
+sonar.issue.ignore.multicriteria.g2.resourceKey=apis/externalsecrets/v1beta1/**
+
+# Ignore duplicated blocks in v1 package - these are API versions and duplication is expected
+sonar.issue.ignore.multicriteria.g3.ruleKey=go:S1066
+sonar.issue.ignore.multicriteria.g3.resourceKey=apis/externalsecrets/v1/**
+
+# Exclude API directories from duplication detection altogether because duplication is expected between versions.
+sonar.cpd.exclusions=apis/externalsecrets/v1/**,apis/externalsecrets/v1beta1/**
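Review bot: The g2 and g3 entries are commented as ignoring duplicated blocks, but the rule key they suppress is `go:S1066`, which to my knowledge is Sonar's collapsible-`if` rule and not a duplication rule. Duplication is already covered by the `sonar.cpd.exclusions` line at the end of this hunk, so g2/g3 appear to silence an unrelated check across `apis/externalsecrets/v1/**` and `apis/externalsecrets/v1beta1/**`. Either drop them and keep `sonar.issue.ignore.multicriteria=g1`, or make the comments name the rule that is really ignored, e.g. `# Ignore go:S1066 (collapsible if statements) in the v1 API package`, so the scope of the suppression can be reviewed.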

+ 1 - 0
apis/doc.go

@@ -17,4 +17,5 @@ limitations under the License.
 //
 // +domain=external-secrets.io
 
+// Package apis contains Kubernetes API groups for external-secrets resources.
 package apis

+ 2 - 0
apis/externalsecrets/doc.go

@@ -16,4 +16,6 @@ limitations under the License.
 
 // +groupName=external-secrets.io
 
+// Package externalsecrets contains API Schema definitions for the externalsecrets API groups.
+// Currently, we have v1, v1alpha1 and v1beta1 versions.
 package externalsecrets

+ 4 - 1
apis/externalsecrets/v1/clusterexternalsecret_types.go

@@ -68,10 +68,13 @@ type ExternalSecretMetadata struct {
 	Labels map[string]string `json:"labels,omitempty"`
 }
 
+// ClusterExternalSecretConditionType defines a value type for ClusterExternalSecret conditions.
 type ClusterExternalSecretConditionType string
 
+// ClusterExternalSecretReady is a ClusterExternalSecretConditionType set when the ClusterExternalSecret is ready.
 const ClusterExternalSecretReady ClusterExternalSecretConditionType = "Ready"
 
+// ClusterExternalSecretStatusCondition defines the observed state of a ClusterExternalSecret resource.
 type ClusterExternalSecretStatusCondition struct {
 	Type   ClusterExternalSecretConditionType `json:"type"`
 	Status corev1.ConditionStatus             `json:"status"`
@@ -108,6 +111,7 @@ type ClusterExternalSecretStatus struct {
 	Conditions []ClusterExternalSecretStatusCondition `json:"conditions,omitempty"`
 }
 
+// ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
 // +kubebuilder:object:root=true
 // +kubebuilder:storageversion
 // +kubebuilder:resource:scope=Cluster,categories={external-secrets},shortName=ces
@@ -116,7 +120,6 @@ type ClusterExternalSecretStatus struct {
 // +kubebuilder:printcolumn:name="Store",type=string,JSONPath=`.spec.externalSecretSpec.secretStoreRef.name`
 // +kubebuilder:printcolumn:name="Refresh Interval",type=string,JSONPath=`.spec.refreshTime`
 // +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].status`
-// ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
 type ClusterExternalSecret struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

+ 84 - 25
apis/externalsecrets/v1/externalsecret_types.go

@@ -41,17 +41,17 @@ type SecretStoreRef struct {
 type ExternalSecretCreationPolicy string
 
 const (
-	// Owner creates the Secret and sets .metadata.ownerReferences to the ExternalSecret resource.
+	// CreatePolicyOwner creates the Secret and sets .metadata.ownerReferences to the ExternalSecret resource.
 	CreatePolicyOwner ExternalSecretCreationPolicy = "Owner"
 
-	// Orphan creates the Secret and does not set the ownerReference.
+	// CreatePolicyOrphan creates the Secret and does not set the ownerReference.
 	// I.e. it will be orphaned after the deletion of the ExternalSecret.
 	CreatePolicyOrphan ExternalSecretCreationPolicy = "Orphan"
 
-	// Merge does not create the Secret, but merges the data fields to the Secret.
+	// CreatePolicyMerge does not create the Secret, but merges the data fields to the Secret.
 	CreatePolicyMerge ExternalSecretCreationPolicy = "Merge"
 
-	// None does not create a Secret (future use with injector).
+	// CreatePolicyNone does not create a Secret (future use with injector).
 	CreatePolicyNone ExternalSecretCreationPolicy = "None"
 )
 
@@ -60,19 +60,19 @@ const (
 type ExternalSecretDeletionPolicy string
 
 const (
-	// Delete deletes the secret if all provider secrets are deleted.
+	// DeletionPolicyDelete deletes the secret if all provider secrets are deleted.
 	// If a secret gets deleted on the provider side and is not accessible
 	// anymore this is not considered an error and the ExternalSecret
 	// does not go into SecretSyncedError status.
 	DeletionPolicyDelete ExternalSecretDeletionPolicy = "Delete"
 
-	// Merge removes keys in the secret, but not the secret itself.
+	// DeletionPolicyMerge removes keys in the secret, but not the secret itself.
 	// If a secret gets deleted on the provider side and is not accessible
 	// anymore this is not considered an error and the ExternalSecret
 	// does not go into SecretSyncedError status.
 	DeletionPolicyMerge ExternalSecretDeletionPolicy = "Merge"
 
-	// Retain will retain the secret if all provider secrets have been deleted.
+	// DeletionPolicyRetain will retain the secret if all provider secrets have been deleted.
 	// If a provider secret does not exist the ExternalSecret gets into the
 	// SecretSyncedError status.
 	DeletionPolicyRetain ExternalSecretDeletionPolicy = "Retain"
@@ -115,21 +115,28 @@ type ExternalSecretTemplate struct {
 	TemplateFrom []TemplateFrom `json:"templateFrom,omitempty"`
 }
 
+// TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
 // +kubebuilder:validation:Enum=Replace;Merge
 type TemplateMergePolicy string
 
+// These constants are used to define the merge policy for templates.
 const (
 	MergePolicyReplace TemplateMergePolicy = "Replace"
 	MergePolicyMerge   TemplateMergePolicy = "Merge"
 )
 
+// TemplateEngineVersion specifies the template engine version that should be used to
+// compile/execute the template.
 // +kubebuilder:validation:Enum=v2
 type TemplateEngineVersion string
 
 const (
+	// TemplateEngineV2 is the currently supported template engine version.
 	TemplateEngineV2 TemplateEngineVersion = "v2"
 )
 
+// TemplateFrom specifies a source for templates.
+// Each item in the list can either reference a ConfigMap or a Secret resource.
 type TemplateFrom struct {
 	ConfigMap *TemplateRef `json:"configMap,omitempty"`
 	Secret    *TemplateRef `json:"secret,omitempty"`
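Review bot: `MergePolicyReplace` and `MergePolicyMerge` get only a group comment (`// These constants are used to define the merge policy for templates.`), which does not say what either value does, while `TemplateEngineV2` in the same hunk is documented individually. The type comment says the policy decides how the rendered template is merged with existing Secret data, so the difference between the two values is exactly what a reader needs. I would add one comment per constant, starting with `// MergePolicyReplace` and `// MergePolicyMerge`, each stating the effect on keys already present in the Secret. The `TemplateScope`, `TemplateTarget` and `ExternalSecretRewriteMergePriorityPolicy` groups in the later hunks of this file have the same gap.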
@@ -142,23 +149,28 @@ type TemplateFrom struct {
 	Literal *string `json:"literal,omitempty"`
 }
 
+// TemplateScope specifies how the template keys should be interpreted.
 // +kubebuilder:validation:Enum=Values;KeysAndValues
 type TemplateScope string
 
+// These are used to define the scope of templates.
 const (
 	TemplateScopeValues        TemplateScope = "Values"
 	TemplateScopeKeysAndValues TemplateScope = "KeysAndValues"
 )
 
+// TemplateTarget specifies where the rendered templates should be applied.
 // +kubebuilder:validation:Enum=Data;Annotations;Labels
 type TemplateTarget string
 
+// These are used to define the target of templates.
 const (
 	TemplateTargetData        TemplateTarget = "Data"
 	TemplateTargetAnnotations TemplateTarget = "Annotations"
 	TemplateTargetLabels      TemplateTarget = "Labels"
 )
 
+// TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
 type TemplateRef struct {
 	// The name of the ConfigMap/Secret resource
 	// +kubebuilder:validation:MinLength:=1
@@ -170,6 +182,7 @@ type TemplateRef struct {
 	Items []TemplateRefItem `json:"items"`
 }
 
+// TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
 type TemplateRefItem struct {
 	// A key in the ConfigMap/Secret
 	// +kubebuilder:validation:MinLength:=1
@@ -181,8 +194,8 @@ type TemplateRefItem struct {
 	TemplateAs TemplateScope `json:"templateAs,omitempty"`
 }
 
-// ExternalSecretTarget defines the Kubernetes Secret to be created
-// There can be only one target per ExternalSecret.
+// ExternalSecretTarget defines the Kubernetes Secret to be created,
+// there can be only one target per ExternalSecret.
 type ExternalSecretTarget struct {
 	// The name of the Secret resource to be managed.
 	// Defaults to the .metadata.name of the ExternalSecret resource
@@ -259,32 +272,45 @@ type ExternalSecretDataRemoteRef struct {
 	DecodingStrategy ExternalSecretDecodingStrategy `json:"decodingStrategy,omitempty"`
 }
 
+// ExternalSecretMetadataPolicy defines policies for fetching metadata from provider secrets.
 // +kubebuilder:validation:Enum=None;Fetch
 type ExternalSecretMetadataPolicy string
 
 const (
-	ExternalSecretMetadataPolicyNone  ExternalSecretMetadataPolicy = "None"
+	// ExternalSecretMetadataPolicyNone specifies that no metadata should be fetched from the provider.
+	ExternalSecretMetadataPolicyNone ExternalSecretMetadataPolicy = "None"
+	// ExternalSecretMetadataPolicyFetch specifies that metadata should be fetched from the provider.
 	ExternalSecretMetadataPolicyFetch ExternalSecretMetadataPolicy = "Fetch"
 )
 
+// ExternalSecretConversionStrategy defines strategies for converting secret values.
 // +kubebuilder:validation:Enum=Default;Unicode
 type ExternalSecretConversionStrategy string
 
 const (
+	// ExternalSecretConversionDefault specifies the default conversion strategy.
 	ExternalSecretConversionDefault ExternalSecretConversionStrategy = "Default"
+	// ExternalSecretConversionUnicode specifies that values should be treated as Unicode.
 	ExternalSecretConversionUnicode ExternalSecretConversionStrategy = "Unicode"
 )
 
+// ExternalSecretDecodingStrategy defines strategies for decoding secret values.
 // +kubebuilder:validation:Enum=Auto;Base64;Base64URL;None
 type ExternalSecretDecodingStrategy string
 
 const (
-	ExternalSecretDecodeAuto      ExternalSecretDecodingStrategy = "Auto"
-	ExternalSecretDecodeBase64    ExternalSecretDecodingStrategy = "Base64"
+	// ExternalSecretDecodeAuto specifies automatic detection of the decoding method.
+	ExternalSecretDecodeAuto ExternalSecretDecodingStrategy = "Auto"
+	// ExternalSecretDecodeBase64 specifies that values should be decoded using Base64.
+	ExternalSecretDecodeBase64 ExternalSecretDecodingStrategy = "Base64"
+	// ExternalSecretDecodeBase64URL specifies that values should be decoded using Base64URL.
 	ExternalSecretDecodeBase64URL ExternalSecretDecodingStrategy = "Base64URL"
-	ExternalSecretDecodeNone      ExternalSecretDecodingStrategy = "None"
+	// ExternalSecretDecodeNone specifies that no decoding should be performed.
+	ExternalSecretDecodeNone ExternalSecretDecodingStrategy = "None"
 )
 
+// ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data
+// when using DataFrom to fetch multiple values from a Provider.
 type ExternalSecretDataFromRemoteRef struct {
 	// Used to extract multiple key/value pairs from one secret
 	// Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
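Review bot: The comments added for `ExternalSecretConversionStrategy` and `ExternalSecretConversionUnicode` say the strategy converts secret values, but nothing in this hunk shows what is converted. As far as I recall from the rest of the project, the conversion strategy rewrites provider key names into valid Secret keys and leaves values alone; please confirm against the implementation. If that is right, the type comment should read `// ExternalSecretConversionStrategy defines how keys returned by the provider are converted to valid Secret keys.` and the two constant comments should be adjusted to match.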
@@ -309,6 +335,7 @@ type ExternalSecretDataFromRemoteRef struct {
 	SourceRef *StoreGeneratorSourceRef `json:"sourceRef,omitempty"`
 }
 
+// ExternalSecretRewrite defines how to rewrite secret data values before they are written to the Secret.
 // +kubebuilder:validation:MinProperties=1
 // +kubebuilder:validation:MaxProperties=1
 type ExternalSecretRewrite struct {
@@ -329,6 +356,7 @@ type ExternalSecretRewrite struct {
 	Transform *ExternalSecretRewriteTransform `json:"transform,omitempty"`
 }
 
+// ExternalSecretRewriteMerge defines configuration for merging secret values.
 type ExternalSecretRewriteMerge struct {
 	// Used to define the target key of the merge operation.
 	// Required if strategy is JSON. Ignored otherwise.
@@ -356,30 +384,40 @@ type ExternalSecretRewriteMerge struct {
 	Strategy ExternalSecretRewriteMergeStrategy `json:"strategy,omitempty"`
 }
 
+// ExternalSecretRewriteMergeConflictPolicy defines the policy for resolving conflicts when merging secrets.
 // +kubebuilder:validation:Enum=Ignore;Error
 type ExternalSecretRewriteMergeConflictPolicy string
 
 const (
+	// ExternalSecretRewriteMergeConflictPolicyIgnore ignores conflicts when merging secret values.
 	ExternalSecretRewriteMergeConflictPolicyIgnore ExternalSecretRewriteMergeConflictPolicy = "Ignore"
-	ExternalSecretRewriteMergeConflictPolicyError  ExternalSecretRewriteMergeConflictPolicy = "Error"
+	// ExternalSecretRewriteMergeConflictPolicyError returns an error when conflicts occur during merge.
+	ExternalSecretRewriteMergeConflictPolicyError ExternalSecretRewriteMergeConflictPolicy = "Error"
 )
 
+// ExternalSecretRewriteMergePriorityPolicy defines the policy for handling missing keys in the priority
+// list during merge operations.
 // +kubebuilder:validation:Enum=IgnoreNotFound;Strict
 type ExternalSecretRewriteMergePriorityPolicy string
 
+// These constants define the priority policies for merging secrets.
 const (
 	ExternalSecretRewriteMergePriorityPolicyIgnoreNotFound ExternalSecretRewriteMergePriorityPolicy = "IgnoreNotFound"
 	ExternalSecretRewriteMergePriorityPolicyStrict         ExternalSecretRewriteMergePriorityPolicy = "Strict"
 )
 
+// ExternalSecretRewriteMergeStrategy defines the strategy for merging secrets.
 // +kubebuilder:validation:Enum=Extract;JSON
 type ExternalSecretRewriteMergeStrategy string
 
 const (
+	// ExternalSecretRewriteMergeStrategyExtract merges secrets by extracting values.
 	ExternalSecretRewriteMergeStrategyExtract ExternalSecretRewriteMergeStrategy = "Extract"
-	ExternalSecretRewriteMergeStrategyJSON    ExternalSecretRewriteMergeStrategy = "JSON"
+	// ExternalSecretRewriteMergeStrategyJSON merges secrets using JSON merge strategy.
+	ExternalSecretRewriteMergeStrategyJSON ExternalSecretRewriteMergeStrategy = "JSON"
 )
 
+// ExternalSecretRewriteRegexp defines configuration for rewriting secrets using regular expressions.
 type ExternalSecretRewriteRegexp struct {
 	// Used to define the regular expression of a re.Compiler.
 	Source string `json:"source"`
@@ -387,12 +425,14 @@ type ExternalSecretRewriteRegexp struct {
 	Target string `json:"target"`
 }
 
+// ExternalSecretRewriteTransform defines configuration for transforming secrets using templates.
 type ExternalSecretRewriteTransform struct {
 	// Used to define the template to apply on the secret name.
 	// `.value ` will specify the secret name in the template.
 	Template string `json:"template"`
 }
 
+// ExternalSecretFind defines configuration for finding secrets in the provider.
 type ExternalSecretFind struct {
 	// A root path to start the find operations.
 	// +optional
@@ -417,19 +457,24 @@ type ExternalSecretFind struct {
 	DecodingStrategy ExternalSecretDecodingStrategy `json:"decodingStrategy,omitempty"`
 }
 
+// FindName defines criteria for finding secrets by name patterns.
 type FindName struct {
 	// Finds secrets base
 	// +optional
 	RegExp string `json:"regexp,omitempty"`
 }
 
+// ExternalSecretRefreshPolicy defines how and when the ExternalSecret should be refreshed.
 // +kubebuilder:validation:Enum=CreatedOnce;Periodic;OnChange
 type ExternalSecretRefreshPolicy string
 
 const (
+	// RefreshPolicyCreatedOnce creates the Secret once and does not update it thereafter.
 	RefreshPolicyCreatedOnce ExternalSecretRefreshPolicy = "CreatedOnce"
-	RefreshPolicyPeriodic    ExternalSecretRefreshPolicy = "Periodic"
-	RefreshPolicyOnChange    ExternalSecretRefreshPolicy = "OnChange"
+	// RefreshPolicyPeriodic synchronizes the Secret from the provider at regular intervals.
+	RefreshPolicyPeriodic ExternalSecretRefreshPolicy = "Periodic"
+	// RefreshPolicyOnChange only synchronizes when the ExternalSecret's metadata or spec changes.
+	RefreshPolicyOnChange ExternalSecretRefreshPolicy = "OnChange"
 )
 
 // ExternalSecretSpec defines the desired state of ExternalSecret.
@@ -514,14 +559,18 @@ type GeneratorRef struct {
 	Name string `json:"name"`
 }
 
+// ExternalSecretConditionType defines a value type for ExternalSecret conditions.
 // +kubebuilder:validation:Enum=Ready;Deleted
 type ExternalSecretConditionType string
 
 const (
-	ExternalSecretReady   ExternalSecretConditionType = "Ready"
+	// ExternalSecretReady indicates that the external secret is ready and synced.
+	ExternalSecretReady ExternalSecretConditionType = "Ready"
+	// ExternalSecretDeleted indicates that the external secret has been deleted.
 	ExternalSecretDeleted ExternalSecretConditionType = "Deleted"
 )
 
+// ExternalSecretStatusCondition defines a status condition of an ExternalSecret resource.
 type ExternalSecretStatusCondition struct {
 	Type   ExternalSecretConditionType `json:"type"`
 	Status corev1.ConditionStatus      `json:"status"`
@@ -546,14 +595,21 @@ const (
 	// ConditionReasonSecretMissing indicates that the secret is missing.
 	ConditionReasonSecretMissing = "SecretMissing"
 
-	ReasonUpdateFailed          = "UpdateFailed"
-	ReasonDeprecated            = "ParameterDeprecated"
-	ReasonCreated               = "Created"
-	ReasonUpdated               = "Updated"
-	ReasonDeleted               = "Deleted"
+	// ReasonUpdateFailed indicates that the update operation failed.
+	ReasonUpdateFailed = "UpdateFailed"
+	// ReasonDeprecated indicates that a parameter is deprecated.
+	ReasonDeprecated = "ParameterDeprecated"
+	// ReasonCreated indicates that a resource has been created.
+	ReasonCreated = "Created"
+	// ReasonUpdated indicates that a resource has been updated.
+	ReasonUpdated = "Updated"
+	// ReasonDeleted indicates that a resource has been deleted.
+	ReasonDeleted = "Deleted"
+	// ReasonMissingProviderSecret indicates that the provider secret is missing.
 	ReasonMissingProviderSecret = "MissingProviderSecret"
 )
 
+// ExternalSecretStatus defines the observed state of ExternalSecret.
 type ExternalSecretStatus struct {
 	// +nullable
 	// refreshTime is the time and date the external secret was fetched and
@@ -570,9 +626,10 @@ type ExternalSecretStatus struct {
 	Binding corev1.LocalObjectReference `json:"binding,omitempty"`
 }
 
+// ExternalSecret is the Schema for the external-secrets API.
+// It defines how to fetch data from external APIs and make it available as Kubernetes Secrets.
 // +kubebuilder:object:root=true
 // +kubebuilder:storageversion
-// ExternalSecret is the Schema for the external-secrets API.
 // +kubebuilder:subresource:status
 // +kubebuilder:metadata:labels="external-secrets.io/component=controller"
 // +kubebuilder:resource:scope=Namespaced,categories={external-secrets},shortName=es
@@ -600,7 +657,9 @@ const (
 	AnnotationForceSync = "external-secrets.io/force-sync"
 
 	// LabelManaged all secrets managed by an ExternalSecret will have this label equal to "true".
-	LabelManaged      = "reconcile.external-secrets.io/managed"
+	LabelManaged = "reconcile.external-secrets.io/managed"
+
+	// LabelManagedValue is the value for the LabelManaged key, always set to "true".
 	LabelManagedValue = "true"
 
 	// LabelOwner points to the owning ExternalSecret resource when CreationPolicy=Owner.

+ 7 - 0
apis/externalsecrets/v1/externalsecret_validator.go

@@ -25,16 +25,23 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 
+// Ensures ExternalSecretValidator implements the admission.CustomValidator interface correctly.
+var _ admission.CustomValidator = &ExternalSecretValidator{}
+
+// ExternalSecretValidator implements a validating webhook for ExternalSecrets.
 type ExternalSecretValidator struct{}
 
+// ValidateCreate is called on creation of ExternalSecret resource object.
 func (esv *ExternalSecretValidator) ValidateCreate(_ context.Context, obj runtime.Object) (admission.Warnings, error) {
 	return validateExternalSecret(obj)
 }
 
+// ValidateUpdate is called when updating an ExternalSecret resource object.
 func (esv *ExternalSecretValidator) ValidateUpdate(_ context.Context, _, newObj runtime.Object) (admission.Warnings, error) {
 	return validateExternalSecret(newObj)
 }
 
+// ValidateDelete is called when deleting an ExternalSecret resource object.
 func (esv *ExternalSecretValidator) ValidateDelete(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
 	return nil, nil
 }
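Review bot: The new comment on `ValidateDelete` says when it is called but not that the body is `return nil, nil`, so every delete request is admitted without inspection. Likewise `ValidateUpdate` discards the old object and passes only `newObj` to `validateExternalSecret`. For an admission webhook the godoc should say which operations are really checked. Suggested wording: `// ValidateDelete admits every delete request; no validation is performed.` and `// ValidateUpdate validates newObj only; the previous object is ignored.`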

+ 1 - 0
apis/externalsecrets/v1/externalsecret_webhook.go

@@ -20,6 +20,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 )
 
+// SetupWebhookWithManager sets up the webhook for ExternalSecret.
 func (es *ExternalSecret) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(es).

+ 9 - 0
apis/externalsecrets/v1/fakes/pushremoteref.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package fakes contains fake implementations for testing purposes.
 package fakes
 
 import (
@@ -22,6 +23,7 @@ import (
 	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 )
 
+// PushRemoteRef is a fake implementation of the PushRemoteRef interface for testing.
 type PushRemoteRef struct {
 	GetRemoteKeyStub        func() string
 	getRemoteKeyMutex       sync.RWMutex
@@ -37,6 +39,7 @@ type PushRemoteRef struct {
 	invocationsMutex sync.RWMutex
 }
 
+// GetRemoteKey returns a string representing the remote key.
 func (fake *PushRemoteRef) GetRemoteKey() string {
 	fake.getRemoteKeyMutex.Lock()
 	ret, specificReturn := fake.getRemoteKeyReturnsOnCall[len(fake.getRemoteKeyArgsForCall)]
@@ -55,22 +58,26 @@ func (fake *PushRemoteRef) GetRemoteKey() string {
 	return fakeReturns.result1
 }
 
+// GetProperty returns the property value as a string.
 func (fake *PushRemoteRef) GetProperty() string {
 	return ""
 }
 
+// GetRemoteKeyCallCount returns the number of times GetRemoteKey has been called.
 func (fake *PushRemoteRef) GetRemoteKeyCallCount() int {
 	fake.getRemoteKeyMutex.RLock()
 	defer fake.getRemoteKeyMutex.RUnlock()
 	return len(fake.getRemoteKeyArgsForCall)
 }
 
+// GetRemoteKeyCalls sets a custom stub function for the GetRemoteKey method.
 func (fake *PushRemoteRef) GetRemoteKeyCalls(stub func() string) {
 	fake.getRemoteKeyMutex.Lock()
 	defer fake.getRemoteKeyMutex.Unlock()
 	fake.GetRemoteKeyStub = stub
 }
 
+// GetRemoteKeyReturns sets return values that will be returned by GetRemoteKey.
 func (fake *PushRemoteRef) GetRemoteKeyReturns(result1 string) {
 	fake.getRemoteKeyMutex.Lock()
 	defer fake.getRemoteKeyMutex.Unlock()
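Review bot: The comment added on `GetProperty` says it returns the property value, but the body is `return ""` and, unlike `GetRemoteKey`, it consults no stub. A test that relies on this fake therefore never exercises property handling, and the comment hides that. I would write `// GetProperty always returns the empty string; the fake does not model a property.`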
@@ -80,6 +87,7 @@ func (fake *PushRemoteRef) GetRemoteKeyReturns(result1 string) {
 	}{result1}
 }
 
+// GetRemoteKeyReturnsOnCall sets return values for specific calls to GetRemoteKey.
 func (fake *PushRemoteRef) GetRemoteKeyReturnsOnCall(i int, result1 string) {
 	fake.getRemoteKeyMutex.Lock()
 	defer fake.getRemoteKeyMutex.Unlock()
@@ -94,6 +102,7 @@ func (fake *PushRemoteRef) GetRemoteKeyReturnsOnCall(i int, result1 string) {
 	}{result1}
 }
 
+// Invocations returns a map recording the calls to methods on this fake.
 func (fake *PushRemoteRef) Invocations() map[string][][]any {
 	fake.invocationsMutex.RLock()
 	defer fake.invocationsMutex.RUnlock()

+ 16 - 0
apis/externalsecrets/v1/generic_store.go

@@ -49,34 +49,42 @@ type GenericStore interface {
 // +kubebuilder:object:generate:false
 var _ GenericStore = &SecretStore{}
 
+// GetObjectMeta returns the ObjectMeta of the SecretStore.
 func (c *SecretStore) GetObjectMeta() *metav1.ObjectMeta {
 	return &c.ObjectMeta
 }
 
+// GetTypeMeta returns the TypeMeta of the SecretStore.
 func (c *SecretStore) GetTypeMeta() *metav1.TypeMeta {
 	return &c.TypeMeta
 }
 
+// GetSpec returns the Spec of the SecretStore.
 func (c *SecretStore) GetSpec() *SecretStoreSpec {
 	return &c.Spec
 }
 
+// GetStatus returns the Status of the SecretStore.
 func (c *SecretStore) GetStatus() SecretStoreStatus {
 	return c.Status
 }
 
+// SetStatus sets the Status of the SecretStore.
 func (c *SecretStore) SetStatus(status SecretStoreStatus) {
 	c.Status = status
 }
 
+// GetNamespacedName returns the namespaced name of the SecretStore in the format "namespace/name".
 func (c *SecretStore) GetNamespacedName() string {
 	return fmt.Sprintf("%s/%s", c.Namespace, c.Name)
 }
 
+// GetKind returns the kind of the SecretStore.
 func (c *SecretStore) GetKind() string {
 	return SecretStoreKind
 }
 
+// Copy returns a deep copy of the SecretStore.
 func (c *SecretStore) Copy() GenericStore {
 	return c.DeepCopy()
 }
@@ -85,34 +93,42 @@ func (c *SecretStore) Copy() GenericStore {
 // +kubebuilder:object:generate:false
 var _ GenericStore = &ClusterSecretStore{}
 
+// GetObjectMeta returns the ObjectMeta of the ClusterSecretStore.
 func (c *ClusterSecretStore) GetObjectMeta() *metav1.ObjectMeta {
 	return &c.ObjectMeta
 }
 
+// GetTypeMeta returns the TypeMeta of the ClusterSecretStore.
 func (c *ClusterSecretStore) GetTypeMeta() *metav1.TypeMeta {
 	return &c.TypeMeta
 }
 
+// GetSpec returns the Spec of the ClusterSecretStore.
 func (c *ClusterSecretStore) GetSpec() *SecretStoreSpec {
 	return &c.Spec
 }
 
+// Copy returns a deep copy of the ClusterSecretStore.
 func (c *ClusterSecretStore) Copy() GenericStore {
 	return c.DeepCopy()
 }
 
+// GetStatus returns the Status of the ClusterSecretStore.
 func (c *ClusterSecretStore) GetStatus() SecretStoreStatus {
 	return c.Status
 }
 
+// SetStatus sets the Status of the ClusterSecretStore.
 func (c *ClusterSecretStore) SetStatus(status SecretStoreStatus) {
 	c.Status = status
 }
 
+// GetNamespacedName returns the namespaced name of the ClusterSecretStore in the format "namespace/name".
 func (c *ClusterSecretStore) GetNamespacedName() string {
 	return fmt.Sprintf("%s/%s", c.Namespace, c.Name)
 }
 
+// GetKind returns the kind of the ClusterSecretStore.
 func (c *ClusterSecretStore) GetKind() string {
 	return ClusterSecretStoreKind
 }
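Review bot: The comment added on `(*ClusterSecretStore).GetNamespacedName` promises a "namespace/name" string, but the method formats `c.Namespace` and `c.Name` unconditionally. A ClusterSecretStore is presumably cluster-scoped with an empty namespace, so callers would get "/name". If this string is used as a lookup or cache key, the comment should describe the real shape, e.g. `// GetNamespacedName returns "<namespace>/<name>"; the namespace is expected to be empty for a ClusterSecretStore, giving "/<name>".`. If that output is not intended, it needs a code fix of its own rather than a comment.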

+ 8 - 4
apis/externalsecrets/v1/provider.go

@@ -25,18 +25,19 @@ import (
 )
 
 const (
-	// Ready indicates that the client is configured correctly
+	// ValidationResultReady indicates that the client is configured correctly
 	// and can be used.
 	ValidationResultReady ValidationResult = iota
 
-	// Unknown indicates that the client can be used
-	// but information is missing and it can not be validated.
+	// ValidationResultUnknown indicates that the client can be used
+	// but information is missing, and it can not be validated.
 	ValidationResultUnknown
 
-	// Error indicates that there is a misconfiguration.
+	// ValidationResultError indicates that there is a misconfiguration.
 	ValidationResultError
 )
 
+// ValidationResult is defined type for the number of validation results.
 type ValidationResult uint8
 
 func (v ValidationResult) String() string {
@@ -98,6 +99,7 @@ type SecretsClient interface {
 	Close(ctx context.Context) error
 }
 
+// NoSecretErr is a sentinel error for when a secret is not found.
 var NoSecretErr = NoSecretError{}
 
 // NoSecretError shall be returned when a GetSecret can not find the
@@ -108,6 +110,8 @@ func (NoSecretError) Error() string {
 	return "Secret does not exist"
 }
 
+// NotModifiedErr is a sentinel error to signal that the webhook received no changes,
+// and it should just return without doing anything.
 var NotModifiedErr = NotModifiedError{}
 
 // NotModifiedError to signal that the webhook received no changes,
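Review bot: The new comment on `ValidationResult` ("is defined type for the number of validation results") does not say what the type means. The constants above it show that it is the outcome of checking whether a client is configured correctly (ready, unknown, error). I would write `// ValidationResult describes the outcome of validating a provider's client configuration.`. The `NotModifiedErr` comment also repeats the `NotModifiedError` type comment below it almost word for word; `// NotModifiedErr is the sentinel value of NotModifiedError.` would be enough.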

+ 7 - 0
apis/externalsecrets/v1/provider_schema_maintenance.go

@@ -21,8 +21,10 @@ import (
 	"sync"
 )
 
+// MaintenanceStatus defines a type for different maintenance states of a provider schema.
 type MaintenanceStatus bool
 
+// These are the defined maintenance states for a provider schema.
 const (
 	MaintenanceStatusMaintained    MaintenanceStatus = true
 	MaintenanceStatusNotMaintained MaintenanceStatus = false
@@ -35,6 +37,8 @@ func init() {
 	maintenance = make(map[string]MaintenanceStatus)
 }
 
+// RegisterMaintenanceStatus registers the maintenance status of the provider from the generic store.
+// It panics if the provider is already registered or if there is an error getting the provider name.
 func RegisterMaintenanceStatus(status MaintenanceStatus, storeSpec *SecretStoreProvider) {
 	storeName, err := getProviderName(storeSpec)
 	if err != nil {
@@ -51,6 +55,9 @@ func RegisterMaintenanceStatus(status MaintenanceStatus, storeSpec *SecretStoreP
 	maintenance[storeName] = status
 }
 
+// ForceRegisterMaintenanceStatus registers the maintenance status of the provider from the generic store.
+// It panics if there is an error getting the provider name, it overwrites existing provider status or
+// stores new status for a provider if it exists.
 func ForceRegisterMaintenanceStatus(status MaintenanceStatus, storeSpec *SecretStoreProvider) {
 	storeName, err := getProviderName(storeSpec)
 	if err != nil {
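Review bot: The last clause of the `ForceRegisterMaintenanceStatus` comment reads "stores new status for a provider if it exists", which contradicts the "overwrites existing provider status" clause before it; presumably "if it does not exist" was meant. Suggested wording: `// It panics if the provider name cannot be determined; otherwise it stores the status, overwriting any existing entry.`. Both new function comments also say "from the generic store" although the parameter is a `*SecretStoreProvider`. The function bodies continue outside the hunks, so the panic conditions stated in the comments cannot be confirmed from here.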

+ 3 - 1
apis/externalsecrets/v1/register.go

@@ -35,7 +35,9 @@ var (
 
 	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
 	SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
-	AddToScheme   = SchemeBuilder.AddToScheme
+
+	// AddToScheme adds the types in this group version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
 )
 
 // ExternalSecret type metadata.

+ 3 - 1
apis/externalsecrets/v1/secretsstore_delinea_types.go

@@ -18,6 +18,7 @@ package v1
 
 import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 
+// DelineaProviderSecretRef is a secret reference containing either a direct value or a reference to a secret key.
 type DelineaProviderSecretRef struct {
 
 	// Value can be specified directly to set a value without using a secret.
@@ -29,7 +30,8 @@ type DelineaProviderSecretRef struct {
 	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
 }
 
-// See https://github.com/DelineaXPM/dsv-sdk-go/blob/main/vault/vault.go.
+// DelineaProvider provides access to Delinea secrets vault Server.
+// See: https://github.com/DelineaXPM/dsv-sdk-go/blob/main/vault/vault.go.
 type DelineaProvider struct {
 
 	// ClientID is the non-secret part of the credential.
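Review bot: The type comment on `DelineaProviderSecretRef` presents the inline `Value` and the `SecretRef` as equivalent, but they have different exposure. A value set directly is stored in the store spec itself, so anyone who can read the SecretStore object can read it, not only those who can read Secrets. The `ClientID` field comment below already calls it "the non-secret part of the credential", so the type comment should say the same: `// Value is kept in the resource in clear text; use SecretRef for anything sensitive.`. The same applies to the comments added for `SecretServerProviderRef`, `BeyondTrustProviderSecretRef` and `ScalewayProviderSecretRef`, whose `Value` fields carry the same description.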

+ 14 - 2
apis/externalsecrets/v1/secretsstore_infisical_types.go

@@ -20,6 +20,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+// UniversalAuthCredentials represents the client credentials for universal authentication.
 type UniversalAuthCredentials struct {
 	// +kubebuilder:validation:Required
 	ClientID esmeta.SecretKeySelector `json:"clientId"`
@@ -27,6 +28,7 @@ type UniversalAuthCredentials struct {
 	ClientSecret esmeta.SecretKeySelector `json:"clientSecret"`
 }
 
+// AzureAuthCredentials represents the credentials for Azure authentication.
 type AzureAuthCredentials struct {
 	// +kubebuilder:validation:Required
 	IdentityID esmeta.SecretKeySelector `json:"identityId"`
@@ -34,11 +36,13 @@ type AzureAuthCredentials struct {
 	Resource esmeta.SecretKeySelector `json:"resource"`
 }
 
-type GcpIdTokenAuthCredentials struct {
+// GcpIDTokenAuthCredentials represents the credentials for GCP ID token authentication.
+type GcpIDTokenAuthCredentials struct {
 	// +kubebuilder:validation:Required
 	IdentityID esmeta.SecretKeySelector `json:"identityId"`
 }
 
+// GcpIamAuthCredentials represents the credentials for GCP IAM authentication.
 type GcpIamAuthCredentials struct {
 	// +kubebuilder:validation:Required
 	IdentityID esmeta.SecretKeySelector `json:"identityId"`
@@ -46,6 +50,7 @@ type GcpIamAuthCredentials struct {
 	ServiceAccountKeyFilePath esmeta.SecretKeySelector `json:"serviceAccountKeyFilePath"`
 }
 
+// JwtAuthCredentials represents the credentials for JWT authentication.
 type JwtAuthCredentials struct {
 	// +kubebuilder:validation:Required
 	IdentityID esmeta.SecretKeySelector `json:"identityId"`
@@ -53,6 +58,7 @@ type JwtAuthCredentials struct {
 	JWT esmeta.SecretKeySelector `json:"jwt"`
 }
 
+// LdapAuthCredentials represents the credentials for LDAP authentication.
 type LdapAuthCredentials struct {
 	// +kubebuilder:validation:Required
 	IdentityID esmeta.SecretKeySelector `json:"identityId"`
@@ -62,6 +68,7 @@ type LdapAuthCredentials struct {
 	LDAPUsername esmeta.SecretKeySelector `json:"ldapUsername"`
 }
 
+// OciAuthCredentials represents the credentials for OCI authentication.
 type OciAuthCredentials struct {
 	// +kubebuilder:validation:Required
 	IdentityID esmeta.SecretKeySelector `json:"identityId"`
@@ -79,6 +86,7 @@ type OciAuthCredentials struct {
 	Region esmeta.SecretKeySelector `json:"region"`
 }
 
+// KubernetesAuthCredentials represents the credentials for Kubernetes authentication.
 type KubernetesAuthCredentials struct {
 	// +kubebuilder:validation:Required
 	IdentityID esmeta.SecretKeySelector `json:"identityId"`
@@ -86,23 +94,26 @@ type KubernetesAuthCredentials struct {
 	ServiceAccountTokenPath esmeta.SecretKeySelector `json:"serviceAccountTokenPath"`
 }
 
+// AwsAuthCredentials represents the credentials for AWS authentication.
 type AwsAuthCredentials struct {
 	// +kubebuilder:validation:Required
 	IdentityID esmeta.SecretKeySelector `json:"identityId"`
 }
 
+// TokenAuthCredentials represents the credentials for access token-based authentication.
 type TokenAuthCredentials struct {
 	// +kubebuilder:validation:Required
 	AccessToken esmeta.SecretKeySelector `json:"accessToken"`
 }
 
+// InfisicalAuth specifies the authentication configuration for Infisical.
 type InfisicalAuth struct {
 	// +optional
 	UniversalAuthCredentials *UniversalAuthCredentials `json:"universalAuthCredentials,omitempty"`
 	// +optional
 	AzureAuthCredentials *AzureAuthCredentials `json:"azureAuthCredentials,omitempty"`
 	// +optional
-	GcpIdTokenAuthCredentials *GcpIdTokenAuthCredentials `json:"gcpIdTokenAuthCredentials,omitempty"`
+	GcpIDTokenAuthCredentials *GcpIDTokenAuthCredentials `json:"gcpIdTokenAuthCredentials,omitempty"`
 	// +optional
 	GcpIamAuthCredentials *GcpIamAuthCredentials `json:"gcpIamAuthCredentials,omitempty"`
 	// +optional
@@ -119,6 +130,7 @@ type InfisicalAuth struct {
 	TokenAuthCredentials *TokenAuthCredentials `json:"tokenAuthCredentials,omitempty"`
 }
 
+// MachineIdentityScopeInWorkspace defines the scope for machine identity within a workspace.
 type MachineIdentityScopeInWorkspace struct {
 	// SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
 	// +kubebuilder:default="/"
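Review bot: Renaming the exported type and the `InfisicalAuth` field from `GcpIdTokenAuthCredentials` to `GcpIDTokenAuthCredentials` changes the Go API of this package. The JSON tag `gcpIdTokenAuthCredentials` is kept, so the serialized form stays the same. Code outside this repository that imports the v1 types would stop compiling. If that matters, a deprecated alias `type GcpIdTokenAuthCredentials = GcpIDTokenAuthCredentials` (with a lint exemption) covers the type, and the field rename should at least be called out in the release notes. The new comments also describe these structs as "the credentials" although every visible field is an `esmeta.SecretKeySelector`; "references to the credentials" would be more accurate.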

+ 3 - 1
apis/externalsecrets/v1/secretsstore_passbolt_types.go

@@ -20,12 +20,14 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
-// Passbolt contains a secretRef for the passbolt credentials.
+// PassboltAuth contains a secretRef for the passbolt credentials.
 type PassboltAuth struct {
 	PasswordSecretRef   *esmeta.SecretKeySelector `json:"passwordSecretRef"`
 	PrivateKeySecretRef *esmeta.SecretKeySelector `json:"privateKeySecretRef"`
 }
 
+// PassboltProvider provides access to Passbolt secrets manager.
+// See: https://www.passbolt.com.
 type PassboltProvider struct {
 	// Auth defines the information necessary to authenticate against Passbolt Server
 	Auth *PassboltAuth `json:"auth"`

+ 4 - 1
apis/externalsecrets/v1/secretsstore_secretserver_types.go

@@ -18,6 +18,8 @@ package v1
 
 import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 
+// SecretServerProviderRef references a value that can be specified directly or via a secret
+// for a SecretServerProvider.
 type SecretServerProviderRef struct {
 
 	// Value can be specified directly to set a value without using a secret.
@@ -29,7 +31,8 @@ type SecretServerProviderRef struct {
 	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
 }
 
-// See https://github.com/DelineaXPM/tss-sdk-go/blob/main/server/server.go.
+// SecretServerProvider provides access to authenticate to a secrets provider server.
+// See: https://github.com/DelineaXPM/tss-sdk-go/blob/main/server/server.go.
 type SecretServerProvider struct {
 
 	// Username is the secret server account username.

+ 5 - 2
apis/externalsecrets/v1/secretstore_akeyless_types.go

@@ -40,6 +40,7 @@ type AkeylessProvider struct {
 	CAProvider *CAProvider `json:"caProvider,omitempty"`
 }
 
+// AkeylessAuth configures how the operator authenticates with Akeyless.
 type AkeylessAuth struct {
 
 	// Reference to a Secret that contains the details
@@ -53,7 +54,8 @@ type AkeylessAuth struct {
 	KubernetesAuth *AkeylessKubernetesAuth `json:"kubernetesAuth,omitempty"`
 }
 
-// AkeylessAuthSecretRef
+// AkeylessAuthSecretRef references a Secret that contains the details
+// to authenticate with Akeyless.
 // AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.
 type AkeylessAuthSecretRef struct {
 	// The SecretAccessID is used for authentication
@@ -62,7 +64,8 @@ type AkeylessAuthSecretRef struct {
 	AccessTypeParam esmeta.SecretKeySelector `json:"accessTypeParam,omitempty"`
 }
 
-// Authenticate with Kubernetes ServiceAccount token stored.
+// AkeylessKubernetesAuth configures Kubernetes authentication with Akeyless.
+// It authenticates with Kubernetes ServiceAccount token stored.
 type AkeylessKubernetesAuth struct {
 
 	// the Akeyless Kubernetes auth-method access-id
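Review bot: The second line added for `AkeylessKubernetesAuth` ("It authenticates with Kubernetes ServiceAccount token stored.") ends on a dangling "stored", carried over from the old comment, so the sentence never says where the token is stored. Either finish the thought or drop the word: `// It authenticates with a Kubernetes ServiceAccount token.`. The struct body continues outside the hunk, so the token source cannot be named from here.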

+ 1 - 1
apis/externalsecrets/v1/secretstore_alibaba_types.go

@@ -36,7 +36,7 @@ type AlibabaAuthSecretRef struct {
 	AccessKeySecret esmeta.SecretKeySelector `json:"accessKeySecretSecretRef"`
 }
 
-// Authenticate against Alibaba using RRSA.
+// AlibabaRRSAAuth authenticates against Alibaba using RRSA.
 type AlibabaRRSAAuth struct {
 	OIDCProviderARN   string `json:"oidcProviderArn"`
 	OIDCTokenFilePath string `json:"oidcTokenFilePath"`

+ 4 - 2
apis/externalsecrets/v1/secretstore_aws_types.go

@@ -46,7 +46,7 @@ type AWSAuthSecretRef struct {
 	SessionToken *esmeta.SecretKeySelector `json:"sessionTokenSecretRef,omitempty"`
 }
 
-// Authenticate against AWS using service account tokens.
+// AWSJWTAuth stores reference to Authenticate against AWS using service account tokens.
 type AWSJWTAuth struct {
 	ServiceAccountRef *esmeta.ServiceAccountSelector `json:"serviceAccountRef,omitempty"`
 }
@@ -79,12 +79,14 @@ type SecretsManager struct {
 	// The number of days from 7 to 30 that Secrets Manager waits before
 	// permanently deleting the secret. You can't use both this parameter and
 	// ForceDeleteWithoutRecovery in the same call. If you don't use either,
-	// then by default Secrets Manager uses a 30 day recovery window.
+	// then by default Secrets Manager uses a 30-day recovery window.
 	// see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
 	// +optional
 	RecoveryWindowInDays int64 `json:"recoveryWindowInDays,omitempty"`
 }
 
+// Tag is a key-value pair that can be attached to an AWS resource.
+// see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
 type Tag struct {
 	Key   string `json:"key"`
 	Value string `json:"value"`
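Review bot: The new comment on `AWSJWTAuth` ("stores reference to Authenticate against AWS using service account tokens") is hard to parse and keeps the capitalised verb from the old sentence. The struct's only visible field is `ServiceAccountRef`, so `// AWSJWTAuth references the ServiceAccount whose token is used to authenticate against AWS.` says the same thing plainly.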

+ 8 - 7
apis/externalsecrets/v1/secretstore_azurekv_types.go

@@ -18,7 +18,7 @@ package v1
 
 import smmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 
-// AuthType describes how to authenticate to the Azure Keyvault
+// AzureAuthType describes how to authenticate to the Azure Keyvault
 // Only one of the following auth types may be specified.
 // If none of the following auth type is specified, the default one
 // is ServicePrincipal.
@@ -26,23 +26,24 @@ import smmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 type AzureAuthType string
 
 const (
-	// Using service principal to authenticate, which needs a tenantId, a clientId and a clientSecret.
+	// AzureServicePrincipal uses service principal to authenticate, which needs a tenantId, a clientId and a clientSecret.
 	AzureServicePrincipal AzureAuthType = "ServicePrincipal"
 
-	// Using Managed Identity to authenticate. Used with aad-pod-identity installed in the cluster.
+	// AzureManagedIdentity uses Managed Identity to authenticate. Used with aad-pod-identity installed in the cluster.
 	AzureManagedIdentity AzureAuthType = "ManagedIdentity"
 
-	// Using Workload Identity service accounts to authenticate.
+	// AzureWorkloadIdentity uses Workload Identity service accounts to authenticate.
 	AzureWorkloadIdentity AzureAuthType = "WorkloadIdentity"
 )
 
 // AzureEnvironmentType specifies the Azure cloud environment endpoints to use for
-// connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
+// connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint.
 // The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
 // PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
 // +kubebuilder:validation:Enum=PublicCloud;USGovernmentCloud;ChinaCloud;GermanCloud;AzureStackCloud
 type AzureEnvironmentType string
 
+// These define the several AzureEnvironmentType currently supported.
 const (
 	AzureEnvironmentPublicCloud       AzureEnvironmentType = "PublicCloud"
 	AzureEnvironmentUSGovernmentCloud AzureEnvironmentType = "USGovernmentCloud"
@@ -73,7 +74,7 @@ type AzureCustomCloudConfig struct {
 	ResourceManagerEndpoint *string `json:"resourceManagerEndpoint,omitempty"`
 }
 
-// Configures an store to sync secrets using Azure KV.
+// AzureKVProvider configures a store to sync secrets using Azure KV.
 type AzureKVProvider struct {
 	// Auth type defines how to authenticate to the keyvault service.
 	// Valid values are:
@@ -125,7 +126,7 @@ type AzureKVProvider struct {
 	CustomCloudConfig *AzureCustomCloudConfig `json:"customCloudConfig,omitempty"`
 }
 
-// Configuration used to authenticate with Azure.
+// AzureKVAuth is the configuration used to authenticate with Azure.
 type AzureKVAuth struct {
 	// The Azure clientId of the service principle or managed identity used for authentication.
 	// +optional

+ 5 - 2
apis/externalsecrets/v1/secretstore_beyondtrust_types.go

@@ -18,6 +18,8 @@ package v1
 
 import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 
+// BeyondTrustProviderSecretRef references a value that can be specified directly or via a secret
+// for a BeyondTrustProvider.
 type BeyondTrustProviderSecretRef struct {
 
 	// Value can be specified directly to set a value without using a secret.
@@ -29,7 +31,7 @@ type BeyondTrustProviderSecretRef struct {
 	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
 }
 
-// Configures a store to sync secrets using BeyondTrust Password Safe.
+// BeyondtrustAuth provides different ways to authenticate to a BeyondtrustProvider server.
 type BeyondtrustAuth struct {
 	// APIKey If not provided then ClientID/ClientSecret become required.
 	APIKey *BeyondTrustProviderSecretRef `json:"apiKey,omitempty"`
@@ -43,7 +45,7 @@ type BeyondtrustAuth struct {
 	CertificateKey *BeyondTrustProviderSecretRef `json:"certificateKey,omitempty"`
 }
 
-// Configures a store to sync secrets using BeyondTrust Password Safe.
+// BeyondtrustServer configures a store to sync secrets using BeyondTrust Password Safe.
 type BeyondtrustServer struct {
 	// +required - BeyondTrust Password Safe API URL. https://example.com:443/beyondtrust/api/public/V3.
 	APIURL string `json:"apiUrl"`
@@ -59,6 +61,7 @@ type BeyondtrustServer struct {
 	ClientTimeOutSeconds int `json:"clientTimeOutSeconds,omitempty"`
 }
 
+// BeyondtrustProvider provides access to a BeyondTrust secrets provider.
 type BeyondtrustProvider struct {
 
 	// Auth configures how the operator authenticates with Beyondtrust.

+ 5 - 0
apis/externalsecrets/v1/secretstore_conjur_types.go

@@ -18,6 +18,7 @@ package v1
 
 import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 
+// ConjurProvider provides access to a Conjur provider.
 type ConjurProvider struct {
 	// URL is the endpoint of the Conjur instance.
 	URL string `json:"url"`
@@ -36,6 +37,7 @@ type ConjurProvider struct {
 	Auth ConjurAuth `json:"auth"`
 }
 
+// ConjurAuth is the way to provide authentication credentials to the ConjurProvider.
 type ConjurAuth struct {
 	// Authenticates with Conjur using an API key.
 	// +optional
@@ -46,6 +48,8 @@ type ConjurAuth struct {
 	Jwt *ConjurJWT `json:"jwt,omitempty"`
 }
 
+// ConjurAPIKey contains references to a Secret resource that holds
+// the Conjur username and API key.
 type ConjurAPIKey struct {
 	// Account is the Conjur organization account name.
 	Account string `json:"account"`
@@ -59,6 +63,7 @@ type ConjurAPIKey struct {
 	APIKeyRef *esmeta.SecretKeySelector `json:"apiKeyRef"`
 }
 
+// ConjurJWT defines the JWT authentication configuration for Conjur provider.
 type ConjurJWT struct {
 	// Account is the Conjur organization account name.
 	Account string `json:"account"`

+ 2 - 0
apis/externalsecrets/v1/secretstore_device42_types.go

@@ -29,10 +29,12 @@ type Device42Provider struct {
 	Auth Device42Auth `json:"auth"`
 }
 
+// Device42Auth defines the authentication method for the Device42 provider.
 type Device42Auth struct {
 	SecretRef Device42SecretRef `json:"secretRef"`
 }
 
+// Device42SecretRef contains the secret reference for accessing the Device42 instance.
 type Device42SecretRef struct {
 	// Username / Password is used for authentication.
 	// +optional

+ 2 - 0
apis/externalsecrets/v1/secretstore_doppler_types.go

@@ -22,10 +22,12 @@ import (
 
 // Set DOPPLER_BASE_URL and DOPPLER_VERIFY_TLS environment variables to override defaults
 
+// DopplerAuth defines the authentication method for the Doppler provider.
 type DopplerAuth struct {
 	SecretRef DopplerAuthSecretRef `json:"secretRef"`
 }
 
+// DopplerAuthSecretRef contains the secret reference for accessing the Doppler API.
 type DopplerAuthSecretRef struct {
 	// The DopplerToken is used for authentication.
 	// See https://docs.doppler.com/reference/api#authentication for auth token types.

+ 1 - 0
apis/externalsecrets/v1/secretstore_fake_types.go

@@ -22,6 +22,7 @@ type FakeProvider struct {
 	ValidationResult *ValidationResult  `json:"validationResult,omitempty"`
 }
 
+// FakeProviderData defines a key-value pair with optional version for the fake provider.
 type FakeProviderData struct {
 	Key     string `json:"key"`
 	Value   string `json:"value"`

+ 3 - 0
apis/externalsecrets/v1/secretstore_fortanix_types.go

@@ -13,10 +13,12 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package v1
 
 import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 
+// FortanixProvider provides access to Fortanix SDKMS API using the provided credentials.
 type FortanixProvider struct {
 	// APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
 	APIURL string `json:"apiUrl,omitempty"`
@@ -25,6 +27,7 @@ type FortanixProvider struct {
 	APIKey *FortanixProviderSecretRef `json:"apiKey,omitempty"`
 }
 
+// FortanixProviderSecretRef is a secret reference containing the SDKMS API Key.
 type FortanixProviderSecretRef struct {
 	// SecretRef is a reference to a secret containing the SDKMS API Key.
 	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`

+ 4 - 0
apis/externalsecrets/v1/secretstore_gcpsm_types.go

@@ -20,6 +20,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+// SecretVersionSelectionPolicy defines the policy for selecting secret versions in GCP Secret Manager.
 type SecretVersionSelectionPolicy string
 
 const (
@@ -30,6 +31,7 @@ const (
 	SecretVersionSelectionPolicyLatestOrFetch SecretVersionSelectionPolicy = "LatestOrFetch"
 )
 
+// GCPSMAuth defines the authentication methods for Google Cloud Platform Secret Manager.
 type GCPSMAuth struct {
 	// +optional
 	SecretRef *GCPSMAuthSecretRef `json:"secretRef,omitempty"`
@@ -39,12 +41,14 @@ type GCPSMAuth struct {
 	WorkloadIdentityFederation *GCPWorkloadIdentityFederation `json:"workloadIdentityFederation,omitempty"`
 }
 
+// GCPSMAuthSecretRef contains the secret references for GCP Secret Manager authentication.
 type GCPSMAuthSecretRef struct {
 	// The SecretAccessKey is used for authentication
 	// +optional
 	SecretAccessKey esmeta.SecretKeySelector `json:"secretAccessKeySecretRef,omitempty"`
 }
 
+// GCPWorkloadIdentity defines configuration for workload identity authentication to GCP.
 type GCPWorkloadIdentity struct {
 	// +kubebuilder:validation:Required
 	ServiceAccountRef esmeta.ServiceAccountSelector `json:"serviceAccountRef"`

+ 2 - 1
apis/externalsecrets/v1/secretstore_github_types.go

@@ -20,7 +20,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
-// Configures a store to push secrets to Github Actions.
+// GithubProvider provides access and authentication to a GitHub instance .
 type GithubProvider struct {
 	// URL configures the Github instance URL. Defaults to https://github.com/.
 	//+kubebuilder:default="https://github.com/"
@@ -49,6 +49,7 @@ type GithubProvider struct {
 	Environment string `json:"environment,omitempty"`
 }
 
+// GithubAppAuth defines authentication configuration using a GitHub App for accessing GitHub API.
 type GithubAppAuth struct {
 	PrivateKey esmeta.SecretKeySelector `json:"privateKey"`
 }
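Review bot: The rewritten comment on `GithubProvider` drops the one fact the old comment carried, that this store pushes secrets to Github Actions. It also leaves a stray space before the final period. I would keep the original meaning with the type name in front: `// GithubProvider configures a store to push secrets to Github Actions.`.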

+ 3 - 1
apis/externalsecrets/v1/secretstore_gitlab_types.go

@@ -20,7 +20,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
-// Configures a store to sync secrets with a GitLab instance.
+// GitlabProvider configures a store to sync secrets with a GitLab instance.
 type GitlabProvider struct {
 	// URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
 	URL string `json:"url,omitempty"`
@@ -49,10 +49,12 @@ type GitlabProvider struct {
 	CAProvider *CAProvider `json:"caProvider,omitempty"`
 }
 
+// GitlabAuth defines the authentication method for accessing GitLab API.
 type GitlabAuth struct {
 	SecretRef GitlabSecretRef `json:"SecretRef"`
 }
 
+// GitlabSecretRef contains the secret reference for GitLab authentication credentials.
 type GitlabSecretRef struct {
 	// AccessToken is used for authentication.
 	AccessToken esmeta.SecretKeySelector `json:"accessToken,omitempty"`

+ 4 - 2
apis/externalsecrets/v1/secretstore_ibm_types.go

@@ -20,7 +20,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
-// Configures an store to sync secrets using a IBM Cloud Secrets Manager
+// IBMProvider configures a store to sync secrets using a IBM Cloud Secrets Manager
 // backend.
 type IBMProvider struct {
 	// Auth configures how secret-manager authenticates with the IBM secrets manager.
@@ -30,6 +30,7 @@ type IBMProvider struct {
 	ServiceURL *string `json:"serviceUrl,omitempty"`
 }
 
+// IBMAuth defines authentication options for connecting to IBM Cloud Secrets Manager.
 // +kubebuilder:validation:MinProperties=1
 // +kubebuilder:validation:MaxProperties=1
 type IBMAuth struct {
@@ -37,12 +38,13 @@ type IBMAuth struct {
 	ContainerAuth *IBMAuthContainerAuth `json:"containerAuth,omitempty"`
 }
 
+// IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication.
 type IBMAuthSecretRef struct {
 	// The SecretAccessKey is used for authentication
 	SecretAPIKey esmeta.SecretKeySelector `json:"secretApiKeySecretRef,omitempty"`
 }
 
-// IBM Container-based auth with IAM Trusted Profile.
+// IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile.
 type IBMAuthContainerAuth struct {
 	// the IBM Trusted Profile
 	Profile string `json:"profile"`

+ 5 - 2
apis/externalsecrets/v1/secretstore_kubernetes_types.go

@@ -20,8 +20,8 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+// KubernetesServer defines configuration for connecting to a Kubernetes API server.
 type KubernetesServer struct {
-
 	// configures the Kubernetes server Address.
 	// +kubebuilder:default=kubernetes.default
 	// +optional
@@ -36,7 +36,7 @@ type KubernetesServer struct {
 	CAProvider *CAProvider `json:"caProvider,omitempty"`
 }
 
-// Configures a store to sync secrets with a Kubernetes instance.
+// KubernetesProvider configures a store to sync secrets with a Kubernetes instance.
 type KubernetesProvider struct {
 	// configures the Kubernetes server Address.
 	// +optional
@@ -59,6 +59,7 @@ type KubernetesProvider struct {
 	RemoteNamespace string `json:"remoteNamespace,omitempty"`
 }
 
+// KubernetesAuth defines authentication options for connecting to a Kubernetes cluster.
 // +kubebuilder:validation:MinProperties=1
 // +kubebuilder:validation:MaxProperties=1
 type KubernetesAuth struct {
@@ -75,11 +76,13 @@ type KubernetesAuth struct {
 	ServiceAccount *esmeta.ServiceAccountSelector `json:"serviceAccount,omitempty"`
 }
 
+// CertAuth defines certificate-based authentication configuration for Kubernetes.
 type CertAuth struct {
 	ClientCert esmeta.SecretKeySelector `json:"clientCert,omitempty"`
 	ClientKey  esmeta.SecretKeySelector `json:"clientKey,omitempty"`
 }
 
+// TokenAuth defines token-based authentication configuration for Kubernetes.
 type TokenAuth struct {
 	BearerToken esmeta.SecretKeySelector `json:"bearerToken,omitempty"`
 }

+ 3 - 0
apis/externalsecrets/v1/secretstore_ngrok_types.go

@@ -36,6 +36,7 @@ type NgrokProvider struct {
 	Vault NgrokVault `json:"vault"`
 }
 
+// NgrokAuth configures the authentication method for the ngrok provider.
 // +kubebuilder:validation:MinProperties=1
 // +kubebuilder:validation:MaxProperties=1
 type NgrokAuth struct {
@@ -44,12 +45,14 @@ type NgrokAuth struct {
 	APIKey *NgrokProviderSecretRef `json:"apiKey,omitempty"`
 }
 
+// NgrokVault configures the ngrok vault to sync secrets with.
 type NgrokVault struct {
 	// Name is the name of the ngrok vault to sync secrets with.
 	// +kubebuilder:validation:Required
 	Name string `json:"name"`
 }
 
+// NgrokProviderSecretRef contains the secret reference for the ngrok provider.
 type NgrokProviderSecretRef struct {
 	// SecretRef is a reference to a secret containing the ngrok API key.
 	// +optional

+ 4 - 2
apis/externalsecrets/v1/secretstore_oracle_types.go

@@ -20,6 +20,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+// OraclePrincipalType defines the type of principal used for authentication with Oracle Vault.
 // +kubebuilder:validation:Enum="";UserPrincipal;InstancePrincipal;Workload
 type OraclePrincipalType string
 
@@ -32,7 +33,7 @@ const (
 	WorkloadPrincipal OraclePrincipalType = "Workload"
 )
 
-// Configures an store to sync secrets using a Oracle Vault
+// OracleProvider configures a store to sync secrets using an Oracle Vault
 // backend.
 type OracleProvider struct {
 	// Region is the region where vault is located.
@@ -68,8 +69,8 @@ type OracleProvider struct {
 	ServiceAccountRef *esmeta.ServiceAccountSelector `json:"serviceAccountRef,omitempty"`
 }
 
+// OracleAuth defines the authentication method for the Oracle Vault provider.
 type OracleAuth struct {
-
 	// Tenancy is the tenancy OCID where user is located.
 	Tenancy string `json:"tenancy"`
 
@@ -80,6 +81,7 @@ type OracleAuth struct {
 	SecretRef OracleSecretRef `json:"secretRef"`
 }
 
+// OracleSecretRef contains the secret reference for Oracle Vault authentication credentials.
 type OracleSecretRef struct {
 	// PrivateKey is the user's API Signing Key in PEM format, used for authentication.
 	PrivateKey esmeta.SecretKeySelector `json:"privatekey"`

+ 3 - 1
apis/externalsecrets/v1/secretstore_passworddeport_types.go

@@ -20,7 +20,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
-// Configures a store to sync secrets with a Password Depot instance.
+// PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
 type PasswordDepotProvider struct {
 	// URL configures the Password Depot instance URL.
 	Host string `json:"host"`
@@ -32,10 +32,12 @@ type PasswordDepotProvider struct {
 	Auth PasswordDepotAuth `json:"auth"`
 }
 
+// PasswordDepotAuth defines the authentication method for the Password Depot provider.
 type PasswordDepotAuth struct {
 	SecretRef PasswordDepotSecretRef `json:"secretRef"`
 }
 
+// PasswordDepotSecretRef contains the secret reference for Password Depot authentication.
 type PasswordDepotSecretRef struct {
 	// Username / Password is used for authentication.
 	// +optional

+ 2 - 0
apis/externalsecrets/v1/secretstore_pulumi_types.go

@@ -20,6 +20,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+// PulumiProvider defines configuration for accessing secrets from Pulumi ESC.
 type PulumiProvider struct {
 	// APIURL is the URL of the Pulumi API.
 	// +kubebuilder:default="https://api.pulumi.com/api/esc"
@@ -41,6 +42,7 @@ type PulumiProvider struct {
 	Environment string `json:"environment"`
 }
 
+// PulumiProviderSecretRef contains the secret reference for Pulumi authentication.
 type PulumiProviderSecretRef struct {
 	// SecretRef is a reference to a secret containing the Pulumi API token.
 	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`

+ 2 - 2
apis/externalsecrets/v1/secretstore_scaleway_types.go

@@ -18,8 +18,8 @@ package v1
 
 import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 
+// ScalewayProviderSecretRef defines the configuration for Scaleway secret references.
 type ScalewayProviderSecretRef struct {
-
 	// Value can be specified directly to set a value without using a secret.
 	// +optional
 	Value string `json:"value,omitempty"`
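Review bot: The new godoc on `ScalewayProviderSecretRef` does not say that `Value` carries its content inline in the store manifest, where anyone allowed to read the SecretStore object can read it. If this type is used for credentials (its users are outside the hunk, so this is inferred), the type comment is the place to steer readers towards `SecretRef`. A possible wording is `// ScalewayProviderSecretRef holds a value either inline (Value) or as a reference to a Secret key (SecretRef); prefer SecretRef for credentials, since Value is stored in plain text in the store resource.` The struct body continues outside this hunk.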
@@ -29,8 +29,8 @@ type ScalewayProviderSecretRef struct {
 	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
 }
 
+// ScalewayProvider defines the configuration for the Scaleway Secret Manager provider.
 type ScalewayProvider struct {
-
 	// APIURL is the url of the api to use. Defaults to https://api.scaleway.com
 	// +optional
 	APIURL string `json:"apiUrl,omitempty"`

+ 17 - 5
apis/externalsecrets/v1/secretstore_types.go

@@ -220,16 +220,19 @@ type SecretStoreProvider struct {
 	Ngrok *NgrokProvider `json:"ngrok,omitempty"`
 }
 
+// CAProviderType defines the type of provider for certificate authority.
 type CAProviderType string
 
+// Supported CA provider types.
 const (
-	CAProviderTypeSecret    CAProviderType = "Secret"
+	// CAProviderTypeSecret indicates that the CA certificate is stored in a Secret resource.
+	CAProviderTypeSecret CAProviderType = "Secret"
+	// CAProviderTypeConfigMap indicates that the CA certificate is stored in a ConfigMap resource.
 	CAProviderTypeConfigMap CAProviderType = "ConfigMap"
 )
 
-// Used to provide custom certificate authority (CA) certificates
-// for a secret store. The CAProvider points to a Secret or ConfigMap resource
-// that contains a PEM-encoded certificate.
+// CAProvider provides a custom certificate authority for accessing the provider's store.
+// The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
 type CAProvider struct {
 	// The type of provider to use such as "Secret", or "ConfigMap".
 	// +kubebuilder:validation:Enum="Secret";"ConfigMap"
@@ -257,14 +260,18 @@ type CAProvider struct {
 	Namespace *string `json:"namespace,omitempty"`
 }
 
+// SecretStoreRetrySettings defines the retry settings for accessing external secrets manager stores.
 type SecretStoreRetrySettings struct {
 	MaxRetries    *int32  `json:"maxRetries,omitempty"`
 	RetryInterval *string `json:"retryInterval,omitempty"`
 }
 
+// SecretStoreConditionType represents the condition of the SecretStore.
 type SecretStoreConditionType string
 
+// These are valid conditions of a secret store.
 const (
+	// SecretStoreReady indicates that the store is ready and able to serve requests.
 	SecretStoreReady SecretStoreConditionType = "Ready"
 
 	ReasonInvalidStore          = "InvalidStoreConfiguration"
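Review bot: The added block comment `// These are valid conditions of a secret store.` sits on a const group that also holds `ReasonInvalidStore`, which looks like a condition reason rather than a condition type; only `SecretStoreReady` is typed as `SecretStoreConditionType`. Either word the block comment as `// SecretStore condition types and reasons.` or move the reasons into their own documented group. In the same hunk `SecretStoreRetrySettings` gets a type comment but `MaxRetries` and `RetryInterval` stay undocumented. `RetryInterval` is a free-form `*string`, so a hedged line such as `// RetryInterval is the wait between retries as a duration string (confirm the accepted format).` would help users of the CRD. The const block continues outside the hunk.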
@@ -275,6 +282,7 @@ const (
 	StoreUnmaintained           = "StoreUnmaintained"
 )
 
+// SecretStoreStatusCondition contains condition information for a SecretStore.
 type SecretStoreStatusCondition struct {
 	Type   SecretStoreConditionType `json:"type"`
 	Status corev1.ConditionStatus   `json:"status"`
@@ -292,9 +300,13 @@ type SecretStoreStatusCondition struct {
 // SecretStoreCapabilities defines the possible operations a SecretStore can do.
 type SecretStoreCapabilities string
 
+// These are the valid capabilities of a secret store.
 const (
-	SecretStoreReadOnly  SecretStoreCapabilities = "ReadOnly"
+	// SecretStoreReadOnly indicates that the store can only read secrets.
+	SecretStoreReadOnly SecretStoreCapabilities = "ReadOnly"
+	// SecretStoreWriteOnly indicates that the store can only write secrets.
 	SecretStoreWriteOnly SecretStoreCapabilities = "WriteOnly"
+	// SecretStoreReadWrite indicates that the store can both read and write secrets.
 	SecretStoreReadWrite SecretStoreCapabilities = "ReadWrite"
 )
 

+ 2 - 0
apis/externalsecrets/v1/secretstore_validator.go

@@ -26,6 +26,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 
+// Ensures ExternalSecretValidator implements the admission.CustomValidator interface correctly.
 var _ admission.CustomValidator = &GenericStoreValidator{}
 
 const (
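Review bot: The comment added above the interface assertion names `ExternalSecretValidator`, but the type asserted on the next line is `GenericStoreValidator`; it reads like a copy from the ExternalSecret validator file. It should be `// Ensures GenericStoreValidator implements the admission.CustomValidator interface correctly.` so that a search for the store admission webhook lands on the right type.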
@@ -33,6 +34,7 @@ const (
 	warnStoreUnmaintained = "store %s isn't currently maintained. Please plan and prepare accordingly."
 )
 
+// GenericStoreValidator implements webhook validation for SecretStore and ClusterSecretStore resources.
 type GenericStoreValidator struct{}
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type.

+ 5 - 3
apis/externalsecrets/v1/secretstore_vault_types.go

@@ -20,14 +20,16 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+// VaultKVStoreVersion represents the version of the Vault KV secret engine.
 type VaultKVStoreVersion string
 
+// These are the currently supported VaultKVStoreVersion.
 const (
 	VaultKVStoreV1 VaultKVStoreVersion = "v1"
 	VaultKVStoreV2 VaultKVStoreVersion = "v2"
 )
 
-// Configures an store to sync secrets using a HashiCorp Vault
+// VaultProvider configures a store to sync secrets using a HashiCorp Vault
 // KV backend.
 type VaultProvider struct {
 	// Auth configures how secret-manager authenticates with the Vault server.
@@ -194,7 +196,7 @@ type VaultAppRole struct {
 	SecretRef esmeta.SecretKeySelector `json:"secretRef"`
 }
 
-// Authenticate against Vault using a Kubernetes ServiceAccount token stored in
+// VaultKubernetesAuth authenticates against Vault using a Kubernetes ServiceAccount token stored in
 // a Secret.
 type VaultKubernetesAuth struct {
 	// Path where the Kubernetes authentication backend is mounted in Vault, e.g:
@@ -250,7 +252,7 @@ type VaultAwsAuth struct {
 	JWTAuth *VaultAwsJWTAuth `json:"jwt,omitempty"`
 }
 
-// VaultAWSAuthSecretRef holds secret references for AWS credentials
+// VaultAwsAuthSecretRef holds secret references for AWS credentials
 // both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
 type VaultAwsAuthSecretRef struct {
 	// The AccessKeyID is used for authentication

+ 2 - 0
apis/externalsecrets/v1/secretstore_webhook.go

@@ -20,6 +20,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 )
 
+// SetupWebhookWithManager registers the SecretStore webhook with the controller manager.
 func (c *SecretStore) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(c).
@@ -27,6 +28,7 @@ func (c *SecretStore) SetupWebhookWithManager(mgr ctrl.Manager) error {
 		Complete()
 }
 
+// SetupWebhookWithManager registers the ClusterSecretStore webhook with the controller manager.
 func (c *ClusterSecretStore) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(c).

+ 10 - 3
apis/externalsecrets/v1/secretstore_webhook_types.go

@@ -22,7 +22,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
-// WebHookProvider Configures an store to sync secrets from simple web apis.
+// WebhookProvider configures a store to sync secrets from simple web APIs.
 type WebhookProvider struct {
 	// Webhook Method
 	// +optional, default GET
@@ -84,14 +84,19 @@ type NTLMProtocol struct {
 	UserName esmeta.SecretKeySelector `json:"usernameSecret"`
 	Password esmeta.SecretKeySelector `json:"passwordSecret"`
 }
+
+// WebhookCAProviderType defines the type of provider for certificate authority in webhook connections.
 type WebhookCAProviderType string
 
+// These are valid CA provider types for webhook connections.
 const (
-	WebhookCAProviderTypeSecret    WebhookCAProviderType = "Secret"
+	// WebhookCAProviderTypeSecret indicates that the CA certificate is stored in a Secret resource.
+	WebhookCAProviderTypeSecret WebhookCAProviderType = "Secret"
+	// WebhookCAProviderTypeConfigMap indicates that the CA certificate is stored in a ConfigMap resource.
 	WebhookCAProviderTypeConfigMap WebhookCAProviderType = "ConfigMap"
 )
 
-// Defines a location to fetch the cert for the webhook provider from.
+// WebhookCAProvider defines a location to fetch the cert for the webhook provider from.
 type WebhookCAProvider struct {
 	// The type of provider to use such as "Secret", or "ConfigMap".
 	// +kubebuilder:validation:Enum="Secret";"ConfigMap"
@@ -118,12 +123,14 @@ type WebhookCAProvider struct {
 	Namespace *string `json:"namespace,omitempty"`
 }
 
+// WebhookResult defines how to process and extract secrets from the webhook response.
 type WebhookResult struct {
 	// Json path of return value
 	// +optional
 	JSONPath string `json:"jsonPath,omitempty"`
 }
 
+// WebhookSecret defines a secret that will be passed to the webhook request.
 type WebhookSecret struct {
 	// Name of this secret in templates
 	Name string `json:"name"`

+ 3 - 0
apis/externalsecrets/v1/secretstore_yandex_types.go

@@ -20,12 +20,14 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+// YandexAuth defines the authentication method for the Yandex provider.
 type YandexAuth struct {
 	// The authorized key used for authentication
 	// +optional
 	AuthorizedKey esmeta.SecretKeySelector `json:"authorizedKeySecretRef,omitempty"`
 }
 
+// YandexCAProvider defines the configuration for Yandex custom certificate authority.
 type YandexCAProvider struct {
 	Certificate esmeta.SecretKeySelector `json:"certSecretRef,omitempty"`
 }
@@ -39,6 +41,7 @@ type ByName struct {
 	FolderID string `json:"folderID"`
 }
 
+// FetchingPolicy configures how the provider interprets the `data.secretKey.remoteRef.key` field in ExternalSecret.
 // +kubebuilder:validation:MinProperties=1
 // +kubebuilder:validation:MaxProperties=1
 type FetchingPolicy struct {

+ 12 - 12
apis/externalsecrets/v1/zz_generated.deepcopy.go

@@ -2009,34 +2009,34 @@ func (in *GCPWorkloadIdentityFederation) DeepCopy() *GCPWorkloadIdentityFederati
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GcpIamAuthCredentials) DeepCopyInto(out *GcpIamAuthCredentials) {
+func (in *GcpIDTokenAuthCredentials) DeepCopyInto(out *GcpIDTokenAuthCredentials) {
 	*out = *in
 	in.IdentityID.DeepCopyInto(&out.IdentityID)
-	in.ServiceAccountKeyFilePath.DeepCopyInto(&out.ServiceAccountKeyFilePath)
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GcpIamAuthCredentials.
-func (in *GcpIamAuthCredentials) DeepCopy() *GcpIamAuthCredentials {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GcpIDTokenAuthCredentials.
+func (in *GcpIDTokenAuthCredentials) DeepCopy() *GcpIDTokenAuthCredentials {
 	if in == nil {
 		return nil
 	}
-	out := new(GcpIamAuthCredentials)
+	out := new(GcpIDTokenAuthCredentials)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GcpIdTokenAuthCredentials) DeepCopyInto(out *GcpIdTokenAuthCredentials) {
+func (in *GcpIamAuthCredentials) DeepCopyInto(out *GcpIamAuthCredentials) {
 	*out = *in
 	in.IdentityID.DeepCopyInto(&out.IdentityID)
+	in.ServiceAccountKeyFilePath.DeepCopyInto(&out.ServiceAccountKeyFilePath)
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GcpIdTokenAuthCredentials.
-func (in *GcpIdTokenAuthCredentials) DeepCopy() *GcpIdTokenAuthCredentials {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GcpIamAuthCredentials.
+func (in *GcpIamAuthCredentials) DeepCopy() *GcpIamAuthCredentials {
 	if in == nil {
 		return nil
 	}
-	out := new(GcpIdTokenAuthCredentials)
+	out := new(GcpIamAuthCredentials)
 	in.DeepCopyInto(out)
 	return out
 }
@@ -2256,9 +2256,9 @@ func (in *InfisicalAuth) DeepCopyInto(out *InfisicalAuth) {
 		*out = new(AzureAuthCredentials)
 		(*in).DeepCopyInto(*out)
 	}
-	if in.GcpIdTokenAuthCredentials != nil {
-		in, out := &in.GcpIdTokenAuthCredentials, &out.GcpIdTokenAuthCredentials
-		*out = new(GcpIdTokenAuthCredentials)
+	if in.GcpIDTokenAuthCredentials != nil {
+		in, out := &in.GcpIDTokenAuthCredentials, &out.GcpIDTokenAuthCredentials
+		*out = new(GcpIDTokenAuthCredentials)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.GcpIamAuthCredentials != nil {

+ 35 - 6
apis/externalsecrets/v1alpha1/pushsecret_types.go

@@ -24,11 +24,15 @@ import (
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 )
 
+// PushSecret condition reasons.
 const (
-	ReasonSynced  = "Synced"
+	// ReasonSynced indicates that the push secret was successfully synced to the provider.
+	ReasonSynced = "Synced"
+	// ReasonErrored indicates that the push secret encountered an error during sync.
 	ReasonErrored = "Errored"
 )
 
+// PushSecretStoreRef contains a reference on how to sync to a SecretStore.
 type PushSecretStoreRef struct {
 	// Optionally, sync to the SecretStore of the given name
 	// +optional
@@ -48,27 +52,36 @@ type PushSecretStoreRef struct {
 	Kind string `json:"kind,omitempty"`
 }
 
+// PushSecretUpdatePolicy defines how push secrets are updated in the provider.
 // +kubebuilder:validation:Enum=Replace;IfNotExists
 type PushSecretUpdatePolicy string
 
 const (
-	PushSecretUpdatePolicyReplace     PushSecretUpdatePolicy = "Replace"
+	// PushSecretUpdatePolicyReplace replaces existing secrets in the provider.
+	PushSecretUpdatePolicyReplace PushSecretUpdatePolicy = "Replace"
+	// PushSecretUpdatePolicyIfNotExists only creates secrets that don't exist in the provider.
 	PushSecretUpdatePolicyIfNotExists PushSecretUpdatePolicy = "IfNotExists"
 )
 
+// PushSecretDeletionPolicy defines how push secrets are deleted in the provider.
 // +kubebuilder:validation:Enum=Delete;None
 type PushSecretDeletionPolicy string
 
 const (
+	// PushSecretDeletionPolicyDelete deletes secrets from the provider when the PushSecret is deleted.
 	PushSecretDeletionPolicyDelete PushSecretDeletionPolicy = "Delete"
-	PushSecretDeletionPolicyNone   PushSecretDeletionPolicy = "None"
+	// PushSecretDeletionPolicyNone keeps secrets in the provider when the PushSecret is deleted.
+	PushSecretDeletionPolicyNone PushSecretDeletionPolicy = "None"
 )
 
+// PushSecretConversionStrategy defines how secret values are converted when pushed to providers.
 // +kubebuilder:validation:Enum=None;ReverseUnicode
 type PushSecretConversionStrategy string
 
 const (
-	PushSecretConversionNone           PushSecretConversionStrategy = "None"
+	// PushSecretConversionNone indicates no conversion will be performed on the secret value.
+	PushSecretConversionNone PushSecretConversionStrategy = "None"
+	// PushSecretConversionReverseUnicode indicates that unicode escape sequences will be reversed.
 	PushSecretConversionReverseUnicode PushSecretConversionStrategy = "ReverseUnicode"
 )
 
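Review bot: The comments on `PushSecretConversionStrategy` and `PushSecretConversionReverseUnicode` are vague enough to mislead: "unicode escape sequences will be reversed" can be read as reversing the string, and "secret values" may not be what is converted. Judging by the matching ExternalSecret `Unicode` strategy, the conversion probably applies to secret keys and this option undoes it, but that code is not visible here, so confirm before rewording. Something like `// PushSecretConversionReverseUnicode converts escaped key names back to their original unicode characters before pushing.` would state the direction of the conversion.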
@@ -101,6 +114,7 @@ type PushSecretSpec struct {
 	Template *esv1.ExternalSecretTemplate `json:"template,omitempty"`
 }
 
+// PushSecretSecret defines a Secret that will be used as a source for pushing to providers.
 type PushSecretSecret struct {
 	// Name of the Secret.
 	// The Secret must exist in the same namespace as the PushSecret manifest.
@@ -115,6 +129,7 @@ type PushSecretSecret struct {
 	Selector *metav1.LabelSelector `json:"selector,omitempty"`
 }
 
+// PushSecretSelector defines criteria for selecting the source Secret for pushing to providers.
 // +kubebuilder:validation:MinProperties=1
 // +kubebuilder:validation:MaxProperties=1
 type PushSecretSelector struct {
@@ -127,6 +142,7 @@ type PushSecretSelector struct {
 	GeneratorRef *esv1.GeneratorRef `json:"generatorRef,omitempty"`
 }
 
+// PushSecretRemoteRef defines the location of the secret in the provider.
 type PushSecretRemoteRef struct {
 	// Name of the resulting provider secret.
 	RemoteKey string `json:"remoteKey"`
@@ -136,14 +152,17 @@ type PushSecretRemoteRef struct {
 	Property string `json:"property,omitempty"`
 }
 
+// GetRemoteKey returns the RemoteKey of this reference.
 func (r PushSecretRemoteRef) GetRemoteKey() string {
 	return r.RemoteKey
 }
 
+// GetProperty returns the Property of this reference.
 func (r PushSecretRemoteRef) GetProperty() string {
 	return r.Property
 }
 
+// PushSecretMatch defines how a source Secret key maps to a destination in the provider.
 type PushSecretMatch struct {
 	// Secret Key to be pushed
 	// +optional
@@ -152,6 +171,7 @@ type PushSecretMatch struct {
 	RemoteRef PushSecretRemoteRef `json:"remoteRef"`
 }
 
+// PushSecretData defines data to be pushed to the provider and associated metadata.
 type PushSecretData struct {
 	// Match a given Secret Key to be pushed to the provider.
 	Match PushSecretMatch `json:"match"`
@@ -165,18 +185,22 @@ type PushSecretData struct {
 	ConversionStrategy PushSecretConversionStrategy `json:"conversionStrategy,omitempty"`
 }
 
+// GetMetadata returns the metadata of the PushSecretData.
 func (d PushSecretData) GetMetadata() *apiextensionsv1.JSON {
 	return d.Metadata
 }
 
+// GetSecretKey returns the secret key from the PushSecretData match.
 func (d PushSecretData) GetSecretKey() string {
 	return d.Match.SecretKey
 }
 
+// GetRemoteKey returns the remote key from the PushSecretData match.
 func (d PushSecretData) GetRemoteKey() string {
 	return d.Match.RemoteRef.RemoteKey
 }
 
+// GetProperty returns the property from the PushSecretData match.
 func (d PushSecretData) GetProperty() string {
 	return d.Match.RemoteRef.Property
 }
@@ -185,6 +209,7 @@ func (d PushSecretData) GetProperty() string {
 type PushSecretConditionType string
 
 const (
+	// PushSecretReady indicates the PushSecret resource is ready.
 	PushSecretReady PushSecretConditionType = "Ready"
 )
 
@@ -203,6 +228,8 @@ type PushSecretStatusCondition struct {
 	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
 }
 
+// SyncedPushSecretsMap is a map that tracks which PushSecretData was stored to which secret store.
+// The outer map's key is the secret store name, and the inner map's key is the remote key name.
 type SyncedPushSecretsMap map[string]map[string]PushSecretData
 
 // PushSecretStatus indicates the history of the status of PushSecret.
@@ -224,13 +251,13 @@ type PushSecretStatus struct {
 
 // +kubebuilder:object:root=true
 // +kubebuilder:storageversion
-// PushSecrets is the Schema for the PushSecrets API.
 // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
 // +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason`
 // +kubebuilder:subresource:status
 // +kubebuilder:metadata:labels="external-secrets.io/component=controller"
 // +kubebuilder:resource:scope=Namespaced,categories={external-secrets},shortName=ps
 
+// PushSecret is the Schema for the PushSecrets API that enables pushing Kubernetes secrets to external secret providers.
 type PushSecret struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
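Review bot: The doc comment for `PushSecret` is placed after the `+kubebuilder` markers with a blank line in between, while `ClusterExternalSecret` in apis/externalsecrets/v1beta1/clusterexternalsecret_types.go puts its doc comment first and the markers directly under it in the same comment group. Both layouts satisfy the linter, but two conventions in one commit make it easy to add a marker to the wrong comment group later. I would pick one and use it for `PushSecret`, `ClusterPushSecret` (the hunk at -321,13) and the v1beta1 types. It is also worth regenerating the CRDs after this change and checking that the output is unchanged, since marker placement presumably decides what the generator picks up. The struct body continues outside the hunk.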
@@ -272,6 +299,7 @@ type PushSecretMetadata struct {
 	Labels map[string]string `json:"labels,omitempty"`
 }
 
+// ClusterPushSecretSpec defines the configuration for a ClusterPushSecret resource.
 type ClusterPushSecretSpec struct {
 	// PushSecretSpec defines what to do with the secrets.
 	PushSecretSpec PushSecretSpec `json:"pushSecretSpec"`
@@ -305,6 +333,7 @@ type ClusterPushSecretNamespaceFailure struct {
 	Reason string `json:"reason,omitempty"`
 }
 
+// ClusterPushSecretStatus contains the status information for the ClusterPushSecret resource.
 type ClusterPushSecretStatus struct {
 	// Failed namespaces are the namespaces that failed to apply an PushSecret
 	// +optional
@@ -321,13 +350,13 @@ type ClusterPushSecretStatus struct {
 
 // +kubebuilder:object:root=true
 // +kubebuilder:storageversion
-// ClusterPushSecretCondition is the Schema for the PushSecrets API.
 // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
 // +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason`
 // +kubebuilder:subresource:status
 // +kubebuilder:metadata:labels="external-secrets.io/component=controller"
 // +kubebuilder:resource:scope=Cluster,categories={external-secrets}
 
+// ClusterPushSecret is the Schema for the ClusterPushSecrets API that enables cluster-wide management of pushing Kubernetes secrets to external providers.
 type ClusterPushSecret struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

+ 16 - 7
apis/externalsecrets/v1alpha1/register.go

@@ -35,20 +35,29 @@ var (
 
 	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
 	SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
-	AddToScheme   = SchemeBuilder.AddToScheme
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
 )
 
 var (
-	PushSecretKind             = reflect.TypeOf(PushSecret{}).Name()
-	PushSecretGroupKind        = schema.GroupKind{Group: Group, Kind: PushSecretKind}.String()
-	PushSecretKindAPIVersion   = PushSecretKind + "." + SchemeGroupVersion.String()
+	// PushSecretKind is the kind name used for PushSecret resources.
+	PushSecretKind = reflect.TypeOf(PushSecret{}).Name()
+	// PushSecretGroupKind is the group/kind used for PushSecret resources.
+	PushSecretGroupKind = schema.GroupKind{Group: Group, Kind: PushSecretKind}.String()
+	// PushSecretKindAPIVersion is the kind/apiVersion used for PushSecret resources.
+	PushSecretKindAPIVersion = PushSecretKind + "." + SchemeGroupVersion.String()
+	// PushSecretGroupVersionKind is the GroupVersionKind for PushSecret resources.
 	PushSecretGroupVersionKind = SchemeGroupVersion.WithKind(PushSecretKind)
 )
 
 var (
-	ClusterPushSecretKind             = reflect.TypeOf(ClusterPushSecret{}).Name()
-	ClusterPushSecretGroupKind        = schema.GroupKind{Group: Group, Kind: ClusterPushSecretKind}.String()
-	ClusterPushSecretKindAPIVersion   = ClusterPushSecretKind + "." + SchemeGroupVersion.String()
+	// ClusterPushSecretKind is the kind name used for ClusterPushSecret resources.
+	ClusterPushSecretKind = reflect.TypeOf(ClusterPushSecret{}).Name()
+	// ClusterPushSecretGroupKind is the group/kind used for ClusterPushSecret resources.
+	ClusterPushSecretGroupKind = schema.GroupKind{Group: Group, Kind: ClusterPushSecretKind}.String()
+	// ClusterPushSecretKindAPIVersion is the kind/apiVersion used for ClusterPushSecret resources.
+	ClusterPushSecretKindAPIVersion = ClusterPushSecretKind + "." + SchemeGroupVersion.String()
+	// ClusterPushSecretGroupVersionKind is the GroupVersionKind for ClusterPushSecret resources.
 	ClusterPushSecretGroupVersionKind = SchemeGroupVersion.WithKind(ClusterPushSecretKind)
 )
 
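Review bot: The comments `is the group/kind used for ...` and `is the kind/apiVersion used for ...` describe a string layout the values do not have. `schema.GroupKind.String()` renders as `Kind.group`, and the `KindAPIVersion` values are built from the kind, a dot, and the group/version string. Wording such as `// PushSecretGroupKind is the "Kind.group" string for PushSecret resources.` and `// PushSecretKindAPIVersion is the "Kind.group/version" string for PushSecret resources.` keeps a reader from building a comparison key in the wrong order. The same applies to the `ClusterPushSecret` variables in this hunk.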

+ 4 - 1
apis/externalsecrets/v1beta1/clusterexternalsecret_types.go

@@ -66,10 +66,13 @@ type ExternalSecretMetadata struct {
 	Labels map[string]string `json:"labels,omitempty"`
 }
 
+// ClusterExternalSecretConditionType indicates the condition of the ClusterExternalSecret.
 type ClusterExternalSecretConditionType string
 
+// ClusterExternalSecretReady indicates the ClusterExternalSecret resource is ready.
 const ClusterExternalSecretReady ClusterExternalSecretConditionType = "Ready"
 
+// ClusterExternalSecretStatusCondition indicates the status of the ClusterExternalSecret.
 type ClusterExternalSecretStatusCondition struct {
 	Type   ClusterExternalSecretConditionType `json:"type"`
 	Status corev1.ConditionStatus             `json:"status"`
@@ -106,6 +109,7 @@ type ClusterExternalSecretStatus struct {
 	Conditions []ClusterExternalSecretStatusCondition `json:"conditions,omitempty"`
 }
 
+// ClusterExternalSecret is the schema for the clusterexternalsecrets API.
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:scope=Cluster,categories={external-secrets},shortName=ces
 // +kubebuilder:subresource:status
@@ -115,7 +119,6 @@ type ClusterExternalSecretStatus struct {
 // +kubebuilder:printcolumn:name="Store",type=string,JSONPath=`.spec.externalSecretSpec.secretStoreRef.name`
 // +kubebuilder:printcolumn:name="Refresh Interval",type=string,JSONPath=`.spec.refreshTime`
 // +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].status`
-// ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
 type ClusterExternalSecret struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

+ 74 - 25
apis/externalsecrets/v1beta1/externalsecret_types.go

@@ -41,17 +41,17 @@ type SecretStoreRef struct {
 type ExternalSecretCreationPolicy string
 
 const (
-	// Owner creates the Secret and sets .metadata.ownerReferences to the ExternalSecret resource.
+	// CreatePolicyOwner creates the Secret and sets .metadata.ownerReferences to the ExternalSecret resource.
 	CreatePolicyOwner ExternalSecretCreationPolicy = "Owner"
 
-	// Orphan creates the Secret and does not set the ownerReference.
+	// CreatePolicyOrphan creates the Secret and does not set the ownerReference.
 	// I.e. it will be orphaned after the deletion of the ExternalSecret.
 	CreatePolicyOrphan ExternalSecretCreationPolicy = "Orphan"
 
-	// Merge does not create the Secret, but merges the data fields to the Secret.
+	// CreatePolicyMerge does not create the Secret, but merges the data fields to the Secret.
 	CreatePolicyMerge ExternalSecretCreationPolicy = "Merge"
 
-	// None does not create a Secret (future use with injector).
+	// CreatePolicyNone does not create a Secret (future use with injector).
 	CreatePolicyNone ExternalSecretCreationPolicy = "None"
 )
 
@@ -60,19 +60,19 @@ const (
 type ExternalSecretDeletionPolicy string
 
 const (
-	// Delete deletes the secret if all provider secrets are deleted.
+	// DeletionPolicyDelete deletes the secret if all provider secrets are deleted.
 	// If a secret gets deleted on the provider side and is not accessible
 	// anymore this is not considered an error and the ExternalSecret
 	// does not go into SecretSyncedError status.
 	DeletionPolicyDelete ExternalSecretDeletionPolicy = "Delete"
 
-	// Merge removes keys in the secret, but not the secret itself.
+	// DeletionPolicyMerge removes keys in the secret, but not the secret itself.
 	// If a secret gets deleted on the provider side and is not accessible
 	// anymore this is not considered an error and the ExternalSecret
 	// does not go into SecretSyncedError status.
 	DeletionPolicyMerge ExternalSecretDeletionPolicy = "Merge"
 
-	// Retain will retain the secret if all provider secrets have been deleted.
+	// DeletionPolicyRetain will retain the secret if all provider secrets have been deleted.
 	// If a provider secret does not exist the ExternalSecret gets into the
 	// SecretSyncedError status.
 	DeletionPolicyRetain ExternalSecretDeletionPolicy = "Retain"
@@ -112,21 +112,27 @@ type ExternalSecretTemplate struct {
 	TemplateFrom []TemplateFrom `json:"templateFrom,omitempty"`
 }
 
+// TemplateMergePolicy defines how template values should be merged when generating a secret.
 // +kubebuilder:validation:Enum=Replace;Merge
 type TemplateMergePolicy string
 
 const (
+	// MergePolicyReplace replaces the entire template content during merge operations.
 	MergePolicyReplace TemplateMergePolicy = "Replace"
-	MergePolicyMerge   TemplateMergePolicy = "Merge"
+	// MergePolicyMerge merges the template content with existing values.
+	MergePolicyMerge TemplateMergePolicy = "Merge"
 )
 
+// TemplateEngineVersion defines the version of the template engine to use.
 // +kubebuilder:validation:Enum=v2
 type TemplateEngineVersion string
 
 const (
+	// TemplateEngineV2 specifies the v2 template engine version.
 	TemplateEngineV2 TemplateEngineVersion = "v2"
 )
 
+// TemplateFrom defines a source for template data.
 type TemplateFrom struct {
 	ConfigMap *TemplateRef `json:"configMap,omitempty"`
 	Secret    *TemplateRef `json:"secret,omitempty"`
@@ -139,23 +145,31 @@ type TemplateFrom struct {
 	Literal *string `json:"literal,omitempty"`
 }
 
+// TemplateScope defines the scope of the template when processing template data.
 // +kubebuilder:validation:Enum=Values;KeysAndValues
 type TemplateScope string
 
 const (
-	TemplateScopeValues        TemplateScope = "Values"
+	// TemplateScopeValues processes only the values of the data.
+	TemplateScopeValues TemplateScope = "Values"
+	// TemplateScopeKeysAndValues processes both keys and values of the data.
 	TemplateScopeKeysAndValues TemplateScope = "KeysAndValues"
 )
 
+// TemplateTarget defines the target field where the template result will be stored.
 // +kubebuilder:validation:Enum=Data;Annotations;Labels
 type TemplateTarget string
 
 const (
-	TemplateTargetData        TemplateTarget = "Data"
+	// TemplateTargetData stores template results in the data field of the secret.
+	TemplateTargetData TemplateTarget = "Data"
+	// TemplateTargetAnnotations stores template results in the annotations field of the secret.
 	TemplateTargetAnnotations TemplateTarget = "Annotations"
-	TemplateTargetLabels      TemplateTarget = "Labels"
+	// TemplateTargetLabels stores template results in the labels field of the secret.
+	TemplateTargetLabels TemplateTarget = "Labels"
 )
 
+// TemplateRef defines a reference to a template source in a ConfigMap or Secret.
 type TemplateRef struct {
 	// The name of the ConfigMap/Secret resource
 	// +kubebuilder:validation:MinLength:=1
@@ -167,6 +181,7 @@ type TemplateRef struct {
 	Items []TemplateRefItem `json:"items"`
 }
 
+// TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
 type TemplateRefItem struct {
 	// A key in the ConfigMap/Secret
 	// +kubebuilder:validation:MinLength:=1
@@ -256,32 +271,44 @@ type ExternalSecretDataRemoteRef struct {
 	DecodingStrategy ExternalSecretDecodingStrategy `json:"decodingStrategy,omitempty"`
 }
 
+// ExternalSecretMetadataPolicy defines the policy for fetching tags/labels from provider secrets.
 // +kubebuilder:validation:Enum=None;Fetch
 type ExternalSecretMetadataPolicy string
 
 const (
-	ExternalSecretMetadataPolicyNone  ExternalSecretMetadataPolicy = "None"
+	// ExternalSecretMetadataPolicyNone indicates that no metadata will be fetched.
+	ExternalSecretMetadataPolicyNone ExternalSecretMetadataPolicy = "None"
+	// ExternalSecretMetadataPolicyFetch indicates that metadata will be fetched from the provider.
 	ExternalSecretMetadataPolicyFetch ExternalSecretMetadataPolicy = "Fetch"
 )
 
+// ExternalSecretConversionStrategy defines how secret values are converted.
 // +kubebuilder:validation:Enum=Default;Unicode
 type ExternalSecretConversionStrategy string
 
 const (
+	// ExternalSecretConversionDefault indicates the default conversion strategy.
 	ExternalSecretConversionDefault ExternalSecretConversionStrategy = "Default"
+	// ExternalSecretConversionUnicode indicates that unicode conversion will be performed.
 	ExternalSecretConversionUnicode ExternalSecretConversionStrategy = "Unicode"
 )
 
+// ExternalSecretDecodingStrategy defines how secret values are decoded.
 // +kubebuilder:validation:Enum=Auto;Base64;Base64URL;None
 type ExternalSecretDecodingStrategy string
 
 const (
-	ExternalSecretDecodeAuto      ExternalSecretDecodingStrategy = "Auto"
-	ExternalSecretDecodeBase64    ExternalSecretDecodingStrategy = "Base64"
+	// ExternalSecretDecodeAuto indicates that the decoding strategy will be automatically determined.
+	ExternalSecretDecodeAuto ExternalSecretDecodingStrategy = "Auto"
+	// ExternalSecretDecodeBase64 indicates that base64 decoding will be used.
+	ExternalSecretDecodeBase64 ExternalSecretDecodingStrategy = "Base64"
+	// ExternalSecretDecodeBase64URL indicates that base64url decoding will be used.
 	ExternalSecretDecodeBase64URL ExternalSecretDecodingStrategy = "Base64URL"
-	ExternalSecretDecodeNone      ExternalSecretDecodingStrategy = "None"
+	// ExternalSecretDecodeNone indicates that no decoding will be performed.
+	ExternalSecretDecodeNone ExternalSecretDecodingStrategy = "None"
 )
 
+// ExternalSecretDataFromRemoteRef defines a reference to multiple secrets in the provider to be fetched using options.
 type ExternalSecretDataFromRemoteRef struct {
 	// Used to extract multiple key/value pairs from one secret
 	// Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
@@ -306,6 +333,7 @@ type ExternalSecretDataFromRemoteRef struct {
 	SourceRef *StoreGeneratorSourceRef `json:"sourceRef,omitempty"`
 }
 
+// ExternalSecretRewrite defines rules on how to rewrite secret keys.
 // +kubebuilder:validation:MinProperties=1
 // +kubebuilder:validation:MaxProperties=1
 type ExternalSecretRewrite struct {
@@ -320,6 +348,7 @@ type ExternalSecretRewrite struct {
 	Transform *ExternalSecretRewriteTransform `json:"transform,omitempty"`
 }
 
+// ExternalSecretRewriteRegexp defines how to use regular expressions for rewriting secret keys.
 type ExternalSecretRewriteRegexp struct {
 	// Used to define the regular expression of a re.Compiler.
 	Source string `json:"source"`
@@ -327,12 +356,14 @@ type ExternalSecretRewriteRegexp struct {
 	Target string `json:"target"`
 }
 
+// ExternalSecretRewriteTransform defines how to use string templates for transforming secret keys.
 type ExternalSecretRewriteTransform struct {
 	// Used to define the template to apply on the secret name.
 	// `.value ` will specify the secret name in the template.
 	Template string `json:"template"`
 }
 
+// ExternalSecretFind defines criteria for finding secrets in the provider.
 type ExternalSecretFind struct {
 	// A root path to start the find operations.
 	// +optional
@@ -357,19 +388,24 @@ type ExternalSecretFind struct {
 	DecodingStrategy ExternalSecretDecodingStrategy `json:"decodingStrategy,omitempty"`
 }
 
+// FindName defines name matching criteria for finding secrets.
 type FindName struct {
 	// Finds secrets base
 	// +optional
 	RegExp string `json:"regexp,omitempty"`
 }
 
+// ExternalSecretRefreshPolicy defines how and when the ExternalSecret should be refreshed.
 // +kubebuilder:validation:Enum=CreatedOnce;Periodic;OnChange
 type ExternalSecretRefreshPolicy string
 
 const (
+	// RefreshPolicyCreatedOnce creates the Secret only if it does not exist and does not update it thereafter.
 	RefreshPolicyCreatedOnce ExternalSecretRefreshPolicy = "CreatedOnce"
-	RefreshPolicyPeriodic    ExternalSecretRefreshPolicy = "Periodic"
-	RefreshPolicyOnChange    ExternalSecretRefreshPolicy = "OnChange"
+	// RefreshPolicyPeriodic synchronizes the Secret from the external source at regular intervals.
+	RefreshPolicyPeriodic ExternalSecretRefreshPolicy = "Periodic"
+	// RefreshPolicyOnChange only synchronizes the Secret when the ExternalSecret's metadata or specification changes.
+	RefreshPolicyOnChange ExternalSecretRefreshPolicy = "OnChange"
 )
 
 // ExternalSecretSpec defines the desired state of ExternalSecret.
@@ -454,13 +490,17 @@ type GeneratorRef struct {
 	Name string `json:"name"`
 }
 
+// ExternalSecretConditionType defines the condition type for an ExternalSecret.
 type ExternalSecretConditionType string
 
 const (
-	ExternalSecretReady   ExternalSecretConditionType = "Ready"
+	// ExternalSecretReady indicates the ExternalSecret has been successfully reconciled.
+	ExternalSecretReady ExternalSecretConditionType = "Ready"
+	// ExternalSecretDeleted indicates the ExternalSecret has been deleted.
 	ExternalSecretDeleted ExternalSecretConditionType = "Deleted"
 )
 
+// ExternalSecretStatusCondition contains condition information for an ExternalSecret.
 type ExternalSecretStatusCondition struct {
 	Type   ExternalSecretConditionType `json:"type"`
 	Status corev1.ConditionStatus      `json:"status"`
@@ -485,14 +525,21 @@ const (
 	// ConditionReasonSecretMissing indicates that the secret is missing.
 	ConditionReasonSecretMissing = "SecretMissing"
 
-	ReasonUpdateFailed          = "UpdateFailed"
-	ReasonDeprecated            = "ParameterDeprecated"
-	ReasonCreated               = "Created"
-	ReasonUpdated               = "Updated"
-	ReasonDeleted               = "Deleted"
+	// ReasonUpdateFailed indicates that the update operation failed.
+	ReasonUpdateFailed = "UpdateFailed"
+	// ReasonDeprecated indicates that a deprecated parameter was used.
+	ReasonDeprecated = "ParameterDeprecated"
+	// ReasonCreated indicates that a resource was created.
+	ReasonCreated = "Created"
+	// ReasonUpdated indicates that a resource was updated.
+	ReasonUpdated = "Updated"
+	// ReasonDeleted indicates that a resource was deleted.
+	ReasonDeleted = "Deleted"
+	// ReasonMissingProviderSecret indicates that a provider secret is missing.
 	ReasonMissingProviderSecret = "MissingProviderSecret"
 )
 
+// ExternalSecretStatus defines the observed state of ExternalSecret.
 type ExternalSecretStatus struct {
 	// +nullable
 	// refreshTime is the time and date the external secret was fetched and
@@ -509,8 +556,8 @@ type ExternalSecretStatus struct {
 	Binding corev1.LocalObjectReference `json:"binding,omitempty"`
 }
 
+// ExternalSecret is the schema for the external-secrets API.
 // +kubebuilder:object:root=true
-// ExternalSecret is the Schema for the external-secrets API.
 // +kubebuilder:subresource:status
 // +kubebuilder:unservedversion
 // +kubebuilder:deprecatedversion
@@ -534,7 +581,9 @@ const (
 	AnnotationDataHash = "reconcile.external-secrets.io/data-hash"
 
 	// LabelManaged all secrets managed by an ExternalSecret will have this label equal to "true".
-	LabelManaged      = "reconcile.external-secrets.io/managed"
+	LabelManaged = "reconcile.external-secrets.io/managed"
+
+	// LabelManagedValue is the value for the LabelManaged key, indicating a secret is managed by ESO.
 	LabelManagedValue = "true"
 
 	// LabelOwner points to the owning ExternalSecret resource when CreationPolicy=Owner.

+ 4 - 0
apis/externalsecrets/v1beta1/externalsecret_validator.go

@@ -25,16 +25,20 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 )
 
+// ExternalSecretValidator implements webhook validation for ExternalSecret resources.
 type ExternalSecretValidator struct{}
 
+// ValidateCreate validates an ExternalSecret during creation.
 func (esv *ExternalSecretValidator) ValidateCreate(_ context.Context, obj runtime.Object) (admission.Warnings, error) {
 	return validateExternalSecret(obj)
 }
 
+// ValidateUpdate validates an ExternalSecret during update.
 func (esv *ExternalSecretValidator) ValidateUpdate(_ context.Context, _, newObj runtime.Object) (admission.Warnings, error) {
 	return validateExternalSecret(newObj)
 }
 
+// ValidateDelete validates an ExternalSecret during deletion.
 func (esv *ExternalSecretValidator) ValidateDelete(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
 	return nil, nil
 }
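Review bot: The new doc comment on `ValidateDelete` says it validates an ExternalSecret during deletion, but the body is `return nil, nil`, so the webhook admits every delete without inspecting the object. A reader auditing admission behaviour would be misled by the current wording. I would write `// ValidateDelete is a no-op: deleting an ExternalSecret is always admitted.` instead. In the same way, the comment on `ValidateUpdate` could mention that only the new object is checked, since the old object is discarded with `_`.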

+ 1 - 0
apis/externalsecrets/v1beta1/externalsecret_webhook.go

@@ -20,6 +20,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 )
 
+// SetupWebhookWithManager registers the ExternalSecret webhook with the controller manager.
 func (es *ExternalSecret) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(es).

+ 9 - 0
apis/externalsecrets/v1beta1/fakes/pushremoteref.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package fakes contains fake implementations for testing purposes.
 package fakes
 
 import (
@@ -22,6 +23,7 @@ import (
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 )
 
+// PushRemoteRef is a fake implementation of the PushRemoteRef interface for testing.
 type PushRemoteRef struct {
 	GetRemoteKeyStub        func() string
 	getRemoteKeyMutex       sync.RWMutex
@@ -37,6 +39,7 @@ type PushRemoteRef struct {
 	invocationsMutex sync.RWMutex
 }
 
+// GetRemoteKey returns a string representing the remote key.
 func (fake *PushRemoteRef) GetRemoteKey() string {
 	fake.getRemoteKeyMutex.Lock()
 	ret, specificReturn := fake.getRemoteKeyReturnsOnCall[len(fake.getRemoteKeyArgsForCall)]
@@ -55,22 +58,26 @@ func (fake *PushRemoteRef) GetRemoteKey() string {
 	return fakeReturns.result1
 }
 
+// GetProperty returns the property value as a string.
 func (fake *PushRemoteRef) GetProperty() string {
 	return ""
 }
 
+// GetRemoteKeyCallCount returns the number of times GetRemoteKey has been called.
 func (fake *PushRemoteRef) GetRemoteKeyCallCount() int {
 	fake.getRemoteKeyMutex.RLock()
 	defer fake.getRemoteKeyMutex.RUnlock()
 	return len(fake.getRemoteKeyArgsForCall)
 }
 
+// GetRemoteKeyCalls sets a custom stub function for the GetRemoteKey method.
 func (fake *PushRemoteRef) GetRemoteKeyCalls(stub func() string) {
 	fake.getRemoteKeyMutex.Lock()
 	defer fake.getRemoteKeyMutex.Unlock()
 	fake.GetRemoteKeyStub = stub
 }
 
+// GetRemoteKeyReturns sets return values that will be returned by GetRemoteKey.
 func (fake *PushRemoteRef) GetRemoteKeyReturns(result1 string) {
 	fake.getRemoteKeyMutex.Lock()
 	defer fake.getRemoteKeyMutex.Unlock()
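Review bot: The comment added on `GetProperty` ("returns the property value as a string") describes behaviour this fake does not have, because the method is a hard-coded `return ""` with no stub and no call recording. Tests that rely on a property being set will silently get the empty string. I would state that directly: `// GetProperty always returns the empty string; this fake does not support properties.` The body of `GetRemoteKeyReturns` at the end of this hunk continues outside it.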
@@ -80,6 +87,7 @@ func (fake *PushRemoteRef) GetRemoteKeyReturns(result1 string) {
 	}{result1}
 }
 
+// GetRemoteKeyReturnsOnCall sets return values for specific calls to GetRemoteKey.
 func (fake *PushRemoteRef) GetRemoteKeyReturnsOnCall(i int, result1 string) {
 	fake.getRemoteKeyMutex.Lock()
 	defer fake.getRemoteKeyMutex.Unlock()
@@ -94,6 +102,7 @@ func (fake *PushRemoteRef) GetRemoteKeyReturnsOnCall(i int, result1 string) {
 	}{result1}
 }
 
+// Invocations returns a map recording the calls to methods on this fake.
 func (fake *PushRemoteRef) Invocations() map[string][][]any {
 	fake.invocationsMutex.RLock()
 	defer fake.invocationsMutex.RUnlock()

+ 16 - 0
apis/externalsecrets/v1beta1/generic_store.go

@@ -49,34 +49,42 @@ type GenericStore interface {
 // +kubebuilder:object:generate:false
 var _ GenericStore = &SecretStore{}
 
+// GetObjectMeta returns the ObjectMeta of the SecretStore.
 func (c *SecretStore) GetObjectMeta() *metav1.ObjectMeta {
 	return &c.ObjectMeta
 }
 
+// GetTypeMeta returns the TypeMeta of the SecretStore.
 func (c *SecretStore) GetTypeMeta() *metav1.TypeMeta {
 	return &c.TypeMeta
 }
 
+// GetSpec returns the spec of the SecretStore.
 func (c *SecretStore) GetSpec() *SecretStoreSpec {
 	return &c.Spec
 }
 
+// GetStatus returns the status of the SecretStore.
 func (c *SecretStore) GetStatus() SecretStoreStatus {
 	return c.Status
 }
 
+// SetStatus sets the status of the SecretStore.
 func (c *SecretStore) SetStatus(status SecretStoreStatus) {
 	c.Status = status
 }
 
+// GetNamespacedName returns the namespaced name of the SecretStore.
 func (c *SecretStore) GetNamespacedName() string {
 	return fmt.Sprintf("%s/%s", c.Namespace, c.Name)
 }
 
+// GetKind returns the kind of the SecretStore.
 func (c *SecretStore) GetKind() string {
 	return SecretStoreKind
 }
 
+// Copy returns a deep copy of the SecretStore.
 func (c *SecretStore) Copy() GenericStore {
 	return c.DeepCopy()
 }
@@ -85,34 +93,42 @@ func (c *SecretStore) Copy() GenericStore {
 // +kubebuilder:object:generate:false
 var _ GenericStore = &ClusterSecretStore{}
 
+// GetObjectMeta returns the ObjectMeta of the ClusterSecretStore.
 func (c *ClusterSecretStore) GetObjectMeta() *metav1.ObjectMeta {
 	return &c.ObjectMeta
 }
 
+// GetTypeMeta returns the TypeMeta of the ClusterSecretStore.
 func (c *ClusterSecretStore) GetTypeMeta() *metav1.TypeMeta {
 	return &c.TypeMeta
 }
 
+// GetSpec returns the spec of the ClusterSecretStore.
 func (c *ClusterSecretStore) GetSpec() *SecretStoreSpec {
 	return &c.Spec
 }
 
+// Copy returns a deep copy of the ClusterSecretStore.
 func (c *ClusterSecretStore) Copy() GenericStore {
 	return c.DeepCopy()
 }
 
+// GetStatus returns the status of the ClusterSecretStore.
 func (c *ClusterSecretStore) GetStatus() SecretStoreStatus {
 	return c.Status
 }
 
+// SetStatus sets the status of the ClusterSecretStore.
 func (c *ClusterSecretStore) SetStatus(status SecretStoreStatus) {
 	c.Status = status
 }
 
+// GetNamespacedName returns the namespaced name of the ClusterSecretStore.
 func (c *ClusterSecretStore) GetNamespacedName() string {
 	return fmt.Sprintf("%s/%s", c.Namespace, c.Name)
 }
 
+// GetKind returns the kind of the ClusterSecretStore.
 func (c *ClusterSecretStore) GetKind() string {
 	return ClusterSecretStoreKind
 }
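Review bot: The comment on `(*ClusterSecretStore).GetNamespacedName` repeats the SecretStore wording, but the method formats `c.Namespace + "/" + c.Name` for what the type name suggests is a cluster-scoped resource. If the namespace is empty there, as I would expect, the result is `/<name>`, which is easy to mishandle when the string is used as a map key or in log correlation. The comment should say so, e.g. `// GetNamespacedName returns "<namespace>/<name>"; for a ClusterSecretStore the namespace part is expected to be empty.` Please confirm against the CRD scope before merging that wording.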

+ 6 - 5
apis/externalsecrets/v1beta1/provider.go

@@ -25,18 +25,17 @@ import (
 )
 
 const (
-	// Ready indicates that the client is configured correctly
-	// and can be used.
+	// ValidationResultReady indicates that the client is configured correctly and can be used.
 	ValidationResultReady ValidationResult = iota
 
-	// Unknown indicates that the client can be used
-	// but information is missing and it can not be validated.
+	// ValidationResultUnknown indicates that the client can be used but information is missing and it can not be validated.
 	ValidationResultUnknown
 
-	// Error indicates that there is a misconfiguration.
+	// ValidationResultError indicates that there is a misconfiguration.
 	ValidationResultError
 )
 
+// ValidationResult represents the result of validating a provider client configuration.
 type ValidationResult uint8
 
 func (v ValidationResult) String() string {
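Review bot: The rewritten comment on `ValidationResultReady` does not mention that it is the zero value of `ValidationResult`, being the first `iota` in the block. A result that is declared but never assigned therefore reads as Ready, which is the permissive answer for a validation type. The constant values cannot change without breaking the API, but the doc should warn implementers, e.g. `// ValidationResultReady indicates that the client is configured correctly and can be used. It is the zero value, so error paths must return ValidationResultError or ValidationResultUnknown explicitly.` The `String` method that opens on the last line of this hunk continues outside it.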
@@ -98,6 +97,7 @@ type SecretsClient interface {
 	Close(ctx context.Context) error
 }
 
+// NoSecretErr is an instance of NoSecretError used to indicate that a secret doesn't exist.
 var NoSecretErr = NoSecretError{}
 
 // NoSecretError shall be returned when a GetSecret can not find the
@@ -108,6 +108,7 @@ func (NoSecretError) Error() string {
 	return "Secret does not exist"
 }
 
+// NotModifiedErr is an instance of NotModifiedError used to signal that no changes were made.
 var NotModifiedErr = NotModifiedError{}
 
 // NotModifiedError to signal that the webhook received no changes,

+ 3 - 1
apis/externalsecrets/v1beta1/register.go

@@ -35,7 +35,9 @@ var (
 
 	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
 	SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
-	AddToScheme   = SchemeBuilder.AddToScheme
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
 )
 
 // ExternalSecret type metadata.

+ 2 - 0
apis/externalsecrets/v1beta1/secretsstore_delinea_types.go

@@ -18,6 +18,7 @@ package v1beta1
 
 import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 
+// DelineaProviderSecretRef defines a reference to a secret containing credentials for the Delinea provider.
 type DelineaProviderSecretRef struct {
 
 	// Value can be specified directly to set a value without using a secret.
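Review bot: The new type comment describes `DelineaProviderSecretRef` only as "a reference to a secret containing credentials", yet the first field comment in the same struct says `Value` can be set directly without using a secret. The doc therefore hides the inline path, where the credential sits in the store spec itself rather than in a Kubernetes Secret. I would word it `// DelineaProviderSecretRef supplies a Delinea credential either inline through Value or, preferably, by reference through SecretRef.` The same applies to `SecretServerProviderRef` and `BeyondTrustProviderSecretRef` later in this commit, which carry the identical `Value` field comment. The struct body continues outside this hunk.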
@@ -29,6 +30,7 @@ type DelineaProviderSecretRef struct {
 	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
 }
 
+// DelineaProvider defines configuration for the Delinea DevOps Secrets Vault provider.
 // See https://github.com/DelineaXPM/dsv-sdk-go/blob/main/vault/vault.go.
 type DelineaProvider struct {
 

+ 3 - 0
apis/externalsecrets/v1beta1/secretsstore_infisical_types.go

@@ -20,6 +20,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+// UniversalAuthCredentials defines the credentials for Infisical Universal Auth.
 type UniversalAuthCredentials struct {
 	// +kubebuilder:validation:Required
 	ClientID esmeta.SecretKeySelector `json:"clientId"`
@@ -27,11 +28,13 @@ type UniversalAuthCredentials struct {
 	ClientSecret esmeta.SecretKeySelector `json:"clientSecret"`
 }
 
+// InfisicalAuth defines the authentication methods for the Infisical provider.
 type InfisicalAuth struct {
 	// +optional
 	UniversalAuthCredentials *UniversalAuthCredentials `json:"universalAuthCredentials,omitempty"`
 }
 
+// MachineIdentityScopeInWorkspace defines the scope of a machine identity in an Infisical workspace.
 type MachineIdentityScopeInWorkspace struct {
 	// SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
 	// +kubebuilder:default="/"

+ 5 - 2
apis/externalsecrets/v1beta1/secretsstore_passbolt_types.go

@@ -20,12 +20,15 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
-// Passbolt contains a secretRef for the passbolt credentials.
+// PassboltAuth contains credentials and configuration for authenticating with the Passbolt server.
 type PassboltAuth struct {
-	PasswordSecretRef   *esmeta.SecretKeySelector `json:"passwordSecretRef"`
+	// PasswordSecretRef is a reference to the secret containing the Passbolt password
+	PasswordSecretRef *esmeta.SecretKeySelector `json:"passwordSecretRef"`
+	// PrivateKeySecretRef is a reference to the secret containing the Passbolt private key
 	PrivateKeySecretRef *esmeta.SecretKeySelector `json:"privateKeySecretRef"`
 }
 
+// PassboltProvider defines configuration for the Passbolt provider.
 type PassboltProvider struct {
 	// Auth defines the information necessary to authenticate against Passbolt Server
 	Auth *PassboltAuth `json:"auth"`
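Review bot: The two field comments added in `PassboltAuth` have no terminating period, unlike every other comment this commit introduces, and a godot-style lint rule will presumably flag them again. They should read `// PasswordSecretRef is a reference to the secret containing the Passbolt password.` and `// PrivateKeySecretRef is a reference to the secret containing the Passbolt private key.` The `PassboltProvider` struct at the end of the hunk continues outside it.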

+ 2 - 0
apis/externalsecrets/v1beta1/secretsstore_secretserver_types.go

@@ -18,6 +18,7 @@ package v1beta1
 
 import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 
+// SecretServerProviderRef defines a reference to a secret containing credentials for the Secret Server provider.
 type SecretServerProviderRef struct {
 
 	// Value can be specified directly to set a value without using a secret.
@@ -29,6 +30,7 @@ type SecretServerProviderRef struct {
 	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
 }
 
+// SecretServerProvider defines configuration for the Delinea Secret Server provider.
 // See https://github.com/DelineaXPM/tss-sdk-go/blob/main/server/server.go.
 type SecretServerProvider struct {
 

+ 3 - 2
apis/externalsecrets/v1beta1/secretstore_akeyless_types.go

@@ -40,6 +40,7 @@ type AkeylessProvider struct {
 	CAProvider *CAProvider `json:"caProvider,omitempty"`
 }
 
+// AkeylessAuth defines methods of authentication with Akeyless Vault.
 type AkeylessAuth struct {
 
 	// Reference to a Secret that contains the details
@@ -53,7 +54,7 @@ type AkeylessAuth struct {
 	KubernetesAuth *AkeylessKubernetesAuth `json:"kubernetesAuth,omitempty"`
 }
 
-// AkeylessAuthSecretRef
+// AkeylessAuthSecretRef defines how to authenticate using a secret reference.
 // AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.
 type AkeylessAuthSecretRef struct {
 	// The SecretAccessID is used for authentication
@@ -62,7 +63,7 @@ type AkeylessAuthSecretRef struct {
 	AccessTypeParam esmeta.SecretKeySelector `json:"accessTypeParam,omitempty"`
 }
 
-// Authenticate with Kubernetes ServiceAccount token stored.
+// AkeylessKubernetesAuth authenticates with Akeyless using a Kubernetes ServiceAccount token.
 type AkeylessKubernetesAuth struct {
 
 	// the Akeyless Kubernetes auth-method access-id

+ 1 - 1
apis/externalsecrets/v1beta1/secretstore_alibaba_types.go

@@ -36,7 +36,7 @@ type AlibabaAuthSecretRef struct {
 	AccessKeySecret esmeta.SecretKeySelector `json:"accessKeySecretSecretRef"`
 }
 
-// Authenticate against Alibaba using RRSA.
+// AlibabaRRSAAuth authenticates against Alibaba using RRSA (Resource-oriented RAM-based Service Authentication).
 type AlibabaRRSAAuth struct {
 	OIDCProviderARN   string `json:"oidcProviderArn"`
 	OIDCTokenFilePath string `json:"oidcTokenFilePath"`

+ 3 - 2
apis/externalsecrets/v1beta1/secretstore_aws_types.go

@@ -46,12 +46,12 @@ type AWSAuthSecretRef struct {
 	SessionToken *esmeta.SecretKeySelector `json:"sessionTokenSecretRef,omitempty"`
 }
 
-// Authenticate against AWS using service account tokens.
+// AWSJWTAuth authenticates against AWS using service account tokens from the Kubernetes cluster.
 type AWSJWTAuth struct {
 	ServiceAccountRef *esmeta.ServiceAccountSelector `json:"serviceAccountRef,omitempty"`
 }
 
-// AWSServiceType is a enum that defines the service/API that is used to fetch the secrets.
+// AWSServiceType is an enum that defines the service/API that is used to fetch the secrets.
 // +kubebuilder:validation:Enum=SecretsManager;ParameterStore
 type AWSServiceType string
 
@@ -85,6 +85,7 @@ type SecretsManager struct {
 	RecoveryWindowInDays int64 `json:"recoveryWindowInDays,omitempty"`
 }
 
+// Tag defines a tag key and value for AWS resources.
 type Tag struct {
 	Key   string `json:"key"`
 	Value string `json:"value"`

+ 13 - 9
apis/externalsecrets/v1beta1/secretstore_azurekv_types.go

@@ -18,7 +18,7 @@ package v1beta1
 
 import smmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 
-// AuthType describes how to authenticate to the Azure Keyvault
+// AzureAuthType describes how to authenticate to the Azure Keyvault.
 // Only one of the following auth types may be specified.
 // If none of the following auth type is specified, the default one
 // is ServicePrincipal.
@@ -26,13 +26,13 @@ import smmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 type AzureAuthType string
 
 const (
-	// Using service principal to authenticate, which needs a tenantId, a clientId and a clientSecret.
+	// AzureServicePrincipal uses service principal to authenticate, which needs a tenantId, a clientId and a clientSecret.
 	AzureServicePrincipal AzureAuthType = "ServicePrincipal"
 
-	// Using Managed Identity to authenticate. Used with aad-pod-identity installed in the cluster.
+	// AzureManagedIdentity uses Managed Identity to authenticate. Used with aad-pod-identity installed in the cluster.
 	AzureManagedIdentity AzureAuthType = "ManagedIdentity"
 
-	// Using Workload Identity service accounts to authenticate.
+	// AzureWorkloadIdentity uses Workload Identity service accounts to authenticate.
 	AzureWorkloadIdentity AzureAuthType = "WorkloadIdentity"
 )
 
@@ -44,13 +44,17 @@ const (
 type AzureEnvironmentType string
 
 const (
-	AzureEnvironmentPublicCloud       AzureEnvironmentType = "PublicCloud"
+	// AzureEnvironmentPublicCloud represents the Azure public cloud environment.
+	AzureEnvironmentPublicCloud AzureEnvironmentType = "PublicCloud"
+	// AzureEnvironmentUSGovernmentCloud represents the Azure US government cloud environment.
 	AzureEnvironmentUSGovernmentCloud AzureEnvironmentType = "USGovernmentCloud"
-	AzureEnvironmentChinaCloud        AzureEnvironmentType = "ChinaCloud"
-	AzureEnvironmentGermanCloud       AzureEnvironmentType = "GermanCloud"
+	// AzureEnvironmentChinaCloud represents the Azure China cloud environment.
+	AzureEnvironmentChinaCloud AzureEnvironmentType = "ChinaCloud"
+	// AzureEnvironmentGermanCloud represents the Azure German cloud environment.
+	AzureEnvironmentGermanCloud AzureEnvironmentType = "GermanCloud"
 )
 
-// Configures an store to sync secrets using Azure KV.
+// AzureKVProvider configures a store to sync secrets using Azure Key Vault.
 type AzureKVProvider struct {
 	// Auth type defines how to authenticate to the keyvault service.
 	// Valid values are:
@@ -88,7 +92,7 @@ type AzureKVProvider struct {
 	IdentityID *string `json:"identityId,omitempty"`
 }
 
-// Configuration used to authenticate with Azure.
+// AzureKVAuth defines configuration for authentication with Azure Key Vault.
 type AzureKVAuth struct {
 	// The Azure clientId of the service principle or managed identity used for authentication.
 	// +optional

+ 4 - 2
apis/externalsecrets/v1beta1/secretstore_beyondtrust_types.go

@@ -18,6 +18,7 @@ package v1beta1
 
 import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 
+// BeyondTrustProviderSecretRef defines a reference to a secret containing credentials for the BeyondTrust provider.
 type BeyondTrustProviderSecretRef struct {
 
 	// Value can be specified directly to set a value without using a secret.
@@ -29,7 +30,7 @@ type BeyondTrustProviderSecretRef struct {
 	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
 }
 
-// Configures a store to sync secrets using BeyondTrust Password Safe.
+// BeyondtrustAuth configures authentication for BeyondTrust Password Safe.
 type BeyondtrustAuth struct {
 	// APIKey If not provided then ClientID/ClientSecret become required.
 	APIKey *BeyondTrustProviderSecretRef `json:"apiKey,omitempty"`
@@ -43,7 +44,7 @@ type BeyondtrustAuth struct {
 	CertificateKey *BeyondTrustProviderSecretRef `json:"certificateKey,omitempty"`
 }
 
-// Configures a store to sync secrets using BeyondTrust Password Safe.
+// BeyondtrustServer defines configuration for connecting to BeyondTrust Password Safe server.
 type BeyondtrustServer struct {
 	// +required - BeyondTrust Password Safe API URL. https://example.com:443/beyondtrust/api/public/V3.
 	APIURL string `json:"apiUrl"`
@@ -59,6 +60,7 @@ type BeyondtrustServer struct {
 	ClientTimeOutSeconds int `json:"clientTimeOutSeconds,omitempty"`
 }
 
+// BeyondtrustProvider defines configuration for the BeyondTrust Password Safe provider.
 type BeyondtrustProvider struct {
 
 	// Auth configures how the operator authenticates with Beyondtrust.

+ 4 - 0
apis/externalsecrets/v1beta1/secretstore_conjur_types.go

@@ -18,6 +18,7 @@ package v1beta1
 
 import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 
+// ConjurProvider defines configuration for the CyberArk Conjur provider.
 type ConjurProvider struct {
 	// URL is the endpoint of the Conjur instance.
 	URL string `json:"url"`
@@ -36,6 +37,7 @@ type ConjurProvider struct {
 	Auth ConjurAuth `json:"auth"`
 }
 
+// ConjurAuth defines the methods of authentication with Conjur.
 type ConjurAuth struct {
 	// Authenticates with Conjur using an API key.
 	// +optional
@@ -46,6 +48,7 @@ type ConjurAuth struct {
 	Jwt *ConjurJWT `json:"jwt,omitempty"`
 }
 
+// ConjurAPIKey defines authentication using a Conjur API key.
 type ConjurAPIKey struct {
 	// Account is the Conjur organization account name.
 	Account string `json:"account"`
@@ -59,6 +62,7 @@ type ConjurAPIKey struct {
 	APIKeyRef *esmeta.SecretKeySelector `json:"apiKeyRef"`
 }
 
+// ConjurJWT defines authentication using a JWT service account token.
 type ConjurJWT struct {
 	// Account is the Conjur organization account name.
 	Account string `json:"account"`

+ 2 - 0
apis/externalsecrets/v1beta1/secretstore_device42_types.go

@@ -29,10 +29,12 @@ type Device42Provider struct {
 	Auth Device42Auth `json:"auth"`
 }
 
+// Device42Auth defines the authentication method for the Device42 provider.
 type Device42Auth struct {
 	SecretRef Device42SecretRef `json:"secretRef"`
 }
 
+// Device42SecretRef defines a reference to a secret containing credentials for the Device42 provider.
 type Device42SecretRef struct {
 	// Username / Password is used for authentication.
 	// +optional

+ 2 - 2
apis/externalsecrets/v1beta1/secretstore_doppler_types.go

@@ -20,12 +20,12 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
-// Set DOPPLER_BASE_URL and DOPPLER_VERIFY_TLS environment variables to override defaults
-
+// DopplerAuth defines the authentication method for the Doppler provider.
 type DopplerAuth struct {
 	SecretRef DopplerAuthSecretRef `json:"secretRef"`
 }
 
+// DopplerAuthSecretRef defines a reference to a secret containing credentials for the Doppler provider.
 type DopplerAuthSecretRef struct {
 	// The DopplerToken is used for authentication.
 	// See https://docs.doppler.com/reference/api#authentication for auth token types.
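Review bot: This hunk deletes the free-standing comment `// Set DOPPLER_BASE_URL and DOPPLER_VERIFY_TLS environment variables to override defaults` rather than rewording it, so the file no longer tells an operator that TLS verification and the API endpoint can be overridden from the environment. That is the information someone reviewing the provider's transport security would look for here. I would keep it as a second sentence of the `DopplerAuth` doc: `// The DOPPLER_BASE_URL and DOPPLER_VERIFY_TLS environment variables override the client defaults.` Where those variables are read is not visible in this hunk, so the wording should be checked against the provider code. The `DopplerAuthSecretRef` struct continues outside the hunk.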

+ 1 - 0
apis/externalsecrets/v1beta1/secretstore_fake_types.go

@@ -21,6 +21,7 @@ type FakeProvider struct {
 	Data []FakeProviderData `json:"data"`
 }
 
+// FakeProviderData defines a key-value pair for the fake provider used in testing.
 type FakeProviderData struct {
 	Key     string `json:"key"`
 	Value   string `json:"value"`

+ 3 - 0
apis/externalsecrets/v1beta1/secretstore_fortanix_types.go

@@ -13,10 +13,12 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+
 package v1beta1
 
 import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 
+// FortanixProvider configures a store to sync secrets using the Fortanix SDKMS provider.
 type FortanixProvider struct {
 	// APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
 	APIURL string `json:"apiUrl,omitempty"`
@@ -25,6 +27,7 @@ type FortanixProvider struct {
 	APIKey *FortanixProviderSecretRef `json:"apiKey,omitempty"`
 }
 
+// FortanixProviderSecretRef defines a reference to a secret containing credentials for the Fortanix provider.
 type FortanixProviderSecretRef struct {
 	// SecretRef is a reference to a secret containing the SDKMS API Key.
 	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`

+ 3 - 0
apis/externalsecrets/v1beta1/secretstore_gcpsm_types.go

@@ -20,6 +20,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+// GCPSMAuth defines the authentication methods for the GCP Secret Manager provider.
 type GCPSMAuth struct {
 	// +optional
 	SecretRef *GCPSMAuthSecretRef `json:"secretRef,omitempty"`
@@ -27,12 +28,14 @@ type GCPSMAuth struct {
 	WorkloadIdentity *GCPWorkloadIdentity `json:"workloadIdentity,omitempty"`
 }
 
+// GCPSMAuthSecretRef defines a reference to a secret containing credentials for the GCP Secret Manager provider.
 type GCPSMAuthSecretRef struct {
 	// The SecretAccessKey is used for authentication
 	// +optional
 	SecretAccessKey esmeta.SecretKeySelector `json:"secretAccessKeySecretRef,omitempty"`
 }
 
+// GCPWorkloadIdentity defines configuration for using GCP Workload Identity authentication.
 type GCPWorkloadIdentity struct {
 	// +kubebuilder:validation:Required
 	ServiceAccountRef esmeta.ServiceAccountSelector `json:"serviceAccountRef"`

+ 2 - 1
apis/externalsecrets/v1beta1/secretstore_github_types.go

@@ -20,7 +20,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
-// Configures a store to push secrets to Github Actions.
+// GithubProvider configures a store to push secrets to Github Actions.
 type GithubProvider struct {
 	// URL configures the Github instance URL. Defaults to https://github.com/.
 	//+kubebuilder:default="https://github.com/"
@@ -49,6 +49,7 @@ type GithubProvider struct {
 	Environment string `json:"environment,omitempty"`
 }
 
+// GithubAppAuth defines the GitHub App authentication mechanism for the GitHub provider.
 type GithubAppAuth struct {
 	PrivateKey esmeta.SecretKeySelector `json:"privateKey"`
 }

+ 3 - 1
apis/externalsecrets/v1beta1/secretstore_gitlab_types.go

@@ -20,7 +20,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
-// Configures a store to sync secrets with a GitLab instance.
+// GitlabProvider configures a store to sync secrets with a GitLab instance.
 type GitlabProvider struct {
 	// URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
 	URL string `json:"url,omitempty"`
@@ -50,10 +50,12 @@ type GitlabProvider struct {
 	CAProvider *CAProvider `json:"caProvider,omitempty"`
 }
 
+// GitlabAuth defines the authentication method for the GitLab provider.
 type GitlabAuth struct {
 	SecretRef GitlabSecretRef `json:"SecretRef"`
 }
 
+// GitlabSecretRef defines a reference to a secret containing credentials for the GitLab provider.
 type GitlabSecretRef struct {
 	// AccessToken is used for authentication.
 	AccessToken esmeta.SecretKeySelector `json:"accessToken,omitempty"`

+ 4 - 3
apis/externalsecrets/v1beta1/secretstore_ibm_types.go

@@ -20,8 +20,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
-// Configures an store to sync secrets using a IBM Cloud Secrets Manager
-// backend.
+// IBMProvider configures a store to sync secrets using a IBM Cloud Secrets Manager backend.
 type IBMProvider struct {
 	// Auth configures how secret-manager authenticates with the IBM secrets manager.
 	Auth IBMAuth `json:"auth"`
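Review bot: The merged one-line comment on `IBMProvider` fixes "an store" but keeps "a IBM Cloud Secrets Manager backend", although the same commit corrects "a enum" to "an enum" in the AWS types file. For consistency it should read `// IBMProvider configures a store to sync secrets using an IBM Cloud Secrets Manager backend.` The struct body continues outside this hunk.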
@@ -30,6 +29,7 @@ type IBMProvider struct {
 	ServiceURL *string `json:"serviceUrl,omitempty"`
 }
 
+// IBMAuth defines the authentication methods for the IBM Cloud Secrets Manager provider.
 // +kubebuilder:validation:MinProperties=1
 // +kubebuilder:validation:MaxProperties=1
 type IBMAuth struct {
@@ -37,12 +37,13 @@ type IBMAuth struct {
 	ContainerAuth *IBMAuthContainerAuth `json:"containerAuth,omitempty"`
 }
 
+// IBMAuthSecretRef defines a reference to a secret containing credentials for the IBM provider.
 type IBMAuthSecretRef struct {
 	// The SecretAccessKey is used for authentication
 	SecretAPIKey esmeta.SecretKeySelector `json:"secretApiKeySecretRef,omitempty"`
 }
 
-// IBM Container-based auth with IAM Trusted Profile.
+// IBMAuthContainerAuth defines authentication using IBM Container-based auth with IAM Trusted Profile.
 type IBMAuthContainerAuth struct {
 	// the IBM Trusted Profile
 	Profile string `json:"profile"`
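Review bot: The field comment in IBMAuthSecretRef still reads `// The SecretAccessKey is used for authentication` while the field is `SecretAPIKey` (serialized as `secretApiKeySecretRef`), so the newly documented type describes a key it does not have. I would change that line in the same pass to `// SecretAPIKey references the Secret key holding the API key used for authentication.` The new IBMProvider comment also says "a IBM", which should be "an IBM". IBMAuthContainerAuth continues past the last hunk.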

+ 5 - 1
apis/externalsecrets/v1beta1/secretstore_kubernetes_types.go

@@ -20,6 +20,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+// KubernetesServer defines the Kubernetes server connection configuration.
 type KubernetesServer struct {
 
 	// configures the Kubernetes server Address.
@@ -36,7 +37,7 @@ type KubernetesServer struct {
 	CAProvider *CAProvider `json:"caProvider,omitempty"`
 }
 
-// Configures a store to sync secrets with a Kubernetes instance.
+// KubernetesProvider configures a store to sync secrets with a Kubernetes instance.
 type KubernetesProvider struct {
 	// configures the Kubernetes server Address.
 	// +optional
@@ -59,6 +60,7 @@ type KubernetesProvider struct {
 	RemoteNamespace string `json:"remoteNamespace,omitempty"`
 }
 
+// KubernetesAuth defines authentication methods for the Kubernetes provider.
 // +kubebuilder:validation:MinProperties=1
 // +kubebuilder:validation:MaxProperties=1
 type KubernetesAuth struct {
@@ -75,11 +77,13 @@ type KubernetesAuth struct {
 	ServiceAccount *esmeta.ServiceAccountSelector `json:"serviceAccount,omitempty"`
 }
 
+// CertAuth defines certificate-based authentication for the Kubernetes provider.
 type CertAuth struct {
 	ClientCert esmeta.SecretKeySelector `json:"clientCert,omitempty"`
 	ClientKey  esmeta.SecretKeySelector `json:"clientKey,omitempty"`
 }
 
+// TokenAuth defines token-based authentication for the Kubernetes provider.
 type TokenAuth struct {
 	BearerToken esmeta.SecretKeySelector `json:"bearerToken,omitempty"`
 }

+ 4 - 2
apis/externalsecrets/v1beta1/secretstore_oracle_types.go

@@ -20,6 +20,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+// OraclePrincipalType defines the type of principal used for authentication to Oracle Vault.
 // +kubebuilder:validation:Enum="";UserPrincipal;InstancePrincipal;Workload
 type OraclePrincipalType string
 
@@ -32,8 +33,7 @@ const (
 	WorkloadPrincipal OraclePrincipalType = "Workload"
 )
 
-// Configures an store to sync secrets using a Oracle Vault
-// backend.
+// OracleProvider configures a store to sync secrets using an Oracle Vault backend.
 type OracleProvider struct {
 	// Region is the region where vault is located.
 	Region string `json:"region"`
@@ -68,6 +68,7 @@ type OracleProvider struct {
 	ServiceAccountRef *esmeta.ServiceAccountSelector `json:"serviceAccountRef,omitempty"`
 }
 
+// OracleAuth defines authentication configuration for the Oracle Vault provider.
 type OracleAuth struct {
 
 	// Tenancy is the tenancy OCID where user is located.
@@ -80,6 +81,7 @@ type OracleAuth struct {
 	SecretRef OracleSecretRef `json:"secretRef"`
 }
 
+// OracleSecretRef defines references to secrets containing Oracle credentials.
 type OracleSecretRef struct {
 	// PrivateKey is the user's API Signing Key in PEM format, used for authentication.
 	PrivateKey esmeta.SecretKeySelector `json:"privatekey"`

+ 3 - 1
apis/externalsecrets/v1beta1/secretstore_passworddeport_types.go

@@ -20,7 +20,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
-// Configures a store to sync secrets with a Password Depot instance.
+// PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
 type PasswordDepotProvider struct {
 	// URL configures the Password Depot instance URL.
 	Host string `json:"host"`
@@ -32,10 +32,12 @@ type PasswordDepotProvider struct {
 	Auth PasswordDepotAuth `json:"auth"`
 }
 
+// PasswordDepotAuth defines the authentication method for the Password Depot provider.
 type PasswordDepotAuth struct {
 	SecretRef PasswordDepotSecretRef `json:"secretRef"`
 }
 
+// PasswordDepotSecretRef defines a reference to a secret containing credentials for the Password Depot provider.
 type PasswordDepotSecretRef struct {
 	// Username / Password is used for authentication.
 	// +optional
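Review bot: In PasswordDepotProvider the comment on `Host` reads `// URL configures the Password Depot instance URL.`, which names a field the struct does not show and suggests a full URL where the serialized key is `host`. Suggest `// Host configures the Password Depot instance host.` Whether a scheme or port is accepted in that value is not visible in this hunk, so the wording should be confirmed against the client code. PasswordDepotSecretRef continues past the end of the second hunk.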

+ 2 - 0
apis/externalsecrets/v1beta1/secretstore_pulumi_types.go

@@ -20,6 +20,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+// PulumiProvider defines configuration for the Pulumi provider.
 type PulumiProvider struct {
 	// APIURL is the URL of the Pulumi API.
 	// +kubebuilder:default="https://api.pulumi.com/api/esc"
@@ -41,6 +42,7 @@ type PulumiProvider struct {
 	Environment string `json:"environment"`
 }
 
+// PulumiProviderSecretRef defines a reference to a secret containing credentials for the Pulumi provider.
 type PulumiProviderSecretRef struct {
 	// SecretRef is a reference to a secret containing the Pulumi API token.
 	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`

+ 2 - 0
apis/externalsecrets/v1beta1/secretstore_scaleway_types.go

@@ -18,6 +18,7 @@ package v1beta1
 
 import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 
+// ScalewayProviderSecretRef defines a reference to a secret containing credentials for the Scaleway provider.
 type ScalewayProviderSecretRef struct {
 
 	// Value can be specified directly to set a value without using a secret.
@@ -29,6 +30,7 @@ type ScalewayProviderSecretRef struct {
 	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
 }
 
+// ScalewayProvider defines configuration for the Scaleway provider.
 type ScalewayProvider struct {
 
 	// APIURL is the url of the api to use. Defaults to https://api.scaleway.com
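Review bot: The new comment on ScalewayProviderSecretRef calls it a reference to a secret, but the struct's first field comment says `Value can be specified directly to set a value without using a secret`, so the type can also carry the credential inline. The type comment should say so, because an inline value lives in the store object itself rather than in a Secret, e.g. `// ScalewayProviderSecretRef holds a Scaleway credential, given inline via Value or by reference via SecretRef.` A second sentence recommending SecretRef for real credentials would help readers of the generated API docs. Both struct bodies are only partly visible in these hunks.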

+ 23 - 7
apis/externalsecrets/v1beta1/secretstore_types.go

@@ -208,14 +208,17 @@ type SecretStoreProvider struct {
 	CloudruSM *CloudruSMProvider `json:"cloudrusm,omitempty"`
 }
 
+// CAProviderType defines the type of provider to use for CA certificates.
 type CAProviderType string
 
 const (
-	CAProviderTypeSecret    CAProviderType = "Secret"
+	// CAProviderTypeSecret indicates that the CA certificate is stored in a Secret.
+	CAProviderTypeSecret CAProviderType = "Secret"
+	// CAProviderTypeConfigMap indicates that the CA certificate is stored in a ConfigMap.
 	CAProviderTypeConfigMap CAProviderType = "ConfigMap"
 )
 
-// Used to provide custom certificate authority (CA) certificates
+// CAProvider provides custom certificate authority (CA) certificates
 // for a secret store. The CAProvider points to a Secret or ConfigMap resource
 // that contains a PEM-encoded certificate.
 type CAProvider struct {
@@ -245,22 +248,32 @@ type CAProvider struct {
 	Namespace *string `json:"namespace,omitempty"`
 }
 
+// SecretStoreRetrySettings defines configuration for retrying failed requests to the provider.
 type SecretStoreRetrySettings struct {
-	MaxRetries    *int32  `json:"maxRetries,omitempty"`
+	// MaxRetries is the maximum number of retry attempts.
+	MaxRetries *int32 `json:"maxRetries,omitempty"`
+	// RetryInterval is the interval between retry attempts.
 	RetryInterval *string `json:"retryInterval,omitempty"`
 }
 
+// SecretStoreConditionType represents the condition type of the SecretStore.
 type SecretStoreConditionType string
 
 const (
+	// SecretStoreReady indicates that the SecretStore has been successfully configured.
 	SecretStoreReady SecretStoreConditionType = "Ready"
 
-	ReasonInvalidStore          = "InvalidStoreConfiguration"
+	// ReasonInvalidStore indicates that the SecretStore has invalid configuration.
+	ReasonInvalidStore = "InvalidStoreConfiguration"
+	// ReasonInvalidProviderConfig indicates that the provider configuration is invalid.
 	ReasonInvalidProviderConfig = "InvalidProviderConfig"
-	ReasonValidationFailed      = "ValidationFailed"
-	ReasonStoreValid            = "Valid"
+	// ReasonValidationFailed indicates that validation of the SecretStore failed.
+	ReasonValidationFailed = "ValidationFailed"
+	// ReasonStoreValid indicates that the store is valid.
+	ReasonStoreValid = "Valid"
 )
 
+// SecretStoreStatusCondition defines the observed condition of the SecretStore.
 type SecretStoreStatusCondition struct {
 	Type   SecretStoreConditionType `json:"type"`
 	Status corev1.ConditionStatus   `json:"status"`
@@ -279,8 +292,11 @@ type SecretStoreStatusCondition struct {
 type SecretStoreCapabilities string
 
 const (
-	SecretStoreReadOnly  SecretStoreCapabilities = "ReadOnly"
+	// SecretStoreReadOnly indicates that the SecretStore only supports reading secrets.
+	SecretStoreReadOnly SecretStoreCapabilities = "ReadOnly"
+	// SecretStoreWriteOnly indicates that the SecretStore only supports writing secrets.
 	SecretStoreWriteOnly SecretStoreCapabilities = "WriteOnly"
+	// SecretStoreReadWrite indicates that the SecretStore supports both reading and writing secrets.
 	SecretStoreReadWrite SecretStoreCapabilities = "ReadWrite"
 )
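Review bot: The added comment on `RetryInterval` in SecretStoreRetrySettings says only that it is the interval between retry attempts, but the field is a `*string`, so a reader cannot tell which values are accepted. The comment should name the format, e.g. `// RetryInterval is the interval between retry attempts, as a duration string such as "5s".`, if that is what the consumer parses; the parsing code is not visible here, so this needs confirming. It would also help to say what happens when either field is left nil.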
 

+ 1 - 0
apis/externalsecrets/v1beta1/secretstore_validator.go

@@ -32,6 +32,7 @@ const (
 	errInvalidStore = "invalid store"
 )
 
+// GenericStoreValidator provides validation for SecretStore and ClusterSecretStore resources.
 type GenericStoreValidator struct{}
 
 // ValidateCreate implements webhook.Validator so a webhook will be registered for the type.

+ 6 - 5
apis/externalsecrets/v1beta1/secretstore_vault_types.go

@@ -20,15 +20,17 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+// VaultKVStoreVersion defines the version of the KV store in Vault.
 type VaultKVStoreVersion string
 
 const (
+	// VaultKVStoreV1 represents version 1 of the Vault KV store.
 	VaultKVStoreV1 VaultKVStoreVersion = "v1"
+	// VaultKVStoreV2 represents version 2 of the Vault KV store.
 	VaultKVStoreV2 VaultKVStoreVersion = "v2"
 )
 
-// Configures an store to sync secrets using a HashiCorp Vault
-// KV backend.
+// VaultProvider configures a store to sync secrets using a HashiCorp Vault KV backend.
 type VaultProvider struct {
 	// Auth configures how secret-manager authenticates with the Vault server.
 	Auth *VaultAuth `json:"auth,omitempty"`
@@ -188,8 +190,7 @@ type VaultAppRole struct {
 	SecretRef esmeta.SecretKeySelector `json:"secretRef"`
 }
 
-// Authenticate against Vault using a Kubernetes ServiceAccount token stored in
-// a Secret.
+// VaultKubernetesAuth authenticates against Vault using a Kubernetes ServiceAccount token stored in a Secret.
 type VaultKubernetesAuth struct {
 	// Path where the Kubernetes authentication backend is mounted in Vault, e.g:
 	// "kubernetes"
@@ -244,7 +245,7 @@ type VaultAwsAuth struct {
 	JWTAuth *VaultAwsJWTAuth `json:"jwt,omitempty"`
 }
 
-// VaultAWSAuthSecretRef holds secret references for AWS credentials
+// VaultAwsAuthSecretRef holds secret references for AWS credentials
 // both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
 type VaultAwsAuthSecretRef struct {
 	// The AccessKeyID is used for authentication

+ 2 - 0
apis/externalsecrets/v1beta1/secretstore_webhook.go

@@ -20,6 +20,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 )
 
+// SetupWebhookWithManager configures the webhook manager for the SecretStore.
 func (c *SecretStore) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(c).
@@ -27,6 +28,7 @@ func (c *SecretStore) SetupWebhookWithManager(mgr ctrl.Manager) error {
 		Complete()
 }
 
+// SetupWebhookWithManager configures the webhook manager for the ClusterSecretStore.
 func (c *ClusterSecretStore) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(c).

+ 8 - 3
apis/externalsecrets/v1beta1/secretstore_webhook_types.go

@@ -22,7 +22,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
-// WebHookProvider Configures an store to sync secrets from simple web apis.
+// WebhookProvider configures a store to sync secrets from simple web APIs.
 type WebhookProvider struct {
 	// Webhook Method
 	// +optional, default GET
@@ -84,14 +84,17 @@ type NTLMProtocol struct {
 	Password esmeta.SecretKeySelector `json:"passwordSecret"`
 }
 
+// WebhookCAProviderType defines the type of provider to use for CA certificates with Webhook providers.
 type WebhookCAProviderType string
 
 const (
-	WebhookCAProviderTypeSecret    WebhookCAProviderType = "Secret"
+	// WebhookCAProviderTypeSecret indicates that the CA certificate is stored in a Secret.
+	WebhookCAProviderTypeSecret WebhookCAProviderType = "Secret"
+	// WebhookCAProviderTypeConfigMap indicates that the CA certificate is stored in a ConfigMap.
 	WebhookCAProviderTypeConfigMap WebhookCAProviderType = "ConfigMap"
 )
 
-// Defines a location to fetch the cert for the webhook provider from.
+// WebhookCAProvider defines a location to fetch the certificate for the webhook provider.
 type WebhookCAProvider struct {
 	// The type of provider to use such as "Secret", or "ConfigMap".
 	// +kubebuilder:validation:Enum="Secret";"ConfigMap"
@@ -118,12 +121,14 @@ type WebhookCAProvider struct {
 	Namespace *string `json:"namespace,omitempty"`
 }
 
+// WebhookResult defines how to extract and format the result from the webhook response.
 type WebhookResult struct {
 	// Json path of return value
 	// +optional
 	JSONPath string `json:"jsonPath,omitempty"`
 }
 
+// WebhookSecret defines a secret to be used in webhook templates.
 type WebhookSecret struct {
 	// Name of this secret in templates
 	Name string `json:"name"`
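Review bot: The new WebhookResult comment says the type defines how to extract and format the result, but the struct shown has a single `JSONPath` field and nothing that formats anything. I would narrow it to `// WebhookResult defines how the secret value is extracted from the webhook response.` so the generated API docs do not promise more than the type offers. WebhookSecret continues past the end of the hunk.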

+ 3 - 1
apis/externalsecrets/v1beta1/secretstore_yandexcertificatemanager_types.go

@@ -20,17 +20,19 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+// YandexCertificateManagerAuth defines authentication configuration for the Yandex Certificate Manager provider.
 type YandexCertificateManagerAuth struct {
 	// The authorized key used for authentication
 	// +optional
 	AuthorizedKey esmeta.SecretKeySelector `json:"authorizedKeySecretRef,omitempty"`
 }
 
+// YandexCertificateManagerCAProvider defines CA certificate configuration for Yandex Certificate Manager.
 type YandexCertificateManagerCAProvider struct {
 	Certificate esmeta.SecretKeySelector `json:"certSecretRef,omitempty"`
 }
 
-// YandexCertificateManagerProvider Configures a store to sync secrets using the Yandex Certificate Manager provider.
+// YandexCertificateManagerProvider configures a store to sync secrets using the Yandex Certificate Manager provider.
 type YandexCertificateManagerProvider struct {
 	// Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
 	// +optional

+ 3 - 1
apis/externalsecrets/v1beta1/secretstore_yandexlockbox_types.go

@@ -20,17 +20,19 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+// YandexLockboxAuth defines authentication configuration for the Yandex Lockbox provider.
 type YandexLockboxAuth struct {
 	// The authorized key used for authentication
 	// +optional
 	AuthorizedKey esmeta.SecretKeySelector `json:"authorizedKeySecretRef,omitempty"`
 }
 
+// YandexLockboxCAProvider defines CA certificate configuration for Yandex Lockbox.
 type YandexLockboxCAProvider struct {
 	Certificate esmeta.SecretKeySelector `json:"certSecretRef,omitempty"`
 }
 
-// YandexLockboxProvider Configures a store to sync secrets using the Yandex Lockbox provider.
+// YandexLockboxProvider configures a store to sync secrets using the Yandex Lockbox provider.
 type YandexLockboxProvider struct {
 	// Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
 	// +optional

+ 1 - 0
apis/generators/v1alpha1/generator_interfaces.go

@@ -53,4 +53,5 @@ type Generator interface {
 	) error
 }
 
+// GeneratorProviderState represents the state of a generator provider that can be stored and retrieved.
 type GeneratorProviderState *apiextensions.JSON

+ 11 - 2
apis/generators/v1alpha1/generator_state_types.go

@@ -23,6 +23,7 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// StatefulResource represents a Kubernetes resource that has state which can be tracked.
 // +kubebuilder:object:root=false
 // +kubebuilder:object:generate:false
 // +k8s:deepcopy-gen:interfaces=nil
@@ -33,12 +34,13 @@ type StatefulResource interface {
 }
 
 const (
-	// The owner key points to the resource which created the generator state.
+	// GeneratorStateLabelOwnerKey points to the resource which created the generator state.
 	// It is used in the garbage collection process to identify all states
 	// that belong to a specific resource.
 	GeneratorStateLabelOwnerKey = "generators.external-secrets.io/owner-key"
 )
 
+// GeneratorStateSpec defines the desired state of a generator state resource.
 type GeneratorStateSpec struct {
 	// GarbageCollectionDeadline is the time after which the generator state
 	// will be deleted.
@@ -57,12 +59,15 @@ type GeneratorStateSpec struct {
 	State *apiextensions.JSON `json:"state"`
 }
 
+// GeneratorStateConditionType represents the type of condition for a generator state.
 type GeneratorStateConditionType string
 
 const (
+	// GeneratorStateReady indicates the generator state is ready and available.
 	GeneratorStateReady GeneratorStateConditionType = "Ready"
 )
 
+// GeneratorStateStatusCondition represents the observed condition of a generator state.
 type GeneratorStateStatusCondition struct {
 	Type   GeneratorStateConditionType `json:"type"`
 	Status corev1.ConditionStatus      `json:"status"`
@@ -78,14 +83,18 @@ type GeneratorStateStatusCondition struct {
 }
 
 const (
+	// ConditionReasonCreated indicates the generator state was successfully created.
 	ConditionReasonCreated = "Created"
-	ConditionReasonError   = "Error"
+	// ConditionReasonError indicates an error occurred with the generator state.
+	ConditionReasonError = "Error"
 )
 
+// GeneratorStateStatus defines the observed state of a generator state resource.
 type GeneratorStateStatus struct {
 	Conditions []GeneratorStateStatusCondition `json:"conditions,omitempty"`
 }
 
+// GeneratorState represents the state created and managed by a generator resource.
 // +kubebuilder:object:root=true
 // +kubebuilder:storageversion
 // +kubebuilder:metadata:labels="external-secrets.io/component=controller"

+ 1 - 0
apis/generators/v1alpha1/generator_types.go

@@ -16,6 +16,7 @@ limitations under the License.
 
 package v1alpha1
 
+// ControllerClassResource defines a resource that can be assigned to a specific controller class.
 type ControllerClassResource struct {
 	Spec struct {
 		ControllerClass string `json:"controller"`

+ 33 - 15
apis/generators/v1alpha1/register.go

@@ -35,26 +35,44 @@ var (
 
 	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
 	SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
-	AddToScheme   = SchemeBuilder.AddToScheme
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
 )
 
 var (
+	// ECRAuthorizationTokenKind is the kind name for ECRAuthorizationToken resource.
 	ECRAuthorizationTokenKind = reflect.TypeOf(ECRAuthorizationToken{}).Name()
-	STSSessionTokenKind       = reflect.TypeOf(STSSessionToken{}).Name()
-	GCRAccessTokenKind        = reflect.TypeOf(GCRAccessToken{}).Name()
-	ACRAccessTokenKind        = reflect.TypeOf(ACRAccessToken{}).Name()
-	PasswordKind              = reflect.TypeOf(Password{}).Name()
-	SSHKeyKind                = reflect.TypeOf(SSHKey{}).Name()
-	WebhookKind               = reflect.TypeOf(Webhook{}).Name()
-	FakeKind                  = reflect.TypeOf(Fake{}).Name()
-	VaultDynamicSecretKind    = reflect.TypeOf(VaultDynamicSecret{}).Name()
-	GithubAccessTokenKind     = reflect.TypeOf(GithubAccessToken{}).Name()
-	QuayAccessTokenKind       = reflect.TypeOf(QuayAccessToken{}).Name()
+	// STSSessionTokenKind is the kind name for STSSessionToken resource.
+	STSSessionTokenKind = reflect.TypeOf(STSSessionToken{}).Name()
+	// GCRAccessTokenKind is the kind name for GCRAccessToken resource.
+	GCRAccessTokenKind = reflect.TypeOf(GCRAccessToken{}).Name()
+	// ACRAccessTokenKind is the kind name for ACRAccessToken resource.
+	ACRAccessTokenKind = reflect.TypeOf(ACRAccessToken{}).Name()
+	// PasswordKind is the kind name for Password resource.
+	PasswordKind = reflect.TypeOf(Password{}).Name()
+	// SSHKeyKind is the kind name for SSHKey resource.
+	SSHKeyKind = reflect.TypeOf(SSHKey{}).Name()
+	// WebhookKind is the kind name for Webhook resource.
+	WebhookKind = reflect.TypeOf(Webhook{}).Name()
+	// FakeKind is the kind name for Fake resource.
+	FakeKind = reflect.TypeOf(Fake{}).Name()
+	// VaultDynamicSecretKind is the kind name for VaultDynamicSecret resource.
+	VaultDynamicSecretKind = reflect.TypeOf(VaultDynamicSecret{}).Name()
+	// GithubAccessTokenKind is the kind name for GithubAccessToken resource.
+	GithubAccessTokenKind = reflect.TypeOf(GithubAccessToken{}).Name()
+	// QuayAccessTokenKind is the kind name for QuayAccessToken resource.
+	QuayAccessTokenKind = reflect.TypeOf(QuayAccessToken{}).Name()
+	// UUIDKind is the kind name for UUID resource.
+	UUIDKind = reflect.TypeOf(UUID{}).Name()
+	// GrafanaKind is the kind name for Grafana resource.
+	GrafanaKind = reflect.TypeOf(Grafana{}).Name()
+	// MFAKind is the kind name for MFA resource.
+	MFAKind = reflect.TypeOf(MFA{}).Name()
+	// ClusterGeneratorKind is the kind name for ClusterGenerator resource.
+	ClusterGeneratorKind = reflect.TypeOf(ClusterGenerator{}).Name()
+	// CloudsmithAccessTokenKind is the kind name for CloudsmithAccessToken resource.
 	CloudsmithAccessTokenKind = reflect.TypeOf(CloudsmithAccessToken{}).Name()
-	UUIDKind                  = reflect.TypeOf(UUID{}).Name()
-	GrafanaKind               = reflect.TypeOf(Grafana{}).Name()
-	MFAKind                   = reflect.TypeOf(MFA{}).Name()
-	ClusterGeneratorKind      = reflect.TypeOf(ClusterGenerator{}).Name()
 )
 
 func init() {

+ 7 - 3
apis/generators/v1alpha1/types_acr.go

@@ -48,13 +48,14 @@ type ACRAccessTokenSpec struct {
 	Scope string `json:"scope,omitempty"`
 
 	// EnvironmentType specifies the Azure cloud environment endpoints to use for
-	// connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
+	// connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint.
 	// The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
 	// PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
 	// +kubebuilder:default=PublicCloud
 	EnvironmentType esv1.AzureEnvironmentType `json:"environmentType,omitempty"`
 }
 
+// ACRAuth defines the authentication methods for Azure Container Registry.
 type ACRAuth struct {
 	// ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
 	// +optional
@@ -69,15 +70,18 @@ type ACRAuth struct {
 	WorkloadIdentity *AzureACRWorkloadIdentityAuth `json:"workloadIdentity,omitempty"`
 }
 
+// AzureACRServicePrincipalAuth defines the configuration for using Azure Service Principal authentication.
 type AzureACRServicePrincipalAuth struct {
 	SecretRef AzureACRServicePrincipalAuthSecretRef `json:"secretRef"`
 }
 
+// AzureACRManagedIdentityAuth defines the configuration for using Azure Managed Identity authentication.
 type AzureACRManagedIdentityAuth struct {
 	// If multiple Managed Identity is assigned to the pod, you can select the one to be used
 	IdentityID string `json:"identityId,omitempty"`
 }
 
+// AzureACRWorkloadIdentityAuth defines the configuration for using Azure Workload Identity authentication.
 type AzureACRWorkloadIdentityAuth struct {
 	// ServiceAccountRef specified the service account
 	// that should be used when authenticating with WorkloadIdentity.
@@ -85,8 +89,8 @@ type AzureACRWorkloadIdentityAuth struct {
 	ServiceAccountRef *smmeta.ServiceAccountSelector `json:"serviceAccountRef,omitempty"`
 }
 
-// Configuration used to authenticate with Azure using static
-// credentials stored in a Kind=Secret.
+// AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication.
+// It uses static credentials stored in a Kind=Secret.
 type AzureACRServicePrincipalAuthSecretRef struct {
 	// The Azure clientId of the service principle used for authentication.
 	ClientID smmeta.SecretKeySelector `json:"clientId,omitempty"`
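Review bot: The new ACRAuth comment says "authentication methods" without stating whether exactly one member must be set or which one is used when several are. IBMAuth and KubernetesAuth in this same commit carry `+kubebuilder:validation:MinProperties=1` and `MaxProperties=1` above the type, while ACRAuth here and GCPSMAuth in types_gcr.go show no such marker above their type lines, so the comment is the only place a user learns the rule. Suggest extending it, e.g. `// ACRAuth defines the authentication methods for Azure Container Registry; set exactly one.`, after confirming the actual selection behaviour in the generator, which is not visible here. Separately, the unchanged field comment in AzureACRServicePrincipalAuthSecretRef spells "service principle" where "service principal" is meant.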

+ 1 - 0
apis/generators/v1alpha1/types_cloudsmith.go

@@ -22,6 +22,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+// CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication.
 type CloudsmithAccessTokenSpec struct {
 	// APIURL configures the Cloudsmith API URL. Defaults to https://api.cloudsmith.io.
 	// +kubebuilder:validation:Optional

+ 31 - 14
apis/generators/v1alpha1/types_cluster.go

@@ -20,6 +20,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+// ClusterGeneratorSpec defines the desired state of a ClusterGenerator.
 type ClusterGeneratorSpec struct {
 	// Kind the kind of this generator.
 	Kind GeneratorKind `json:"kind"`
@@ -33,23 +34,39 @@ type ClusterGeneratorSpec struct {
 type GeneratorKind string
 
 const (
-	GeneratorKindACRAccessToken        GeneratorKind = "ACRAccessToken"
-	GeneratorKindCloudsmithAccessToken GeneratorKind = "CloudsmithAccessToken"
+	// GeneratorKindACRAccessToken represents an Azure Container Registry access token generator.
+	GeneratorKindACRAccessToken GeneratorKind = "ACRAccessToken"
+	// GeneratorKindECRAuthorizationToken represents an AWS ECR authorization token generator.
 	GeneratorKindECRAuthorizationToken GeneratorKind = "ECRAuthorizationToken"
-	GeneratorKindFake                  GeneratorKind = "Fake"
-	GeneratorKindGCRAccessToken        GeneratorKind = "GCRAccessToken"
-	GeneratorKindGithubAccessToken     GeneratorKind = "GithubAccessToken"
-	GeneratorKindQuayAccessToken       GeneratorKind = "QuayAccessToken"
-	GeneratorKindPassword              GeneratorKind = "Password"
-	GeneratorKindSSHKey                GeneratorKind = "SSHKey"
-	GeneratorKindSTSSessionToken       GeneratorKind = "STSSessionToken"
-	GeneratorKindUUID                  GeneratorKind = "UUID"
-	GeneratorKindVaultDynamicSecret    GeneratorKind = "VaultDynamicSecret"
-	GeneratorKindWebhook               GeneratorKind = "Webhook"
-	GeneratorKindGrafana               GeneratorKind = "Grafana"
-	GeneratorKindMFA                   GeneratorKind = "MFA"
+	// GeneratorKindFake represents a fake generator for testing purposes.
+	GeneratorKindFake GeneratorKind = "Fake"
+	// GeneratorKindGCRAccessToken represents a Google Container Registry access token generator.
+	GeneratorKindGCRAccessToken GeneratorKind = "GCRAccessToken"
+	// GeneratorKindGithubAccessToken represents a GitHub access token generator.
+	GeneratorKindGithubAccessToken GeneratorKind = "GithubAccessToken"
+	// GeneratorKindQuayAccessToken represents a Quay access token generator.
+	GeneratorKindQuayAccessToken GeneratorKind = "QuayAccessToken"
+	// GeneratorKindPassword represents a password generator.
+	GeneratorKindPassword GeneratorKind = "Password"
+	// GeneratorKindSSHKey represents an SSH key generator.
+	GeneratorKindSSHKey GeneratorKind = "SSHKey"
+	// GeneratorKindSTSSessionToken represents an AWS STS session token generator.
+	GeneratorKindSTSSessionToken GeneratorKind = "STSSessionToken"
+	// GeneratorKindUUID represents a UUID generator.
+	GeneratorKindUUID GeneratorKind = "UUID"
+	// GeneratorKindVaultDynamicSecret represents a HashiCorp Vault dynamic secret generator.
+	GeneratorKindVaultDynamicSecret GeneratorKind = "VaultDynamicSecret"
+	// GeneratorKindWebhook represents a webhook-based generator.
+	GeneratorKindWebhook GeneratorKind = "Webhook"
+	// GeneratorKindGrafana represents a Grafana token generator.
+	GeneratorKindGrafana GeneratorKind = "Grafana"
+	// GeneratorKindMFA represents a Multi-Factor Authentication generator.
+	GeneratorKindMFA GeneratorKind = "MFA"
+	// GeneratorKindCloudsmithAccessToken represents a Cloudsmith access token generator.
+	GeneratorKindCloudsmithAccessToken GeneratorKind = "CloudsmithAccessToken"
 )
 
+// GeneratorSpec defines the configuration for various supported generator types.
 // +kubebuilder:validation:MaxProperties=1
 // +kubebuilder:validation:MinProperties=1
 type GeneratorSpec struct {

+ 3 - 3
apis/generators/v1alpha1/types_ecr.go

@@ -22,6 +22,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+// ECRAuthorizationTokenSpec defines the desired state to generate an AWS ECR authorization token.
 type ECRAuthorizationTokenSpec struct {
 	// Region specifies the region to operate in.
 	Region string `json:"region"`
@@ -67,13 +68,12 @@ type AWSAuthSecretRef struct {
 	SessionToken *esmeta.SecretKeySelector `json:"sessionTokenSecretRef,omitempty"`
 }
 
-// Authenticate against AWS using service account tokens.
+// AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
 type AWSJWTAuth struct {
 	ServiceAccountRef *esmeta.ServiceAccountSelector `json:"serviceAccountRef,omitempty"`
 }
 
-// ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an
-// authorization token.
+// ECRAuthorizationToken uses the GetAuthorizationToken API to retrieve an authorization token.
 // The authorization token is valid for 12 hours.
 // The authorizationToken returned is a base64 encoded string that can be decoded
 // and used in a docker login command to authenticate to a registry.

+ 4 - 0
apis/generators/v1alpha1/types_gcr.go

@@ -23,6 +23,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+// GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token.
 type GCRAccessTokenSpec struct {
 	// Auth defines the means for authenticating with GCP
 	Auth GCPSMAuth `json:"auth"`
@@ -30,6 +31,7 @@ type GCRAccessTokenSpec struct {
 	ProjectID string `json:"projectID"`
 }
 
+// GCPSMAuth defines the authentication methods for Google Cloud Platform.
 type GCPSMAuth struct {
 	// +optional
 	SecretRef *GCPSMAuthSecretRef `json:"secretRef,omitempty"`
@@ -39,12 +41,14 @@ type GCPSMAuth struct {
 	WorkloadIdentityFederation *esv1.GCPWorkloadIdentityFederation `json:"workloadIdentityFederation,omitempty"`
 }
 
+// GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials.
 type GCPSMAuthSecretRef struct {
 	// The SecretAccessKey is used for authentication
 	// +optional
 	SecretAccessKey esmeta.SecretKeySelector `json:"secretAccessKeySecretRef,omitempty"`
 }
 
+// GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication.
 type GCPWorkloadIdentity struct {
 	ServiceAccountRef esmeta.ServiceAccountSelector `json:"serviceAccountRef"`
 	ClusterLocation   string                        `json:"clusterLocation"`

+ 5 - 2
apis/generators/v1alpha1/types_github.go

@@ -22,8 +22,9 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+// GithubAccessTokenSpec defines the desired state to generate a GitHub access token.
 type GithubAccessTokenSpec struct {
-	// URL configures the Github instance URL. Defaults to https://github.com/.
+	// URL configures the GitHub instance URL. Defaults to https://github.com/.
 	URL       string `json:"url,omitempty"`
 	AppID     string `json:"appID"`
 	InstallID string `json:"installID"`
@@ -36,10 +37,12 @@ type GithubAccessTokenSpec struct {
 	Auth GithubAuth `json:"auth"`
 }
 
+// GithubAuth defines the authentication configuration for GitHub access.
 type GithubAuth struct {
 	PrivateKey GithubSecretRef `json:"privateKey"`
 }
 
+// GithubSecretRef references a secret containing GitHub credentials.
 type GithubSecretRef struct {
 	SecretRef esmeta.SecretKeySelector `json:"secretRef"`
 }
@@ -59,7 +62,7 @@ type GithubAccessToken struct {
 
 // +kubebuilder:object:root=true
 
-// GithubAccessToken contains a list of ExternalSecret resources.
+// GithubAccessTokenList contains a list of GithubAccessToken resources.
 type GithubAccessTokenList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
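Review bot: The comments added on `GithubAuth` and `GithubSecretRef` speak of "GitHub credentials" in general, while the only thing the visible fields carry is a private key (`PrivateKey GithubSecretRef`). Naming it helps anyone auditing which Secret holds key material: `// GithubAuth references the private key the generator authenticates with.` `AppID` and `InstallID` in `GithubAccessTokenSpec` still have no field comments, and since this commit is about godoc coverage they could each get one line. `GithubAccessTokenList` continues outside the last hunk.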

+ 5 - 1
apis/generators/v1alpha1/types_grafana.go

@@ -32,6 +32,7 @@ type GrafanaSpec struct {
 	ServiceAccount GrafanaServiceAccount `json:"serviceAccount"`
 }
 
+// GrafanaServiceAccount defines the configuration for a Grafana service account to be created.
 type GrafanaServiceAccount struct {
 	// Name is the name of the service account that will be created by ESO.
 	Name string `json:"name"`
@@ -41,6 +42,7 @@ type GrafanaServiceAccount struct {
 	Role string `json:"role"`
 }
 
+// GrafanaAuth defines the authentication methods for connecting to a Grafana instance.
 type GrafanaAuth struct {
 	// A service account token used to authenticate against the Grafana instance.
 	// Note: you need a token which has elevated permissions to create service accounts.
@@ -56,6 +58,7 @@ type GrafanaAuth struct {
 	Basic *GrafanaBasicAuth `json:"basic,omitempty"`
 }
 
+// GrafanaBasicAuth defines the credentials for basic authentication with Grafana.
 type GrafanaBasicAuth struct {
 	// A basic auth username used to authenticate against the Grafana instance.
 	Username string `json:"username"`
@@ -77,6 +80,7 @@ type GrafanaStateServiceAccount struct {
 	ServiceAccountTokenID *int64  `json:"tokenID"`
 }
 
+// Grafana represents a generator for Grafana service account tokens.
 // +kubebuilder:object:root=true
 // +kubebuilder:storageversion
 // +kubebuilder:subresource:status
@@ -91,7 +95,7 @@ type Grafana struct {
 
 // +kubebuilder:object:root=true
 
-// ExternalList contains a list of Grafana Generator resources.
+// GrafanaList contains a list of Grafana Generator resources.
 type GrafanaList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
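Review bot: The comment added for `Grafana` sits in the same comment group as the `+kubebuilder` markers, whereas `GrafanaList` a few lines below keeps its marker in a separate group, followed by a blank line and then the doc comment. One layout per file keeps the godoc text and the generator markers visibly apart. Here that would mean moving `// Grafana represents a generator for Grafana service account tokens.` below the marker block, directly above `type Grafana struct`. The declaration itself lies between two hunks, so check the position of any remaining markers against the full file.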

+ 1 - 0
apis/generators/v1alpha1/types_quay.go

@@ -22,6 +22,7 @@ import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
+// QuayAccessTokenSpec defines the desired state to generate a Quay access token.
 type QuayAccessTokenSpec struct {
 	// URL configures the Quay instance URL. Defaults to quay.io.
 	URL string `json:"url,omitempty"`

+ 1 - 0
apis/generators/v1alpha1/types_sts.go

@@ -42,6 +42,7 @@ type RequestParameters struct {
 	TokenCode *string `json:"tokenCode,omitempty"`
 }
 
+// STSSessionTokenSpec defines the desired state to generate an AWS STS session token.
 type STSSessionTokenSpec struct {
 	// Region specifies the region to operate in.
 	Region string `json:"region"`

+ 9 - 2
apis/generators/v1alpha1/types_vault.go

@@ -23,6 +23,7 @@ import (
 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 )
 
+// VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret.
 type VaultDynamicSecretSpec struct {
 	// Used to select the correct ESO controller (think: ingress.ingressClassName)
 	// The ESO controller is instantiated with a specific controller name and filters VDS based on this property
@@ -36,7 +37,7 @@ type VaultDynamicSecretSpec struct {
 	Parameters *apiextensions.JSON `json:"parameters,omitempty"`
 
 	// Result type defines which data is returned from the generator.
-	// By default it is the "data" section of the Vault API response.
+	// By default, it is the "data" section of the Vault API response.
 	// When using e.g. /auth/token/create the "data" section is empty but
 	// the "auth" section contains the generated token.
 	// Please refer to the vault docs regarding the result data structure.
@@ -60,15 +61,20 @@ type VaultDynamicSecretSpec struct {
 	AllowEmptyResponse bool `json:"allowEmptyResponse,omitempty"`
 }
 
+// VaultDynamicSecretResultType defines which part of the Vault API response should be returned.
 // +kubebuilder:validation:Enum=Data;Auth;Raw
 type VaultDynamicSecretResultType string
 
 const (
+	// VaultDynamicSecretResultTypeData specifies to return the "data" section of the Vault API response.
 	VaultDynamicSecretResultTypeData VaultDynamicSecretResultType = "Data"
+	// VaultDynamicSecretResultTypeAuth specifies to return the "auth" section of the Vault API response.
 	VaultDynamicSecretResultTypeAuth VaultDynamicSecretResultType = "Auth"
-	VaultDynamicSecretResultTypeRaw  VaultDynamicSecretResultType = "Raw"
+	// VaultDynamicSecretResultTypeRaw specifies to return the raw response from the Vault API.
+	VaultDynamicSecretResultTypeRaw VaultDynamicSecretResultType = "Raw"
 )
 
+// VaultDynamicSecret represents a generator that can create dynamic secrets from HashiCorp Vault.
 // +kubebuilder:object:root=true
 // +kubebuilder:storageversion
 // +kubebuilder:subresource:status
@@ -81,6 +87,7 @@ type VaultDynamicSecret struct {
 	Spec VaultDynamicSecretSpec `json:"spec,omitempty"`
 }
 
+// VaultDynamicSecretList contains a list of VaultDynamicSecret resources.
 // +kubebuilder:object:root=true
 type VaultDynamicSecretList struct {
 	metav1.TypeMeta `json:",inline"`
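Review bot: The comment on `VaultDynamicSecretResultTypeRaw` says it returns "the raw response from the Vault API" without saying what that includes. The spec comment in the same file notes that for paths such as /auth/token/create the "auth" section carries the generated token, so `Raw` presumably passes that section and any other response metadata into the generated secret as well. I would state this on the constant, e.g. `// VaultDynamicSecretResultTypeRaw returns the whole Vault API response, including the "data" and "auth" sections.`, after confirming it against the generator code. `VaultDynamicSecretList` continues outside the last hunk.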

+ 9 - 3
apis/generators/v1alpha1/types_webhook.go

@@ -84,14 +84,17 @@ type NTLMProtocol struct {
 	Password esmeta.SecretKeySelector `json:"passwordSecret"`
 }
 
+// WebhookCAProviderType defines the type of provider for webhook CA certificates.
 type WebhookCAProviderType string
 
 const (
-	WebhookCAProviderTypeSecret    WebhookCAProviderType = "Secret"
+	// WebhookCAProviderTypeSecret indicates the CA provider is a Secret resource.
+	WebhookCAProviderTypeSecret WebhookCAProviderType = "Secret"
+	// WebhookCAProviderTypeConfigMap indicates the CA provider is a ConfigMap resource.
 	WebhookCAProviderTypeConfigMap WebhookCAProviderType = "ConfigMap"
 )
 
-// Defines a location to fetch the cert for the webhook provider from.
+// WebhookCAProvider defines a location to fetch the cert for the webhook provider from.
 type WebhookCAProvider struct {
 	// The type of provider to use such as "Secret", or "ConfigMap".
 	// +kubebuilder:validation:Enum="Secret";"ConfigMap"
@@ -118,12 +121,14 @@ type WebhookCAProvider struct {
 	Namespace *string `json:"namespace,omitempty"`
 }
 
+// WebhookResult defines how to format and extract results from the webhook response.
 type WebhookResult struct {
 	// Json path of return value
 	// +optional
 	JSONPath string `json:"jsonPath,omitempty"`
 }
 
+// WebhookSecret defines a secret reference that will be used in webhook templates.
 type WebhookSecret struct {
 	// Name of this secret in templates
 	Name string `json:"name"`
@@ -132,6 +137,7 @@ type WebhookSecret struct {
 	SecretRef SecretKeySelector `json:"secretRef"`
 }
 
+// SecretKeySelector defines a reference to a specific key within a Kubernetes Secret.
 type SecretKeySelector struct {
 	// The name of the Secret resource being referred to.
 	// +kubebuilder:validation:MinLength:=1
@@ -164,7 +170,7 @@ type Webhook struct {
 
 // +kubebuilder:object:root=true
 
-// ExternalList contains a list of Webhook Generator resources.
+// WebhookList contains a list of Webhook Generator resources.
 type WebhookList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
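Review bot: The comment added on the local `SecretKeySelector` reads almost the same as the one on `esmeta.SecretKeySelector`, and this file uses both (`NTLMProtocol.Password` takes the esmeta type, `WebhookSecret.SecretRef` the local one). The doc comment is the place to say why the webhook generator has its own selector and how it differs, for instance whether it may point at a Secret in another namespace; the struct body is outside the hunk, so that cannot be told from here. Separately, `WebhookResult` is described as defining how to "format and extract" results, but the only field shown is `JSONPath`; `// WebhookResult defines how to extract the result from the webhook response.` would match it. `WebhookList` continues outside the last hunk.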

+ 1 - 1
apis/meta/v1/doc.go

@@ -14,6 +14,6 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// Package meta contains meta types for external-secrets APIs
+// Package v1 contains meta types for external-secrets APIs
 // +kubebuilder:object:generate=true
 package v1

+ 2 - 2
apis/meta/v1/types.go

@@ -16,7 +16,7 @@ limitations under the License.
 
 package v1
 
-// A reference to a specific 'key' within a Secret resource.
+// SecretKeySelector is a reference to a specific 'key' within a Secret resource.
 // In some instances, `key` is a required field.
 type SecretKeySelector struct {
 	// The name of the Secret resource being referred to.
@@ -42,7 +42,7 @@ type SecretKeySelector struct {
 	Key string `json:"key,omitempty"`
 }
 
-// A reference to a ServiceAccount resource.
+// ServiceAccountSelector is a reference to a ServiceAccount resource.
 type ServiceAccountSelector struct {
 	// The name of the ServiceAccount resource being referred to.
 	// +kubebuilder:validation:MinLength:=1
