
feat: add crd compliance tests (#4390)

* feat: add crd compliance tests

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

* add github action and cover each crd with a test

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>

---------

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Gergely Brautigam 1 year ago
parent
commit
70c45852a1
46 changed files with 3046 additions and 2 deletions
  1. 31 0
      .github/workflows/crds.yml
  2. 1 0
      .gitignore
  3. 30 2
      Makefile
  4. 10 0
      hack/test.crds.generate.sh
  5. 26 0
      tests/__snapshot__/acraccesstoken-v1alpha1.yaml
  6. 109 0
      tests/__snapshot__/clusterexternalsecret-v1beta1.yaml
  7. 275 0
      tests/__snapshot__/clustergenerator-v1alpha1.yaml
  8. 301 0
      tests/__snapshot__/clustersecretstore-v1alpha1.yaml
  9. 658 0
      tests/__snapshot__/clustersecretstore-v1beta1.yaml
  10. 26 0
      tests/__snapshot__/ecrauthorizationtoken-v1alpha1.yaml
  11. 51 0
      tests/__snapshot__/externalsecret-v1alpha1.yaml
  12. 91 0
      tests/__snapshot__/externalsecret-v1beta1.yaml
  13. 6 0
      tests/__snapshot__/fake-v1alpha1.yaml
  14. 19 0
      tests/__snapshot__/gcraccesstoken-v1alpha1.yaml
  15. 14 0
      tests/__snapshot__/generatorstate-v1alpha1.yaml
  16. 15 0
      tests/__snapshot__/githubaccesstoken-v1alpha1.yaml
  17. 12 0
      tests/__snapshot__/grafana-v1alpha1.yaml
  18. 10 0
      tests/__snapshot__/password-v1alpha1.yaml
  19. 62 0
      tests/__snapshot__/pushsecret-v1alpha1.yaml
  20. 10 0
      tests/__snapshot__/quayaccesstoken-v1alpha1.yaml
  21. 301 0
      tests/__snapshot__/secretstore-v1alpha1.yaml
  22. 658 0
      tests/__snapshot__/secretstore-v1beta1.yaml
  23. 29 0
      tests/__snapshot__/stssessiontoken-v1alpha1.yaml
  24. 4 0
      tests/__snapshot__/uuid-v1alpha1.yaml
  25. 126 0
      tests/__snapshot__/vaultdynamicsecret-v1alpha1.yaml
  26. 22 0
      tests/__snapshot__/webhook-v1alpha1.yaml
  27. 7 0
      tests/acraccesstoken_test.yaml
  28. 8 0
      tests/clusterexternalsecret_test.yaml
  29. 10 0
      tests/clustergenerator_test.yaml
  30. 10 0
      tests/clustersecretstore_test.yaml
  31. 3 0
      tests/crds/README.md
  32. 7 0
      tests/ecrauthorizationtoken_test.yaml
  33. 7 0
      tests/externalsecrets_test.yaml
  34. 7 0
      tests/fake_test.yaml
  35. 7 0
      tests/gcraccesstoken_test.yaml
  36. 7 0
      tests/generatorstate_test.yaml
  37. 7 0
      tests/githubaccesstoken_test.yaml
  38. 7 0
      tests/grafana_test.yaml
  39. 7 0
      tests/password_test.yaml
  40. 10 0
      tests/pushsecret_test.yaml
  41. 7 0
      tests/quayaccesstoken_test.yaml
  42. 10 0
      tests/secretstore_test.yaml
  43. 7 0
      tests/stssessiontoken_test.yaml
  44. 7 0
      tests/uuid_test.yaml
  45. 7 0
      tests/vaultdynamicsecret_test.yaml
  46. 7 0
      tests/webhook_test.yaml

+ 31 - 0
.github/workflows/crds.yml

@@ -0,0 +1,31 @@
+name: CRDs
+
+on:
+  push:
+    branches:
+      - main
+      - release-*
+    paths:
+      - 'apis/**'
+  pull_request:
+    paths:
+      - 'apis/**'
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+
+jobs:
+  crd-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Generate crds for testing
+        run: make crds.generate.tests
+
+      - name: Run crd tests
+        run: make test.crds
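Review bot: The `paths` filters under both `push` and `pull_request` list only `apis/**`, so a change that touches just `tests/**`, the `Makefile` or `hack/test.crds.generate.sh` never runs this check; those paths (and the generated bundle's path) should be added to both filters. `make test.crds` already has `crds.generate.tests` as a prerequisite in this commit's Makefile section, so the separate "Generate crds for testing" step runs the split twice. Because the job then executes a binary that the Makefile downloads at run time, I would also set `persist-credentials: false` under the checkout step's `with:` so the token is not left in the workspace git config. `fetch-depth: 0` looks unnecessary for a snapshot comparison.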

+ 1 - 0
.gitignore

@@ -67,3 +67,4 @@ terraform.rc
 .terraform.lock.hcl
 
 tmp/
+tests/crds/*.yml

+ 30 - 2
Makefile

@@ -108,6 +108,18 @@ test.e2e.managed: generate ## Run e2e tests managed
 	$(MAKE) -C ./e2e test.managed
 	@$(OK) go test e2e-tests-managed
 
+.PHONY: test.crds
+test.crds: cty crds.generate.tests ## Test CRDs for modification and backwards compatibility
+	@$(INFO) $(CTY) test tests
+	$(CTY) test tests
+	@$(OK) No breaking CRD changes detected
+
+.PHONY: test.crds.update
+test.crds.update: cty crds.generate.tests ## Update the snapshots used by the CRD tests
+	@$(INFO) $(CTY) test tests -u
+	$(CTY) test tests -u
+	@$(OK) Successfully updated all test snapshots
+
 .PHONY: build
 build: $(addprefix build-,$(ARCH)) ## Build binary
 
@@ -155,6 +167,10 @@ crds.install: generate ## Install CRDs into a cluster. This is for convenience
 crds.uninstall: ## Uninstall CRDs from a cluster. This is for convenience
 	kubectl delete -f $(BUNDLE_DIR)
 
+crds.generate.tests:
+	./hack/test.crds.generate.sh $(BUNDLE_DIR) tests/crds
+	@$(OK) Finished generating crds for testing
+
 tilt-up: tilt manifests ## Generates the local manifests that tilt will use to deploy the controller's objects.
 	$(LOCALBIN)/tilt up
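Review bot: `crds.generate.tests` is added without a `.PHONY:` line or a `##` help comment, unlike the `test.crds` targets added in the same commit. Add `.PHONY: crds.generate.tests` and a description such as `## Split the CRD bundle into per-CRD files for the compliance tests`. The target also has no prerequisite that regenerates `$(BUNDLE_DIR)/bundle.yaml`, so the tests compare whatever bundle is on disk; if testing the committed bundle is the intent, a comment saying so would help. Files left in `tests/crds` by earlier runs are not removed first, so a renamed or deleted CRD leaves a stale `.yml` behind.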
 
@@ -309,15 +325,19 @@ clean:  ## Clean bins
 
 ifeq ($(OS),Windows_NT)     # is Windows_NT on XP, 2000, 7, Vista, 10...
     detected_OS := windows
+    real_OS := windows
     arch := x86_64
 else
     detected_OS := $(shell uname -s)
+    real_OS := $(detected_OS)
     arch := $(shell uname -m)
     ifeq ($(detected_OS),Darwin)
-    	detected_OS := mac
+        detected_OS := mac
+        real_OS := darwin
     endif
     ifeq ($(detected_OS),Linux)
-    	detected_OS := linux
+        detected_OS := linux
+        real_OS := linux
     endif
 endif
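Review bot: `real_OS` and `detected_OS` now hold almost the same value, and nothing in the block explains why both exist. A comment above the `ifeq` would help, for example `# detected_OS follows the tilt asset naming (mac/linux); real_OS is the lowercase OS name used in the cty download URL (darwin/linux)`. On any other Unix the fallback `real_OS := $(detected_OS)` keeps the raw `uname -s` string, which probably does not match a release asset name; this is hedged because the release's asset list is not visible here.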
 
@@ -328,6 +348,7 @@ $(LOCALBIN):
 
 ## Tool Binaries
 TILT ?= $(LOCALBIN)/tilt
+CTY ?= $(LOCALBIN)/cty
 ENVTEST ?= $(LOCALBIN)/setup-envtest
 GOLANGCI_LINT ?= $(LOCALBIN)/golangci-lint
 
@@ -335,6 +356,7 @@ GOLANGCI_LINT ?= $(LOCALBIN)/golangci-lint
 GOLANGCI_VERSION := 1.61.0
 KUBERNETES_VERSION := 1.30.x
 TILT_VERSION := 0.33.21
+CTY_VERSION := 1.1.3
 
 .PHONY: envtest
 envtest: $(ENVTEST) ## Download envtest-setup locally if necessary.
@@ -353,3 +375,9 @@ $(GOLANGCI_LINT): $(LOCALBIN)
 tilt: $(TILT) ## Download tilt locally if necessary. Architecture is locked at x86_64.
 $(TILT): $(LOCALBIN)
 	test -s $(LOCALBIN)/tilt || curl -fsSL https://github.com/tilt-dev/tilt/releases/download/v$(TILT_VERSION)/tilt.$(TILT_VERSION).$(detected_OS).$(arch).tar.gz | tar -xz -C $(LOCALBIN) tilt
+
+.PHONY: cty
+.PHONY: $(CTY)
+cty: $(CTY) ## Download cty locally if necessary. Architecture is locked at x86_64.
+$(CTY): $(LOCALBIN)
+	test -s $(LOCALBIN)/cty || curl -fsSL https://github.com/Skarlso/crd-to-sample-yaml/releases/download/v$(CTY_VERSION)/cty_$(real_OS)_amd64.tar.gz | tar -xz -C $(LOCALBIN) cty
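Review bot: The `$(CTY)` recipe pipes a release tarball from a third-party repository straight into `tar`, and `test.crds` then runs the extracted binary (including in CI) without checking the archive against a pinned digest; `CTY_VERSION` pins a tag name, not content. Download to a file, verify a SHA-256 recorded in the Makefile, and only then extract, as sketched below. The digest there is a placeholder and differs per OS, and `sha256sum` may need to be `shasum -a 256` on macOS. Two smaller points on the same lines: `test -s $(LOCALBIN)/cty` means bumping `CTY_VERSION` does not replace an already-downloaded binary, and `.PHONY: $(CTY)` marks a real file as phony.

```make
# Placeholder: record the real digest of cty_$(real_OS)_amd64.tar.gz for v$(CTY_VERSION)
CTY_SHA256 := PLACEHOLDER_SHA256_OF_RELEASE_TARBALL

$(CTY): $(LOCALBIN)
	test -s $(LOCALBIN)/cty || { \
		curl -fsSL -o $(LOCALBIN)/cty.tar.gz https://github.com/Skarlso/crd-to-sample-yaml/releases/download/v$(CTY_VERSION)/cty_$(real_OS)_amd64.tar.gz && \
		echo "$(CTY_SHA256)  $(LOCALBIN)/cty.tar.gz" | sha256sum -c - && \
		tar -xzf $(LOCALBIN)/cty.tar.gz -C $(LOCALBIN) cty && \
		rm -f $(LOCALBIN)/cty.tar.gz; \
	}
```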

+ 10 - 0
hack/test.crds.generate.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -euo pipefail
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+BUNDLE_DIR="${1}"
+OUTPUT_DIR="${2}"
+
+cd "${SCRIPT_DIR}"/../
+
+# Split the generated bundle yaml file
+yq e -Ns "\"${OUTPUT_DIR}/\" + .spec.names.singular" "${BUNDLE_DIR}"/bundle.yaml
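Review bot: `OUTPUT_DIR` is spliced into the yq expression text on the last line, so a path containing a double quote or backslash changes the expression instead of being treated as data. Passing it through the environment avoids that: `OUTPUT_DIR="${OUTPUT_DIR}" yq e -Ns 'strenv(OUTPUT_DIR) + "/" + .spec.names.singular' "${BUNDLE_DIR}/bundle.yaml"`. The file name comes from `.spec.names.singular` inside the bundle, so a value containing `/` or `..` would be written outside the output directory; a check that the name matches `^[a-z0-9-]+$` before writing would close that off. With `set -u`, a missing argument fails with a bare "unbound variable"; `BUNDLE_DIR="${1:?usage: $0 <bundle-dir> <output-dir>}"` gives the caller something to act on.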

+ 26 - 0
tests/__snapshot__/acraccesstoken-v1alpha1.yaml

@@ -0,0 +1,26 @@
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: ACRAccessToken
+metadata: {}
+spec:
+  auth:
+    managedIdentity:
+      identityId: string
+    servicePrincipal:
+      secretRef:
+        clientId:
+          key: string
+          name: string
+          namespace: string
+        clientSecret:
+          key: string
+          name: string
+          namespace: string
+    workloadIdentity:
+      serviceAccountRef:
+        audiences: [] # minItems 0 of type string
+        name: string
+        namespace: string
+  environmentType: "PublicCloud"
+  registry: string
+  scope: string
+  tenantId: string

+ 109 - 0
tests/__snapshot__/clusterexternalsecret-v1beta1.yaml

@@ -0,0 +1,109 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterExternalSecret
+metadata: {}
+spec:
+  externalSecretMetadata:
+    annotations: {}
+    labels: {}
+  externalSecretName: string
+  externalSecretSpec:
+    data:
+    - remoteRef:
+        conversionStrategy: "Default"
+        decodingStrategy: "None"
+        key: string
+        metadataPolicy: "None"
+        property: string
+        version: string
+      secretKey: string
+      sourceRef:
+        generatorRef:
+          apiVersion: external-secrets.io/v1beta1
+          kind: "ACRAccessToken" # "ACRAccessToken", "ClusterGenerator", "ECRAuthorizationToken", "Fake", "GCRAccessToken", "GithubAccessToken", "QuayAccessToken", "Password", "STSSessionToken", "UUID", "VaultDynamicSecret", "Webhook", "Grafana"
+          name: string
+        storeRef:
+          kind: "SecretStore" # "SecretStore", "ClusterSecretStore"
+          name: string
+    dataFrom:
+    - extract:
+        conversionStrategy: "Default"
+        decodingStrategy: "None"
+        key: string
+        metadataPolicy: "None"
+        property: string
+        version: string
+      find:
+        conversionStrategy: "Default"
+        decodingStrategy: "None"
+        name:
+          regexp: string
+        path: string
+        tags: {}
+      rewrite:
+      - regexp:
+          source: string
+          target: string
+        transform:
+          template: string
+      sourceRef:
+        generatorRef:
+          apiVersion: external-secrets.io/v1beta1
+          kind: "ACRAccessToken" # "ACRAccessToken", "ClusterGenerator", "ECRAuthorizationToken", "Fake", "GCRAccessToken", "GithubAccessToken", "QuayAccessToken", "Password", "STSSessionToken", "UUID", "VaultDynamicSecret", "Webhook", "Grafana"
+          name: string
+        storeRef:
+          kind: "SecretStore" # "SecretStore", "ClusterSecretStore"
+          name: string
+    refreshInterval: "1h"
+    secretStoreRef:
+      kind: "SecretStore" # "SecretStore", "ClusterSecretStore"
+      name: string
+    target:
+      creationPolicy: "Owner"
+      deletionPolicy: "Retain"
+      immutable: true
+      name: string
+      template:
+        data: {}
+        engineVersion: "v2"
+        mergePolicy: "Replace"
+        metadata:
+          annotations: {}
+          labels: {}
+        templateFrom:
+        - configMap:
+            items:
+            - key: string
+              templateAs: "Values"
+            name: string
+          literal: string
+          secret:
+            items:
+            - key: string
+              templateAs: "Values"
+            name: string
+          target: "Data"
+        type: string
+  namespaceSelector:
+    matchExpressions:
+    - key: string
+      operator: string
+      values: [] # minItems 0 of type string
+    matchLabels: {}
+  namespaceSelectors:
+  - matchExpressions:
+    - key: string
+      operator: string
+      values: [] # minItems 0 of type string
+    matchLabels: {}
+  namespaces: [] # minItems 0 of type string
+  refreshTime: string
+status:
+  conditions:
+  - message: string
+    status: string
+    type: string
+  externalSecretName: string
+  failedNamespaces:
+  - namespace: string
+    reason: string
+  provisionedNamespaces: [] # minItems 0 of type string

+ 275 - 0
tests/__snapshot__/clustergenerator-v1alpha1.yaml

@@ -0,0 +1,275 @@
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: ClusterGenerator
+metadata: {}
+spec:
+  generator:
+    acrAccessTokenSpec:
+      auth:
+        managedIdentity:
+          identityId: string
+        servicePrincipal:
+          secretRef:
+            clientId:
+              key: string
+              name: string
+              namespace: string
+            clientSecret:
+              key: string
+              name: string
+              namespace: string
+        workloadIdentity:
+          serviceAccountRef:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+      environmentType: "PublicCloud"
+      registry: string
+      scope: string
+      tenantId: string
+    ecrAuthorizationTokenSpec:
+      auth:
+        jwt:
+          serviceAccountRef:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+        secretRef:
+          accessKeyIDSecretRef:
+            key: string
+            name: string
+            namespace: string
+          secretAccessKeySecretRef:
+            key: string
+            name: string
+            namespace: string
+          sessionTokenSecretRef:
+            key: string
+            name: string
+            namespace: string
+      region: string
+      role: string
+      scope: string
+    fakeSpec:
+      controller: string
+      data: {}
+    gcrAccessTokenSpec:
+      auth:
+        secretRef:
+          secretAccessKeySecretRef:
+            key: string
+            name: string
+            namespace: string
+        workloadIdentity:
+          clusterLocation: string
+          clusterName: string
+          clusterProjectID: string
+          serviceAccountRef:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+      projectID: string
+    githubAccessTokenSpec:
+      appID: string
+      auth:
+        privateKey:
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+      installID: string
+      permissions: {}
+      repositories: [] # minItems 0 of type string
+      url: string
+    grafanaSpec:
+      auth:
+        token:
+          key: string
+          name: string
+      serviceAccount:
+        name: string
+        role: string
+      url: string
+    passwordSpec:
+      allowRepeat: false
+      digits: 1
+      length: 24
+      noUpper: false
+      symbolCharacters: string
+      symbols: 1
+    quayAccessTokenSpec:
+      robotAccount: string
+      serviceAccountRef:
+        audiences: [] # minItems 0 of type string
+        name: string
+        namespace: string
+      url: string
+    stsSessionTokenSpec:
+      auth:
+        jwt:
+          serviceAccountRef:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+        secretRef:
+          accessKeyIDSecretRef:
+            key: string
+            name: string
+            namespace: string
+          secretAccessKeySecretRef:
+            key: string
+            name: string
+            namespace: string
+          sessionTokenSecretRef:
+            key: string
+            name: string
+            namespace: string
+      region: string
+      requestParameters:
+        serialNumber: string
+        sessionDuration: 1
+        tokenCode: string
+      role: string
+    uuidSpec: {}
+    vaultDynamicSecretSpec:
+      allowEmptyResponse: false
+      controller: string
+      method: string
+      parameters: 
+      path: string
+      provider:
+        auth:
+          appRole:
+            path: "approle"
+            roleId: string
+            roleRef:
+              key: string
+              name: string
+              namespace: string
+            secretRef:
+              key: string
+              name: string
+              namespace: string
+          cert:
+            clientCert:
+              key: string
+              name: string
+              namespace: string
+            secretRef:
+              key: string
+              name: string
+              namespace: string
+          iam:
+            externalID: string
+            jwt:
+              serviceAccountRef:
+                audiences: [] # minItems 0 of type string
+                name: string
+                namespace: string
+            path: string
+            region: string
+            role: string
+            secretRef:
+              accessKeyIDSecretRef:
+                key: string
+                name: string
+                namespace: string
+              secretAccessKeySecretRef:
+                key: string
+                name: string
+                namespace: string
+              sessionTokenSecretRef:
+                key: string
+                name: string
+                namespace: string
+            vaultAwsIamServerID: string
+            vaultRole: string
+          jwt:
+            kubernetesServiceAccountToken:
+              audiences: [] # minItems 0 of type string
+              expirationSeconds: 1
+              serviceAccountRef:
+                audiences: [] # minItems 0 of type string
+                name: string
+                namespace: string
+            path: "jwt"
+            role: string
+            secretRef:
+              key: string
+              name: string
+              namespace: string
+          kubernetes:
+            mountPath: "kubernetes"
+            role: string
+            secretRef:
+              key: string
+              name: string
+              namespace: string
+            serviceAccountRef:
+              audiences: [] # minItems 0 of type string
+              name: string
+              namespace: string
+          ldap:
+            path: "ldap"
+            secretRef:
+              key: string
+              name: string
+              namespace: string
+            username: string
+          namespace: string
+          tokenSecretRef:
+            key: string
+            name: string
+            namespace: string
+          userPass:
+            path: "user"
+            secretRef:
+              key: string
+              name: string
+              namespace: string
+            username: string
+        caBundle: c3RyaW5n
+        caProvider:
+          key: string
+          name: string
+          namespace: string
+          type: "Secret" # "Secret", "ConfigMap"
+        forwardInconsistent: true
+        headers: {}
+        namespace: string
+        path: string
+        readYourWrites: true
+        server: string
+        tls:
+          certSecretRef:
+            key: string
+            name: string
+            namespace: string
+          keySecretRef:
+            key: string
+            name: string
+            namespace: string
+        version: "v2"
+      resultType: "Data"
+      retrySettings:
+        maxRetries: 1
+        retryInterval: string
+    webhookSpec:
+      body: string
+      caBundle: c3RyaW5n
+      caProvider:
+        key: string
+        name: string
+        namespace: string
+        type: "Secret" # "Secret", "ConfigMap"
+      headers: {}
+      method: string
+      result:
+        jsonPath: string
+      secrets:
+      - name: string
+        secretRef:
+          key: string
+          name: string
+      timeout: string
+      url: string
+  kind: "ACRAccessToken" # "ACRAccessToken", "ECRAuthorizationToken", "Fake", "GCRAccessToken", "GithubAccessToken", "QuayAccessToken'Password", "STSSessionToken", "UUID", "VaultDynamicSecret", "Webhook", "Grafana"
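Review bot: The enum comment on the last line lists `"QuayAccessToken'Password"` as a single value, whereas the `generatorRef.kind` comments in this commit's ClusterExternalSecret snapshot list `"QuayAccessToken"` and `"Password"` separately. If that reflects the CRD's actual enum (a stray `'` where a separator was intended, presumably in the validation marker under `apis/`), then neither `QuayAccessToken` nor `Password` would be accepted as `spec.kind`. This snapshot would then freeze the mistake as the expected baseline. It is worth fixing at the source and regenerating the snapshot rather than committing it as is.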

+ 301 - 0
tests/__snapshot__/clustersecretstore-v1alpha1.yaml

@@ -0,0 +1,301 @@
+apiVersion: external-secrets.io/v1alpha1
+kind: ClusterSecretStore
+metadata: {}
+spec:
+  controller: string
+  provider:
+    akeyless:
+      akeylessGWApiURL: string
+      authSecretRef:
+        kubernetesAuth:
+          accessID: string
+          k8sConfName: string
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          serviceAccountRef:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+        secretRef:
+          accessID:
+            key: string
+            name: string
+            namespace: string
+          accessType:
+            key: string
+            name: string
+            namespace: string
+          accessTypeParam:
+            key: string
+            name: string
+            namespace: string
+      caBundle: c3RyaW5n
+      caProvider:
+        key: string
+        name: string
+        namespace: string
+        type: "Secret" # "Secret", "ConfigMap"
+    alibaba:
+      auth:
+        rrsa:
+          oidcProviderArn: string
+          oidcTokenFilePath: string
+          roleArn: string
+          sessionName: string
+        secretRef:
+          accessKeyIDSecretRef:
+            key: string
+            name: string
+            namespace: string
+          accessKeySecretSecretRef:
+            key: string
+            name: string
+            namespace: string
+      regionID: string
+    aws:
+      auth:
+        jwt:
+          serviceAccountRef:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+        secretRef:
+          accessKeyIDSecretRef:
+            key: string
+            name: string
+            namespace: string
+          secretAccessKeySecretRef:
+            key: string
+            name: string
+            namespace: string
+      region: string
+      role: string
+      service: "SecretsManager" # "SecretsManager", "ParameterStore"
+    azurekv:
+      authSecretRef:
+        clientId:
+          key: string
+          name: string
+          namespace: string
+        clientSecret:
+          key: string
+          name: string
+          namespace: string
+      authType: "ServicePrincipal"
+      identityId: string
+      serviceAccountRef:
+        audiences: [] # minItems 0 of type string
+        name: string
+        namespace: string
+      tenantId: string
+      vaultUrl: string
+    fake:
+      data:
+      - key: string
+        value: string
+        valueMap: {}
+        version: string
+    gcpsm:
+      auth:
+        secretRef:
+          secretAccessKeySecretRef:
+            key: string
+            name: string
+            namespace: string
+        workloadIdentity:
+          clusterLocation: string
+          clusterName: string
+          clusterProjectID: string
+          serviceAccountRef:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+      projectID: string
+    gitlab:
+      auth:
+        SecretRef:
+          accessToken:
+            key: string
+            name: string
+            namespace: string
+      projectID: string
+      url: string
+    ibm:
+      auth:
+        secretRef:
+          secretApiKeySecretRef:
+            key: string
+            name: string
+            namespace: string
+      serviceUrl: string
+    kubernetes:
+      auth:
+        cert:
+          clientCert:
+            key: string
+            name: string
+            namespace: string
+          clientKey:
+            key: string
+            name: string
+            namespace: string
+        serviceAccount:
+          serviceAccount:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+        token:
+          bearerToken:
+            key: string
+            name: string
+            namespace: string
+      remoteNamespace: "default"
+      server:
+        caBundle: c3RyaW5n
+        caProvider:
+          key: string
+          name: string
+          namespace: string
+          type: "Secret" # "Secret", "ConfigMap"
+        url: "kubernetes.default"
+    oracle:
+      auth:
+        secretRef:
+          fingerprint:
+            key: string
+            name: string
+            namespace: string
+          privatekey:
+            key: string
+            name: string
+            namespace: string
+        tenancy: string
+        user: string
+      compartment: string
+      encryptionKey: string
+      principalType: "" # "", "UserPrincipal", "InstancePrincipal", "Workload"
+      region: string
+      serviceAccountRef:
+        audiences: [] # minItems 0 of type string
+        name: string
+        namespace: string
+      vault: string
+    passworddepot:
+      auth:
+        secretRef:
+          credentials:
+            key: string
+            name: string
+            namespace: string
+      database: string
+      host: string
+    vault:
+      auth:
+        appRole:
+          path: "approle"
+          roleId: string
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+        cert:
+          clientCert:
+            key: string
+            name: string
+            namespace: string
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+        jwt:
+          kubernetesServiceAccountToken:
+            audiences: [] # minItems 0 of type string
+            expirationSeconds: 1
+            serviceAccountRef:
+              audiences: [] # minItems 0 of type string
+              name: string
+              namespace: string
+          path: "jwt"
+          role: string
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+        kubernetes:
+          mountPath: "kubernetes"
+          role: string
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          serviceAccountRef:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+        ldap:
+          path: "ldap"
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          username: string
+        tokenSecretRef:
+          key: string
+          name: string
+          namespace: string
+      caBundle: c3RyaW5n
+      caProvider:
+        key: string
+        name: string
+        namespace: string
+        type: "Secret" # "Secret", "ConfigMap"
+      forwardInconsistent: true
+      namespace: string
+      path: string
+      readYourWrites: true
+      server: string
+      version: "v2"
+    webhook:
+      body: string
+      caBundle: c3RyaW5n
+      caProvider:
+        key: string
+        name: string
+        namespace: string
+        type: "Secret" # "Secret", "ConfigMap"
+      headers: {}
+      method: string
+      result:
+        jsonPath: string
+      secrets:
+      - name: string
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+      timeout: string
+      url: string
+    yandexlockbox:
+      apiEndpoint: string
+      auth:
+        authorizedKeySecretRef:
+          key: string
+          name: string
+          namespace: string
+      caProvider:
+        certSecretRef:
+          key: string
+          name: string
+          namespace: string
+  retrySettings:
+    maxRetries: 1
+    retryInterval: string
+status:
+  conditions:
+  - lastTransitionTime: 2024-10-11T12:48:44Z
+    message: string
+    reason: string
+    status: string
+    type: string

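--- a/tests/__snapshot__/clustersecretstore-v1beta1.yaml
+++ b/tests/__snapshot__/clustersecretstore-v1beta1.yaml
@@ -0,0 +1,658 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata: {}
+spec:
+  conditions:
+  - namespaceRegexes: [] # minItems 0 of type string
+    namespaceSelector:
+      matchExpressions:
+      - key: string
+        operator: string
+        values: [] # minItems 0 of type string
+      matchLabels: {}
+    namespaces: [] # minItems 0 of type string
+  controller: string
+  provider:
+    akeyless:
+      akeylessGWApiURL: string
+      authSecretRef:
+        kubernetesAuth:
+          accessID: string
+          k8sConfName: string
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          serviceAccountRef:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+        secretRef:
+          accessID:
+            key: string
+            name: string
+            namespace: string
+          accessType:
+            key: string
+            name: string
+            namespace: string
+          accessTypeParam:
+            key: string
+            name: string
+            namespace: string
+      caBundle: c3RyaW5n
+      caProvider:
+        key: string
+        name: string
+        namespace: string
+        type: "Secret" # "Secret", "ConfigMap"
+    alibaba:
+      auth:
+        rrsa:
+          oidcProviderArn: string
+          oidcTokenFilePath: string
+          roleArn: string
+          sessionName: string
+        secretRef:
+          accessKeyIDSecretRef:
+            key: string
+            name: string
+            namespace: string
+          accessKeySecretSecretRef:
+            key: string
+            name: string
+            namespace: string
+      regionID: string
+    aws:
+      additionalRoles: [] # minItems 0 of type string
+      auth:
+        jwt:
+          serviceAccountRef:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+        secretRef:
+          accessKeyIDSecretRef:
+            key: string
+            name: string
+            namespace: string
+          secretAccessKeySecretRef:
+            key: string
+            name: string
+            namespace: string
+          sessionTokenSecretRef:
+            key: string
+            name: string
+            namespace: string
+      externalID: string
+      prefix: string
+      region: string
+      role: string
+      secretsManager:
+        forceDeleteWithoutRecovery: true
+        recoveryWindowInDays: 1
+      service: "SecretsManager" # "SecretsManager", "ParameterStore"
+      sessionTags:
+      - key: string
+        value: string
+      transitiveTagKeys: [] # minItems 0 of type string
+    azurekv:
+      authSecretRef:
+        clientCertificate:
+          key: string
+          name: string
+          namespace: string
+        clientId:
+          key: string
+          name: string
+          namespace: string
+        clientSecret:
+          key: string
+          name: string
+          namespace: string
+        tenantId:
+          key: string
+          name: string
+          namespace: string
+      authType: "ServicePrincipal"
+      environmentType: "PublicCloud"
+      identityId: string
+      serviceAccountRef:
+        audiences: [] # minItems 0 of type string
+        name: string
+        namespace: string
+      tenantId: string
+      vaultUrl: string
+    beyondtrust:
+      auth:
+        apiKey:
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          value: string
+        certificate:
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          value: string
+        certificateKey:
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          value: string
+        clientId:
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          value: string
+        clientSecret:
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          value: string
+      server:
+        apiUrl: string
+        apiVersion: external-secrets.io/v1beta1
+        clientTimeOutSeconds: 1
+        retrievalType: string
+        separator: string
+        verifyCA: true
+    bitwardensecretsmanager:
+      apiURL: string
+      auth:
+        secretRef:
+          credentials:
+            key: string
+            name: string
+            namespace: string
+      bitwardenServerSDKURL: string
+      caBundle: string
+      caProvider:
+        key: string
+        name: string
+        namespace: string
+        type: "Secret" # "Secret", "ConfigMap"
+      identityURL: string
+      organizationID: string
+      projectID: string
+    chef:
+      auth:
+        secretRef:
+          privateKeySecretRef:
+            key: string
+            name: string
+            namespace: string
+      serverUrl: string
+      username: string
+    conjur:
+      auth:
+        apikey:
+          account: string
+          apiKeyRef:
+            key: string
+            name: string
+            namespace: string
+          userRef:
+            key: string
+            name: string
+            namespace: string
+        jwt:
+          account: string
+          hostId: string
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          serviceAccountRef:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+          serviceID: string
+      caBundle: string
+      caProvider:
+        key: string
+        name: string
+        namespace: string
+        type: "Secret" # "Secret", "ConfigMap"
+      url: string
+    delinea:
+      clientId:
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+        value: string
+      clientSecret:
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+        value: string
+      tenant: string
+      tld: string
+      urlTemplate: string
+    device42:
+      auth:
+        secretRef:
+          credentials:
+            key: string
+            name: string
+            namespace: string
+      host: string
+    doppler:
+      auth:
+        secretRef:
+          dopplerToken:
+            key: string
+            name: string
+            namespace: string
+      config: string
+      format: "json" # "json", "dotnet-json", "env", "yaml", "docker"
+      nameTransformer: "upper-camel" # "upper-camel", "camel", "lower-snake", "tf-var", "dotnet-env", "lower-kebab"
+      project: string
+    fake:
+      data:
+      - key: string
+        value: string
+        valueMap: {}
+        version: string
+    fortanix:
+      apiKey:
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+      apiUrl: string
+    gcpsm:
+      auth:
+        secretRef:
+          secretAccessKeySecretRef:
+            key: string
+            name: string
+            namespace: string
+        workloadIdentity:
+          clusterLocation: string
+          clusterName: string
+          clusterProjectID: string
+          serviceAccountRef:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+      location: string
+      projectID: string
+    gitlab:
+      auth:
+        SecretRef:
+          accessToken:
+            key: string
+            name: string
+            namespace: string
+      environment: string
+      groupIDs: [] # minItems 0 of type string
+      inheritFromGroups: true
+      projectID: string
+      url: string
+    ibm:
+      auth:
+        containerAuth:
+          iamEndpoint: string
+          profile: string
+          tokenLocation: string
+        secretRef:
+          secretApiKeySecretRef:
+            key: string
+            name: string
+            namespace: string
+      serviceUrl: string
+    infisical:
+      auth:
+        universalAuthCredentials:
+          clientId:
+            key: string
+            name: string
+            namespace: string
+          clientSecret:
+            key: string
+            name: string
+            namespace: string
+      hostAPI: "https://app.infisical.com/api"
+      secretsScope:
+        environmentSlug: string
+        projectSlug: string
+        recursive: false
+        secretsPath: "/"
+    keepersecurity:
+      authRef:
+        key: string
+        name: string
+        namespace: string
+      folderID: string
+    kubernetes:
+      auth:
+        cert:
+          clientCert:
+            key: string
+            name: string
+            namespace: string
+          clientKey:
+            key: string
+            name: string
+            namespace: string
+        serviceAccount:
+          audiences: [] # minItems 0 of type string
+          name: string
+          namespace: string
+        token:
+          bearerToken:
+            key: string
+            name: string
+            namespace: string
+      authRef:
+        key: string
+        name: string
+        namespace: string
+      remoteNamespace: "default"
+      server:
+        caBundle: c3RyaW5n
+        caProvider:
+          key: string
+          name: string
+          namespace: string
+          type: "Secret" # "Secret", "ConfigMap"
+        url: "kubernetes.default"
+    onboardbase:
+      apiHost: "https://public.onboardbase.com/api/v1/"
+      auth:
+        apiKeyRef:
+          key: string
+          name: string
+          namespace: string
+        passcodeRef:
+          key: string
+          name: string
+          namespace: string
+      environment: "development"
+      project: "development"
+    onepassword:
+      auth:
+        secretRef:
+          connectTokenSecretRef:
+            key: string
+            name: string
+            namespace: string
+      connectHost: string
+      vaults: {}
+    oracle:
+      auth:
+        secretRef:
+          fingerprint:
+            key: string
+            name: string
+            namespace: string
+          privatekey:
+            key: string
+            name: string
+            namespace: string
+        tenancy: string
+        user: string
+      compartment: string
+      encryptionKey: string
+      principalType: "" # "", "UserPrincipal", "InstancePrincipal", "Workload"
+      region: string
+      serviceAccountRef:
+        audiences: [] # minItems 0 of type string
+        name: string
+        namespace: string
+      vault: string
+    passbolt:
+      auth:
+        passwordSecretRef:
+          key: string
+          name: string
+          namespace: string
+        privateKeySecretRef:
+          key: string
+          name: string
+          namespace: string
+      host: string
+    passworddepot:
+      auth:
+        secretRef:
+          credentials:
+            key: string
+            name: string
+            namespace: string
+      database: string
+      host: string
+    previder:
+      auth:
+        secretRef:
+          accessToken:
+            key: string
+            name: string
+            namespace: string
+      baseUri: string
+    pulumi:
+      accessToken:
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+      apiUrl: "https://api.pulumi.com/api/esc"
+      environment: string
+      organization: string
+      project: string
+    scaleway:
+      accessKey:
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+        value: string
+      apiUrl: string
+      projectId: string
+      region: string
+      secretKey:
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+        value: string
+    secretserver:
+      password:
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+        value: string
+      serverURL: string
+      username:
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+        value: string
+    senhasegura:
+      auth:
+        clientId: string
+        clientSecretSecretRef:
+          key: string
+          name: string
+          namespace: string
+      ignoreSslCertificate: false
+      module: string
+      url: string
+    vault:
+      auth:
+        appRole:
+          path: "approle"
+          roleId: string
+          roleRef:
+            key: string
+            name: string
+            namespace: string
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+        cert:
+          clientCert:
+            key: string
+            name: string
+            namespace: string
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+        iam:
+          externalID: string
+          jwt:
+            serviceAccountRef:
+              audiences: [] # minItems 0 of type string
+              name: string
+              namespace: string
+          path: string
+          region: string
+          role: string
+          secretRef:
+            accessKeyIDSecretRef:
+              key: string
+              name: string
+              namespace: string
+            secretAccessKeySecretRef:
+              key: string
+              name: string
+              namespace: string
+            sessionTokenSecretRef:
+              key: string
+              name: string
+              namespace: string
+          vaultAwsIamServerID: string
+          vaultRole: string
+        jwt:
+          kubernetesServiceAccountToken:
+            audiences: [] # minItems 0 of type string
+            expirationSeconds: 1
+            serviceAccountRef:
+              audiences: [] # minItems 0 of type string
+              name: string
+              namespace: string
+          path: "jwt"
+          role: string
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+        kubernetes:
+          mountPath: "kubernetes"
+          role: string
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          serviceAccountRef:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+        ldap:
+          path: "ldap"
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          username: string
+        namespace: string
+        tokenSecretRef:
+          key: string
+          name: string
+          namespace: string
+        userPass:
+          path: "user"
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          username: string
+      caBundle: c3RyaW5n
+      caProvider:
+        key: string
+        name: string
+        namespace: string
+        type: "Secret" # "Secret", "ConfigMap"
+      forwardInconsistent: true
+      headers: {}
+      namespace: string
+      path: string
+      readYourWrites: true
+      server: string
+      tls:
+        certSecretRef:
+          key: string
+          name: string
+          namespace: string
+        keySecretRef:
+          key: string
+          name: string
+          namespace: string
+      version: "v2"
+    webhook:
+      body: string
+      caBundle: c3RyaW5n
+      caProvider:
+        key: string
+        name: string
+        namespace: string
+        type: "Secret" # "Secret", "ConfigMap"
+      headers: {}
+      method: string
+      result:
+        jsonPath: string
+      secrets:
+      - name: string
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+      timeout: string
+      url: string
+    yandexcertificatemanager:
+      apiEndpoint: string
+      auth:
+        authorizedKeySecretRef:
+          key: string
+          name: string
+          namespace: string
+      caProvider:
+        certSecretRef:
+          key: string
+          name: string
+          namespace: string
+    yandexlockbox:
+      apiEndpoint: string
+      auth:
+        authorizedKeySecretRef:
+          key: string
+          name: string
+          namespace: string
+      caProvider:
+        certSecretRef:
+          key: string
+          name: string
+          namespace: string
+  refreshInterval: 1
+  retrySettings:
+    maxRetries: 1
+    retryInterval: string
+status:
+  capabilities: string
+  conditions:
+  - lastTransitionTime: 2024-10-11T12:48:44Z
+    message: string
+    reason: string
+    status: string
+    type: string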

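--- a/tests/__snapshot__/ecrauthorizationtoken-v1alpha1.yaml
+++ b/tests/__snapshot__/ecrauthorizationtoken-v1alpha1.yaml
@@ -0,0 +1,26 @@
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: ECRAuthorizationToken
+metadata: {}
+spec:
+  auth:
+    jwt:
+      serviceAccountRef:
+        audiences: [] # minItems 0 of type string
+        name: string
+        namespace: string
+    secretRef:
+      accessKeyIDSecretRef:
+        key: string
+        name: string
+        namespace: string
+      secretAccessKeySecretRef:
+        key: string
+        name: string
+        namespace: string
+      sessionTokenSecretRef:
+        key: string
+        name: string
+        namespace: string
+  region: string
+  role: string
+  scope: string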

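--- a/tests/__snapshot__/externalsecret-v1alpha1.yaml
+++ b/tests/__snapshot__/externalsecret-v1alpha1.yaml
@@ -0,0 +1,51 @@
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata: {}
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: "Default"
+      key: string
+      property: string
+      version: string
+    secretKey: string
+  dataFrom:
+  - conversionStrategy: "Default"
+    key: string
+    property: string
+    version: string
+  refreshInterval: "1h"
+  secretStoreRef:
+    kind: "SecretStore" # "SecretStore", "ClusterSecretStore"
+    name: string
+  target:
+    creationPolicy: "Owner"
+    immutable: true
+    name: string
+    template:
+      data: {}
+      engineVersion: "v1"
+      metadata:
+        annotations: {}
+        labels: {}
+      templateFrom:
+      - configMap:
+          items:
+          - key: string
+          name: string
+        secret:
+          items:
+          - key: string
+          name: string
+      type: string
+status:
+  binding:
+    name: ""
+  conditions:
+  - lastTransitionTime: 2024-10-11T12:48:44Z
+    message: string
+    reason: string
+    status: string
+    type: string
+  refreshTime: 2024-10-11T12:48:44Z
+  syncedResourceVersion: string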

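--- a/tests/__snapshot__/externalsecret-v1beta1.yaml
+++ b/tests/__snapshot__/externalsecret-v1beta1.yaml
@@ -0,0 +1,91 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata: {}
+spec:
+  data:
+  - remoteRef:
+      conversionStrategy: "Default"
+      decodingStrategy: "None"
+      key: string
+      metadataPolicy: "None"
+      property: string
+      version: string
+    secretKey: string
+    sourceRef:
+      generatorRef:
+        apiVersion: external-secrets.io/v1beta1
+        kind: "ACRAccessToken" # "ACRAccessToken", "ClusterGenerator", "ECRAuthorizationToken", "Fake", "GCRAccessToken", "GithubAccessToken", "QuayAccessToken", "Password", "STSSessionToken", "UUID", "VaultDynamicSecret", "Webhook", "Grafana"
+        name: string
+      storeRef:
+        kind: "SecretStore" # "SecretStore", "ClusterSecretStore"
+        name: string
+  dataFrom:
+  - extract:
+      conversionStrategy: "Default"
+      decodingStrategy: "None"
+      key: string
+      metadataPolicy: "None"
+      property: string
+      version: string
+    find:
+      conversionStrategy: "Default"
+      decodingStrategy: "None"
+      name:
+        regexp: string
+      path: string
+      tags: {}
+    rewrite:
+    - regexp:
+        source: string
+        target: string
+      transform:
+        template: string
+    sourceRef:
+      generatorRef:
+        apiVersion: external-secrets.io/v1beta1
+        kind: "ACRAccessToken" # "ACRAccessToken", "ClusterGenerator", "ECRAuthorizationToken", "Fake", "GCRAccessToken", "GithubAccessToken", "QuayAccessToken", "Password", "STSSessionToken", "UUID", "VaultDynamicSecret", "Webhook", "Grafana"
+        name: string
+      storeRef:
+        kind: "SecretStore" # "SecretStore", "ClusterSecretStore"
+        name: string
+  refreshInterval: "1h"
+  secretStoreRef:
+    kind: "SecretStore" # "SecretStore", "ClusterSecretStore"
+    name: string
+  target:
+    creationPolicy: "Owner"
+    deletionPolicy: "Retain"
+    immutable: true
+    name: string
+    template:
+      data: {}
+      engineVersion: "v2"
+      mergePolicy: "Replace"
+      metadata:
+        annotations: {}
+        labels: {}
+      templateFrom:
+      - configMap:
+          items:
+          - key: string
+            templateAs: "Values"
+          name: string
+        literal: string
+        secret:
+          items:
+          - key: string
+            templateAs: "Values"
+          name: string
+        target: "Data"
+      type: string
+status:
+  binding:
+    name: ""
+  conditions:
+  - lastTransitionTime: 2024-10-11T12:48:44Z
+    message: string
+    reason: string
+    status: string
+    type: string
+  refreshTime: 2024-10-11T12:48:44Z
+  syncedResourceVersion: string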
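Review bot: The `generatorRef.apiVersion` sample pinned in this snapshot is `external-secrets.io/v1beta1`, next to kinds such as `ACRAccessToken`, while the generator snapshots in this same commit declare those kinds under `generators.external-secrets.io/v1alpha1`. The value looks like the enclosing resource's apiVersion substituted by the sample generator rather than the field's own value, so the golden file records a reference that would not resolve and would not notice a change to that field; the same substitution shows up in `pushsecret-v1alpha1.yaml` (`selector.generatorRef.apiVersion`) and in `provider.beyondtrust.server.apiVersion` of the store snapshots. If the generator can be told to leave nested `apiVersion` fields alone, the expected line here would be `apiVersion: generators.external-secrets.io/v1alpha1`; otherwise a short note beside the snapshots saying they check schema shape only, not usable sample values, would keep readers from copying them into manifests.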

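--- a/tests/__snapshot__/fake-v1alpha1.yaml
+++ b/tests/__snapshot__/fake-v1alpha1.yaml
@@ -0,0 +1,6 @@
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: Fake
+metadata: {}
+spec:
+  controller: string
+  data: {}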

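--- a/tests/__snapshot__/gcraccesstoken-v1alpha1.yaml
+++ b/tests/__snapshot__/gcraccesstoken-v1alpha1.yaml
@@ -0,0 +1,19 @@
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: GCRAccessToken
+metadata: {}
+spec:
+  auth:
+    secretRef:
+      secretAccessKeySecretRef:
+        key: string
+        name: string
+        namespace: string
+    workloadIdentity:
+      clusterLocation: string
+      clusterName: string
+      clusterProjectID: string
+      serviceAccountRef:
+        audiences: [] # minItems 0 of type string
+        name: string
+        namespace: string
+  projectID: string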

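--- a/tests/__snapshot__/generatorstate-v1alpha1.yaml
+++ b/tests/__snapshot__/generatorstate-v1alpha1.yaml
@@ -0,0 +1,14 @@
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: GeneratorState
+metadata: {}
+spec:
+  garbageCollectionDeadline: 2024-10-11T12:48:44Z
+  resource: 
+  state: 
+status:
+  conditions:
+  - lastTransitionTime: 2024-10-11T12:48:44Z
+    message: string
+    reason: string
+    status: string
+    type: string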

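--- a/tests/__snapshot__/githubaccesstoken-v1alpha1.yaml
+++ b/tests/__snapshot__/githubaccesstoken-v1alpha1.yaml
@@ -0,0 +1,15 @@
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: GithubAccessToken
+metadata: {}
+spec:
+  appID: string
+  auth:
+    privateKey:
+      secretRef:
+        key: string
+        name: string
+        namespace: string
+  installID: string
+  permissions: {}
+  repositories: [] # minItems 0 of type string
+  url: string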

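--- a/tests/__snapshot__/grafana-v1alpha1.yaml
+++ b/tests/__snapshot__/grafana-v1alpha1.yaml
@@ -0,0 +1,12 @@
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: Grafana
+metadata: {}
+spec:
+  auth:
+    token:
+      key: string
+      name: string
+  serviceAccount:
+    name: string
+    role: string
+  url: string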

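--- a/tests/__snapshot__/password-v1alpha1.yaml
+++ b/tests/__snapshot__/password-v1alpha1.yaml
@@ -0,0 +1,10 @@
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: Password
+metadata: {}
+spec:
+  allowRepeat: false
+  digits: 1
+  length: 24
+  noUpper: false
+  symbolCharacters: string
+  symbols: 1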

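--- a/tests/__snapshot__/pushsecret-v1alpha1.yaml
+++ b/tests/__snapshot__/pushsecret-v1alpha1.yaml
@@ -0,0 +1,62 @@
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata: {}
+spec:
+  data:
+  - conversionStrategy: "None"
+    match:
+      remoteRef:
+        property: string
+        remoteKey: string
+      secretKey: string
+    metadata: 
+  deletionPolicy: "None"
+  refreshInterval: string
+  secretStoreRefs:
+  - kind: "SecretStore"
+    labelSelector:
+      matchExpressions:
+      - key: string
+        operator: string
+        values: [] # minItems 0 of type string
+      matchLabels: {}
+    name: string
+  selector:
+    generatorRef:
+      apiVersion: external-secrets.io/v1alpha1
+      kind: "ACRAccessToken" # "ACRAccessToken", "ClusterGenerator", "ECRAuthorizationToken", "Fake", "GCRAccessToken", "GithubAccessToken", "QuayAccessToken", "Password", "STSSessionToken", "UUID", "VaultDynamicSecret", "Webhook", "Grafana"
+      name: string
+    secret:
+      name: string
+  template:
+    data: {}
+    engineVersion: "v2"
+    mergePolicy: "Replace"
+    metadata:
+      annotations: {}
+      labels: {}
+    templateFrom:
+    - configMap:
+        items:
+        - key: string
+          templateAs: "Values"
+        name: string
+      literal: string
+      secret:
+        items:
+        - key: string
+          templateAs: "Values"
+        name: string
+      target: "Data"
+    type: string
+  updatePolicy: "Replace"
+status:
+  conditions:
+  - lastTransitionTime: 2024-10-11T12:48:44Z
+    message: string
+    reason: string
+    status: string
+    type: string
+  refreshTime: 2024-10-11T12:48:44Z
+  syncedPushSecrets: {}
+  syncedResourceVersion: string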

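--- a/tests/__snapshot__/quayaccesstoken-v1alpha1.yaml
+++ b/tests/__snapshot__/quayaccesstoken-v1alpha1.yaml
@@ -0,0 +1,10 @@
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: QuayAccessToken
+metadata: {}
+spec:
+  robotAccount: string
+  serviceAccountRef:
+    audiences: [] # minItems 0 of type string
+    name: string
+    namespace: string
+  url: string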

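--- a/tests/__snapshot__/secretstore-v1alpha1.yaml
+++ b/tests/__snapshot__/secretstore-v1alpha1.yaml
@@ -0,0 +1,301 @@
+apiVersion: external-secrets.io/v1alpha1
+kind: SecretStore
+metadata: {}
+spec:
+  controller: string
+  provider:
+    akeyless:
+      akeylessGWApiURL: string
+      authSecretRef:
+        kubernetesAuth:
+          accessID: string
+          k8sConfName: string
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          serviceAccountRef:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+        secretRef:
+          accessID:
+            key: string
+            name: string
+            namespace: string
+          accessType:
+            key: string
+            name: string
+            namespace: string
+          accessTypeParam:
+            key: string
+            name: string
+            namespace: string
+      caBundle: c3RyaW5n
+      caProvider:
+        key: string
+        name: string
+        namespace: string
+        type: "Secret" # "Secret", "ConfigMap"
+    alibaba:
+      auth:
+        rrsa:
+          oidcProviderArn: string
+          oidcTokenFilePath: string
+          roleArn: string
+          sessionName: string
+        secretRef:
+          accessKeyIDSecretRef:
+            key: string
+            name: string
+            namespace: string
+          accessKeySecretSecretRef:
+            key: string
+            name: string
+            namespace: string
+      regionID: string
+    aws:
+      auth:
+        jwt:
+          serviceAccountRef:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+        secretRef:
+          accessKeyIDSecretRef:
+            key: string
+            name: string
+            namespace: string
+          secretAccessKeySecretRef:
+            key: string
+            name: string
+            namespace: string
+      region: string
+      role: string
+      service: "SecretsManager" # "SecretsManager", "ParameterStore"
+    azurekv:
+      authSecretRef:
+        clientId:
+          key: string
+          name: string
+          namespace: string
+        clientSecret:
+          key: string
+          name: string
+          namespace: string
+      authType: "ServicePrincipal"
+      identityId: string
+      serviceAccountRef:
+        audiences: [] # minItems 0 of type string
+        name: string
+        namespace: string
+      tenantId: string
+      vaultUrl: string
+    fake:
+      data:
+      - key: string
+        value: string
+        valueMap: {}
+        version: string
+    gcpsm:
+      auth:
+        secretRef:
+          secretAccessKeySecretRef:
+            key: string
+            name: string
+            namespace: string
+        workloadIdentity:
+          clusterLocation: string
+          clusterName: string
+          clusterProjectID: string
+          serviceAccountRef:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+      projectID: string
+    gitlab:
+      auth:
+        SecretRef:
+          accessToken:
+            key: string
+            name: string
+            namespace: string
+      projectID: string
+      url: string
+    ibm:
+      auth:
+        secretRef:
+          secretApiKeySecretRef:
+            key: string
+            name: string
+            namespace: string
+      serviceUrl: string
+    kubernetes:
+      auth:
+        cert:
+          clientCert:
+            key: string
+            name: string
+            namespace: string
+          clientKey:
+            key: string
+            name: string
+            namespace: string
+        serviceAccount:
+          serviceAccount:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+        token:
+          bearerToken:
+            key: string
+            name: string
+            namespace: string
+      remoteNamespace: "default"
+      server:
+        caBundle: c3RyaW5n
+        caProvider:
+          key: string
+          name: string
+          namespace: string
+          type: "Secret" # "Secret", "ConfigMap"
+        url: "kubernetes.default"
+    oracle:
+      auth:
+        secretRef:
+          fingerprint:
+            key: string
+            name: string
+            namespace: string
+          privatekey:
+            key: string
+            name: string
+            namespace: string
+        tenancy: string
+        user: string
+      compartment: string
+      encryptionKey: string
+      principalType: "" # "", "UserPrincipal", "InstancePrincipal", "Workload"
+      region: string
+      serviceAccountRef:
+        audiences: [] # minItems 0 of type string
+        name: string
+        namespace: string
+      vault: string
+    passworddepot:
+      auth:
+        secretRef:
+          credentials:
+            key: string
+            name: string
+            namespace: string
+      database: string
+      host: string
+    vault:
+      auth:
+        appRole:
+          path: "approle"
+          roleId: string
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+        cert:
+          clientCert:
+            key: string
+            name: string
+            namespace: string
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+        jwt:
+          kubernetesServiceAccountToken:
+            audiences: [] # minItems 0 of type string
+            expirationSeconds: 1
+            serviceAccountRef:
+              audiences: [] # minItems 0 of type string
+              name: string
+              namespace: string
+          path: "jwt"
+          role: string
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+        kubernetes:
+          mountPath: "kubernetes"
+          role: string
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          serviceAccountRef:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+        ldap:
+          path: "ldap"
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          username: string
+        tokenSecretRef:
+          key: string
+          name: string
+          namespace: string
+      caBundle: c3RyaW5n
+      caProvider:
+        key: string
+        name: string
+        namespace: string
+        type: "Secret" # "Secret", "ConfigMap"
+      forwardInconsistent: true
+      namespace: string
+      path: string
+      readYourWrites: true
+      server: string
+      version: "v2"
+    webhook:
+      body: string
+      caBundle: c3RyaW5n
+      caProvider:
+        key: string
+        name: string
+        namespace: string
+        type: "Secret" # "Secret", "ConfigMap"
+      headers: {}
+      method: string
+      result:
+        jsonPath: string
+      secrets:
+      - name: string
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+      timeout: string
+      url: string
+    yandexlockbox:
+      apiEndpoint: string
+      auth:
+        authorizedKeySecretRef:
+          key: string
+          name: string
+          namespace: string
+      caProvider:
+        certSecretRef:
+          key: string
+          name: string
+          namespace: string
+  retrySettings:
+    maxRetries: 1
+    retryInterval: string
+status:
+  conditions:
+  - lastTransitionTime: 2024-10-11T12:48:44Z
+    message: string
+    reason: string
+    status: string
+    type: string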

+ 658 - 0
tests/__snapshot__/secretstore-v1beta1.yaml

@@ -0,0 +1,658 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata: {}
+spec:
+  conditions:
+  - namespaceRegexes: [] # minItems 0 of type string
+    namespaceSelector:
+      matchExpressions:
+      - key: string
+        operator: string
+        values: [] # minItems 0 of type string
+      matchLabels: {}
+    namespaces: [] # minItems 0 of type string
+  controller: string
+  provider:
+    akeyless:
+      akeylessGWApiURL: string
+      authSecretRef:
+        kubernetesAuth:
+          accessID: string
+          k8sConfName: string
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          serviceAccountRef:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+        secretRef:
+          accessID:
+            key: string
+            name: string
+            namespace: string
+          accessType:
+            key: string
+            name: string
+            namespace: string
+          accessTypeParam:
+            key: string
+            name: string
+            namespace: string
+      caBundle: c3RyaW5n
+      caProvider:
+        key: string
+        name: string
+        namespace: string
+        type: "Secret" # "Secret", "ConfigMap"
+    alibaba:
+      auth:
+        rrsa:
+          oidcProviderArn: string
+          oidcTokenFilePath: string
+          roleArn: string
+          sessionName: string
+        secretRef:
+          accessKeyIDSecretRef:
+            key: string
+            name: string
+            namespace: string
+          accessKeySecretSecretRef:
+            key: string
+            name: string
+            namespace: string
+      regionID: string
+    aws:
+      additionalRoles: [] # minItems 0 of type string
+      auth:
+        jwt:
+          serviceAccountRef:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+        secretRef:
+          accessKeyIDSecretRef:
+            key: string
+            name: string
+            namespace: string
+          secretAccessKeySecretRef:
+            key: string
+            name: string
+            namespace: string
+          sessionTokenSecretRef:
+            key: string
+            name: string
+            namespace: string
+      externalID: string
+      prefix: string
+      region: string
+      role: string
+      secretsManager:
+        forceDeleteWithoutRecovery: true
+        recoveryWindowInDays: 1
+      service: "SecretsManager" # "SecretsManager", "ParameterStore"
+      sessionTags:
+      - key: string
+        value: string
+      transitiveTagKeys: [] # minItems 0 of type string
+    azurekv:
+      authSecretRef:
+        clientCertificate:
+          key: string
+          name: string
+          namespace: string
+        clientId:
+          key: string
+          name: string
+          namespace: string
+        clientSecret:
+          key: string
+          name: string
+          namespace: string
+        tenantId:
+          key: string
+          name: string
+          namespace: string
+      authType: "ServicePrincipal"
+      environmentType: "PublicCloud"
+      identityId: string
+      serviceAccountRef:
+        audiences: [] # minItems 0 of type string
+        name: string
+        namespace: string
+      tenantId: string
+      vaultUrl: string
+    beyondtrust:
+      auth:
+        apiKey:
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          value: string
+        certificate:
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          value: string
+        certificateKey:
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          value: string
+        clientId:
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          value: string
+        clientSecret:
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          value: string
+      server:
+        apiUrl: string
+        apiVersion: external-secrets.io/v1beta1
+        clientTimeOutSeconds: 1
+        retrievalType: string
+        separator: string
+        verifyCA: true
+    bitwardensecretsmanager:
+      apiURL: string
+      auth:
+        secretRef:
+          credentials:
+            key: string
+            name: string
+            namespace: string
+      bitwardenServerSDKURL: string
+      caBundle: string
+      caProvider:
+        key: string
+        name: string
+        namespace: string
+        type: "Secret" # "Secret", "ConfigMap"
+      identityURL: string
+      organizationID: string
+      projectID: string
+    chef:
+      auth:
+        secretRef:
+          privateKeySecretRef:
+            key: string
+            name: string
+            namespace: string
+      serverUrl: string
+      username: string
+    conjur:
+      auth:
+        apikey:
+          account: string
+          apiKeyRef:
+            key: string
+            name: string
+            namespace: string
+          userRef:
+            key: string
+            name: string
+            namespace: string
+        jwt:
+          account: string
+          hostId: string
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          serviceAccountRef:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+          serviceID: string
+      caBundle: string
+      caProvider:
+        key: string
+        name: string
+        namespace: string
+        type: "Secret" # "Secret", "ConfigMap"
+      url: string
+    delinea:
+      clientId:
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+        value: string
+      clientSecret:
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+        value: string
+      tenant: string
+      tld: string
+      urlTemplate: string
+    device42:
+      auth:
+        secretRef:
+          credentials:
+            key: string
+            name: string
+            namespace: string
+      host: string
+    doppler:
+      auth:
+        secretRef:
+          dopplerToken:
+            key: string
+            name: string
+            namespace: string
+      config: string
+      format: "json" # "json", "dotnet-json", "env", "yaml", "docker"
+      nameTransformer: "upper-camel" # "upper-camel", "camel", "lower-snake", "tf-var", "dotnet-env", "lower-kebab"
+      project: string
+    fake:
+      data:
+      - key: string
+        value: string
+        valueMap: {}
+        version: string
+    fortanix:
+      apiKey:
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+      apiUrl: string
+    gcpsm:
+      auth:
+        secretRef:
+          secretAccessKeySecretRef:
+            key: string
+            name: string
+            namespace: string
+        workloadIdentity:
+          clusterLocation: string
+          clusterName: string
+          clusterProjectID: string
+          serviceAccountRef:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+      location: string
+      projectID: string
+    gitlab:
+      auth:
+        SecretRef:
+          accessToken:
+            key: string
+            name: string
+            namespace: string
+      environment: string
+      groupIDs: [] # minItems 0 of type string
+      inheritFromGroups: true
+      projectID: string
+      url: string
+    ibm:
+      auth:
+        containerAuth:
+          iamEndpoint: string
+          profile: string
+          tokenLocation: string
+        secretRef:
+          secretApiKeySecretRef:
+            key: string
+            name: string
+            namespace: string
+      serviceUrl: string
+    infisical:
+      auth:
+        universalAuthCredentials:
+          clientId:
+            key: string
+            name: string
+            namespace: string
+          clientSecret:
+            key: string
+            name: string
+            namespace: string
+      hostAPI: "https://app.infisical.com/api"
+      secretsScope:
+        environmentSlug: string
+        projectSlug: string
+        recursive: false
+        secretsPath: "/"
+    keepersecurity:
+      authRef:
+        key: string
+        name: string
+        namespace: string
+      folderID: string
+    kubernetes:
+      auth:
+        cert:
+          clientCert:
+            key: string
+            name: string
+            namespace: string
+          clientKey:
+            key: string
+            name: string
+            namespace: string
+        serviceAccount:
+          audiences: [] # minItems 0 of type string
+          name: string
+          namespace: string
+        token:
+          bearerToken:
+            key: string
+            name: string
+            namespace: string
+      authRef:
+        key: string
+        name: string
+        namespace: string
+      remoteNamespace: "default"
+      server:
+        caBundle: c3RyaW5n
+        caProvider:
+          key: string
+          name: string
+          namespace: string
+          type: "Secret" # "Secret", "ConfigMap"
+        url: "kubernetes.default"
+    onboardbase:
+      apiHost: "https://public.onboardbase.com/api/v1/"
+      auth:
+        apiKeyRef:
+          key: string
+          name: string
+          namespace: string
+        passcodeRef:
+          key: string
+          name: string
+          namespace: string
+      environment: "development"
+      project: "development"
+    onepassword:
+      auth:
+        secretRef:
+          connectTokenSecretRef:
+            key: string
+            name: string
+            namespace: string
+      connectHost: string
+      vaults: {}
+    oracle:
+      auth:
+        secretRef:
+          fingerprint:
+            key: string
+            name: string
+            namespace: string
+          privatekey:
+            key: string
+            name: string
+            namespace: string
+        tenancy: string
+        user: string
+      compartment: string
+      encryptionKey: string
+      principalType: "" # "", "UserPrincipal", "InstancePrincipal", "Workload"
+      region: string
+      serviceAccountRef:
+        audiences: [] # minItems 0 of type string
+        name: string
+        namespace: string
+      vault: string
+    passbolt:
+      auth:
+        passwordSecretRef:
+          key: string
+          name: string
+          namespace: string
+        privateKeySecretRef:
+          key: string
+          name: string
+          namespace: string
+      host: string
+    passworddepot:
+      auth:
+        secretRef:
+          credentials:
+            key: string
+            name: string
+            namespace: string
+      database: string
+      host: string
+    previder:
+      auth:
+        secretRef:
+          accessToken:
+            key: string
+            name: string
+            namespace: string
+      baseUri: string
+    pulumi:
+      accessToken:
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+      apiUrl: "https://api.pulumi.com/api/esc"
+      environment: string
+      organization: string
+      project: string
+    scaleway:
+      accessKey:
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+        value: string
+      apiUrl: string
+      projectId: string
+      region: string
+      secretKey:
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+        value: string
+    secretserver:
+      password:
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+        value: string
+      serverURL: string
+      username:
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+        value: string
+    senhasegura:
+      auth:
+        clientId: string
+        clientSecretSecretRef:
+          key: string
+          name: string
+          namespace: string
+      ignoreSslCertificate: false
+      module: string
+      url: string
+    vault:
+      auth:
+        appRole:
+          path: "approle"
+          roleId: string
+          roleRef:
+            key: string
+            name: string
+            namespace: string
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+        cert:
+          clientCert:
+            key: string
+            name: string
+            namespace: string
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+        iam:
+          externalID: string
+          jwt:
+            serviceAccountRef:
+              audiences: [] # minItems 0 of type string
+              name: string
+              namespace: string
+          path: string
+          region: string
+          role: string
+          secretRef:
+            accessKeyIDSecretRef:
+              key: string
+              name: string
+              namespace: string
+            secretAccessKeySecretRef:
+              key: string
+              name: string
+              namespace: string
+            sessionTokenSecretRef:
+              key: string
+              name: string
+              namespace: string
+          vaultAwsIamServerID: string
+          vaultRole: string
+        jwt:
+          kubernetesServiceAccountToken:
+            audiences: [] # minItems 0 of type string
+            expirationSeconds: 1
+            serviceAccountRef:
+              audiences: [] # minItems 0 of type string
+              name: string
+              namespace: string
+          path: "jwt"
+          role: string
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+        kubernetes:
+          mountPath: "kubernetes"
+          role: string
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          serviceAccountRef:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+        ldap:
+          path: "ldap"
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          username: string
+        namespace: string
+        tokenSecretRef:
+          key: string
+          name: string
+          namespace: string
+        userPass:
+          path: "user"
+          secretRef:
+            key: string
+            name: string
+            namespace: string
+          username: string
+      caBundle: c3RyaW5n
+      caProvider:
+        key: string
+        name: string
+        namespace: string
+        type: "Secret" # "Secret", "ConfigMap"
+      forwardInconsistent: true
+      headers: {}
+      namespace: string
+      path: string
+      readYourWrites: true
+      server: string
+      tls:
+        certSecretRef:
+          key: string
+          name: string
+          namespace: string
+        keySecretRef:
+          key: string
+          name: string
+          namespace: string
+      version: "v2"
+    webhook:
+      body: string
+      caBundle: c3RyaW5n
+      caProvider:
+        key: string
+        name: string
+        namespace: string
+        type: "Secret" # "Secret", "ConfigMap"
+      headers: {}
+      method: string
+      result:
+        jsonPath: string
+      secrets:
+      - name: string
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+      timeout: string
+      url: string
+    yandexcertificatemanager:
+      apiEndpoint: string
+      auth:
+        authorizedKeySecretRef:
+          key: string
+          name: string
+          namespace: string
+      caProvider:
+        certSecretRef:
+          key: string
+          name: string
+          namespace: string
+    yandexlockbox:
+      apiEndpoint: string
+      auth:
+        authorizedKeySecretRef:
+          key: string
+          name: string
+          namespace: string
+      caProvider:
+        certSecretRef:
+          key: string
+          name: string
+          namespace: string
+  refreshInterval: 1
+  retrySettings:
+    maxRetries: 1
+    retryInterval: string
+status:
+  capabilities: string
+  conditions:
+  - lastTransitionTime: 2024-10-11T12:48:44Z
+    message: string
+    reason: string
+    status: string
+    type: string

+ 29 - 0
tests/__snapshot__/stssessiontoken-v1alpha1.yaml

@@ -0,0 +1,29 @@
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: STSSessionToken
+metadata: {}
+spec:
+  auth:
+    jwt:
+      serviceAccountRef:
+        audiences: [] # minItems 0 of type string
+        name: string
+        namespace: string
+    secretRef:
+      accessKeyIDSecretRef:
+        key: string
+        name: string
+        namespace: string
+      secretAccessKeySecretRef:
+        key: string
+        name: string
+        namespace: string
+      sessionTokenSecretRef:
+        key: string
+        name: string
+        namespace: string
+  region: string
+  requestParameters:
+    serialNumber: string
+    sessionDuration: 1
+    tokenCode: string
+  role: string

+ 4 - 0
tests/__snapshot__/uuid-v1alpha1.yaml

@@ -0,0 +1,4 @@
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: UUID
+metadata: {}
+spec: {}

+ 126 - 0
tests/__snapshot__/vaultdynamicsecret-v1alpha1.yaml

@@ -0,0 +1,126 @@
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: VaultDynamicSecret
+metadata: {}
+spec:
+  allowEmptyResponse: false
+  controller: string
+  method: string
+  parameters: 
+  path: string
+  provider:
+    auth:
+      appRole:
+        path: "approle"
+        roleId: string
+        roleRef:
+          key: string
+          name: string
+          namespace: string
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+      cert:
+        clientCert:
+          key: string
+          name: string
+          namespace: string
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+      iam:
+        externalID: string
+        jwt:
+          serviceAccountRef:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+        path: string
+        region: string
+        role: string
+        secretRef:
+          accessKeyIDSecretRef:
+            key: string
+            name: string
+            namespace: string
+          secretAccessKeySecretRef:
+            key: string
+            name: string
+            namespace: string
+          sessionTokenSecretRef:
+            key: string
+            name: string
+            namespace: string
+        vaultAwsIamServerID: string
+        vaultRole: string
+      jwt:
+        kubernetesServiceAccountToken:
+          audiences: [] # minItems 0 of type string
+          expirationSeconds: 1
+          serviceAccountRef:
+            audiences: [] # minItems 0 of type string
+            name: string
+            namespace: string
+        path: "jwt"
+        role: string
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+      kubernetes:
+        mountPath: "kubernetes"
+        role: string
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+        serviceAccountRef:
+          audiences: [] # minItems 0 of type string
+          name: string
+          namespace: string
+      ldap:
+        path: "ldap"
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+        username: string
+      namespace: string
+      tokenSecretRef:
+        key: string
+        name: string
+        namespace: string
+      userPass:
+        path: "user"
+        secretRef:
+          key: string
+          name: string
+          namespace: string
+        username: string
+    caBundle: c3RyaW5n
+    caProvider:
+      key: string
+      name: string
+      namespace: string
+      type: "Secret" # "Secret", "ConfigMap"
+    forwardInconsistent: true
+    headers: {}
+    namespace: string
+    path: string
+    readYourWrites: true
+    server: string
+    tls:
+      certSecretRef:
+        key: string
+        name: string
+        namespace: string
+      keySecretRef:
+        key: string
+        name: string
+        namespace: string
+    version: "v2"
+  resultType: "Data"
+  retrySettings:
+    maxRetries: 1
+    retryInterval: string

+ 22 - 0
tests/__snapshot__/webhook-v1alpha1.yaml

@@ -0,0 +1,22 @@
+apiVersion: generators.external-secrets.io/v1alpha1
+kind: Webhook
+metadata: {}
+spec:
+  body: string
+  caBundle: c3RyaW5n
+  caProvider:
+    key: string
+    name: string
+    namespace: string
+    type: "Secret" # "Secret", "ConfigMap"
+  headers: {}
+  method: string
+  result:
+    jsonPath: string
+  secrets:
+  - name: string
+    secretRef:
+      key: string
+      name: string
+  timeout: string
+  url: string

+ 7 - 0
tests/acraccesstoken_test.yaml

@@ -0,0 +1,7 @@
+suite: test ACRAccessToken
+template: tests/crds/acraccesstoken.yml
+tests:
+  - it: matches ACRAccessToken correctly
+    asserts:
+      - matchSnapshot:
+          path: tests/__snapshot__

+ 8 - 0
tests/clusterexternalsecret_test.yaml

@@ -0,0 +1,8 @@
+suite: test ClusterExternalSecret
+template: tests/crds/clusterexternalsecret.yml
+tests:
+  - it: matches ClusterExternalSecret correctly
+    asserts:
+      - matchSnapshot:
+          path: tests/__snapshot__
+

+ 10 - 0
tests/clustergenerator_test.yaml

@@ -0,0 +1,10 @@
+suite: test ClusterGenerator
+template: tests/crds/clustergenerator.yml
+tests:
+  - it: matches ClusterGenerator correctly
+    asserts:
+      - matchSnapshot:
+          path: tests/__snapshot__
+          # We deliberately want to test all the included elements.
+          ignoreErrors:
+            - "in body should have at most 1 properties"
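Review bot: The `ignoreErrors` entry on the last line filters on message text alone, so as far as this file shows it would also hide a `maxProperties` violation on any other field of the object, not only the one the fill-everything snapshot triggers on purpose. The comment above it should name the constraint being bypassed and why, for example `# The snapshot sets every alternative at once, so the CRD's maxProperties: 1 check is expected to fail; no other validation error may be ignored.` If the test tool can scope an ignored error to a field path, that would be the safer form; this hunk does not show whether it can. The same entry and comment are repeated in tests/clustersecretstore_test.yaml, tests/pushsecret_test.yaml and tests/secretstore_test.yaml.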

+ 10 - 0
tests/clustersecretstore_test.yaml

@@ -0,0 +1,10 @@
+suite: test ClusterSecretStore
+template: tests/crds/clustersecretstore.yml
+tests:
+  - it: matches ClusterSecretStore correctly
+    asserts:
+      - matchSnapshot:
+          path: tests/__snapshot__
+          # We deliberately want to test all the included elements.
+          ignoreErrors:
+            - "in body should have at most 1 properties"

+ 3 - 0
tests/crds/README.md

@@ -0,0 +1,3 @@
+# CRDs template folder
+
+We generate the crds in here when running `make tests.crds`.

+ 7 - 0
tests/ecrauthorizationtoken_test.yaml

@@ -0,0 +1,7 @@
+suite: test ECRAuthorizationToken
+template: tests/crds/ecrauthorizationtoken.yml
+tests:
+  - it: matches ECRAuthorizationToken correctly
+    asserts:
+      - matchSnapshot:
+          path: tests/__snapshot__

+ 7 - 0
tests/externalsecrets_test.yaml

@@ -0,0 +1,7 @@
+suite: test ExternalSecret
+template: tests/crds/externalsecret.yml
+tests:
+  - it: matches ExternalSecret correctly
+    asserts:
+      - matchSnapshot:
+          path: tests/__snapshot__
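Review bot: This file is named `externalsecrets_test.yaml` (plural), while its template is `tests/crds/externalsecret.yml` and every other suite visible in this commit is named after the singular kind. Renaming it to `externalsecret_test.yaml` keeps the one-suite-per-CRD mapping obvious when someone checks that each CRD is covered.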

+ 7 - 0
tests/fake_test.yaml

@@ -0,0 +1,7 @@
+suite: test Fake Generator
+template: tests/crds/fake.yml
+tests:
+  - it: matches Fake generator correctly
+    asserts:
+      - matchSnapshot:
+          path: tests/__snapshot__

+ 7 - 0
tests/gcraccesstoken_test.yaml

@@ -0,0 +1,7 @@
+suite: test GCRAccessToken generator
+template: tests/crds/gcraccesstoken.yml
+tests:
+  - it: matches GCRAccessToken generator correctly
+    asserts:
+      - matchSnapshot:
+          path: tests/__snapshot__

+ 7 - 0
tests/generatorstate_test.yaml

@@ -0,0 +1,7 @@
+suite: test GeneratorState
+template: tests/crds/generatorstate.yml
+tests:
+  - it: matches GeneratorState correctly
+    asserts:
+      - matchSnapshot:
+          path: tests/__snapshot__

+ 7 - 0
tests/githubaccesstoken_test.yaml

@@ -0,0 +1,7 @@
+suite: test GithubAccessToken
+template: tests/crds/githubaccesstoken.yml
+tests:
+  - it: matches GithubAccessToken correctly
+    asserts:
+      - matchSnapshot:
+          path: tests/__snapshot__

+ 7 - 0
tests/grafana_test.yaml

@@ -0,0 +1,7 @@
+suite: test Grafana generator
+template: tests/crds/grafana.yml
+tests:
+  - it: matches Grafana correctly
+    asserts:
+      - matchSnapshot:
+          path: tests/__snapshot__

+ 7 - 0
tests/password_test.yaml

@@ -0,0 +1,7 @@
+suite: test Password generator
+template: tests/crds/password.yml
+tests:
+  - it: matches Password correctly
+    asserts:
+      - matchSnapshot:
+          path: tests/__snapshot__

+ 10 - 0
tests/pushsecret_test.yaml

@@ -0,0 +1,10 @@
+suite: test PushSecret generator
+template: tests/crds/pushsecret.yml
+tests:
+  - it: matches PushSecret correctly
+    asserts:
+      - matchSnapshot:
+          path: tests/__snapshot__
+          # We deliberately want to test all the included elements.
+          ignoreErrors:
+            - "in body should have at most 1 properties"
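Review bot: The suite name on the first line, `suite: test PushSecret generator`, reads as copied from the generator suites. Nothing in this file or its template path marks PushSecret as a generator, and the snapshot that would show its API group is outside this view. `suite: test PushSecret` would match the naming used by the ExternalSecret and SecretStore suites, and keeps test reports from grouping it with the generator kinds.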

+ 7 - 0
tests/quayaccesstoken_test.yaml

@@ -0,0 +1,7 @@
+suite: test QuayAccessToken generator
+template: tests/crds/quayaccesstoken.yml
+tests:
+  - it: matches QuayAccessToken correctly
+    asserts:
+      - matchSnapshot:
+          path: tests/__snapshot__

+ 10 - 0
tests/secretstore_test.yaml

@@ -0,0 +1,10 @@
+suite: test SecretStore
+template: tests/crds/secretstore.yml
+tests:
+  - it: matches SecretStore correctly
+    asserts:
+      - matchSnapshot:
+          path: tests/__snapshot__
+          # We deliberately want to test all the included elements.
+          ignoreErrors:
+            - "in body should have at most 1 properties"

+ 7 - 0
tests/stssessiontoken_test.yaml

@@ -0,0 +1,7 @@
+suite: test STSSessionToken
+template: tests/crds/stssessiontoken.yml
+tests:
+  - it: matches STSSessionToken correctly
+    asserts:
+      - matchSnapshot:
+          path: tests/__snapshot__

+ 7 - 0
tests/uuid_test.yaml

@@ -0,0 +1,7 @@
+suite: test UUID generator
+template: tests/crds/uuid.yml
+tests:
+  - it: matches UUID generator correctly
+    asserts:
+      - matchSnapshot:
+          path: tests/__snapshot__

+ 7 - 0
tests/vaultdynamicsecret_test.yaml

@@ -0,0 +1,7 @@
+suite: test VaultDynamicSecret generator
+template: tests/crds/vaultdynamicsecret.yml
+tests:
+  - it: matches VaultDynamicSecret generator correctly
+    asserts:
+      - matchSnapshot:
+          path: tests/__snapshot__

+ 7 - 0
tests/webhook_test.yaml

@@ -0,0 +1,7 @@
+suite: test Webhook generator
+template: tests/crds/webhook.yml
+tests:
+  - it: matches Webhook generator correctly
+    asserts:
+      - matchSnapshot:
+          path: tests/__snapshot__