
chore: promote v1 (#4635)

* chore: remove template v1

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>

* chore: deprecate ValueMap from fake secretstore

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>

* chore: remove v1alpha1

Signed-off-by: msfernandes <matheus@externalsecrets.com>

* chore: change default conversion injection to disabled

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>

* chore: add v1

Signed-off-by: msfernandes <matheus@externalsecrets.com>

* fix: crds and helm tests

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>

* chore: remove golangci exception for ValueMap

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>

* chore: promote v1

Signed-off-by: msfernandes <matheus@externalsecrets.com>

* fix: remaining moves to v1

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>

* fix: validating webhooks to look at v1

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>

* fix: removing v1alpha1 tests. Fix template v1 tests

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>

* fix: e2e testcase breaking one test

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>

* fix: webhook startup on e2e

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>

* feat: add maintenance status to registration

feat: adds admission warnings for unmaintained providers
Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>

* feat: maintenance check on reconcile

Signed-off-by: msfernandes <matheus@externalsecrets.com>

* fix: check-diff and tests

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>

* fix: tests

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>

* feat: unmaintained stores warning docs

feat: mark unmaintained providers

chore: mark fake provider as unmaintained for tests
Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>

* test: retrigger fossa

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>

---------

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>
Signed-off-by: msfernandes <matheus@externalsecrets.com>
Co-authored-by: msfernandes <matheus@externalsecrets.com>
Gustavo Fernandes de Carvalho hace 1 año
padre
commit
74f0f381d9
Se han modificado 100 ficheros con 16537 adiciones y 4993 borrados
  1. 0 6
      .golangci.yaml
  2. 12 11
      PROJECT
  3. 133 0
      apis/externalsecrets/v1/clusterexternalsecret_types.go
  4. 5 5
      apis/externalsecrets/v1/doc.go
  5. 546 0
      apis/externalsecrets/v1/externalsecret_types.go
  6. 124 0
      apis/externalsecrets/v1/externalsecret_validator.go
  7. 224 0
      apis/externalsecrets/v1/externalsecret_validator_test.go
  8. 4 3
      apis/externalsecrets/v1/externalsecret_webhook.go
  9. 106 0
      apis/externalsecrets/v1/fakes/pushremoteref.go
  10. 10 1
      apis/externalsecrets/v1/generic_store.go
  11. 117 0
      apis/externalsecrets/v1/provider.go
  12. 123 0
      apis/externalsecrets/v1/provider_schema.go
  13. 89 0
      apis/externalsecrets/v1/provider_schema_maintenance.go
  14. 206 0
      apis/externalsecrets/v1/provider_schema_test.go
  15. 41 0
      apis/externalsecrets/v1/pushsecret_interfaces.go
  16. 76 0
      apis/externalsecrets/v1/register.go
  17. 50 0
      apis/externalsecrets/v1/secretsstore_bitwarden_types.go
  18. 51 0
      apis/externalsecrets/v1/secretsstore_delinea_types.go
  19. 66 0
      apis/externalsecrets/v1/secretsstore_infisical_types.go
  20. 32 0
      apis/externalsecrets/v1/secretsstore_passbolt_types.go
  21. 45 0
      apis/externalsecrets/v1/secretsstore_secretserver_types.go
  22. 1 1
      apis/externalsecrets/v1/secretstore_akeyless_types.go
  23. 9 9
      apis/externalsecrets/v1/secretstore_alibaba_types.go
  24. 59 4
      apis/externalsecrets/v1/secretstore_aws_types.go
  25. 33 4
      apis/externalsecrets/v1/secretstore_azurekv_types.go
  26. 67 0
      apis/externalsecrets/v1/secretstore_beyondtrust_types.go
  27. 38 0
      apis/externalsecrets/v1/secretstore_chef_types.go
  28. 41 0
      apis/externalsecrets/v1/secretstore_cloudru_types.go
  29. 81 0
      apis/externalsecrets/v1/secretstore_conjur_types.go
  30. 38 0
      apis/externalsecrets/v1/secretstore_device42_types.go
  31. 57 0
      apis/externalsecrets/v1/secretstore_doppler_types.go
  32. 4 5
      apis/externalsecrets/v1/secretstore_fake_types.go
  33. 29 0
      apis/externalsecrets/v1/secretstore_fortanix_types.go
  34. 17 4
      apis/externalsecrets/v1/secretstore_gcpsm_types.go
  35. 52 0
      apis/externalsecrets/v1/secretstore_github_types.go
  36. 10 1
      apis/externalsecrets/v1/secretstore_gitlab_types.go
  37. 16 3
      apis/externalsecrets/v1/secretstore_ibm_types.go
  38. 6 6
      apis/externalsecrets/v1/secretstore_keepersecurity_types.go
  39. 8 15
      apis/externalsecrets/v1/secretstore_kubernetes_types.go
  40. 50 0
      apis/externalsecrets/v1/secretstore_onboardbase_types.go
  41. 40 0
      apis/externalsecrets/v1/secretstore_onepassword_types.go
  42. 3 3
      apis/externalsecrets/v1/secretstore_oracle_types.go
  43. 2 1
      apis/externalsecrets/v1/secretstore_passworddeport_types.go
  44. 38 0
      apis/externalsecrets/v1/secretstore_previder_types.go
  45. 45 0
      apis/externalsecrets/v1/secretstore_pulumi_types.go
  46. 47 0
      apis/externalsecrets/v1/secretstore_scaleway_types.go
  47. 57 0
      apis/externalsecrets/v1/secretstore_senhasegura_types.go
  48. 348 0
      apis/externalsecrets/v1/secretstore_types.go
  49. 90 0
      apis/externalsecrets/v1/secretstore_validator.go
  50. 196 0
      apis/externalsecrets/v1/secretstore_validator_test.go
  51. 143 41
      apis/externalsecrets/v1/secretstore_vault_types.go
  52. 3 1
      apis/externalsecrets/v1/secretstore_webhook.go
  53. 1 1
      apis/externalsecrets/v1/secretstore_webhook_types.go
  54. 43 0
      apis/externalsecrets/v1/secretstore_yandexcertificatemanager_types.go
  55. 1 1
      apis/externalsecrets/v1/secretstore_yandexlockbox_types.go
  56. 3702 0
      apis/externalsecrets/v1/zz_generated.deepcopy.go
  57. 0 129
      apis/externalsecrets/v1alpha1/externalsecret_conversion.go
  58. 0 228
      apis/externalsecrets/v1alpha1/externalsecret_conversion_test.go
  59. 0 284
      apis/externalsecrets/v1alpha1/externalsecret_types.go
  60. 3 3
      apis/externalsecrets/v1alpha1/pushsecret_types.go
  61. 0 27
      apis/externalsecrets/v1alpha1/register.go
  62. 0 91
      apis/externalsecrets/v1alpha1/secretstore_conversion.go
  63. 0 259
      apis/externalsecrets/v1alpha1/secretstore_conversion_test.go
  64. 0 180
      apis/externalsecrets/v1alpha1/secretstore_types.go
  65. 157 1909
      apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go
  66. 0 1
      apis/externalsecrets/v1beta1/clusterexternalsecret_types.go
  67. 1 3
      apis/externalsecrets/v1beta1/externalsecret_types.go
  68. 2 2
      apis/externalsecrets/v1beta1/fakes/pushremoteref.go
  69. 3 5
      apis/externalsecrets/v1beta1/secretstore_fake_types.go
  70. 0 2
      apis/externalsecrets/v1beta1/secretstore_types.go
  71. 1 10
      apis/externalsecrets/v1beta1/zz_generated.deepcopy.go
  72. 2 2
      apis/generators/v1alpha1/types_acr.go
  73. 3 3
      apis/generators/v1alpha1/types_vault.go
  74. 3 3
      apis/generators/v1alpha1/zz_generated.deepcopy.go
  75. 2 2
      cmd/controller/root.go
  76. 8 18
      cmd/controller/webhook.go
  77. 8 8
      cmd/esoctl/template.go
  78. 759 2
      config/crds/bases/external-secrets.io_clusterexternalsecrets.yaml
  79. 0 1
      config/crds/bases/external-secrets.io_clusterpushsecrets.yaml
  80. 2366 334
      config/crds/bases/external-secrets.io_clustersecretstores.yaml
  81. 336 37
      config/crds/bases/external-secrets.io_externalsecrets.yaml
  82. 0 1
      config/crds/bases/external-secrets.io_pushsecrets.yaml
  83. 2366 334
      config/crds/bases/external-secrets.io_secretstores.yaml
  84. 1 1
      deploy/charts/external-secrets/README.md
  85. 6 6
      deploy/charts/external-secrets/templates/validatingwebhook.yaml
  86. 2258 375
      deploy/charts/external-secrets/tests/__snapshot__/crds_test.yaml.snap
  87. 1 0
      deploy/charts/external-secrets/tests/webhook_test.yaml
  88. 2 2
      deploy/charts/external-secrets/values.yaml
  89. 588 399
      deploy/crds/bundle.yaml
  90. 10 10
      design/007-provider-versioning-strategy.md
  91. 7 0
      docs/api/clustersecretstore.md
  92. 10 0
      docs/api/secretstore.md
  93. 135 135
      docs/api/spec.md
  94. 32 31
      docs/introduction/stability-support.md
  95. 3 0
      docs/snippets/full-cluster-secret-store.yaml
  96. 3 0
      docs/snippets/full-secret-store.yaml
  97. 4 4
      e2e/framework/addon/eso_argocd_application.go
  98. 5 5
      e2e/framework/addon/eso_flux_helm.go
  99. 5 5
      e2e/framework/eso.go
  100. 12 16
      e2e/framework/testcase.go

+ 0 - 6
.golangci.yaml

@@ -115,12 +115,6 @@ issues:
       linters:
         - goheader
 
-    # excluding deprecation check introduced on purpose in #2884
-    - path: pkg/provider/fake/fake.go
-      text: 'SA1019: data.ValueMap is deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
-    - path: pkg/provider/fake/fake_test.go
-      text: 'SA1019: data.ValueMap is deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
-
   # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
   max-issues-per-linter: 0
 

+ 12 - 11
PROJECT

@@ -2,17 +2,7 @@ domain: io
 multigroup: true
 repo: github.com/external-secrets/external-secrets
 resources:
-- group: external-secrets
-  kind: ClusterSecretStore
-  version: v1alpha1
-- group: external-secrets
-  kind: SecretStore
-  version: v1alpha1
-- group: external-secrets
-  kind: ExternalSecret
-  version: v1alpha1
-version: "2"
-  kind: ClusterSecretStore
+- kind: ClusterSecretStore
   version: v1beta1
 - group: external-secrets
   kind: SecretStore
@@ -23,4 +13,15 @@ version: "2"
 - group: external-secrets
   kind: ClusterPushSecret
   version: v1alpha1
+- group: external-secrets
+  kind: PushSecret
+  version: v1alpha1
+- kind: ClusterSecretStore
+  version: v1
+- group: external-secrets
+  kind: SecretStore
+  version: v1
+- group: external-secrets
+  kind: ExternalSecret
+  version: v1
 version: "3"
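Review bot: The two `ClusterSecretStore` entries on the new side (`version: v1beta1` in the first hunk, `version: v1` in the second) have no `group:` key, while every other resource visible in the list carries `group: external-secrets`. Unless the omission is deliberate, each should start with `- group: external-secrets` followed by `  kind: ClusterSecretStore`, so the scaffolding metadata agrees with its siblings. The new v1 entries also name ClusterSecretStore, SecretStore and ExternalSecret but not ClusterExternalSecret, although this commit adds `apis/externalsecrets/v1/clusterexternalsecret_types.go`. The lines between the two hunks are not shown, so it is worth confirming whether that kind should be listed here as well.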

+ 133 - 0
apis/externalsecrets/v1/clusterexternalsecret_types.go

@@ -0,0 +1,133 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
+type ClusterExternalSecretSpec struct {
+	// The spec for the ExternalSecrets to be created
+	ExternalSecretSpec ExternalSecretSpec `json:"externalSecretSpec"`
+
+	// The name of the external secrets to be created.
+	// Defaults to the name of the ClusterExternalSecret
+	// +optional
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:MaxLength:=253
+	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+	ExternalSecretName string `json:"externalSecretName,omitempty"`
+
+	// The metadata of the external secrets to be created
+	// +optional
+	ExternalSecretMetadata ExternalSecretMetadata `json:"externalSecretMetadata,omitempty"`
+
+	// The labels to select by to find the Namespaces to create the ExternalSecrets in.
+	// Deprecated: Use NamespaceSelectors instead.
+	// +optional
+	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
+
+	// A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
+	// +optional
+	NamespaceSelectors []*metav1.LabelSelector `json:"namespaceSelectors,omitempty"`
+
+	// Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
+	// Deprecated: Use NamespaceSelectors instead.
+	// +optional
+	// +kubebuilder:validation:items:MinLength:=1
+	// +kubebuilder:validation:items:MaxLength:=63
+	// +kubebuilder:validation:items:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+	Namespaces []string `json:"namespaces,omitempty"`
+
+	// The time in which the controller should reconcile its objects and recheck namespaces for labels.
+	RefreshInterval *metav1.Duration `json:"refreshTime,omitempty"`
+}
+
+// ExternalSecretMetadata defines metadata fields for the ExternalSecret generated by the ClusterExternalSecret.
+type ExternalSecretMetadata struct {
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+
+	// +optional
+	Labels map[string]string `json:"labels,omitempty"`
+}
+
+type ClusterExternalSecretConditionType string
+
+const ClusterExternalSecretReady ClusterExternalSecretConditionType = "Ready"
+
+type ClusterExternalSecretStatusCondition struct {
+	Type   ClusterExternalSecretConditionType `json:"type"`
+	Status corev1.ConditionStatus             `json:"status"`
+
+	// +optional
+	Message string `json:"message,omitempty"`
+}
+
+// ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
+type ClusterExternalSecretNamespaceFailure struct {
+
+	// Namespace is the namespace that failed when trying to apply an ExternalSecret
+	Namespace string `json:"namespace"`
+
+	// Reason is why the ExternalSecret failed to apply to the namespace
+	// +optional
+	Reason string `json:"reason,omitempty"`
+}
+
+// ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
+type ClusterExternalSecretStatus struct {
+	// ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
+	ExternalSecretName string `json:"externalSecretName,omitempty"`
+
+	// Failed namespaces are the namespaces that failed to apply an ExternalSecret
+	// +optional
+	FailedNamespaces []ClusterExternalSecretNamespaceFailure `json:"failedNamespaces,omitempty"`
+
+	// ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
+	// +optional
+	ProvisionedNamespaces []string `json:"provisionedNamespaces,omitempty"`
+
+	// +optional
+	Conditions []ClusterExternalSecretStatusCondition `json:"conditions,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:storageversion
+// +kubebuilder:resource:scope=Cluster,categories={external-secrets},shortName=ces
+// +kubebuilder:subresource:status
+// +kubebuilder:metadata:labels="external-secrets.io/component=controller"
+// +kubebuilder:printcolumn:name="Store",type=string,JSONPath=`.spec.externalSecretSpec.secretStoreRef.name`
+// +kubebuilder:printcolumn:name="Refresh Interval",type=string,JSONPath=`.spec.refreshTime`
+// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].status`
+// ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
+type ClusterExternalSecret struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   ClusterExternalSecretSpec   `json:"spec,omitempty"`
+	Status ClusterExternalSecretStatus `json:"status,omitempty"`
+}
+
+//+kubebuilder:object:root=true
+
+// ClusterExternalSecretList contains a list of ClusterExternalSecret.
+type ClusterExternalSecretList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ClusterExternalSecret `json:"items"`
+}
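Review bot: The comment on `NamespaceSelectors` in `ClusterExternalSecretSpec` does not say what an empty selector means, and this is the field that decides which namespaces a cluster-scoped object writes ExternalSecrets into. Under `metav1.LabelSelector` semantics an empty selector (`{}`) matches every object, so a single empty entry in this ORed list would presumably select all namespaces; the controller code is not part of this file, so that should be confirmed. I would state it on the field, e.g. `// An empty selector ({}) matches every namespace; leave the list empty to select none by label.`, and consider rejecting empty entries in the validating webhook if match-all is not an intended configuration. The same caveat applies to the deprecated `NamespaceSelector` field, which v1 still carries.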

+ 5 - 5
apis/externalsecrets/v1beta1/externalsecret_conversion.go → apis/externalsecrets/v1/doc.go

@@ -12,8 +12,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1beta1
-
-func (*ExternalSecret) Hub() {
-	// This empty method defines the Hub convertible interface.
-}
+// Package v1 contains resources for external-secrets
+// +kubebuilder:object:generate=true
+// +groupName=external-secrets.io
+// +versionName=v1
+package v1

+ 546 - 0
apis/externalsecrets/v1/externalsecret_types.go

@@ -0,0 +1,546 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
+type SecretStoreRef struct {
+	// Name of the SecretStore resource
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:MaxLength:=253
+	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+	Name string `json:"name,omitempty"`
+
+	// Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+	// Defaults to `SecretStore`
+	// +optional
+	// +kubebuilder:validation:Enum=SecretStore;ClusterSecretStore
+	Kind string `json:"kind,omitempty"`
+}
+
+// ExternalSecretCreationPolicy defines rules on how to create the resulting Secret.
+// +kubebuilder:validation:Enum=Owner;Orphan;Merge;None
+type ExternalSecretCreationPolicy string
+
+const (
+	// Owner creates the Secret and sets .metadata.ownerReferences to the ExternalSecret resource.
+	CreatePolicyOwner ExternalSecretCreationPolicy = "Owner"
+
+	// Orphan creates the Secret and does not set the ownerReference.
+	// I.e. it will be orphaned after the deletion of the ExternalSecret.
+	CreatePolicyOrphan ExternalSecretCreationPolicy = "Orphan"
+
+	// Merge does not create the Secret, but merges the data fields to the Secret.
+	CreatePolicyMerge ExternalSecretCreationPolicy = "Merge"
+
+	// None does not create a Secret (future use with injector).
+	CreatePolicyNone ExternalSecretCreationPolicy = "None"
+)
+
+// ExternalSecretDeletionPolicy defines rules on how to delete the resulting Secret.
+// +kubebuilder:validation:Enum=Delete;Merge;Retain
+type ExternalSecretDeletionPolicy string
+
+const (
+	// Delete deletes the secret if all provider secrets are deleted.
+	// If a secret gets deleted on the provider side and is not accessible
+	// anymore this is not considered an error and the ExternalSecret
+	// does not go into SecretSyncedError status.
+	DeletionPolicyDelete ExternalSecretDeletionPolicy = "Delete"
+
+	// Merge removes keys in the secret, but not the secret itself.
+	// If a secret gets deleted on the provider side and is not accessible
+	// anymore this is not considered an error and the ExternalSecret
+	// does not go into SecretSyncedError status.
+	DeletionPolicyMerge ExternalSecretDeletionPolicy = "Merge"
+
+	// Retain will retain the secret if all provider secrets have been deleted.
+	// If a provider secret does not exist the ExternalSecret gets into the
+	// SecretSyncedError status.
+	DeletionPolicyRetain ExternalSecretDeletionPolicy = "Retain"
+)
+
+// ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
+type ExternalSecretTemplateMetadata struct {
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+
+	// +optional
+	Labels map[string]string `json:"labels,omitempty"`
+}
+
+// ExternalSecretTemplate defines a blueprint for the created Secret resource.
+// we can not use native corev1.Secret, it will have empty ObjectMeta values: https://github.com/kubernetes-sigs/controller-tools/issues/448
+type ExternalSecretTemplate struct {
+	// +optional
+	Type corev1.SecretType `json:"type,omitempty"`
+
+	// EngineVersion specifies the template engine version
+	// that should be used to compile/execute the
+	// template specified in .data and .templateFrom[].
+	// +kubebuilder:default="v2"
+	EngineVersion TemplateEngineVersion `json:"engineVersion,omitempty"`
+
+	// +optional
+	Metadata ExternalSecretTemplateMetadata `json:"metadata,omitempty"`
+
+	// +kubebuilder:default="Replace"
+	MergePolicy TemplateMergePolicy `json:"mergePolicy,omitempty"`
+
+	// +optional
+	Data map[string]string `json:"data,omitempty"`
+
+	// +optional
+	TemplateFrom []TemplateFrom `json:"templateFrom,omitempty"`
+}
+
+// +kubebuilder:validation:Enum=Replace;Merge
+type TemplateMergePolicy string
+
+const (
+	MergePolicyReplace TemplateMergePolicy = "Replace"
+	MergePolicyMerge   TemplateMergePolicy = "Merge"
+)
+
+// +kubebuilder:validation:Enum=v2
+type TemplateEngineVersion string
+
+const (
+	TemplateEngineV2 TemplateEngineVersion = "v2"
+)
+
+type TemplateFrom struct {
+	ConfigMap *TemplateRef `json:"configMap,omitempty"`
+	Secret    *TemplateRef `json:"secret,omitempty"`
+
+	// +optional
+	// +kubebuilder:default="Data"
+	Target TemplateTarget `json:"target,omitempty"`
+
+	// +optional
+	Literal *string `json:"literal,omitempty"`
+}
+
+// +kubebuilder:validation:Enum=Values;KeysAndValues
+type TemplateScope string
+
+const (
+	TemplateScopeValues        TemplateScope = "Values"
+	TemplateScopeKeysAndValues TemplateScope = "KeysAndValues"
+)
+
+// +kubebuilder:validation:Enum=Data;Annotations;Labels
+type TemplateTarget string
+
+const (
+	TemplateTargetData        TemplateTarget = "Data"
+	TemplateTargetAnnotations TemplateTarget = "Annotations"
+	TemplateTargetLabels      TemplateTarget = "Labels"
+)
+
+type TemplateRef struct {
+	// The name of the ConfigMap/Secret resource
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:MaxLength:=253
+	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+	Name string `json:"name"`
+
+	// A list of keys in the ConfigMap/Secret to use as templates for Secret data
+	Items []TemplateRefItem `json:"items"`
+}
+
+type TemplateRefItem struct {
+	// A key in the ConfigMap/Secret
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:MaxLength:=253
+	// +kubebuilder:validation:Pattern:=^[-._a-zA-Z0-9]+$
+	Key string `json:"key"`
+
+	// +kubebuilder:default="Values"
+	TemplateAs TemplateScope `json:"templateAs,omitempty"`
+}
+
+// ExternalSecretTarget defines the Kubernetes Secret to be created
+// There can be only one target per ExternalSecret.
+type ExternalSecretTarget struct {
+	// The name of the Secret resource to be managed.
+	// Defaults to the .metadata.name of the ExternalSecret resource
+	// +optional
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:MaxLength:=253
+	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+	Name string `json:"name,omitempty"`
+
+	// CreationPolicy defines rules on how to create the resulting Secret.
+	// Defaults to "Owner"
+	// +optional
+	// +kubebuilder:default="Owner"
+	CreationPolicy ExternalSecretCreationPolicy `json:"creationPolicy,omitempty"`
+
+	// DeletionPolicy defines rules on how to delete the resulting Secret.
+	// Defaults to "Retain"
+	// +optional
+	// +kubebuilder:default="Retain"
+	DeletionPolicy ExternalSecretDeletionPolicy `json:"deletionPolicy,omitempty"`
+
+	// Template defines a blueprint for the created Secret resource.
+	// +optional
+	Template *ExternalSecretTemplate `json:"template,omitempty"`
+
+	// Immutable defines if the final secret will be immutable
+	// +optional
+	Immutable bool `json:"immutable,omitempty"`
+}
+
+// ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
+type ExternalSecretData struct {
+	// The key in the Kubernetes Secret to store the value.
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:MaxLength:=253
+	// +kubebuilder:validation:Pattern:=^[-._a-zA-Z0-9]+$
+	SecretKey string `json:"secretKey"`
+
+	// RemoteRef points to the remote secret and defines
+	// which secret (version/property/..) to fetch.
+	RemoteRef ExternalSecretDataRemoteRef `json:"remoteRef"`
+
+	// SourceRef allows you to override the source
+	// from which the value will be pulled.
+	SourceRef *StoreSourceRef `json:"sourceRef,omitempty"`
+}
+
+// ExternalSecretDataRemoteRef defines Provider data location.
+type ExternalSecretDataRemoteRef struct {
+	// Key is the key used in the Provider, mandatory
+	Key string `json:"key"`
+
+	// +optional
+	// Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
+	// +kubebuilder:default="None"
+	MetadataPolicy ExternalSecretMetadataPolicy `json:"metadataPolicy,omitempty"`
+
+	// +optional
+	// Used to select a specific property of the Provider value (if a map), if supported
+	Property string `json:"property,omitempty"`
+
+	// +optional
+	// Used to select a specific version of the Provider value, if supported
+	Version string `json:"version,omitempty"`
+
+	// +optional
+	// Used to define a conversion Strategy
+	// +kubebuilder:default="Default"
+	ConversionStrategy ExternalSecretConversionStrategy `json:"conversionStrategy,omitempty"`
+
+	// +optional
+	// Used to define a decoding Strategy
+	// +kubebuilder:default="None"
+	DecodingStrategy ExternalSecretDecodingStrategy `json:"decodingStrategy,omitempty"`
+}
+
+// +kubebuilder:validation:Enum=None;Fetch
+type ExternalSecretMetadataPolicy string
+
+const (
+	ExternalSecretMetadataPolicyNone  ExternalSecretMetadataPolicy = "None"
+	ExternalSecretMetadataPolicyFetch ExternalSecretMetadataPolicy = "Fetch"
+)
+
+// +kubebuilder:validation:Enum=Default;Unicode
+type ExternalSecretConversionStrategy string
+
+const (
+	ExternalSecretConversionDefault ExternalSecretConversionStrategy = "Default"
+	ExternalSecretConversionUnicode ExternalSecretConversionStrategy = "Unicode"
+)
+
+// +kubebuilder:validation:Enum=Auto;Base64;Base64URL;None
+type ExternalSecretDecodingStrategy string
+
+const (
+	ExternalSecretDecodeAuto      ExternalSecretDecodingStrategy = "Auto"
+	ExternalSecretDecodeBase64    ExternalSecretDecodingStrategy = "Base64"
+	ExternalSecretDecodeBase64URL ExternalSecretDecodingStrategy = "Base64URL"
+	ExternalSecretDecodeNone      ExternalSecretDecodingStrategy = "None"
+)
+
+type ExternalSecretDataFromRemoteRef struct {
+	// Used to extract multiple key/value pairs from one secret
+	// Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
+	// +optional
+	Extract *ExternalSecretDataRemoteRef `json:"extract,omitempty"`
+	// Used to find secrets based on tags or regular expressions
+	// Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
+	// +optional
+	Find *ExternalSecretFind `json:"find,omitempty"`
+
+	// Used to rewrite secret Keys after getting them from the secret Provider
+	// Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
+	// +optional
+	Rewrite []ExternalSecretRewrite `json:"rewrite,omitempty"`
+
+	// SourceRef points to a store or generator
+	// which contains secret values ready to use.
+	// Use this in combination with Extract or Find pull values out of
+	// a specific SecretStore.
+	// When sourceRef points to a generator Extract or Find is not supported.
+	// The generator returns a static map of values
+	SourceRef *StoreGeneratorSourceRef `json:"sourceRef,omitempty"`
+}
+
+type ExternalSecretRewrite struct {
+	// Used to rewrite with regular expressions.
+	// The resulting key will be the output of a regexp.ReplaceAll operation.
+	// +optional
+	Regexp *ExternalSecretRewriteRegexp `json:"regexp,omitempty"`
+
+	// Used to apply string transformation on the secrets.
+	// The resulting key will be the output of the template applied by the operation.
+	// +optional
+	Transform *ExternalSecretRewriteTransform `json:"transform,omitempty"`
+}
+
+type ExternalSecretRewriteRegexp struct {
+	// Used to define the regular expression of a re.Compiler.
+	Source string `json:"source"`
+	// Used to define the target pattern of a ReplaceAll operation.
+	Target string `json:"target"`
+}
+
+type ExternalSecretRewriteTransform struct {
+	// Used to define the template to apply on the secret name.
+	// `.value ` will specify the secret name in the template.
+	Template string `json:"template"`
+}
+
+type ExternalSecretFind struct {
+	// A root path to start the find operations.
+	// +optional
+	Path *string `json:"path,omitempty"`
+
+	// Finds secrets based on the name.
+	// +optional
+	Name *FindName `json:"name,omitempty"`
+
+	// Find secrets based on tags.
+	// +optional
+	Tags map[string]string `json:"tags,omitempty"`
+
+	// +optional
+	// Used to define a conversion Strategy
+	// +kubebuilder:default="Default"
+	ConversionStrategy ExternalSecretConversionStrategy `json:"conversionStrategy,omitempty"`
+
+	// +optional
+	// Used to define a decoding Strategy
+	// +kubebuilder:default="None"
+	DecodingStrategy ExternalSecretDecodingStrategy `json:"decodingStrategy,omitempty"`
+}
+
+type FindName struct {
+	// Finds secrets base
+	// +optional
+	RegExp string `json:"regexp,omitempty"`
+}
+
+// +kubebuilder:validation:Enum=CreatedOnce;Periodic;OnChange
+type ExternalSecretRefreshPolicy string
+
+const (
+	RefreshPolicyCreatedOnce ExternalSecretRefreshPolicy = "CreatedOnce"
+	RefreshPolicyPeriodic    ExternalSecretRefreshPolicy = "Periodic"
+	RefreshPolicyOnChange    ExternalSecretRefreshPolicy = "OnChange"
+)
+
+// ExternalSecretSpec defines the desired state of ExternalSecret.
+type ExternalSecretSpec struct {
+	// +optional
+	SecretStoreRef SecretStoreRef `json:"secretStoreRef,omitempty"`
+
+	// +kubebuilder:default={creationPolicy:Owner,deletionPolicy:Retain}
+	// +optional
+	Target ExternalSecretTarget `json:"target,omitempty"`
+
+	// RefreshPolicy determines how the ExternalSecret should be refreshed:
+	// - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
+	// - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
+	//   No periodic updates occur if refreshInterval is 0.
+	// - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
+	// +optional
+	RefreshPolicy ExternalSecretRefreshPolicy `json:"refreshPolicy,omitempty"`
+
+	// RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
+	// specified as Golang Duration strings.
+	// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
+	// Example values: "1h", "2h30m", "10s"
+	// May be set to zero to fetch and create it once. Defaults to 1h.
+	// +kubebuilder:default="1h"
+	RefreshInterval *metav1.Duration `json:"refreshInterval,omitempty"`
+
+	// Data defines the connection between the Kubernetes Secret keys and the Provider data
+	// +optional
+	Data []ExternalSecretData `json:"data,omitempty"`
+
+	// DataFrom is used to fetch all properties from a specific Provider data
+	// If multiple entries are specified, the Secret keys are merged in the specified order
+	// +optional
+	DataFrom []ExternalSecretDataFromRemoteRef `json:"dataFrom,omitempty"`
+}
+
+// StoreSourceRef allows you to override the SecretStore source
+// from which the secret will be pulled from.
+// You can define at maximum one property.
+// +kubebuilder:validation:MaxProperties=1
+// +kubebuilder:validation:MinProperties=1
+type StoreSourceRef struct {
+	// +optional
+	SecretStoreRef SecretStoreRef `json:"storeRef,omitempty"`
+
+	// GeneratorRef points to a generator custom resource.
+	//
+	// Deprecated: The generatorRef is not implemented in .data[].
+	// this will be removed with v1.
+	GeneratorRef *GeneratorRef `json:"generatorRef,omitempty"`
+}
+
+// StoreGeneratorSourceRef allows you to override the source
+// from which the secret will be pulled from.
+// You can define at maximum one property.
+// +kubebuilder:validation:MaxProperties=1
+// +kubebuilder:validation:MinProperties=1
+type StoreGeneratorSourceRef struct {
+	// +optional
+	SecretStoreRef *SecretStoreRef `json:"storeRef,omitempty"`
+
+	// GeneratorRef points to a generator custom resource.
+	// +optional
+	GeneratorRef *GeneratorRef `json:"generatorRef,omitempty"`
+}
+
+// GeneratorRef points to a generator custom resource.
+type GeneratorRef struct {
+	// Specify the apiVersion of the generator resource
+	// +kubebuilder:default="generators.external-secrets.io/v1alpha1"
+	APIVersion string `json:"apiVersion,omitempty"`
+
+	// Specify the Kind of the generator resource
+	// +kubebuilder:validation:Enum=ACRAccessToken;ClusterGenerator;ECRAuthorizationToken;Fake;GCRAccessToken;GithubAccessToken;QuayAccessToken;Password;STSSessionToken;UUID;VaultDynamicSecret;Webhook;Grafana
+	Kind string `json:"kind"`
+
+	// Specify the name of the generator resource
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:MaxLength:=253
+	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+	Name string `json:"name"`
+}
+
+type ExternalSecretConditionType string
+
+const (
+	ExternalSecretReady   ExternalSecretConditionType = "Ready"
+	ExternalSecretDeleted ExternalSecretConditionType = "Deleted"
+)
+
+type ExternalSecretStatusCondition struct {
+	Type   ExternalSecretConditionType `json:"type"`
+	Status corev1.ConditionStatus      `json:"status"`
+
+	// +optional
+	Reason string `json:"reason,omitempty"`
+
+	// +optional
+	Message string `json:"message,omitempty"`
+
+	// +optional
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
+}
+
+const (
+	// ConditionReasonSecretSynced indicates that the secrets was synced.
+	ConditionReasonSecretSynced = "SecretSynced"
+	// ConditionReasonSecretSyncedError indicates that there was an error syncing the secret.
+	ConditionReasonSecretSyncedError = "SecretSyncedError"
+	// ConditionReasonSecretDeleted indicates that the secret has been deleted.
+	ConditionReasonSecretDeleted = "SecretDeleted"
+	// ConditionReasonSecretMissing indicates that the secret is missing.
+	ConditionReasonSecretMissing = "SecretMissing"
+
+	ReasonUpdateFailed          = "UpdateFailed"
+	ReasonDeprecated            = "ParameterDeprecated"
+	ReasonCreated               = "Created"
+	ReasonUpdated               = "Updated"
+	ReasonDeleted               = "Deleted"
+	ReasonMissingProviderSecret = "MissingProviderSecret"
+)
+
+type ExternalSecretStatus struct {
+	// +nullable
+	// refreshTime is the time and date the external secret was fetched and
+	// the target secret updated
+	RefreshTime metav1.Time `json:"refreshTime,omitempty"`
+
+	// SyncedResourceVersion keeps track of the last synced version
+	SyncedResourceVersion string `json:"syncedResourceVersion,omitempty"`
+
+	// +optional
+	Conditions []ExternalSecretStatusCondition `json:"conditions,omitempty"`
+
+	// Binding represents a servicebinding.io Provisioned Service reference to the secret
+	Binding corev1.LocalObjectReference `json:"binding,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:storageversion
+// ExternalSecret is the Schema for the external-secrets API.
+// +kubebuilder:subresource:status
+// +kubebuilder:metadata:labels="external-secrets.io/component=controller"
+// +kubebuilder:resource:scope=Namespaced,categories={external-secrets},shortName=es
+// +kubebuilder:printcolumn:name="StoreType",type=string,JSONPath=`.spec.secretStoreRef.kind`
+// +kubebuilder:printcolumn:name="Store",type=string,JSONPath=`.spec.secretStoreRef.name`
+// +kubebuilder:printcolumn:name="Refresh Interval",type=string,JSONPath=`.spec.refreshInterval`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason`
+// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].status`
+type ExternalSecret struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   ExternalSecretSpec   `json:"spec,omitempty"`
+	Status ExternalSecretStatus `json:"status,omitempty"`
+}
+
+const (
+	// AnnotationDataHash all secrets managed by an ExternalSecret have this annotation with the hash of their data.
+	AnnotationDataHash = "reconcile.external-secrets.io/data-hash"
+
+	// LabelManaged all secrets managed by an ExternalSecret will have this label equal to "true".
+	LabelManaged      = "reconcile.external-secrets.io/managed"
+	LabelManagedValue = "true"
+
+	// LabelOwner points to the owning ExternalSecret resource when CreationPolicy=Owner.
+	LabelOwner = "reconcile.external-secrets.io/created-by"
+)
+
+// +kubebuilder:object:root=true
+
+// ExternalSecretList contains a list of ExternalSecret resources.
+type ExternalSecretList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ExternalSecret `json:"items"`
+}

+ 124 - 0
apis/externalsecrets/v1/externalsecret_validator.go

@@ -0,0 +1,124 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+type ExternalSecretValidator struct{}
+
+func (esv *ExternalSecretValidator) ValidateCreate(_ context.Context, obj runtime.Object) (admission.Warnings, error) {
+	return validateExternalSecret(obj)
+}
+
+func (esv *ExternalSecretValidator) ValidateUpdate(_ context.Context, _, newObj runtime.Object) (admission.Warnings, error) {
+	return validateExternalSecret(newObj)
+}
+
+func (esv *ExternalSecretValidator) ValidateDelete(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}
+
+func validateExternalSecret(obj runtime.Object) (admission.Warnings, error) {
+	es, ok := obj.(*ExternalSecret)
+	if !ok {
+		return nil, errors.New("unexpected type")
+	}
+
+	var errs error
+	if err := validatePolicies(es); err != nil {
+		errs = errors.Join(errs, err)
+	}
+
+	if len(es.Spec.Data) == 0 && len(es.Spec.DataFrom) == 0 {
+		errs = errors.Join(errs, errors.New("either data or dataFrom should be specified"))
+	}
+
+	for _, ref := range es.Spec.DataFrom {
+		if err := validateExtractFindGenerator(ref); err != nil {
+			errs = errors.Join(errs, err)
+		}
+
+		if err := validateFindExtractSourceRef(ref); err != nil {
+			errs = errors.Join(errs, err)
+		}
+
+		if err := validateSourceRef(ref); err != nil {
+			errs = errors.Join(errs, err)
+		}
+	}
+
+	errs = validateDuplicateKeys(es, errs)
+	return nil, errs
+}
+
+func validateSourceRef(ref ExternalSecretDataFromRemoteRef) error {
+	if ref.SourceRef != nil && ref.SourceRef.GeneratorRef == nil && ref.SourceRef.SecretStoreRef == nil {
+		return errors.New("generatorRef or storeRef must be set when using sourceRef in dataFrom")
+	}
+
+	return nil
+}
+
+func validateFindExtractSourceRef(ref ExternalSecretDataFromRemoteRef) error {
+	if ref.Find == nil && ref.Extract == nil && ref.SourceRef == nil {
+		return errors.New("either extract, find, or sourceRef must be set to dataFrom")
+	}
+
+	return nil
+}
+
+func validateExtractFindGenerator(ref ExternalSecretDataFromRemoteRef) error {
+	generatorRef := ref.SourceRef != nil && ref.SourceRef.GeneratorRef != nil
+	if (ref.Find != nil && (ref.Extract != nil || generatorRef)) || (ref.Extract != nil && (ref.Find != nil || generatorRef)) || (generatorRef && (ref.Find != nil || ref.Extract != nil)) {
+		return errors.New("extract, find, or generatorRef cannot be set at the same time")
+	}
+
+	return nil
+}
+
+func validatePolicies(es *ExternalSecret) error {
+	var errs error
+	if (es.Spec.Target.DeletionPolicy == DeletionPolicyDelete && es.Spec.Target.CreationPolicy == CreatePolicyMerge) ||
+		(es.Spec.Target.DeletionPolicy == DeletionPolicyDelete && es.Spec.Target.CreationPolicy == CreatePolicyNone) {
+		errs = errors.Join(errs, errors.New("deletionPolicy=Delete must not be used when the controller doesn't own the secret. Please set creationPolicy=Owner"))
+	}
+
+	if es.Spec.Target.DeletionPolicy == DeletionPolicyMerge && es.Spec.Target.CreationPolicy == CreatePolicyNone {
+		errs = errors.Join(errs, errors.New("deletionPolicy=Merge must not be used with creationPolicy=None. There is no Secret to merge with"))
+	}
+
+	return errs
+}
+
+func validateDuplicateKeys(es *ExternalSecret, errs error) error {
+	if es.Spec.Target.DeletionPolicy == DeletionPolicyRetain {
+		seenKeys := make(map[string]struct{})
+		for _, data := range es.Spec.Data {
+			secretKey := data.SecretKey
+			if _, exists := seenKeys[secretKey]; exists {
+				errs = errors.Join(errs, fmt.Errorf("duplicate secretKey found: %s", secretKey))
+			}
+			seenKeys[secretKey] = struct{}{}
+		}
+	}
+	return errs
+}
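Review bot: `validateDuplicateKeys` only looks for repeated `secretKey` values when `deletionPolicy` is `Retain`, so an ExternalSecret using `Delete` or `Merge` with two `data` entries for the same key passes admission, and nothing in this file says why. If the restriction is deliberate, state the reason in a comment above the guard, for example `// duplicates are only rejected for Retain because <reason>`. Otherwise drop the `if es.Spec.Target.DeletionPolicy == DeletionPolicyRetain` condition so the check applies to every policy. The loop also reports the same key once per extra occurrence, so a key listed three times produces two identical messages.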

+ 224 - 0
apis/externalsecrets/v1/externalsecret_validator_test.go

@@ -0,0 +1,224 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"testing"
+
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+const (
+	errExtractFindGenerator = "extract, find, or generatorRef cannot be set at the same time"
+)
+
+func TestValidateExternalSecret(t *testing.T) {
+	tests := []struct {
+		name        string
+		obj         runtime.Object
+		expectedErr string
+	}{
+		{
+			name:        "nil",
+			obj:         nil,
+			expectedErr: "unexpected type",
+		},
+		{
+			name: "deletion policy delete",
+			obj: &ExternalSecret{
+				Spec: ExternalSecretSpec{
+					Target: ExternalSecretTarget{
+						DeletionPolicy: DeletionPolicyDelete,
+						CreationPolicy: CreatePolicyMerge,
+					},
+					Data: []ExternalSecretData{
+						{},
+					},
+				},
+			},
+			expectedErr: "deletionPolicy=Delete must not be used when the controller doesn't own the secret. Please set creationPolicy=Owner",
+		},
+		{
+			name: "deletion policy merge",
+			obj: &ExternalSecret{
+				Spec: ExternalSecretSpec{
+					Target: ExternalSecretTarget{
+						DeletionPolicy: DeletionPolicyMerge,
+						CreationPolicy: CreatePolicyNone,
+					},
+					Data: []ExternalSecretData{
+						{},
+					},
+				},
+			},
+			expectedErr: "deletionPolicy=Merge must not be used with creationPolicy=None. There is no Secret to merge with",
+		},
+		{
+			name: "both data and data_from are empty",
+			obj: &ExternalSecret{
+				Spec: ExternalSecretSpec{},
+			},
+			expectedErr: "either data or dataFrom should be specified",
+		},
+		{
+			name: "find with extract",
+			obj: &ExternalSecret{
+				Spec: ExternalSecretSpec{
+					DataFrom: []ExternalSecretDataFromRemoteRef{
+						{
+							Find:    &ExternalSecretFind{},
+							Extract: &ExternalSecretDataRemoteRef{},
+						},
+					},
+				},
+			},
+			expectedErr: errExtractFindGenerator,
+		},
+		{
+			name: "generator with find",
+			obj: &ExternalSecret{
+				Spec: ExternalSecretSpec{
+					DataFrom: []ExternalSecretDataFromRemoteRef{
+						{
+							Find: &ExternalSecretFind{},
+							SourceRef: &StoreGeneratorSourceRef{
+								GeneratorRef: &GeneratorRef{},
+							},
+						},
+					},
+				},
+			},
+			expectedErr: errExtractFindGenerator,
+		},
+		{
+			name: "generator with extract",
+			obj: &ExternalSecret{
+				Spec: ExternalSecretSpec{
+					DataFrom: []ExternalSecretDataFromRemoteRef{
+						{
+							Extract: &ExternalSecretDataRemoteRef{},
+							SourceRef: &StoreGeneratorSourceRef{
+								GeneratorRef: &GeneratorRef{},
+							},
+						},
+					},
+				},
+			},
+			expectedErr: errExtractFindGenerator,
+		},
+		{
+			name: "empty dataFrom",
+			obj: &ExternalSecret{
+				Spec: ExternalSecretSpec{
+					DataFrom: []ExternalSecretDataFromRemoteRef{
+						{},
+					},
+				},
+			},
+			expectedErr: "either extract, find, or sourceRef must be set to dataFrom",
+		},
+		{
+			name: "empty sourceRef",
+			obj: &ExternalSecret{
+				Spec: ExternalSecretSpec{
+					DataFrom: []ExternalSecretDataFromRemoteRef{
+						{
+							SourceRef: &StoreGeneratorSourceRef{},
+						},
+					},
+				},
+			},
+			expectedErr: "generatorRef or storeRef must be set when using sourceRef in dataFrom",
+		},
+		{
+			name: "multiple errors",
+			obj: &ExternalSecret{
+				Spec: ExternalSecretSpec{
+					Target: ExternalSecretTarget{
+						DeletionPolicy: DeletionPolicyMerge,
+						CreationPolicy: CreatePolicyNone,
+					},
+				},
+			},
+			expectedErr: `deletionPolicy=Merge must not be used with creationPolicy=None. There is no Secret to merge with
+either data or dataFrom should be specified`,
+		},
+		{
+			name: "valid",
+			obj: &ExternalSecret{
+				Spec: ExternalSecretSpec{
+					DataFrom: []ExternalSecretDataFromRemoteRef{
+						{
+							SourceRef: &StoreGeneratorSourceRef{
+								GeneratorRef: &GeneratorRef{},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "duplicate secretKeys",
+			obj: &ExternalSecret{
+				Spec: ExternalSecretSpec{
+					Target: ExternalSecretTarget{
+						DeletionPolicy: DeletionPolicyRetain,
+					},
+					Data: []ExternalSecretData{
+						{SecretKey: "SERVICE_NAME"},
+						{SecretKey: "SERVICE_NAME"},
+						{SecretKey: "SERVICE_NAME-2"},
+						{SecretKey: "SERVICE_NAME-2"},
+						{SecretKey: "NOT_DUPLICATE"},
+					},
+				},
+			},
+			expectedErr: "duplicate secretKey found: SERVICE_NAME\nduplicate secretKey found: SERVICE_NAME-2",
+		},
+		{
+			name: "duplicate secretKey",
+			obj: &ExternalSecret{
+				Spec: ExternalSecretSpec{
+					Target: ExternalSecretTarget{
+						DeletionPolicy: DeletionPolicyRetain,
+					},
+					Data: []ExternalSecretData{
+						{SecretKey: "SERVICE_NAME"},
+						{SecretKey: "SERVICE_NAME"},
+					},
+				},
+			},
+			expectedErr: "duplicate secretKey found: SERVICE_NAME",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, err := validateExternalSecret(tt.obj)
+			if err != nil {
+				if tt.expectedErr == "" {
+					t.Fatalf("validateExternalSecret() returned an unexpected error: %v", err)
+				}
+
+				if err.Error() != tt.expectedErr {
+					t.Fatalf("validateExternalSecret() returned an unexpected error: got: %v, expected: %v", err, tt.expectedErr)
+				}
+				return
+			}
+			if tt.expectedErr != "" {
+				t.Errorf("validateExternalSecret() should have returned an error but got nil")
+			}
+		})
+	}
+}
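Review bot: The table never exercises `DeletionPolicyDelete` together with `CreatePolicyNone`, which is the second half of the first condition in `validatePolicies`, so that branch could be removed without any test failing. Add a case identical to "deletion policy delete" but with `CreationPolicy: CreatePolicyNone` and the same expected message. A second missing case is two entries with the same `SecretKey` under a deletion policy other than `Retain`, which would pin down whether skipping the duplicate check there is intended.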

+ 4 - 3
apis/externalsecrets/v1alpha1/externalsecret_webhook.go → apis/externalsecrets/v1/externalsecret_webhook.go

@@ -12,14 +12,15 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1alpha1
+package v1
 
 import (
 	ctrl "sigs.k8s.io/controller-runtime"
 )
 
-func (alpha *ExternalSecret) SetupWebhookWithManager(mgr ctrl.Manager) error {
+func (es *ExternalSecret) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
-		For(alpha).
+		For(es).
+		WithValidator(&ExternalSecretValidator{}).
 		Complete()
 }

+ 106 - 0
apis/externalsecrets/v1/fakes/pushremoteref.go

@@ -0,0 +1,106 @@
+// Code generated by counterfeiter. DO NOT EDIT.
+package fakes
+
+import (
+	"sync"
+
+	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
+)
+
+type PushRemoteRef struct {
+	GetRemoteKeyStub        func() string
+	getRemoteKeyMutex       sync.RWMutex
+	getRemoteKeyArgsForCall []struct {
+	}
+	getRemoteKeyReturns struct {
+		result1 string
+	}
+	getRemoteKeyReturnsOnCall map[int]struct {
+		result1 string
+	}
+	invocations      map[string][][]any
+	invocationsMutex sync.RWMutex
+}
+
+func (fake *PushRemoteRef) GetRemoteKey() string {
+	fake.getRemoteKeyMutex.Lock()
+	ret, specificReturn := fake.getRemoteKeyReturnsOnCall[len(fake.getRemoteKeyArgsForCall)]
+	fake.getRemoteKeyArgsForCall = append(fake.getRemoteKeyArgsForCall, struct {
+	}{})
+	stub := fake.GetRemoteKeyStub
+	fakeReturns := fake.getRemoteKeyReturns
+	fake.recordInvocation("GetRemoteKey", []any{})
+	fake.getRemoteKeyMutex.Unlock()
+	if stub != nil {
+		return stub()
+	}
+	if specificReturn {
+		return ret.result1
+	}
+	return fakeReturns.result1
+}
+
+func (fake *PushRemoteRef) GetProperty() string {
+	return ""
+}
+
+func (fake *PushRemoteRef) GetRemoteKeyCallCount() int {
+	fake.getRemoteKeyMutex.RLock()
+	defer fake.getRemoteKeyMutex.RUnlock()
+	return len(fake.getRemoteKeyArgsForCall)
+}
+
+func (fake *PushRemoteRef) GetRemoteKeyCalls(stub func() string) {
+	fake.getRemoteKeyMutex.Lock()
+	defer fake.getRemoteKeyMutex.Unlock()
+	fake.GetRemoteKeyStub = stub
+}
+
+func (fake *PushRemoteRef) GetRemoteKeyReturns(result1 string) {
+	fake.getRemoteKeyMutex.Lock()
+	defer fake.getRemoteKeyMutex.Unlock()
+	fake.GetRemoteKeyStub = nil
+	fake.getRemoteKeyReturns = struct {
+		result1 string
+	}{result1}
+}
+
+func (fake *PushRemoteRef) GetRemoteKeyReturnsOnCall(i int, result1 string) {
+	fake.getRemoteKeyMutex.Lock()
+	defer fake.getRemoteKeyMutex.Unlock()
+	fake.GetRemoteKeyStub = nil
+	if fake.getRemoteKeyReturnsOnCall == nil {
+		fake.getRemoteKeyReturnsOnCall = make(map[int]struct {
+			result1 string
+		})
+	}
+	fake.getRemoteKeyReturnsOnCall[i] = struct {
+		result1 string
+	}{result1}
+}
+
+func (fake *PushRemoteRef) Invocations() map[string][][]any {
+	fake.invocationsMutex.RLock()
+	defer fake.invocationsMutex.RUnlock()
+	fake.getRemoteKeyMutex.RLock()
+	defer fake.getRemoteKeyMutex.RUnlock()
+	copiedInvocations := map[string][][]any{}
+	for key, value := range fake.invocations {
+		copiedInvocations[key] = value
+	}
+	return copiedInvocations
+}
+
+func (fake *PushRemoteRef) recordInvocation(key string, args []any) {
+	fake.invocationsMutex.Lock()
+	defer fake.invocationsMutex.Unlock()
+	if fake.invocations == nil {
+		fake.invocations = map[string][][]any{}
+	}
+	if fake.invocations[key] == nil {
+		fake.invocations[key] = [][]any{}
+	}
+	fake.invocations[key] = append(fake.invocations[key], args)
+}
+
+var _ v1.PushSecretRemoteRef = new(PushRemoteRef)

+ 10 - 1
apis/externalsecrets/v1alpha1/generic_store.go → apis/externalsecrets/v1/generic_store.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1alpha1
+package v1
 
 import (
 	"fmt"
@@ -34,6 +34,7 @@ type GenericStore interface {
 
 	GetObjectMeta() *metav1.ObjectMeta
 	GetTypeMeta() *metav1.TypeMeta
+	GetKind() string
 
 	GetSpec() *SecretStoreSpec
 	GetNamespacedName() string
@@ -70,6 +71,10 @@ func (c *SecretStore) GetNamespacedName() string {
 	return fmt.Sprintf("%s/%s", c.Namespace, c.Name)
 }
 
+func (c *SecretStore) GetKind() string {
+	return SecretStoreKind
+}
+
 func (c *SecretStore) Copy() GenericStore {
 	return c.DeepCopy()
 }
@@ -105,3 +110,7 @@ func (c *ClusterSecretStore) SetStatus(status SecretStoreStatus) {
 func (c *ClusterSecretStore) GetNamespacedName() string {
 	return fmt.Sprintf("%s/%s", c.Namespace, c.Name)
 }
+
+func (c *ClusterSecretStore) GetKind() string {
+	return ClusterSecretStoreKind
+}
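Review bot: The two new `GetKind` methods and the `GetKind() string` entry added to `GenericStore` have no doc comment, and a reader cannot tell from a call site that they return a fixed constant rather than the `Kind` stored in `TypeMeta`. On the `SecretStore` method (hunk `@@ -70,6 +71,10 @@`) add `// GetKind returns SecretStoreKind; it does not read TypeMeta.` and on the `ClusterSecretStore` method (hunk `@@ -105,3 +110,7 @@`) the same sentence with `ClusterSecretStoreKind`. This matters to callers that use the kind to choose between namespaced and cluster-scoped lookups.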

+ 117 - 0
apis/externalsecrets/v1/provider.go

@@ -0,0 +1,117 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"context"
+
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+const (
+	// Ready indicates that the client is configured correctly
+	// and can be used.
+	ValidationResultReady ValidationResult = iota
+
+	// Unknown indicates that the client can be used
+	// but information is missing and it can not be validated.
+	ValidationResultUnknown
+
+	// Error indicates that there is a misconfiguration.
+	ValidationResultError
+)
+
+type ValidationResult uint8
+
+func (v ValidationResult) String() string {
+	return [...]string{"Ready", "Unknown", "Error"}[v]
+}
+
+// +kubebuilder:object:root=false
+// +kubebuilder:object:generate:false
+// +k8s:deepcopy-gen:interfaces=nil
+// +k8s:deepcopy-gen=nil
+
+// Provider is a common interface for interacting with secret backends.
+type Provider interface {
+	// NewClient constructs a SecretsManager Provider
+	NewClient(ctx context.Context, store GenericStore, kube client.Client, namespace string) (SecretsClient, error)
+
+	// ValidateStore checks if the provided store is valid
+	// The provider may return a warning and an error.
+	// The intended use of the warning to indicate a deprecation of behavior
+	// or other type of message that is NOT a validation failure but should be noticed by the user.
+	ValidateStore(store GenericStore) (admission.Warnings, error)
+
+	// Capabilities returns the provider Capabilities (Read, Write, ReadWrite)
+	Capabilities() SecretStoreCapabilities
+}
+
+// +kubebuilder:object:root=false
+// +kubebuilder:object:generate:false
+// +k8s:deepcopy-gen:interfaces=nil
+// +k8s:deepcopy-gen=nil
+
+// SecretsClient provides access to secrets.
+type SecretsClient interface {
+	// GetSecret returns a single secret from the provider
+	// if GetSecret returns an error with type NoSecretError
+	// then the secret entry will be deleted depending on the deletionPolicy.
+	GetSecret(ctx context.Context, ref ExternalSecretDataRemoteRef) ([]byte, error)
+
+	// PushSecret will write a single secret into the provider
+	PushSecret(ctx context.Context, secret *corev1.Secret, data PushSecretData) error
+
+	// DeleteSecret will delete the secret from a provider
+	DeleteSecret(ctx context.Context, remoteRef PushSecretRemoteRef) error
+
+	// SecretExists checks if a secret is already present in the provider at the given location.
+	SecretExists(ctx context.Context, remoteRef PushSecretRemoteRef) (bool, error)
+
+	// Validate checks if the client is configured correctly
+	// and is able to retrieve secrets from the provider.
+	// If the validation result is unknown it will be ignored.
+	Validate() (ValidationResult, error)
+
+	// GetSecretMap returns multiple k/v pairs from the provider
+	GetSecretMap(ctx context.Context, ref ExternalSecretDataRemoteRef) (map[string][]byte, error)
+
+	// GetAllSecrets returns multiple k/v pairs from the provider
+	GetAllSecrets(ctx context.Context, ref ExternalSecretFind) (map[string][]byte, error)
+
+	Close(ctx context.Context) error
+}
+
+var NoSecretErr = NoSecretError{}
+
+// NoSecretError shall be returned when a GetSecret can not find the
+// desired secret. This is used for deletionPolicy.
+type NoSecretError struct{}
+
+func (NoSecretError) Error() string {
+	return "Secret does not exist"
+}
+
+var NotModifiedErr = NotModifiedError{}
+
+// NotModifiedError to signal that the webhook received no changes,
+// and it should just return without doing anything.
+type NotModifiedError struct{}
+
+func (NotModifiedError) Error() string {
+	return "not modified"
+}
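Review bot: `ValidationResult.String()` indexes a three-element array directly with `v`, so any value above `ValidationResultError` panics with an index-out-of-range error instead of returning a string. The type is a plain `uint8`, so such a value can come from a conversion or from a constant added later without extending the array. Binding the array to a local and guarding the index avoids this: `names := [...]string{"Ready", "Unknown", "Error"}` followed by `if int(v) >= len(names) { return "Invalid" }` before `return names[v]`. The comments on the three constants also open with `Ready`, `Unknown` and `Error` rather than the identifier names `ValidationResultReady` and so on, which Go doc tooling expects.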

+ 123 - 0
apis/externalsecrets/v1/provider_schema.go

@@ -0,0 +1,123 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"sync"
+)
+
+var builder map[string]Provider
+var buildlock sync.RWMutex
+
+func init() {
+	builder = make(map[string]Provider)
+}
+
+// Register a store backend type. Register panics if a
+// backend with the same store is already registered.
+func Register(s Provider, storeSpec *SecretStoreProvider, maintenanceStatus MaintenanceStatus) {
+	storeName, err := getProviderName(storeSpec)
+	if err != nil {
+		panic(fmt.Sprintf("store error registering schema: %s", err.Error()))
+	}
+
+	RegisterMaintenanceStatus(maintenanceStatus, storeSpec)
+	buildlock.Lock()
+	defer buildlock.Unlock()
+	_, exists := builder[storeName]
+	if exists {
+		panic(fmt.Sprintf("store %q already registered", storeName))
+	}
+
+	builder[storeName] = s
+}
+
+// ForceRegister adds to store schema, overwriting a store if
+// already registered. Should only be used for testing.
+func ForceRegister(s Provider, storeSpec *SecretStoreProvider, maintenanceStatus MaintenanceStatus) {
+	storeName, err := getProviderName(storeSpec)
+	if err != nil {
+		panic(fmt.Sprintf("store error registering schema: %s", err.Error()))
+	}
+
+	buildlock.Lock()
+	builder[storeName] = s
+	buildlock.Unlock()
+	ForceRegisterMaintenanceStatus(maintenanceStatus, storeSpec)
+}
+
+// GetProviderByName returns the provider implementation by name.
+func GetProviderByName(name string) (Provider, bool) {
+	buildlock.RLock()
+	f, ok := builder[name]
+	buildlock.RUnlock()
+	return f, ok
+}
+
+// GetProvider returns the provider from the generic store.
+func GetProvider(s GenericStore) (Provider, error) {
+	if s == nil {
+		return nil, nil
+	}
+	spec := s.GetSpec()
+	if spec == nil {
+		// Note, this condition can never be reached, because
+		// the Spec is not a pointer in Kubernetes. It will
+		// always exist.
+		return nil, fmt.Errorf("no spec found in %#v", s)
+	}
+	storeName, err := getProviderName(spec.Provider)
+	if err != nil {
+		return nil, fmt.Errorf("store error for %s: %w", s.GetName(), err)
+	}
+
+	buildlock.RLock()
+	f, ok := builder[storeName]
+	buildlock.RUnlock()
+
+	if !ok {
+		return nil, fmt.Errorf("failed to find registered store backend for type: %s, name: %s", storeName, s.GetName())
+	}
+
+	return f, nil
+}
+
+// getProviderName returns the name of the configured provider
+// or an error if the provider is not configured.
+func getProviderName(storeSpec *SecretStoreProvider) (string, error) {
+	storeBytes, err := json.Marshal(storeSpec)
+	if err != nil || storeBytes == nil {
+		return "", fmt.Errorf("failed to marshal store spec: %w", err)
+	}
+
+	storeMap := make(map[string]any)
+	err = json.Unmarshal(storeBytes, &storeMap)
+	if err != nil {
+		return "", fmt.Errorf("failed to unmarshal store spec: %w", err)
+	}
+
+	if len(storeMap) != 1 {
+		return "", fmt.Errorf("secret stores must only have exactly one backend specified, found %d", len(storeMap))
+	}
+
+	for k := range storeMap {
+		return k, nil
+	}
+
+	return "", errors.New("failed to find registered store backend")
+}
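Review bot: `GetProvider` returns `nil, nil` when the store is nil, so a caller that checks only `err` gets a nil `Provider` and panics on its first method call. Returning an error instead, `return nil, errors.New("store must not be nil")` (`errors` is already imported), makes the failure explicit; whether any caller relies on the current behaviour is not visible from this page. `GetMaintenanceStatus` in provider_schema_maintenance.go has the same shape, returning `MaintenanceStatusNotMaintained, nil` for a nil store. Separately, in `getProviderName` the branch `err != nil || storeBytes == nil` wraps `err` with `%w` even when only `storeBytes` is nil, which would put a nil error into the formatted message.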

+ 89 - 0
apis/externalsecrets/v1/provider_schema_maintenance.go

@@ -0,0 +1,89 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"fmt"
+	"sync"
+)
+
+type MaintenanceStatus bool
+
+const (
+	MaintenanceStatusMaintained    MaintenanceStatus = true
+	MaintenanceStatusNotMaintained MaintenanceStatus = false
+)
+
+var maintenance map[string]MaintenanceStatus
+var mlock sync.RWMutex
+
+func init() {
+	maintenance = make(map[string]MaintenanceStatus)
+}
+
+func RegisterMaintenanceStatus(status MaintenanceStatus, storeSpec *SecretStoreProvider) {
+	storeName, err := getProviderName(storeSpec)
+	if err != nil {
+		panic(fmt.Sprintf("store error registering schema: %s", err.Error()))
+	}
+
+	mlock.Lock()
+	defer mlock.Unlock()
+	_, exists := maintenance[storeName]
+	if exists {
+		panic(fmt.Sprintf("store %q already registered", storeName))
+	}
+
+	maintenance[storeName] = status
+}
+
+func ForceRegisterMaintenanceStatus(status MaintenanceStatus, storeSpec *SecretStoreProvider) {
+	storeName, err := getProviderName(storeSpec)
+	if err != nil {
+		panic(fmt.Sprintf("store error registering schema: %s", err.Error()))
+	}
+
+	mlock.Lock()
+	defer mlock.Unlock()
+	maintenance[storeName] = status
+}
+
+// GetMaintenanceStatus returns the maintenance status of the provider from the generic store.
+func GetMaintenanceStatus(s GenericStore) (MaintenanceStatus, error) {
+	if s == nil {
+		return MaintenanceStatusNotMaintained, nil
+	}
+	spec := s.GetSpec()
+	if spec == nil {
+		// Note, this condition can never be reached, because
+		// the Spec is not a pointer in Kubernetes. It will
+		// always exist.
+		return MaintenanceStatusNotMaintained, fmt.Errorf("no spec found in %#v", s)
+	}
+	storeName, err := getProviderName(spec.Provider)
+	if err != nil {
+		return MaintenanceStatusNotMaintained, fmt.Errorf("store error for %s: %w", s.GetName(), err)
+	}
+
+	mlock.RLock()
+	status, ok := maintenance[storeName]
+	mlock.RUnlock()
+
+	if !ok {
+		return MaintenanceStatusNotMaintained, fmt.Errorf("failed to find registered store backend for type: %s, name: %s", storeName, s.GetName())
+	}
+
+	return status, nil
+}
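Review bot: `MaintenanceStatus`, `RegisterMaintenanceStatus` and `ForceRegisterMaintenanceStatus` are exported without doc comments, and nothing documents that both functions panic. Suggested for the first function: `// RegisterMaintenanceStatus records status for the provider named by storeSpec. It panics if storeSpec does not name exactly one provider or if that provider already has a status.` The same comment fits `ForceRegisterMaintenanceStatus`, with the duplicate clause replaced by a note that it overwrites an existing entry. The duplicate panic text `store %q already registered` is identical to the one in `Register`, so a crash does not show which registry rejected the provider; naming the maintenance registry in this message would remove that ambiguity.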

+ 206 - 0
apis/externalsecrets/v1/provider_schema_test.go

@@ -0,0 +1,206 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+type PP struct{}
+
+const shouldBeRegistered = "provider should be registered"
+
+func (p *PP) Capabilities() SecretStoreCapabilities {
+	return SecretStoreReadOnly
+}
+
+// New constructs a SecretsManager Provider.
+func (p *PP) NewClient(_ context.Context, _ GenericStore, _ client.Client, _ string) (SecretsClient, error) {
+	return p, nil
+}
+
+// PushSecret writes a single secret into a provider.
+func (p *PP) PushSecret(_ context.Context, _ *corev1.Secret, _ PushSecretData) error {
+	return nil
+}
+
+// DeleteSecret deletes a single secret from a provider.
+func (p *PP) DeleteSecret(_ context.Context, _ PushSecretRemoteRef) error {
+	return nil
+}
+
+// Exists checks if a secret is already present in the provider at the given location.
+func (p *PP) SecretExists(_ context.Context, _ PushSecretRemoteRef) (bool, error) {
+	return false, nil
+}
+
+// GetSecret returns a single secret from the provider.
+func (p *PP) GetSecret(_ context.Context, _ ExternalSecretDataRemoteRef) ([]byte, error) {
+	return []byte("NOOP"), nil
+}
+
+// GetSecretMap returns multiple k/v pairs from the provider.
+func (p *PP) GetSecretMap(_ context.Context, _ ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+	return map[string][]byte{}, nil
+}
+
+// Empty GetAllSecrets.
+func (p *PP) GetAllSecrets(_ context.Context, _ ExternalSecretFind) (map[string][]byte, error) {
+	// TO be implemented
+	return map[string][]byte{}, nil
+}
+
+func (p *PP) Close(_ context.Context) error {
+	return nil
+}
+
+func (p *PP) Validate() (ValidationResult, error) {
+	return ValidationResultReady, nil
+}
+
+func (p *PP) ValidateStore(_ GenericStore) (admission.Warnings, error) {
+	return nil, nil
+}
+
+// TestRegister tests if the Register function
+// (1) panics if it tries to register something invalid
+// (2) stores the correct provider.
+func TestRegister(t *testing.T) {
+	tbl := []struct {
+		test      string
+		name      string
+		expPanic  bool
+		expExists bool
+		provider  *SecretStoreProvider
+	}{
+		{
+			test:      "should panic when given an invalid provider",
+			name:      "aws",
+			expPanic:  true,
+			expExists: false,
+			provider:  &SecretStoreProvider{},
+		},
+		{
+			test:      "should register an correct provider",
+			name:      "aws",
+			expExists: false,
+			provider: &SecretStoreProvider{
+				AWS: &AWSProvider{
+					Service: AWSServiceSecretsManager,
+				},
+			},
+		},
+		{
+			test:      "should panic if already exists",
+			name:      "aws",
+			expPanic:  true,
+			expExists: true,
+			provider: &SecretStoreProvider{
+				AWS: &AWSProvider{
+					Service: AWSServiceSecretsManager,
+				},
+			},
+		},
+	}
+	for i := range tbl {
+		row := tbl[i]
+		t.Run(row.test, func(t *testing.T) {
+			runTest(t,
+				row.name,
+				row.provider,
+				row.expPanic,
+			)
+		})
+	}
+}
+
+func runTest(t *testing.T, name string, provider *SecretStoreProvider, expPanic bool) {
+	testProvider := &PP{}
+	secretStore := &SecretStore{
+		Spec: SecretStoreSpec{
+			Provider: provider,
+		},
+	}
+	if expPanic {
+		defer func() {
+			if r := recover(); r == nil {
+				t.Errorf("Register should panic")
+			}
+		}()
+	}
+	Register(testProvider, secretStore.Spec.Provider, MaintenanceStatusMaintained)
+	p1, ok := GetProviderByName(name)
+	assert.True(t, ok, shouldBeRegistered)
+	assert.Equal(t, testProvider, p1)
+	p2, err := GetProvider(secretStore)
+	assert.Nil(t, err)
+	assert.Equal(t, testProvider, p2)
+}
+
+// ForceRegister is used by other tests, we should ensure it works as expected.
+func TestForceRegister(t *testing.T) {
+	testProvider := &PP{}
+	provider := &SecretStoreProvider{
+		AWS: &AWSProvider{
+			Service: AWSServiceParameterStore,
+		},
+	}
+	secretStore := &SecretStore{
+		Spec: SecretStoreSpec{
+			Provider: provider,
+		},
+	}
+	ForceRegister(testProvider, &SecretStoreProvider{
+		AWS: &AWSProvider{
+			Service: AWSServiceParameterStore,
+		},
+	}, MaintenanceStatusMaintained)
+	p1, ok := GetProviderByName("aws")
+	assert.True(t, ok, shouldBeRegistered)
+	assert.Equal(t, testProvider, p1)
+	p2, err := GetProvider(secretStore)
+	assert.Nil(t, err)
+	assert.Equal(t, testProvider, p2)
+}
+
+func TestRegisterGCP(t *testing.T) {
+	p, ok := GetProviderByName("gcpsm")
+	assert.Nil(t, p)
+	assert.False(t, ok, "provider should not be registered")
+
+	testProvider := &PP{}
+	secretStore := &SecretStore{
+		Spec: SecretStoreSpec{
+			Provider: &SecretStoreProvider{
+				GCPSM: &GCPSMProvider{},
+			},
+		},
+	}
+
+	ForceRegister(testProvider, secretStore.Spec.Provider, MaintenanceStatusMaintained)
+	p1, ok := GetProviderByName("gcpsm")
+	assert.True(t, ok, shouldBeRegistered)
+	assert.Equal(t, testProvider, p1)
+
+	p2, err := GetProvider(secretStore)
+	assert.Nil(t, err)
+	assert.Equal(t, testProvider, p2)
+}
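Review bot: The `expExists` column in the `TestRegister` table is set on every row but never read, because `runTest` receives only the name, the provider and `expPanic`, so the "already exists" expectation is not asserted anywhere. The third row passes only because the second row has already registered `aws` in the package-level registry, and `TestForceRegister` later overwrites that same key, so these tests depend on execution order. Either drop the field or pass it through and check `GetProviderByName(name)` before calling `Register`. A comment such as `// rows share the package-level provider registry and must run in this order` would make the coupling explicit. The doc comments on `NewClient` and `SecretExists` open with `New` and `Exists`, which do not match the method names.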

+ 41 - 0
apis/externalsecrets/v1/pushsecret_interfaces.go

@@ -0,0 +1,41 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+
+// +kubebuilder:object:root=false
+// +kubebuilder:object:generate:false
+// +k8s:deepcopy-gen:interfaces=nil
+// +k8s:deepcopy-gen=nil
+
+// PushSecretData is an interface to allow using v1alpha1.PushSecretData content in Provider registered in v1.
+type PushSecretData interface {
+	GetMetadata() *apiextensionsv1.JSON
+	GetSecretKey() string
+	GetRemoteKey() string
+	GetProperty() string
+}
+
+// +kubebuilder:object:root=false
+// +kubebuilder:object:generate:false
+// +k8s:deepcopy-gen:interfaces=nil
+// +k8s:deepcopy-gen=nil
+
+// PushSecretRemoteRef is an interface to allow using v1alpha1.PushSecretRemoteRef in Provider registered in v1.
+type PushSecretRemoteRef interface {
+	GetRemoteKey() string
+	GetProperty() string
+}

+ 76 - 0
apis/externalsecrets/v1/register.go

@@ -0,0 +1,76 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"reflect"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+// Package type metadata.
+const (
+	Group   = "external-secrets.io"
+	Version = "v1"
+)
+
+var (
+	// SchemeGroupVersion is group version used to register these objects.
+	SchemeGroupVersion = schema.GroupVersion{Group: Group, Version: Version}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
+	SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+// ExternalSecret type metadata.
+var (
+	ExtSecretKind             = reflect.TypeOf(ExternalSecret{}).Name()
+	ExtSecretGroupKind        = schema.GroupKind{Group: Group, Kind: ExtSecretKind}.String()
+	ExtSecretKindAPIVersion   = ExtSecretKind + "." + SchemeGroupVersion.String()
+	ExtSecretGroupVersionKind = SchemeGroupVersion.WithKind(ExtSecretKind)
+)
+
+// ClusterExternalSecret type metadata.
+var (
+	ClusterExtSecretKind             = reflect.TypeOf(ClusterExternalSecret{}).Name()
+	ClusterExtSecretGroupKind        = schema.GroupKind{Group: Group, Kind: ClusterExtSecretKind}.String()
+	ClusterExtSecretKindAPIVersion   = ClusterExtSecretKind + "." + SchemeGroupVersion.String()
+	ClusterExtSecretGroupVersionKind = SchemeGroupVersion.WithKind(ClusterExtSecretKind)
+)
+
+// SecretStore type metadata.
+var (
+	SecretStoreKind             = reflect.TypeOf(SecretStore{}).Name()
+	SecretStoreGroupKind        = schema.GroupKind{Group: Group, Kind: SecretStoreKind}.String()
+	SecretStoreKindAPIVersion   = SecretStoreKind + "." + SchemeGroupVersion.String()
+	SecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(SecretStoreKind)
+)
+
+// ClusterSecretStore type metadata.
+var (
+	ClusterSecretStoreKind             = reflect.TypeOf(ClusterSecretStore{}).Name()
+	ClusterSecretStoreGroupKind        = schema.GroupKind{Group: Group, Kind: ClusterSecretStoreKind}.String()
+	ClusterSecretStoreKindAPIVersion   = ClusterSecretStoreKind + "." + SchemeGroupVersion.String()
+	ClusterSecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(ClusterSecretStoreKind)
+)
+
+func init() {
+	SchemeBuilder.Register(&ExternalSecret{}, &ExternalSecretList{})
+	SchemeBuilder.Register(&ClusterExternalSecret{}, &ClusterExternalSecretList{})
+	SchemeBuilder.Register(&SecretStore{}, &SecretStoreList{})
+	SchemeBuilder.Register(&ClusterSecretStore{}, &ClusterSecretStoreList{})
+}

+ 50 - 0
apis/externalsecrets/v1/secretsstore_bitwarden_types.go

@@ -0,0 +1,50 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+// BitwardenSecretsManagerProvider configures a store to sync secrets with a Bitwarden Secrets Manager instance.
+type BitwardenSecretsManagerProvider struct {
+	APIURL                string `json:"apiURL,omitempty"`
+	IdentityURL           string `json:"identityURL,omitempty"`
+	BitwardenServerSDKURL string `json:"bitwardenServerSDKURL,omitempty"`
+	// Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
+	// can be performed.
+	// +optional
+	CABundle string `json:"caBundle,omitempty"`
+	// see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider
+	// +optional
+	CAProvider *CAProvider `json:"caProvider,omitempty"`
+	// OrganizationID determines which organization this secret store manages.
+	OrganizationID string `json:"organizationID"`
+	// ProjectID determines which project this secret store manages.
+	ProjectID string `json:"projectID"`
+	// Auth configures how secret-manager authenticates with a bitwarden machine account instance.
+	// Make sure that the token being used has permissions on the given secret.
+	Auth BitwardenSecretsManagerAuth `json:"auth"`
+}
+
+// BitwardenSecretsManagerAuth contains the ref to the secret that contains the machine account token.
+type BitwardenSecretsManagerAuth struct {
+	SecretRef BitwardenSecretsManagerSecretRef `json:"secretRef"`
+}
+
+// BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
+type BitwardenSecretsManagerSecretRef struct {
+	// AccessToken used for the bitwarden instance.
+	// +required
+	Credentials esmeta.SecretKeySelector `json:"credentials"`
+}
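Review bot: The HTTPS requirement for the Bitwarden SDK server is stated only in the `CABundle` comment. `APIURL`, `IdentityURL` and `BitwardenServerSDKURL` are plain strings with no doc comment and no schema constraint, so the CRD as written accepts an `http://` endpoint. If the provider's `ValidateStore` does not already reject non-HTTPS URLs (not visible in this section), a marker such as `// +kubebuilder:validation:Pattern="^https://"` on `BitwardenServerSDKURL` would enforce it at admission, since the machine account token is presumably sent over that connection. The `CAProvider` comment still links to the `v1alpha1.CAProvider` anchor although this file is package `v1`.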

+ 51 - 0
apis/externalsecrets/v1/secretsstore_delinea_types.go

@@ -0,0 +1,51 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+
+type DelineaProviderSecretRef struct {
+
+	// Value can be specified directly to set a value without using a secret.
+	// +optional
+	Value string `json:"value,omitempty"`
+
+	// SecretRef references a key in a secret that will be used as value.
+	// +optional
+	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
+}
+
+// See https://github.com/DelineaXPM/dsv-sdk-go/blob/main/vault/vault.go.
+type DelineaProvider struct {
+
+	// ClientID is the non-secret part of the credential.
+	ClientID *DelineaProviderSecretRef `json:"clientId"`
+
+	// ClientSecret is the secret part of the credential.
+	ClientSecret *DelineaProviderSecretRef `json:"clientSecret"`
+
+	// Tenant is the chosen hostname / site name.
+	Tenant string `json:"tenant"`
+
+	// URLTemplate
+	// If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
+	// +optional
+	URLTemplate string `json:"urlTemplate,omitempty"`
+
+	// TLD is based on the server location that was chosen during provisioning.
+	// If unset, defaults to "com".
+	// +optional
+	TLD string `json:"tld,omitempty"`
+}
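Review bot: `DelineaProviderSecretRef.Value` allows an inline value, and `ClientSecret` uses the same type as `ClientID`, so the secret half of the credential can sit in clear text in the SecretStore spec, where it is readable by anyone with get/list on the resource and is carried into etcd backups and manifests kept in version control. The same shape appears later in this commit in `SecretServerProviderRef` (used for `Password`) and `BeyondTrustProviderSecretRef` (used for `APIKey`, `ClientSecret` and `CertificateKey`). I would say so on the field, for example `// Value is stored in the resource in clear text; prefer SecretRef for ClientSecret.` Nothing in these types requires exactly one of `Value` and `SecretRef` to be set, so that check has to live in the provider's store validation, which is not visible in this section.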

+ 66 - 0
apis/externalsecrets/v1/secretsstore_infisical_types.go

@@ -0,0 +1,66 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+type UniversalAuthCredentials struct {
+	// +kubebuilder:validation:Required
+	ClientID esmeta.SecretKeySelector `json:"clientId"`
+	// +kubebuilder:validation:Required
+	ClientSecret esmeta.SecretKeySelector `json:"clientSecret"`
+}
+
+type InfisicalAuth struct {
+	// +optional
+	UniversalAuthCredentials *UniversalAuthCredentials `json:"universalAuthCredentials,omitempty"`
+}
+
+type MachineIdentityScopeInWorkspace struct {
+	// SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
+	// +kubebuilder:default="/"
+	// +optional
+	SecretsPath string `json:"secretsPath,omitempty"`
+	// Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
+	// +kubebuilder:default=false
+	// +optional
+	Recursive bool `json:"recursive,omitempty"`
+	// EnvironmentSlug is the required slug identifier for the environment.
+	// +kubebuilder:validation:Required
+	EnvironmentSlug string `json:"environmentSlug"`
+	// ProjectSlug is the required slug identifier for the project.
+	// +kubebuilder:validation:Required
+	ProjectSlug string `json:"projectSlug"`
+	// ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
+	// +kubebuilder:default=true
+	// +optional
+	ExpandSecretReferences bool `json:"expandSecretReferences,omitempty"`
+}
+
+// InfisicalProvider configures a store to sync secrets using the Infisical provider.
+type InfisicalProvider struct {
+	// Auth configures how the Operator authenticates with the Infisical API
+	// +kubebuilder:validation:Required
+	Auth InfisicalAuth `json:"auth"`
+	// SecretsScope defines the scope of the secrets within the workspace
+	// +kubebuilder:validation:Required
+	SecretsScope MachineIdentityScopeInWorkspace `json:"secretsScope"`
+	// HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
+	// +kubebuilder:default="https://app.infisical.com/api"
+	// +optional
+	HostAPI string `json:"hostAPI,omitempty"`
+}
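Review bot: `ExpandSecretReferences` is a non-pointer `bool` with `omitempty` and `+kubebuilder:default=true`, so an explicit `false` is dropped whenever the object is marshalled from Go and the API server then defaults it back to `true`; the opt-out may not survive a round trip through a Go client. Declaring the field as `ExpandSecretReferences *bool` with the same JSON tag keeps "unset" and "false" apart, at the cost of a nil check in the provider. `HostAPI` defaults to an https URL but accepts any string, so its comment should at least state that the client credentials are sent to this host and that it is expected to be HTTPS. The four types other than `InfisicalProvider` have no doc comment.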

+ 32 - 0
apis/externalsecrets/v1/secretsstore_passbolt_types.go

@@ -0,0 +1,32 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+// Passbolt contains a secretRef for the passbolt credentials.
+type PassboltAuth struct {
+	PasswordSecretRef   *esmeta.SecretKeySelector `json:"passwordSecretRef"`
+	PrivateKeySecretRef *esmeta.SecretKeySelector `json:"privateKeySecretRef"`
+}
+
+type PassboltProvider struct {
+	// Auth defines the information necessary to authenticate against Passbolt Server
+	Auth *PassboltAuth `json:"auth"`
+	// Host defines the Passbolt Server to connect to
+	Host string `json:"host"`
+}
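Review bot: `Auth`, `PasswordSecretRef` and `PrivateKeySecretRef` are pointers with no `+required` marker and no comment saying they must be set, so Go code that builds a `PassboltProvider` directly can pass a nil `Auth`; whether the provider nil-checks before dereferencing is not visible in this section. If all three are mandatory, either make them value fields or document it, for example `// Auth is required; both secret references must be set.` The comment on `PassboltAuth` starts with `Passbolt` rather than the type name, and `PassboltProvider` has no doc comment. The `Host` comment should state the expected scheme, since the private key and password are used against that server.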

+ 45 - 0
apis/externalsecrets/v1/secretsstore_secretserver_types.go

@@ -0,0 +1,45 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+
+type SecretServerProviderRef struct {
+
+	// Value can be specified directly to set a value without using a secret.
+	// +optional
+	Value string `json:"value,omitempty"`
+
+	// SecretRef references a key in a secret that will be used as value.
+	// +optional
+	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
+}
+
+// See https://github.com/DelineaXPM/tss-sdk-go/blob/main/server/server.go.
+type SecretServerProvider struct {
+
+	// Username is the secret server account username.
+	// +required
+	Username *SecretServerProviderRef `json:"username"`
+
+	// Password is the secret server account password.
+	// +required
+	Password *SecretServerProviderRef `json:"password"`
+
+	// ServerURL
+	// URL to your secret server installation
+	// +required
+	ServerURL string `json:"serverURL"`
+}

+ 1 - 1
apis/externalsecrets/v1alpha1/secretstore_akeyless_types.go → apis/externalsecrets/v1/secretstore_akeyless_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1alpha1
+package v1
 
 import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"

+ 9 - 9
apis/externalsecrets/v1alpha1/secretstore_alibaba_types.go → apis/externalsecrets/v1/secretstore_alibaba_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1alpha1
+package v1
 
 import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -26,14 +26,6 @@ type AlibabaAuth struct {
 	RRSAAuth *AlibabaRRSAAuth `json:"rrsa,omitempty"`
 }
 
-// Authenticate against Alibaba using RRSA.
-type AlibabaRRSAAuth struct {
-	OIDCProviderARN   string `json:"oidcProviderArn"`
-	OIDCTokenFilePath string `json:"oidcTokenFilePath"`
-	RoleARN           string `json:"roleArn"`
-	SessionName       string `json:"sessionName"`
-}
-
 // AlibabaAuthSecretRef holds secret references for Alibaba credentials.
 type AlibabaAuthSecretRef struct {
 	// The AccessKeyID is used for authentication
@@ -42,6 +34,14 @@ type AlibabaAuthSecretRef struct {
 	AccessKeySecret esmeta.SecretKeySelector `json:"accessKeySecretSecretRef"`
 }
 
+// Authenticate against Alibaba using RRSA.
+type AlibabaRRSAAuth struct {
+	OIDCProviderARN   string `json:"oidcProviderArn"`
+	OIDCTokenFilePath string `json:"oidcTokenFilePath"`
+	RoleARN           string `json:"roleArn"`
+	SessionName       string `json:"sessionName"`
+}
+
 // AlibabaProvider configures a store to sync secrets using the Alibaba Secret Manager provider.
 type AlibabaProvider struct {
 	Auth AlibabaAuth `json:"auth"`

+ 59 - 4
apis/externalsecrets/v1alpha1/secretstore_aws_types.go → apis/externalsecrets/v1/secretstore_aws_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1alpha1
+package v1
 
 import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -36,6 +36,12 @@ type AWSAuthSecretRef struct {
 
 	// The SecretAccessKey is used for authentication
 	SecretAccessKey esmeta.SecretKeySelector `json:"secretAccessKeySecretRef,omitempty"`
+
+	// The SessionToken used for authentication
+	// This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
+	// see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
+	// +Optional
+	SessionToken *esmeta.SecretKeySelector `json:"sessionTokenSecretRef,omitempty"`
 }
 
 // Authenticate against AWS using service account tokens.
@@ -48,14 +54,40 @@ type AWSJWTAuth struct {
 type AWSServiceType string
 
 const (
-	// AWSServiceSecretsManager is the AWS SecretsManager.
+	// AWSServiceSecretsManager is the AWS SecretsManager service.
 	// see: https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
 	AWSServiceSecretsManager AWSServiceType = "SecretsManager"
-	// AWSServiceParameterStore is the AWS SystemsManager ParameterStore.
+	// AWSServiceParameterStore is the AWS SystemsManager ParameterStore service.
 	// see: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html
 	AWSServiceParameterStore AWSServiceType = "ParameterStore"
 )
 
+// SecretsManager defines how the provider behaves when interacting with AWS
+// SecretsManager. Some of these settings are only applicable to controlling how
+// secrets are deleted, and hence only apply to PushSecret (and only when
+// deletionPolicy is set to Delete).
+type SecretsManager struct {
+	// Specifies whether to delete the secret without any recovery window. You
+	// can't use both this parameter and RecoveryWindowInDays in the same call.
+	// If you don't use either, then by default Secrets Manager uses a 30 day
+	// recovery window.
+	// see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
+	// +optional
+	ForceDeleteWithoutRecovery bool `json:"forceDeleteWithoutRecovery,omitempty"`
+	// The number of days from 7 to 30 that Secrets Manager waits before
+	// permanently deleting the secret. You can't use both this parameter and
+	// ForceDeleteWithoutRecovery in the same call. If you don't use either,
+	// then by default Secrets Manager uses a 30 day recovery window.
+	// see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
+	// +optional
+	RecoveryWindowInDays int64 `json:"recoveryWindowInDays,omitempty"`
+}
+
+type Tag struct {
+	Key   string `json:"key"`
+	Value string `json:"value"`
+}
+
 // AWSProvider configures a store to sync secrets with AWS.
 type AWSProvider struct {
 	// Service defines which service should be used to fetch the secrets
@@ -67,10 +99,33 @@ type AWSProvider struct {
 	// +optional
 	Auth AWSAuth `json:"auth,omitempty"`
 
-	// Role is a Role ARN which the SecretManager provider will assume
+	// Role is a Role ARN which the provider will assume
 	// +optional
 	Role string `json:"role,omitempty"`
 
 	// AWS Region to be used for the provider
 	Region string `json:"region"`
+
+	// AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
+	// +optional
+	AdditionalRoles []string `json:"additionalRoles,omitempty"`
+
+	// AWS External ID set on assumed IAM roles
+	ExternalID string `json:"externalID,omitempty"`
+
+	// AWS STS assume role session tags
+	// +optional
+	SessionTags []*Tag `json:"sessionTags,omitempty"`
+
+	// SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
+	// +optional
+	SecretsManager *SecretsManager `json:"secretsManager,omitempty"`
+
+	// AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
+	// +optional
+	TransitiveTagKeys []*string `json:"transitiveTagKeys,omitempty"`
+
+	// Prefix adds a prefix to all retrieved values.
+	// +optional
+	Prefix string `json:"prefix,omitempty"`
 }
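Review bot: The constraints documented on the new `SecretsManager` struct, that `RecoveryWindowInDays` is between 7 and 30 and cannot be combined with `ForceDeleteWithoutRecovery`, exist only in comments; the schema accepts any int64 and both fields together, so a bad combination would presumably surface only when the delete call is made. Because `ForceDeleteWithoutRecovery` removes the recovery window entirely, I would enforce these at admission with `// +kubebuilder:validation:Minimum=7` and `// +kubebuilder:validation:Maximum=30` on `RecoveryWindowInDays`, plus a mutual-exclusion check in the store validation (not visible in this section). In the first hunk the marker on `SessionToken` is written `+Optional`, unlike every other `+optional` in the file, and may not be recognised by the generator. `ExternalID` carries no `+optional` marker, and "multiple rules" in the `TransitiveTagKeys` comment probably means "multiple roles".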

+ 33 - 4
apis/externalsecrets/v1alpha1/secretstore_azurekv_types.go → apis/externalsecrets/v1/secretstore_azurekv_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1alpha1
+package v1
 
 import smmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 
@@ -34,6 +34,20 @@ const (
 	AzureWorkloadIdentity AzureAuthType = "WorkloadIdentity"
 )
 
+// AzureEnvironmentType specifies the Azure cloud environment endpoints to use for
+// connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
+// The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
+// PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
+// +kubebuilder:validation:Enum=PublicCloud;USGovernmentCloud;ChinaCloud;GermanCloud
+type AzureEnvironmentType string
+
+const (
+	AzureEnvironmentPublicCloud       AzureEnvironmentType = "PublicCloud"
+	AzureEnvironmentUSGovernmentCloud AzureEnvironmentType = "USGovernmentCloud"
+	AzureEnvironmentChinaCloud        AzureEnvironmentType = "ChinaCloud"
+	AzureEnvironmentGermanCloud       AzureEnvironmentType = "GermanCloud"
+)
+
 // Configures an store to sync secrets using Azure KV.
 type AzureKVProvider struct {
 	// Auth type defines how to authenticate to the keyvault service.
@@ -47,11 +61,18 @@ type AzureKVProvider struct {
 	// Vault Url from which the secrets to be fetched from.
 	VaultURL *string `json:"vaultUrl"`
 
-	// TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
+	// TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
 	// +optional
 	TenantID *string `json:"tenantId,omitempty"`
 
-	// Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
+	// EnvironmentType specifies the Azure cloud environment endpoints to use for
+	// connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
+	// The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
+	// PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
+	// +kubebuilder:default=PublicCloud
+	EnvironmentType AzureEnvironmentType `json:"environmentType,omitempty"`
+
+	// Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
 	// +optional
 	AuthSecretRef *AzureKVAuth `json:"authSecretRef,omitempty"`
 
@@ -67,11 +88,19 @@ type AzureKVProvider struct {
 
 // Configuration used to authenticate with Azure.
 type AzureKVAuth struct {
-	// The Azure clientId of the service principle used for authentication.
+	// The Azure clientId of the service principle or managed identity used for authentication.
 	// +optional
 	ClientID *smmeta.SecretKeySelector `json:"clientId,omitempty"`
 
+	// The Azure tenantId of the managed identity used for authentication.
+	// +optional
+	TenantID *smmeta.SecretKeySelector `json:"tenantId,omitempty"`
+
 	// The Azure ClientSecret of the service principle used for authentication.
 	// +optional
 	ClientSecret *smmeta.SecretKeySelector `json:"clientSecret,omitempty"`
+
+	// The Azure ClientCertificate of the service principle used for authentication.
+	// +optional
+	ClientCertificate *smmeta.SecretKeySelector `json:"clientCertificate,omitempty"`
 }

+ 67 - 0
apis/externalsecrets/v1/secretstore_beyondtrust_types.go

@@ -0,0 +1,67 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+
+type BeyondTrustProviderSecretRef struct {
+
+	// Value can be specified directly to set a value without using a secret.
+	// +optional
+	Value string `json:"value,omitempty"`
+
+	// SecretRef references a key in a secret that will be used as value.
+	// +optional
+	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
+}
+
+// Configures a store to sync secrets using BeyondTrust Password Safe.
+type BeyondtrustAuth struct {
+	// APIKey If not provided then ClientID/ClientSecret become required.
+	APIKey *BeyondTrustProviderSecretRef `json:"apiKey,omitempty"`
+	// ClientID is the API OAuth Client ID.
+	ClientID *BeyondTrustProviderSecretRef `json:"clientId,omitempty"`
+	// ClientSecret is the API OAuth Client Secret.
+	ClientSecret *BeyondTrustProviderSecretRef `json:"clientSecret,omitempty"`
+	// Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
+	Certificate *BeyondTrustProviderSecretRef `json:"certificate,omitempty"`
+	// Certificate private key (key.pem). For use when authenticating with an OAuth client Id
+	CertificateKey *BeyondTrustProviderSecretRef `json:"certificateKey,omitempty"`
+}
+
+// Configures a store to sync secrets using BeyondTrust Password Safe.
+type BeyondtrustServer struct {
+	// +required - BeyondTrust Password Safe API URL. https://example.com:443/beyondtrust/api/public/V3.
+	APIURL string `json:"apiUrl"`
+	// +optional - The recommended version is 3.1. If no version is specified, the default API version 3.0 will be used
+	APIVersion string `json:"apiVersion,omitempty"`
+	// The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
+	RetrievalType string `json:"retrievalType,omitempty"`
+	// A character that separates the folder names.
+	Separator string `json:"separator,omitempty"`
+	// +required - Indicates whether to verify the certificate authority on the Secrets Safe instance. Warning - false is insecure, instructs the BT provider not to verify the certificate authority.
+	VerifyCA bool `json:"verifyCA"`
+	// Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
+	ClientTimeOutSeconds int `json:"clientTimeOutSeconds,omitempty"`
+}
+
+type BeyondtrustProvider struct {
+
+	// Auth configures how the operator authenticates with Beyondtrust.
+	Auth *BeyondtrustAuth `json:"auth"`
+
+	// Auth configures how API server works.
+	Server *BeyondtrustServer `json:"server"`
+}
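Review bot: `VerifyCA` is a plain `bool` whose zero value is the insecure setting, so any Go code that builds a `BeyondtrustServer` without setting it ends up with certificate-authority verification turned off. Its marker is written as `// +required - Indicates …` with the description on the same line, which the marker parser may not read as `+required`; a separate `// +required` line after the description would remove the doubt, here and on `APIURL` and `APIVersion`. Since the field name is now part of the API, the least the provider should do is return an admission warning from `ValidateStore` when `VerifyCA` is false. `RetrievalType` documents two values without an enum marker; if those are the only ones accepted, `// +kubebuilder:validation:Enum=SECRET;MANAGED_ACCOUNT` would reject typos at admission. `BeyondtrustServer` repeats the doc comment of `BeyondtrustAuth`, and the comment on the `Server` field begins with `Auth`.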

+ 38 - 0
apis/externalsecrets/v1/secretstore_chef_types.go

@@ -0,0 +1,38 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+// ChefAuth contains a secretRef for credentials.
+type ChefAuth struct {
+	SecretRef ChefAuthSecretRef `json:"secretRef"`
+}
+
+// ChefAuthSecretRef holds secret references for chef server login credentials.
+type ChefAuthSecretRef struct {
+	// SecretKey is the Signing Key in PEM format, used for authentication.
+	SecretKey esmeta.SecretKeySelector `json:"privateKeySecretRef"`
+}
+
+// ChefProvider configures a store to sync secrets using basic chef server connection credentials.
+type ChefProvider struct {
+	// Auth defines the information necessary to authenticate against chef Server
+	Auth *ChefAuth `json:"auth"`
+	// UserName should be the user ID on the chef server
+	UserName string `json:"username"`
+	// ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
+	ServerURL string `json:"serverUrl"`
+}

+ 41 - 0
apis/externalsecrets/v1/secretstore_cloudru_types.go

@@ -0,0 +1,41 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+// CSMAuth contains a secretRef for credentials.
+type CSMAuth struct {
+	// +optional
+	SecretRef *CSMAuthSecretRef `json:"secretRef,omitempty"`
+}
+
+// CSMAuthSecretRef holds secret references for Cloud.ru credentials.
+type CSMAuthSecretRef struct {
+	// The AccessKeyID is used for authentication
+	AccessKeyID esmeta.SecretKeySelector `json:"accessKeyIDSecretRef"`
+	// The AccessKeySecret is used for authentication
+	AccessKeySecret esmeta.SecretKeySelector `json:"accessKeySecretSecretRef"`
+}
+
+// CloudruSMProvider configures a store to sync secrets using the Cloud.ru Secret Manager provider.
+type CloudruSMProvider struct {
+	Auth CSMAuth `json:"auth"`
+
+	// ProjectID is the project, which the secrets are stored in.
+	ProjectID string `json:"projectID,omitempty"`
+}
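Review bot: `CSMAuth.SecretRef` is a pointer marked `+optional` with `omitempty`, yet it is the only authentication method the type declares, so a store with `auth: {}` passes schema validation and hands the provider a nil reference. Unless another credential source exists outside this file, drop the marker and `omitempty` so the API server rejects such a store, or make sure the provider nil-checks before dereferencing. `PreviderAuth.SecretRef` in secretstore_previder_types.go has the same shape, and `FortanixProvider.APIKey` in secretstore_fortanix_types.go is likewise optional through `omitempty`. `CloudruSMProvider.Auth` has no comment; `// Auth configures how the operator authenticates with Cloud.ru.` would match the neighbouring files.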

+ 81 - 0
apis/externalsecrets/v1/secretstore_conjur_types.go

@@ -0,0 +1,81 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+
+type ConjurProvider struct {
+	// URL is the endpoint of the Conjur instance.
+	URL string `json:"url"`
+
+	// CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
+	// +optional
+	CABundle string `json:"caBundle,omitempty"`
+
+	// Used to provide custom certificate authority (CA) certificates
+	// for a secret store. The CAProvider points to a Secret or ConfigMap resource
+	// that contains a PEM-encoded certificate.
+	// +optional
+	CAProvider *CAProvider `json:"caProvider,omitempty"`
+
+	// Defines authentication settings for connecting to Conjur.
+	Auth ConjurAuth `json:"auth"`
+}
+
+type ConjurAuth struct {
+	// Authenticates with Conjur using an API key.
+	// +optional
+	APIKey *ConjurAPIKey `json:"apikey,omitempty"`
+
+	// Jwt enables JWT authentication using Kubernetes service account tokens.
+	// +optional
+	Jwt *ConjurJWT `json:"jwt,omitempty"`
+}
+
+type ConjurAPIKey struct {
+	// Account is the Conjur organization account name.
+	Account string `json:"account"`
+
+	// A reference to a specific 'key' containing the Conjur username
+	// within a Secret resource. In some instances, `key` is a required field.
+	UserRef *esmeta.SecretKeySelector `json:"userRef"`
+
+	// A reference to a specific 'key' containing the Conjur API key
+	// within a Secret resource. In some instances, `key` is a required field.
+	APIKeyRef *esmeta.SecretKeySelector `json:"apiKeyRef"`
+}
+
+type ConjurJWT struct {
+	// Account is the Conjur organization account name.
+	Account string `json:"account"`
+
+	// The conjur authn jwt webservice id
+	ServiceID string `json:"serviceID"`
+
+	// Optional HostID for JWT authentication. This may be used depending
+	// on how the Conjur JWT authenticator policy is configured.
+	// +optional
+	HostID string `json:"hostId"`
+
+	// Optional SecretRef that refers to a key in a Secret resource containing JWT token to
+	// authenticate with Conjur using the JWT authentication method.
+	// +optional
+	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
+
+	// Optional ServiceAccountRef specifies the Kubernetes service account for which to request
+	// a token for with the `TokenRequest` API.
+	// +optional
+	ServiceAccountRef *esmeta.ServiceAccountSelector `json:"serviceAccountRef,omitempty"`
+}
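Review bot: `ConjurAuth` declares `APIKey` and `Jwt` as optional pointers with no constraint that exactly one is set, so the schema accepts a store with neither or both and the choice is left to the provider. `IBMAuth` in this same commit handles this with `// +kubebuilder:validation:MinProperties=1` and `// +kubebuilder:validation:MaxProperties=1` on the type; the same two markers would fit here. Separately, `HostID` is marked `+optional` but its tag is `json:"hostId"` without `omitempty`, unlike the other optional fields in the file. `ConjurProvider`, `ConjurAuth`, `ConjurAPIKey` and `ConjurJWT` have no doc comment, so the generated CRD has no description for them.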

+ 38 - 0
apis/externalsecrets/v1/secretstore_device42_types.go

@@ -0,0 +1,38 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+// Device42Provider configures a store to sync secrets with a Device42 instance.
+type Device42Provider struct {
+	// URL configures the Device42 instance URL.
+	Host string `json:"host"`
+
+	// Auth configures how secret-manager authenticates with a Device42 instance.
+	Auth Device42Auth `json:"auth"`
+}
+
+type Device42Auth struct {
+	SecretRef Device42SecretRef `json:"secretRef"`
+}
+
+type Device42SecretRef struct {
+	// Username / Password is used for authentication.
+	// +optional
+	Credentials esmeta.SecretKeySelector `json:"credentials,omitempty"`
+}
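Review bot: The comment on `Host` reads `// URL configures the Device42 instance URL.` while the field and its JSON key are `host`, so a reader cannot tell whether a scheme is expected. Something like `// Host is the host name of the Device42 instance.` would match the field, with the wording confirmed against the provider. `Device42SecretRef.Credentials` is marked `+optional` although it is the only credential the store can carry, which lets a store without credentials through validation. `Device42Auth` and `Device42SecretRef` have no doc comment.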

+ 57 - 0
apis/externalsecrets/v1/secretstore_doppler_types.go

@@ -0,0 +1,57 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+// Set DOPPLER_BASE_URL and DOPPLER_VERIFY_TLS environment variables to override defaults
+
+type DopplerAuth struct {
+	SecretRef DopplerAuthSecretRef `json:"secretRef"`
+}
+
+type DopplerAuthSecretRef struct {
+	// The DopplerToken is used for authentication.
+	// See https://docs.doppler.com/reference/api#authentication for auth token types.
+	// The Key attribute defaults to dopplerToken if not specified.
+	DopplerToken esmeta.SecretKeySelector `json:"dopplerToken"`
+}
+
+// DopplerProvider configures a store to sync secrets using the Doppler provider.
+// Project and Config are required if not using a Service Token.
+type DopplerProvider struct {
+	// Auth configures how the Operator authenticates with the Doppler API
+	Auth *DopplerAuth `json:"auth"`
+
+	// Doppler project (required if not using a Service Token)
+	// +optional
+	Project string `json:"project,omitempty"`
+
+	// Doppler config (required if not using a Service Token)
+	// +optional
+	Config string `json:"config,omitempty"`
+
+	// Environment variable compatible name transforms that change secret names to a different format
+	// +kubebuilder:validation:Enum=upper-camel;camel;lower-snake;tf-var;dotnet-env;lower-kebab
+	// +optional
+	NameTransformer string `json:"nameTransformer,omitempty"`
+
+	// Format enables the downloading of secrets as a file (string)
+	// +kubebuilder:validation:Enum=json;dotnet-json;env;yaml;docker
+	// +optional
+	Format string `json:"format,omitempty"`
+}
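Review bot: The free-standing comment `// Set DOPPLER_BASE_URL and DOPPLER_VERIFY_TLS environment variables to override defaults` is attached to no type, so it never reaches the generated CRD docs, and it does not say where the variables are read or what they weaken. Presumably they are read in the controller process and apply to every Doppler store. If so, the comment should say that turning TLS verification off sends the `dopplerToken` over a connection whose peer is not authenticated. `DopplerAuth` and `DopplerAuthSecretRef` have no type comment; `// DopplerAuth configures authentication against the Doppler API through a secret reference.` would do for the first.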

+ 4 - 5
apis/externalsecrets/v1alpha1/secretstore_fake_types.go → apis/externalsecrets/v1/secretstore_fake_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1alpha1
+package v1
 
 // FakeProvider configures a fake provider that returns static values.
 type FakeProvider struct {
@@ -20,8 +20,7 @@ type FakeProvider struct {
 }
 
 type FakeProviderData struct {
-	Key      string            `json:"key"`
-	Value    string            `json:"value,omitempty"`
-	ValueMap map[string]string `json:"valueMap,omitempty"`
-	Version  string            `json:"version,omitempty"`
+	Key     string `json:"key"`
+	Value   string `json:"value"`
+	Version string `json:"version,omitempty"`
 }
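Review bot: `Value` loses `omitempty` in the same change that deletes `ValueMap`, so in the generated schema `value` becomes a required key and `valueMap` is no longer a known field. Stores written with only `valueMap` would presumably be rejected or have that field pruned once served as v1, and the hunk carries no migration hint. A field comment such as `// Value is the static value returned for Key. Required; ValueMap was removed in v1.` would record the change where users look. `FakeProviderData` itself has no doc comment; `FakeProvider` begins outside the hunk.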

+ 29 - 0
apis/externalsecrets/v1/secretstore_fortanix_types.go

@@ -0,0 +1,29 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package v1
+
+import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+
+type FortanixProvider struct {
+	// APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
+	APIURL string `json:"apiUrl,omitempty"`
+
+	// APIKey is the API token to access SDKMS Applications.
+	APIKey *FortanixProviderSecretRef `json:"apiKey,omitempty"`
+}
+
+type FortanixProviderSecretRef struct {
+	// SecretRef is a reference to a secret containing the SDKMS API Key.
+	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
+}

+ 17 - 4
apis/externalsecrets/v1alpha1/secretstore_gcpsm_types.go → apis/externalsecrets/v1/secretstore_gcpsm_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1alpha1
+package v1
 
 import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -32,10 +32,20 @@ type GCPSMAuthSecretRef struct {
 }
 
 type GCPWorkloadIdentity struct {
+	// +kubebuilder:validation:Required
 	ServiceAccountRef esmeta.ServiceAccountSelector `json:"serviceAccountRef"`
-	ClusterLocation   string                        `json:"clusterLocation"`
-	ClusterName       string                        `json:"clusterName"`
-	ClusterProjectID  string                        `json:"clusterProjectID,omitempty"`
+	// ClusterLocation is the location of the cluster
+	// If not specified, it fetches information from the metadata server
+	// +optional
+	ClusterLocation string `json:"clusterLocation,omitempty"`
+	// ClusterName is the name of the cluster
+	// If not specified, it fetches information from the metadata server
+	// +optional
+	ClusterName string `json:"clusterName,omitempty"`
+	// ClusterProjectID is the project ID of the cluster
+	// If not specified, it fetches information from the metadata server
+	// +optional
+	ClusterProjectID string `json:"clusterProjectID,omitempty"`
 }
 
 // GCPSMProvider Configures a store to sync secrets using the GCP Secret Manager provider.
@@ -46,4 +56,7 @@ type GCPSMProvider struct {
 
 	// ProjectID project where secret is located
 	ProjectID string `json:"projectID,omitempty"`
+
+	// Location optionally defines a location for a secret
+	Location string `json:"location,omitempty"`
 }
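Review bot: The new comments on `ClusterLocation`, `ClusterName` and `ClusterProjectID` say the value is fetched `from the metadata server` when unset, without saying which server or what happens when none is reachable. These values presumably decide which workload identity pool the service account token is exchanged against, so the fallback should be spelled out, e.g. `// If not specified, it is read from the metadata server of the node the controller runs on.` (to be confirmed against the provider). `Location` is documented only as `optionally defines a location for a secret`; it should state what the value selects and what an empty value means. `GCPSMProvider` begins outside the hunk.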

+ 52 - 0
apis/externalsecrets/v1/secretstore_github_types.go

@@ -0,0 +1,52 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+// Configures a store to push secrets to Github Actions.
+type GithubProvider struct {
+	// URL configures the Github instance URL. Defaults to https://github.com/.
+	//+kubebuilder:default="https://github.com/"
+	URL string `json:"url,omitempty"`
+	// Upload URL for enterprise instances. Default to URL.
+	//+optional
+	UploadURL string `json:"uploadURL,omitempty"`
+	// auth configures how secret-manager authenticates with a Github instance.
+	Auth GithubAppAuth `json:"auth"`
+
+	// appID specifies the Github APP that will be used to authenticate the client
+	AppID int64 `json:"appID"`
+
+	// installationID specifies the Github APP installation that will be used to authenticate the client
+	InstallationID int64 `json:"installationID"`
+
+	// organization will be used to fetch secrets from the Github organization
+	Organization string `json:"organization"`
+
+	// repository will be used to fetch secrets from the Github repository within an organization
+	//+optional
+	Repository string `json:"repository,omitempty"`
+
+	// environment will be used to fetch secrets from a particular environment within a github repository
+	//+optional
+	Environment string `json:"environment,omitempty"`
+}
+
+type GithubAppAuth struct {
+	PrivateKey esmeta.SecretKeySelector `json:"privateKey"`
+}
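Review bot: The type comment says the store is used `to push secrets to Github Actions`, while the comments on `Organization`, `Repository` and `Environment` all say `will be used to fetch secrets`; one of the two is wrong, and the field text ends up in the CRD description. The field comments also open with the lower-case JSON name (`auth`, `appID`, `organization`) instead of the Go field name, and the markers are written `//+optional` and `//+kubebuilder:default=...` without the space used in the other v1 type files. `GithubAppAuth` and `PrivateKey` have no comment; `// PrivateKey references the secret key holding the Github App private key.` would fit, assuming that is what the selector points at.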

+ 10 - 1
apis/externalsecrets/v1alpha1/secretstore_gitlab_types.go → apis/externalsecrets/v1/secretstore_gitlab_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1alpha1
+package v1
 
 import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -28,6 +28,15 @@ type GitlabProvider struct {
 
 	// ProjectID specifies a project where secrets are located.
 	ProjectID string `json:"projectID,omitempty"`
+
+	// InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
+	InheritFromGroups bool `json:"inheritFromGroups,omitempty"`
+
+	// GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
+	GroupIDs []string `json:"groupIDs,omitempty"`
+
+	// Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
+	Environment string `json:"environment,omitempty"`
 }
 
 type GitlabAuth struct {
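Review bot: `InheritFromGroups` and `GroupIDs` both widen what a store can read beyond `ProjectID`, but the comments do not say how the two combine or which value wins when a variable exists in a discovered parent group, a listed group and the project. The `GroupIDs` comment gives an order only for the listed groups (`left to right followed by the project variables`). Since this decides which secret value a workload receives, state the precedence in one place, and whether setting both fields is allowed. The `Environment` comment starts `Environment environment_scope of gitlab CI/CD variables`; `// Environment is the environment_scope of the gitlab CI/CD variables to read.` reads cleanly. `GitlabProvider` begins outside the hunk.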

+ 16 - 3
apis/externalsecrets/v1alpha1/secretstore_ibm_types.go → apis/externalsecrets/v1/secretstore_ibm_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1alpha1
+package v1
 
 import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -28,12 +28,25 @@ type IBMProvider struct {
 	ServiceURL *string `json:"serviceUrl,omitempty"`
 }
 
+// +kubebuilder:validation:MinProperties=1
+// +kubebuilder:validation:MaxProperties=1
 type IBMAuth struct {
-	SecretRef IBMAuthSecretRef `json:"secretRef"`
+	SecretRef     *IBMAuthSecretRef     `json:"secretRef,omitempty"`
+	ContainerAuth *IBMAuthContainerAuth `json:"containerAuth,omitempty"`
 }
 
 type IBMAuthSecretRef struct {
 	// The SecretAccessKey is used for authentication
-	// +optional
 	SecretAPIKey esmeta.SecretKeySelector `json:"secretApiKeySecretRef,omitempty"`
 }
+
+// IBM Container-based auth with IAM Trusted Profile.
+type IBMAuthContainerAuth struct {
+	// the IBM Trusted Profile
+	Profile string `json:"profile"`
+
+	// Location the token is mounted on the pod
+	TokenLocation string `json:"tokenLocation,omitempty"`
+
+	IAMEndpoint string `json:"iamEndpoint,omitempty"`
+}
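Review bot: Removing `+optional` from `SecretAPIKey` does not make the key required as far as the generated schema goes, because the tag still carries `omitempty` (`json:"secretApiKeySecretRef,omitempty"`); `secretRef: {}` therefore satisfies the new `MinProperties=1` on `IBMAuth` while carrying no credential. Dropping `omitempty` from that tag would close the gap. `SecretRef` is now a pointer, so any consumer that read `Auth.SecretRef.SecretAPIKey` directly needs a nil check; those call sites are outside this hunk. `IAMEndpoint` has no comment and, like `TokenLocation`, is taken from the manifest as-is, so the docs should give the default for each and note that the endpoint is presumably where the mounted token is sent.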

+ 6 - 6
apis/externalsecrets/v1beta1/secretstore_conversion.go → apis/externalsecrets/v1/secretstore_keepersecurity_types.go

@@ -12,12 +12,12 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1beta1
+package v1
 
-func (*SecretStore) Hub() {
-	// Hub() method to be compliant with the conversion Hub interface
-}
+import smmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 
-func (*ClusterSecretStore) Hub() {
-	// Hub() method to be compliant with the conversion Hub interface
+// KeeperSecurityProvider Configures a store to sync secrets using Keeper Security.
+type KeeperSecurityProvider struct {
+	Auth     smmeta.SecretKeySelector `json:"authRef"`
+	FolderID string                   `json:"folderID"`
 }
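Review bot: `KeeperSecurityProvider` imports the meta package as `smmeta` where the other v1 type files visible in this commit use `esmeta`, and neither `Auth` nor `FolderID` has a comment, so the generated CRD shows both without a description. Suggested, to be confirmed against the provider: `// Auth references the secret key holding the Keeper Security configuration.` and `// FolderID is the Keeper folder the secrets are read from.`. The page presents this file as a rename of secretstore_conversion.go, which looks like a similarity match only: the `Hub()` methods on the removed side are deleted, not moved here.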

+ 8 - 15
apis/externalsecrets/v1alpha1/secretstore_kubernetes_types.go → apis/externalsecrets/v1/secretstore_kubernetes_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1alpha1
+package v1
 
 import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -32,23 +32,22 @@ type KubernetesServer struct {
 	// see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider
 	// +optional
 	CAProvider *CAProvider `json:"caProvider,omitempty"`
-
-	// there's still room for impersonation or proxy settings:
-	// Impersonate-User
-	// Impersonate-Group
-	// Impersonate-Extra-( extra name )
-	// Impersonate-Uid
-	// Proxy Settings
 }
 
 // Configures a store to sync secrets with a Kubernetes instance.
 type KubernetesProvider struct {
 	// configures the Kubernetes server Address.
+	// +optional
 	Server KubernetesServer `json:"server,omitempty"`
 
 	// Auth configures how secret-manager authenticates with a Kubernetes instance.
+	// +optional
 	Auth KubernetesAuth `json:"auth"`
 
+	// A reference to a secret that contains the auth information.
+	// +optional
+	AuthRef *esmeta.SecretKeySelector `json:"authRef,omitempty"`
+
 	// Remote namespace to fetch the secrets from
 	// +optional
 	// +kubebuilder:default=default
@@ -71,9 +70,7 @@ type KubernetesAuth struct {
 
 	// points to a service account that should be used for authentication
 	// +optional
-	ServiceAccount *ServiceAccountAuth `json:"serviceAccount,omitempty"`
-
-	// possibly exec or webhook
+	ServiceAccount *esmeta.ServiceAccountSelector `json:"serviceAccount,omitempty"`
 }
 
 type CertAuth struct {
@@ -84,7 +81,3 @@ type CertAuth struct {
 type TokenAuth struct {
 	BearerToken esmeta.SecretKeySelector `json:"bearerToken,omitempty"`
 }
-
-type ServiceAccountAuth struct {
-	ServiceAccountRef esmeta.ServiceAccountSelector `json:"serviceAccount,omitempty"`
-}
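Review bot: With `AuthRef` added, `Server`, `Auth` and `AuthRef` are all marked `+optional`, but nothing in the hunk says which one wins when both `auth` and `authRef` are present, or what the referenced secret has to contain. The comment `A reference to a secret that contains the auth information.` should state the expected content and the precedence, for instance `// AuthRef references a secret key holding the connection configuration; when set, Server and Auth are not used.` once confirmed against the provider. `Auth` is marked `+optional` while its tag stays `json:"auth"` without `omitempty`, so marker and tag disagree. `KubernetesServer` and `KubernetesAuth` begin outside the hunks.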

+ 50 - 0
apis/externalsecrets/v1/secretstore_onboardbase_types.go

@@ -0,0 +1,50 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+// OnboardbaseAuthSecretRef holds secret references for onboardbase API Key credentials.
+type OnboardbaseAuthSecretRef struct {
+	// OnboardbaseAPIKey is the APIKey generated by an admin account.
+	// It is used to recognize and authorize access to a project and environment within onboardbase
+	// +kubebuilder:validation:Required
+	OnboardbaseAPIKeyRef esmeta.SecretKeySelector `json:"apiKeyRef"`
+	// OnboardbasePasscode is the passcode attached to the API Key
+	// +kubebuilder:validation:Required
+	OnboardbasePasscodeRef esmeta.SecretKeySelector `json:"passcodeRef"`
+}
+
+// OnboardbaseProvider configures a store to sync secrets using the Onboardbase provider.
+// Project and Config are required if not using a Service Token.
+type OnboardbaseProvider struct {
+	// Auth configures how the Operator authenticates with the Onboardbase API
+	Auth *OnboardbaseAuthSecretRef `json:"auth"`
+
+	// APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
+	// +kubebuilder:default:="https://public.onboardbase.com/api/v1/"
+	APIHost string `json:"apiHost"`
+
+	// Project is an onboardbase project that the secrets should be pulled from
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default:="development"
+	Project string `json:"project"`
+	// Environment is the name of an environmnent within a project to pull the secrets from
+	// +kubebuilder:validation:Required
+	// +kubebuilder:default:="development"
+	Environment string `json:"environment"`
+}
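Review bot: The type comment `// Project and Config are required if not using a Service Token.` is carried over from the Doppler provider and describes things this struct does not have (a `Config` field, service tokens); it should be dropped or rewritten for Onboardbase. `Project` and `Environment` are marked `+kubebuilder:validation:Required` and also given the default `development`, so an omitted environment silently resolves to `development`; the comment should say so, since it decides which set of secrets is pulled. The field comments name `OnboardbaseAPIKey` and `OnboardbasePasscode` while the fields are `OnboardbaseAPIKeyRef` and `OnboardbasePasscodeRef`, and `environmnent` is misspelled.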

+ 40 - 0
apis/externalsecrets/v1/secretstore_onepassword_types.go

@@ -0,0 +1,40 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+// OnePasswordAuth contains a secretRef for credentials.
+type OnePasswordAuth struct {
+	SecretRef *OnePasswordAuthSecretRef `json:"secretRef"`
+}
+
+// OnePasswordAuthSecretRef holds secret references for 1Password credentials.
+type OnePasswordAuthSecretRef struct {
+	// The ConnectToken is used for authentication to a 1Password Connect Server.
+	ConnectToken esmeta.SecretKeySelector `json:"connectTokenSecretRef"`
+}
+
+// OnePasswordProvider configures a store to sync secrets using the 1Password Secret Manager provider.
+type OnePasswordProvider struct {
+	// Auth defines the information necessary to authenticate against OnePassword Connect Server
+	Auth *OnePasswordAuth `json:"auth"`
+	// ConnectHost defines the OnePassword Connect Server to connect to
+	ConnectHost string `json:"connectHost"`
+	// Vaults defines which OnePassword vaults to search in which order
+	Vaults map[string]int `json:"vaults"`
+}

+ 3 - 3
apis/externalsecrets/v1alpha1/secretstore_oracle_types.go → apis/externalsecrets/v1/secretstore_oracle_types.go

@@ -10,7 +10,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1alpha1
+package v1
 
 import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -54,8 +54,7 @@ type OracleProvider struct {
 	PrincipalType OraclePrincipalType `json:"principalType,omitempty"`
 
 	// Auth configures how secret-manager authenticates with the Oracle Vault.
-	// If empty, instance principal is used. Optionally, the authenticating principal type
-	// and/or user data may be supplied for the use of workload identity and user principal.
+	// If empty, use the instance principal, otherwise the user credentials specified in Auth.
 	// +optional
 	Auth *OracleAuth `json:"auth,omitempty"`
 
@@ -66,6 +65,7 @@ type OracleProvider struct {
 }
 
 type OracleAuth struct {
+
 	// Tenancy is the tenancy OCID where user is located.
 	Tenancy string `json:"tenancy"`
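Review bot: The rewritten comment on `Auth`, `If empty, use the instance principal, otherwise the user credentials specified in Auth.`, no longer mentions workload identity, although the `PrincipalType` field directly above it is kept. If `PrincipalType` still selects workload identity, the comment now misdescribes the fallback, which matters because it tells users which identity the controller presents to the vault; keeping the removed wording would avoid that. The blank line added after `type OracleAuth struct {` is stray. Both `OracleProvider` and `OracleAuth` extend beyond the hunks.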
 

+ 2 - 1
apis/externalsecrets/v1alpha1/secretstore_passworddepot_types.go → apis/externalsecrets/v1/secretstore_passworddeport_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1alpha1
+package v1
 
 import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -36,5 +36,6 @@ type PasswordDepotAuth struct {
 
 type PasswordDepotSecretRef struct {
 	// Username / Password is used for authentication.
+	// +optional
 	Credentials esmeta.SecretKeySelector `json:"credentials,omitempty"`
 }
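Review bot: The new path is `secretstore_passworddeport_types.go`, with `deport` instead of `depot`, while the types inside are still named `PasswordDepot...`; the file should be `secretstore_passworddepot_types.go` so it can be found by provider name. The added `+optional` on `Credentials` marks the only credential of `PasswordDepotSecretRef` as optional, which lets a store without credentials pass validation; if that is not intended, drop the marker and `omitempty`. `PasswordDepotSecretRef` has no type comment.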

+ 38 - 0
apis/externalsecrets/v1/secretstore_previder_types.go

@@ -0,0 +1,38 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+// PreviderProvider configures a store to sync secrets using the Previder Secret Manager provider.
+type PreviderProvider struct {
+	Auth PreviderAuth `json:"auth"`
+	// +optional
+	BaseURI string `json:"baseUri,omitempty"`
+}
+
+// PreviderAuth contains a secretRef for credentials.
+type PreviderAuth struct {
+	// +optional
+	SecretRef *PreviderAuthSecretRef `json:"secretRef,omitempty"`
+}
+
+// PreviderAuthSecretRef holds secret references for Previder Vault credentials.
+type PreviderAuthSecretRef struct {
+	// The AccessToken is used for authentication
+	AccessToken esmeta.SecretKeySelector `json:"accessToken"`
+}

+ 45 - 0
apis/externalsecrets/v1/secretstore_pulumi_types.go

@@ -0,0 +1,45 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+type PulumiProvider struct {
+	// APIURL is the URL of the Pulumi API.
+	// +kubebuilder:default="https://api.pulumi.com/api/esc"
+	APIURL string `json:"apiUrl,omitempty"`
+
+	// AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
+	AccessToken *PulumiProviderSecretRef `json:"accessToken"`
+
+	// Organization are a space to collaborate on shared projects and stacks.
+	// To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
+	Organization string `json:"organization"`
+
+	// Project is the name of the Pulumi ESC project the environment belongs to.
+	Project string `json:"project"`
+	// Environment are YAML documents composed of static key-value pairs, programmatic expressions,
+	// dynamically retrieved values from supported providers including all major clouds,
+	// and other Pulumi ESC environments.
+	// To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
+	Environment string `json:"environment"`
+}
+
+type PulumiProviderSecretRef struct {
+	// SecretRef is a reference to a secret containing the Pulumi API token.
+	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
+}

+ 47 - 0
apis/externalsecrets/v1/secretstore_scaleway_types.go

@@ -0,0 +1,47 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+
+type ScalewayProviderSecretRef struct {
+
+	// Value can be specified directly to set a value without using a secret.
+	// +optional
+	Value string `json:"value,omitempty"`
+
+	// SecretRef references a key in a secret that will be used as value.
+	// +optional
+	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
+}
+
+type ScalewayProvider struct {
+
+	// APIURL is the url of the api to use. Defaults to https://api.scaleway.com
+	// +optional
+	APIURL string `json:"apiUrl,omitempty"`
+
+	// Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone
+	Region string `json:"region"`
+
+	// ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings
+	ProjectID string `json:"projectId"`
+
+	// AccessKey is the non-secret part of the api key.
+	AccessKey *ScalewayProviderSecretRef `json:"accessKey"`
+
+	// SecretKey is the non-secret part of the api key.
+	SecretKey *ScalewayProviderSecretRef `json:"secretKey"`
+}
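Review bot: The comment on `SecretKey` reads `// SecretKey is the non-secret part of the api key.`, copied from `AccessKey`; it should be `// SecretKey is the secret part of the api key.`. This matters because `ScalewayProviderSecretRef` also accepts an inline `Value`, so a user following the comment may put the secret key in plain text in the SecretStore spec, readable by anyone who can read the store. The `Value` comment should say it is meant for non-secret data, e.g. `// Value sets the value inline; use SecretRef for anything secret.`. Nothing in the type prevents `value` and `secretRef` from both being set or both being empty, and neither struct has a doc comment.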

+ 57 - 0
apis/externalsecrets/v1/secretstore_senhasegura_types.go

@@ -0,0 +1,57 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+
+/*
+SenhaseguraAuth tells the controller how to do auth in senhasegura.
+*/
+type SenhaseguraAuth struct {
+	ClientID     string                   `json:"clientId"`
+	ClientSecret esmeta.SecretKeySelector `json:"clientSecretSecretRef"`
+}
+
+/*
+SenhaseguraModuleType enum defines senhasegura target module to fetch secrets
++kubebuilder:validation:Enum=DSM
+*/
+type SenhaseguraModuleType string
+
+const (
+	/*
+		SenhaseguraModuleDSM is the senhasegura DevOps Secrets Management module
+		see: https://senhasegura.com/devops
+	*/
+	SenhaseguraModuleDSM SenhaseguraModuleType = "DSM"
+)
+
+/*
+SenhaseguraProvider setup a store to sync secrets with senhasegura.
+*/
+type SenhaseguraProvider struct {
+	/* URL of senhasegura */
+	URL string `json:"url"`
+
+	/* Module defines which senhasegura module should be used to get secrets */
+	Module SenhaseguraModuleType `json:"module"`
+
+	/* Auth defines parameters to authenticate in senhasegura */
+	Auth SenhaseguraAuth `json:"auth"`
+
+	// IgnoreSslCertificate defines if SSL certificate must be ignored
+	// +kubebuilder:default=false
+	IgnoreSslCertificate bool `json:"ignoreSslCertificate,omitempty"`
+}
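Review bot: `IgnoreSslCertificate` in `SenhaseguraProvider` is documented only as "defines if SSL certificate must be ignored", which does not tell an operator that enabling it removes server authentication on the connection that carries the client secret from `Auth`. How the provider consumes the flag is outside this hunk, but the name implies certificate verification is skipped, so the comment should say so, for example `// IgnoreSslCertificate disables TLS certificate verification for URL; do not enable outside test environments.`. `URL` also carries no validation marker, so as far as this hunk shows the schema accepts a plain `http://` endpoint.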

+ 348 - 0
apis/externalsecrets/v1/secretstore_types.go

@@ -0,0 +1,348 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// SecretStoreSpec defines the desired state of SecretStore.
+type SecretStoreSpec struct {
+	// Used to select the correct ESO controller (think: ingress.ingressClassName)
+	// The ESO controller is instantiated with a specific controller name and filters ES based on this property
+	// +optional
+	Controller string `json:"controller,omitempty"`
+
+	// Used to configure the provider. Only one provider may be set
+	Provider *SecretStoreProvider `json:"provider"`
+
+	// Used to configure http retries if failed
+	// +optional
+	RetrySettings *SecretStoreRetrySettings `json:"retrySettings,omitempty"`
+
+	// Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
+	// +optional
+	RefreshInterval int `json:"refreshInterval,omitempty"`
+
+	// Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
+	// +optional
+	Conditions []ClusterSecretStoreCondition `json:"conditions,omitempty"`
+}
+
+// ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
+// for a ClusterSecretStore instance.
+type ClusterSecretStoreCondition struct {
+	// Choose namespace using a labelSelector
+	// +optional
+	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
+
+	// Choose namespaces by name
+	// +optional
+	// +kubebuilder:validation:items:MinLength:=1
+	// +kubebuilder:validation:items:MaxLength:=63
+	// +kubebuilder:validation:items:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+	Namespaces []string `json:"namespaces,omitempty"`
+
+	// Choose namespaces by using regex matching
+	// +optional
+	NamespaceRegexes []string `json:"namespaceRegexes,omitempty"`
+}
+
+// SecretStoreProvider contains the provider-specific configuration.
+// +kubebuilder:validation:MinProperties=1
+// +kubebuilder:validation:MaxProperties=1
+type SecretStoreProvider struct {
+	// AWS configures this store to sync secrets using AWS Secret Manager provider
+	// +optional
+	AWS *AWSProvider `json:"aws,omitempty"`
+
+	// AzureKV configures this store to sync secrets using Azure Key Vault provider
+	// +optional
+	AzureKV *AzureKVProvider `json:"azurekv,omitempty"`
+
+	// Akeyless configures this store to sync secrets using Akeyless Vault provider
+	// +optional
+	Akeyless *AkeylessProvider `json:"akeyless,omitempty"`
+
+	// BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
+	// +optional
+	BitwardenSecretsManager *BitwardenSecretsManagerProvider `json:"bitwardensecretsmanager,omitempty"`
+
+	// Vault configures this store to sync secrets using Hashi provider
+	// +optional
+	Vault *VaultProvider `json:"vault,omitempty"`
+
+	// GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
+	// +optional
+	GCPSM *GCPSMProvider `json:"gcpsm,omitempty"`
+
+	// Oracle configures this store to sync secrets using Oracle Vault provider
+	// +optional
+	Oracle *OracleProvider `json:"oracle,omitempty"`
+
+	// IBM configures this store to sync secrets using IBM Cloud provider
+	// +optional
+	IBM *IBMProvider `json:"ibm,omitempty"`
+
+	// YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
+	// +optional
+	YandexCertificateManager *YandexCertificateManagerProvider `json:"yandexcertificatemanager,omitempty"`
+
+	// YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
+	// +optional
+	YandexLockbox *YandexLockboxProvider `json:"yandexlockbox,omitempty"`
+
+	// Github configures this store to push Github Action secrets using Github API provider
+	// +optional
+	Github *GithubProvider `json:"github,omitempty"`
+
+	// GitLab configures this store to sync secrets using GitLab Variables provider
+	// +optional
+	Gitlab *GitlabProvider `json:"gitlab,omitempty"`
+
+	// Alibaba configures this store to sync secrets using Alibaba Cloud provider
+	// +optional
+	Alibaba *AlibabaProvider `json:"alibaba,omitempty"`
+
+	// OnePassword configures this store to sync secrets using the 1Password Cloud provider
+	// +optional
+	OnePassword *OnePasswordProvider `json:"onepassword,omitempty"`
+
+	// Webhook configures this store to sync secrets using a generic templated webhook
+	// +optional
+	Webhook *WebhookProvider `json:"webhook,omitempty"`
+
+	// Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
+	// +optional
+	Kubernetes *KubernetesProvider `json:"kubernetes,omitempty"`
+
+	// Fake configures a store with static key/value pairs
+	// +optional
+	Fake *FakeProvider `json:"fake,omitempty"`
+
+	// Senhasegura configures this store to sync secrets using senhasegura provider
+	// +optional
+	Senhasegura *SenhaseguraProvider `json:"senhasegura,omitempty"`
+
+	// Scaleway
+	// +optional
+	Scaleway *ScalewayProvider `json:"scaleway,omitempty"`
+
+	// Doppler configures this store to sync secrets using the Doppler provider
+	// +optional
+	Doppler *DopplerProvider `json:"doppler,omitempty"`
+
+	// Previder configures this store to sync secrets using the Previder provider
+	// +optional
+	Previder *PreviderProvider `json:"previder,omitempty"`
+
+	// Onboardbase configures this store to sync secrets using the Onboardbase provider
+	// +optional
+	Onboardbase *OnboardbaseProvider `json:"onboardbase,omitempty"`
+
+	// KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
+	// +optional
+	KeeperSecurity *KeeperSecurityProvider `json:"keepersecurity,omitempty"`
+
+	// Conjur configures this store to sync secrets using conjur provider
+	// +optional
+	Conjur *ConjurProvider `json:"conjur,omitempty"`
+
+	// Delinea DevOps Secrets Vault
+	// https://docs.delinea.com/online-help/products/devops-secrets-vault/current
+	// +optional
+	Delinea *DelineaProvider `json:"delinea,omitempty"`
+
+	// SecretServer configures this store to sync secrets using SecretServer provider
+	// https://docs.delinea.com/online-help/secret-server/start.htm
+	// +optional
+	SecretServer *SecretServerProvider `json:"secretserver,omitempty"`
+
+	// Chef configures this store to sync secrets with chef server
+	// +optional
+	Chef *ChefProvider `json:"chef,omitempty"`
+
+	// Pulumi configures this store to sync secrets using the Pulumi provider
+	// +optional
+	Pulumi *PulumiProvider `json:"pulumi,omitempty"`
+
+	// Fortanix configures this store to sync secrets using the Fortanix provider
+	// +optional
+	Fortanix *FortanixProvider `json:"fortanix,omitempty"`
+
+	// +optional
+	PasswordDepot *PasswordDepotProvider `json:"passworddepot,omitempty"`
+
+	// +optional
+	Passbolt *PassboltProvider `json:"passbolt,omitempty"`
+
+	// Device42 configures this store to sync secrets using the Device42 provider
+	// +optional
+	Device42 *Device42Provider `json:"device42,omitempty"`
+
+	// Infisical configures this store to sync secrets using the Infisical provider
+	// +optional
+	Infisical *InfisicalProvider `json:"infisical,omitempty"`
+
+	// Beyondtrust configures this store to sync secrets using Password Safe provider.
+	// +optional
+	Beyondtrust *BeyondtrustProvider `json:"beyondtrust,omitempty"`
+
+	// CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
+	// +optional
+	CloudruSM *CloudruSMProvider `json:"cloudrusm,omitempty"`
+}
+
+type CAProviderType string
+
+const (
+	CAProviderTypeSecret    CAProviderType = "Secret"
+	CAProviderTypeConfigMap CAProviderType = "ConfigMap"
+)
+
+// Used to provide custom certificate authority (CA) certificates
+// for a secret store. The CAProvider points to a Secret or ConfigMap resource
+// that contains a PEM-encoded certificate.
+type CAProvider struct {
+	// The type of provider to use such as "Secret", or "ConfigMap".
+	// +kubebuilder:validation:Enum="Secret";"ConfigMap"
+	Type CAProviderType `json:"type"`
+
+	// The name of the object located at the provider type.
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:MaxLength:=253
+	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+	Name string `json:"name"`
+
+	// The key where the CA certificate can be found in the Secret or ConfigMap.
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:MaxLength:=253
+	// +kubebuilder:validation:Pattern:=^[-._a-zA-Z0-9]+$
+	Key string `json:"key,omitempty"`
+
+	// The namespace the Provider type is in.
+	// Can only be defined when used in a ClusterSecretStore.
+	// +optional
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:MaxLength:=63
+	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+	Namespace *string `json:"namespace,omitempty"`
+}
+
+type SecretStoreRetrySettings struct {
+	MaxRetries    *int32  `json:"maxRetries,omitempty"`
+	RetryInterval *string `json:"retryInterval,omitempty"`
+}
+
+type SecretStoreConditionType string
+
+const (
+	SecretStoreReady SecretStoreConditionType = "Ready"
+
+	ReasonInvalidStore          = "InvalidStoreConfiguration"
+	ReasonInvalidProviderConfig = "InvalidProviderConfig"
+	ReasonValidationFailed      = "ValidationFailed"
+	ReasonStoreValid            = "Valid"
+	StoreUnmaintained           = "StoreUnmaintained"
+)
+
+type SecretStoreStatusCondition struct {
+	Type   SecretStoreConditionType `json:"type"`
+	Status corev1.ConditionStatus   `json:"status"`
+
+	// +optional
+	Reason string `json:"reason,omitempty"`
+
+	// +optional
+	Message string `json:"message,omitempty"`
+
+	// +optional
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
+}
+
+// SecretStoreCapabilities defines the possible operations a SecretStore can do.
+type SecretStoreCapabilities string
+
+const (
+	SecretStoreReadOnly  SecretStoreCapabilities = "ReadOnly"
+	SecretStoreWriteOnly SecretStoreCapabilities = "WriteOnly"
+	SecretStoreReadWrite SecretStoreCapabilities = "ReadWrite"
+)
+
+// SecretStoreStatus defines the observed state of the SecretStore.
+type SecretStoreStatus struct {
+	// +optional
+	Conditions []SecretStoreStatusCondition `json:"conditions,omitempty"`
+	// +optional
+	Capabilities SecretStoreCapabilities `json:"capabilities,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:storageversion
+
+// SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason`
+// +kubebuilder:printcolumn:name="Capabilities",type=string,JSONPath=`.status.capabilities`
+// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].status`
+// +kubebuilder:subresource:status
+// +kubebuilder:metadata:labels="external-secrets.io/component=controller"
+// +kubebuilder:resource:scope=Namespaced,categories={external-secrets},shortName=ss
+type SecretStore struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   SecretStoreSpec   `json:"spec,omitempty"`
+	Status SecretStoreStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// SecretStoreList contains a list of SecretStore resources.
+type SecretStoreList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []SecretStore `json:"items"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:storageversion
+
+// ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason`
+// +kubebuilder:printcolumn:name="Capabilities",type=string,JSONPath=`.status.capabilities`
+// +kubebuilder:printcolumn:name="Ready",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].status`
+// +kubebuilder:subresource:status
+// +kubebuilder:metadata:labels="external-secrets.io/component=controller"
+// +kubebuilder:resource:scope=Cluster,categories={external-secrets},shortName=css
+type ClusterSecretStore struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   SecretStoreSpec   `json:"spec,omitempty"`
+	Status SecretStoreStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// ClusterSecretStoreList contains a list of ClusterSecretStore resources.
+type ClusterSecretStoreList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ClusterSecretStore `json:"items"`
+}
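Review bot: The comment on `NamespaceRegexes` in `ClusterSecretStoreCondition` ("Choose namespaces by using regex matching") does not say whether a pattern has to match the whole namespace name or only part of it. These conditions decide which namespaces may use a ClusterSecretStore, so the difference matters: with an unanchored search a pattern written for one namespace also selects every namespace that contains it. The matching code is not in this file, so the comment should state whichever rule the controller applies, e.g. `// Patterns are not anchored implicitly; use ^ and $ to match a whole namespace name.` if that is the behaviour. The field also has none of the `items:` markers that `Namespaces` carries, and `PasswordDepot`, `Passbolt` and `SecretStoreRetrySettings` have no description at all.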

+ 90 - 0
apis/externalsecrets/v1/secretstore_validator.go

@@ -0,0 +1,90 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"regexp"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+var _ admission.CustomValidator = &GenericStoreValidator{}
+
+const (
+	errInvalidStore       = "invalid store"
+	warnStoreUnmaintained = "store %s isn't currently maintained. Please plan and prepare accordingly."
+)
+
+type GenericStoreValidator struct{}
+
+// ValidateCreate implements webhook.Validator so a webhook will be registered for the type.
+func (r *GenericStoreValidator) ValidateCreate(_ context.Context, obj runtime.Object) (admission.Warnings, error) {
+	st, ok := obj.(GenericStore)
+	if !ok {
+		return nil, errors.New(errInvalidStore)
+	}
+	return validateStore(st)
+}
+
+// ValidateUpdate implements webhook.Validator so a webhook will be registered for the type.
+func (r *GenericStoreValidator) ValidateUpdate(_ context.Context, _, newObj runtime.Object) (admission.Warnings, error) {
+	st, ok := newObj.(GenericStore)
+	if !ok {
+		return nil, errors.New(errInvalidStore)
+	}
+	return validateStore(st)
+}
+
+// ValidateDelete implements webhook.Validator so a webhook will be registered for the type.
+func (r *GenericStoreValidator) ValidateDelete(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
+	return nil, nil
+}
+
+func validateStore(store GenericStore) (admission.Warnings, error) {
+	if err := validateConditions(store); err != nil {
+		return nil, err
+	}
+
+	provider, err := GetProvider(store)
+	if err != nil {
+		return nil, err
+	}
+	isMaintained, err := GetMaintenanceStatus(store)
+	if err != nil {
+		return nil, err
+	}
+	warns, err := provider.ValidateStore(store)
+	if !isMaintained {
+		warns = append(warns, fmt.Sprintf(warnStoreUnmaintained, store.GetName()))
+	}
+	return warns, err
+}
+
+func validateConditions(store GenericStore) error {
+	var errs error
+	for ci, condition := range store.GetSpec().Conditions {
+		for ri, r := range condition.NamespaceRegexes {
+			if _, err := regexp.Compile(r); err != nil {
+				errs = errors.Join(errs, fmt.Errorf("failed to compile %dth namespace regex in %dth condition: %w", ri, ci, err))
+			}
+		}
+	}
+
+	return errs
+}
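Review bot: `validateConditions` accepts every pattern that `regexp.Compile` can parse, so an empty string in `namespaceRegexes` passes admission. An empty pattern compiles and matches any input, which for a field meant to restrict a ClusterSecretStore to specific namespaces would probably select all of them (how the controller applies the patterns is not visible here). A guard before the compile call would reject it: `if r == "" { errs = errors.Join(errs, fmt.Errorf("%dth namespace regex in %dth condition is empty", ri, ci)); continue }`. Separately, the three method comments still name `webhook.Validator` while the file asserts `admission.CustomValidator`, and `validateStore` has no comment explaining that an unmaintained provider produces a warning rather than a rejection.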

+ 196 - 0
apis/externalsecrets/v1/secretstore_validator_test.go

@@ -0,0 +1,196 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+// ValidationProvider is a simple provider that we can use without cyclic import.
+type ValidationProvider struct {
+	Provider
+}
+
+func (v *ValidationProvider) ValidateStore(_ GenericStore) (admission.Warnings, error) {
+	return nil, nil
+}
+
+func TestValidateSecretStore(t *testing.T) {
+	tests := []struct {
+		name        string
+		obj         *SecretStore
+		mock        func()
+		assertWarns func(t *testing.T, warns admission.Warnings)
+		assertErr   func(t *testing.T, err error)
+	}{
+		{
+			name: "valid regex",
+			obj: &SecretStore{
+				Spec: SecretStoreSpec{
+					Conditions: []ClusterSecretStoreCondition{
+						{
+							NamespaceRegexes: []string{`.*`},
+						},
+					},
+					Provider: &SecretStoreProvider{
+						AWS: &AWSProvider{},
+					},
+				},
+			},
+			mock: func() {
+				ForceRegister(&ValidationProvider{}, &SecretStoreProvider{
+					AWS: &AWSProvider{},
+				}, MaintenanceStatusMaintained)
+			},
+			assertErr: func(t *testing.T, err error) {
+				require.NoError(t, err)
+			},
+			assertWarns: func(t *testing.T, warns admission.Warnings) {
+				require.Equal(t, 0, len(warns))
+			},
+		},
+		{
+			name: "invalid regex",
+			obj: &SecretStore{
+				Spec: SecretStoreSpec{
+					Conditions: []ClusterSecretStoreCondition{
+						{
+							NamespaceRegexes: []string{`\1`},
+						},
+					},
+					Provider: &SecretStoreProvider{
+						AWS: &AWSProvider{},
+					},
+				},
+			},
+			mock: func() {
+				ForceRegister(&ValidationProvider{}, &SecretStoreProvider{
+					AWS: &AWSProvider{},
+				}, MaintenanceStatusMaintained)
+			},
+			assertErr: func(t *testing.T, err error) {
+				assert.EqualError(t, err, "failed to compile 0th namespace regex in 0th condition: error parsing regexp: invalid escape sequence: `\\1`")
+			},
+			assertWarns: func(t *testing.T, warns admission.Warnings) {
+				require.Equal(t, 0, len(warns))
+			},
+		},
+		{
+			name: "multiple errors",
+			obj: &SecretStore{
+				Spec: SecretStoreSpec{
+					Conditions: []ClusterSecretStoreCondition{
+						{
+							NamespaceRegexes: []string{`\1`, `\2`},
+						},
+					},
+					Provider: &SecretStoreProvider{
+						AWS: &AWSProvider{},
+					},
+				},
+			},
+			assertWarns: func(t *testing.T, warns admission.Warnings) {
+				require.Equal(t, 0, len(warns))
+			},
+
+			mock: func() {
+				ForceRegister(&ValidationProvider{}, &SecretStoreProvider{
+					AWS: &AWSProvider{},
+				}, MaintenanceStatusMaintained)
+			},
+			assertErr: func(t *testing.T, err error) {
+				assert.EqualError(t, err, "failed to compile 0th namespace regex in 0th condition: error parsing regexp: invalid escape sequence: `\\1`\nfailed to compile 1th namespace regex in 0th condition: error parsing regexp: invalid escape sequence: `\\2`")
+			},
+		},
+		{
+			name: "secret store must have only a single backend",
+			obj: &SecretStore{
+				Spec: SecretStoreSpec{
+					Provider: &SecretStoreProvider{
+						AWS:   &AWSProvider{},
+						GCPSM: &GCPSMProvider{},
+					},
+				},
+			},
+			assertErr: func(t *testing.T, err error) {
+				assert.EqualError(t, err, "store error for : secret stores must only have exactly one backend specified, found 2")
+			},
+			assertWarns: func(t *testing.T, warns admission.Warnings) {
+				require.Equal(t, 0, len(warns))
+			},
+		},
+		{
+			name: "no registered store backend",
+			obj: &SecretStore{
+				Spec: SecretStoreSpec{
+					Conditions: []ClusterSecretStoreCondition{
+						{
+							Namespaces: []string{"default"},
+						},
+					},
+				},
+			},
+			assertErr: func(t *testing.T, err error) {
+				assert.EqualError(t, err, "store error for : secret stores must only have exactly one backend specified, found 0")
+			},
+			assertWarns: func(t *testing.T, warns admission.Warnings) {
+				require.Equal(t, 0, len(warns))
+			},
+		},
+		{
+			name: "unmaintained warning",
+			obj: &SecretStore{
+				Spec: SecretStoreSpec{
+					Conditions: []ClusterSecretStoreCondition{
+						{
+							NamespaceRegexes: []string{`.*`},
+						},
+					},
+					Provider: &SecretStoreProvider{
+						AWS: &AWSProvider{},
+					},
+				},
+			},
+			mock: func() {
+				ForceRegister(&ValidationProvider{}, &SecretStoreProvider{
+					AWS: &AWSProvider{},
+				}, MaintenanceStatusNotMaintained)
+			},
+			assertErr: func(t *testing.T, err error) {
+				require.NoError(t, err)
+			},
+			assertWarns: func(t *testing.T, warns admission.Warnings) {
+				require.Equal(t, 1, len(warns))
+				assert.Equal(t, warns[0], fmt.Sprintf(warnStoreUnmaintained, ""))
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.mock != nil {
+				tt.mock()
+			}
+
+			warns, err := validateStore(tt.obj)
+			tt.assertErr(t, err)
+			tt.assertWarns(t, warns)
+		})
+	}
+}
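Review bot: The cases in `TestValidateSecretStore` change provider registration through `ForceRegister` and nothing restores it, so state leaks between sub-tests and into any other test in the package. The last case leaves the AWS provider registered as `MaintenanceStatusNotMaintained`, and a case added after it without its own `mock` would silently start receiving the unmaintained warning. Resetting inside the sub-test keeps each case independent: `t.Cleanup(func() { ForceRegister(&ValidationProvider{}, &SecretStoreProvider{AWS: &AWSProvider{}}, MaintenanceStatusMaintained) })`. The table also has no case for the `errInvalidStore` path taken by `ValidateCreate` and `ValidateUpdate` when the object is not a store.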

+ 143 - 41
apis/externalsecrets/v1alpha1/secretstore_vault_types.go → apis/externalsecrets/v1/secretstore_vault_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1alpha1
+package v1
 
 import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
@@ -25,45 +25,11 @@ const (
 	VaultKVStoreV2 VaultKVStoreVersion = "v2"
 )
 
-type CAProviderType string
-
-const (
-	CAProviderTypeSecret    CAProviderType = "Secret"
-	CAProviderTypeConfigMap CAProviderType = "ConfigMap"
-)
-
-// Defines a location to fetch the cert for the vault provider from.
-type CAProvider struct {
-	// The type of provider to use such as "Secret", or "ConfigMap".
-	// +kubebuilder:validation:Enum="Secret";"ConfigMap"
-	Type CAProviderType `json:"type"`
-
-	// The name of the object located at the provider type.
-	// +kubebuilder:validation:MinLength:=1
-	// +kubebuilder:validation:MaxLength:=253
-	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-	Name string `json:"name"`
-
-	// The key where the CA certificate can be found in the Secret or ConfigMap.
-	// +kubebuilder:validation:Optional
-	// +kubebuilder:validation:MinLength:=1
-	// +kubebuilder:validation:MaxLength:=253
-	// +kubebuilder:validation:Pattern:=^[-._a-zA-Z0-9]+$
-	Key string `json:"key,omitempty"`
-
-	// The namespace the Provider type is in.
-	// +optional
-	// +kubebuilder:validation:MinLength:=1
-	// +kubebuilder:validation:MaxLength:=63
-	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
-	Namespace *string `json:"namespace,omitempty"`
-}
-
 // Configures an store to sync secrets using a HashiCorp Vault
 // KV backend.
 type VaultProvider struct {
 	// Auth configures how secret-manager authenticates with the Vault server.
-	Auth VaultAuth `json:"auth"`
+	Auth *VaultAuth `json:"auth,omitempty"`
 
 	// Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
 	Server string `json:"server"`
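Review bot: `Auth` on `VaultProvider` changes from a required value to an optional pointer, but its comment still only says that it "configures how secret-manager authenticates" and does not state what happens when it is omitted. Readers of the CRD cannot tell whether a store without `auth` is rejected, falls back to some ambient credential, or talks to Vault unauthenticated; the handling is outside this hunk. I would add a sentence to the comment naming that behaviour and a `// +optional` marker to match the other optional fields, and check that code reading `Auth` handles nil. The struct continues past the end of this hunk.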
@@ -95,6 +61,14 @@ type VaultProvider struct {
 	// +optional
 	CABundle []byte `json:"caBundle,omitempty"`
 
+	// The configuration used for client side related TLS communication, when the Vault server
+	// requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
+	// This parameter is ignored for plain HTTP protocol connection.
+	// It's worth noting this configuration is different from the "TLS certificates auth method",
+	// which is available under the `auth.cert` section.
+	// +optional
+	ClientTLS VaultClientTLS `json:"tls,omitempty"`
+
 	// The provider for the CA bundle to use to validate Vault server certificate.
 	// +optional
 	CAProvider *CAProvider `json:"caProvider,omitempty"`
@@ -112,12 +86,40 @@ type VaultProvider struct {
 	// https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
 	// +optional
 	ForwardInconsistent bool `json:"forwardInconsistent,omitempty"`
+
+	// Headers to be added in Vault request
+	// +optional
+	Headers map[string]string `json:"headers,omitempty"`
+}
+
+// VaultClientTLS is the configuration used for client side related TLS communication,
+// when the Vault server requires mutual authentication.
+type VaultClientTLS struct {
+	// CertSecretRef is a certificate added to the transport layer
+	// when communicating with the Vault server.
+	// If no key for the Secret is specified, external-secret will default to 'tls.crt'.
+	// +optional
+	CertSecretRef *esmeta.SecretKeySelector `json:"certSecretRef,omitempty"`
+
+	// KeySecretRef to a key in a Secret resource containing client private key
+	// added to the transport layer when communicating with the Vault server.
+	// If no key for the Secret is specified, external-secret will default to 'tls.key'.
+	// +optional
+	KeySecretRef *esmeta.SecretKeySelector `json:"keySecretRef,omitempty"`
 }
 
 // VaultAuth is the configuration used to authenticate with a Vault server.
-// Only one of `tokenSecretRef`, `appRole`,  `kubernetes`, `ldap`, `jwt` or `cert`
-// can be specified.
+// Only one of `tokenSecretRef`, `appRole`,  `kubernetes`, `ldap`, `userPass`, `jwt` or `cert`
+// can be specified. A namespace to authenticate against can optionally be specified.
 type VaultAuth struct {
+	// Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
+	// Namespaces is a set of features within Vault Enterprise that allows
+	// Vault environments to support Secure Multi-tenancy. e.g: "ns1".
+	// More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+	// This will default to Vault.Namespace field if set, or empty otherwise
+	// +optional
+	Namespace *string `json:"namespace,omitempty"`
+
 	// TokenSecretRef authenticates with Vault by presenting a token.
 	// +optional
 	TokenSecretRef *esmeta.SecretKeySelector `json:"tokenSecretRef,omitempty"`
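Review bot: The new `Headers` field on `VaultProvider` is documented only as "Headers to be added in Vault request", with no statement of which header names are accepted or that the values live in clear text in the store spec. Whether the provider filters names is outside this hunk; if it does not, a user-supplied entry could collide with headers the Vault client sets itself. I would extend the comment to `// Headers are sent with every Vault request. Values are stored in the store spec in clear text; do not put credentials here.` and have the provider validation reject names it reserves. `VaultAuth` continues past the end of this hunk.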
@@ -146,6 +148,15 @@ type VaultAuth struct {
 	// Cert authentication method
 	// +optional
 	Cert *VaultCertAuth `json:"cert,omitempty"`
+
+	// Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
+	// AWS IAM authentication method
+	// +optional
+	Iam *VaultIamAuth `json:"iam,omitempty"`
+
+	// UserPass authenticates with Vault by passing username/password pair
+	// +optional
+	UserPass *VaultUserPassAuth `json:"userPass,omitempty"`
 }
 
 // VaultAppRole authenticates with Vault using the App Role auth mechanism,
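Review bot: The `VaultAuth` doc comment rewritten in the previous hunk lists `userPass` among the mutually exclusive methods but leaves out the `iam` method added here. Nothing visible on the struct enforces the "only one of" rule at schema level, so it presumably depends on provider validation that is not part of this hunk. Add `iam` to that list so the generated CRD description matches the fields, and say in the comment where the exclusivity is checked.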
@@ -158,7 +169,15 @@ type VaultAppRole struct {
 
 	// RoleID configured in the App Role authentication backend when setting
 	// up the authentication backend in Vault.
-	RoleID string `json:"roleId"`
+	//+optional
+	RoleID string `json:"roleId,omitempty"`
+
+	// Reference to a key in a Secret that contains the App Role ID used
+	// to authenticate with Vault.
+	// The `key` field must be specified and denotes which entry within the Secret
+	// resource is used as the app role id.
+	//+optional
+	RoleRef *esmeta.SecretKeySelector `json:"roleRef,omitempty"`
 
 	// Reference to a key in a Secret that contains the App Role secret used
 	// to authenticate with Vault.
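Review bot: With `RoleID` made optional and `RoleRef` added as optional, the `VaultAppRole` schema now accepts a spec that sets neither or both, and neither field comment says which is required or which wins. The check presumably lives in the provider's store validation, outside this hunk; the comments should state the intended rule, for example `// One of roleId or roleRef must be set.` plus the precedence when both are given. The markers are also written `//+optional` without the space used by every other marker in this file.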
@@ -202,16 +221,51 @@ type VaultLdapAuth struct {
 	// +kubebuilder:default=ldap
 	Path string `json:"path"`
 
-	// Username is a LDAP user name used to authenticate using the LDAP Vault
+	// Username is an LDAP username used to authenticate using the LDAP Vault
 	// authentication method
 	Username string `json:"username"`
 
 	// SecretRef to a key in a Secret resource containing password for the LDAP
 	// user used to authenticate with Vault using the LDAP authentication
 	// method
+	// +optional
 	SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
 }
 
+// VaultAwsAuth tells the controller how to do authentication with aws.
+// Only one of secretRef or jwt can be specified.
+// if none is specified the controller will try to load credentials from its own service account assuming it is IRSA enabled.
+type VaultAwsAuth struct {
+	// +optional
+	SecretRef *VaultAwsAuthSecretRef `json:"secretRef,omitempty"`
+	// +optional
+	JWTAuth *VaultAwsJWTAuth `json:"jwt,omitempty"`
+}
+
+// VaultAWSAuthSecretRef holds secret references for AWS credentials
+// both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
+type VaultAwsAuthSecretRef struct {
+	// The AccessKeyID is used for authentication
+	// +optional
+	AccessKeyID esmeta.SecretKeySelector `json:"accessKeyIDSecretRef,omitempty"`
+
+	// The SecretAccessKey is used for authentication
+	// +optional
+	SecretAccessKey esmeta.SecretKeySelector `json:"secretAccessKeySecretRef,omitempty"`
+
+	// The SessionToken used for authentication
+	// This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
+	// see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
+	// +optional
+	SessionToken *esmeta.SecretKeySelector `json:"sessionTokenSecretRef,omitempty"`
+}
+
+// VaultAwsJWTAuth Authenticate against AWS using service account tokens.
+type VaultAwsJWTAuth struct {
+	// +optional
+	ServiceAccountRef *esmeta.ServiceAccountSelector `json:"serviceAccountRef,omitempty"`
+}
+
 // VaultKubernetesServiceAccountTokenAuth authenticates with Vault using a temporary
 // Kubernetes service account token retrieved by the `TokenRequest` API.
 type VaultKubernetesServiceAccountTokenAuth struct {
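Review bot: The doc comment for the AWS secret-reference type opens with `VaultAWSAuthSecretRef` while the type is named `VaultAwsAuthSecretRef`, and its text contradicts the markers below it. It says both AccessKeyID and SecretAccessKey must be defined, yet both fields are `+optional` with `omitempty`, so the schema accepts a reference with only one of them. Either drop `+optional` from the two fields or say in the comment where the pairing is enforced, and start the comment with the real type name: `// VaultAwsAuthSecretRef holds secret references for AWS credentials.`. The same hunk marks the LDAP password `SecretRef` as `+optional` without explaining how LDAP auth works when it is absent.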
@@ -221,12 +275,14 @@ type VaultKubernetesServiceAccountTokenAuth struct {
 	// Optional audiences field that will be used to request a temporary Kubernetes service
 	// account token for the service account referenced by `serviceAccountRef`.
 	// Defaults to a single audience `vault` it not specified.
+	// Deprecated: use serviceAccountRef.Audiences instead
 	// +optional
 	Audiences *[]string `json:"audiences,omitempty"`
 
 	// Optional expiration time in seconds that will be used to request a temporary
 	// Kubernetes service account token for the service account referenced by
 	// `serviceAccountRef`.
+	// Deprecated: this will be removed in the future.
 	// Defaults to 10 minutes.
 	// +optional
 	ExpirationSeconds *int64 `json:"expirationSeconds,omitempty"`
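Review bot: The two `Deprecated:` lines are spliced into the middle of the field comments, and the one on `ExpirationSeconds` names no replacement. By Go convention a deprecation notice starts its own comment paragraph, so each should move to the end of the field comment after a blank `//` line; as written, `Defaults to 10 minutes.` reads as part of the notice. For `ExpirationSeconds` the notice should also say where the token lifetime is set from now on, e.g. `// Deprecated: this will be removed in the future; use <replacement, if any> instead.`, since operators use this field to bound how long the requested service account token stays valid. The struct begins and ends outside this hunk.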
@@ -257,7 +313,7 @@ type VaultJwtAuth struct {
 	KubernetesServiceAccountToken *VaultKubernetesServiceAccountTokenAuth `json:"kubernetesServiceAccountToken,omitempty"`
 }
 
-// VaultJwtAuth authenticates with Vault using the JWT/OIDC authentication
+// VaultCertAuth authenticates with Vault using the JWT/OIDC authentication
 // method, with the role name and token stored in a Kubernetes Secret resource.
 type VaultCertAuth struct {
 	// ClientCert is a certificate to authenticate using the Cert Vault
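Review bot: The renamed doc comment on `VaultCertAuth` still describes the JWT/OIDC method with a role name and token stored in a Secret, which is the wording of `VaultJwtAuth`. The fields shown for this type are a client certificate and, in the next hunk, a `SecretRef` to the client private key, so the comment should read `// VaultCertAuth authenticates with Vault using the Cert authentication method,` followed by `// with the client private key stored in a Kubernetes Secret resource.` These comments presumably become the CRD field descriptions, so the wrong text would point users at the wrong auth method. The struct body continues outside this hunk.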
@@ -267,5 +323,51 @@ type VaultCertAuth struct {
 
 	// SecretRef to a key in a Secret resource containing client private key to
 	// authenticate with Vault using the Cert authentication method
+	// +optional
+	SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
+}
+
+// VaultIamAuth authenticates with Vault using the Vault's AWS IAM authentication method. Refer: https://developer.hashicorp.com/vault/docs/auth/aws
+type VaultIamAuth struct {
+	// Path where the AWS auth method is enabled in Vault, e.g: "aws"
+	// +optional
+	Path string `json:"path,omitempty"`
+	// AWS region
+	// +optional
+	Region string `json:"region,omitempty"`
+	// This is the AWS role to be assumed before talking to vault
+	// +optional
+	AWSIAMRole string `json:"role,omitempty"`
+	// Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
+	Role string `json:"vaultRole"`
+	// AWS External ID set on assumed IAM roles
+	ExternalID string `json:"externalID,omitempty"`
+	// X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws
+	// +optional
+	VaultAWSIAMServerID string `json:"vaultAwsIamServerID,omitempty"`
+	// Specify credentials in a Secret object
+	// +optional
+	SecretRef *VaultAwsAuthSecretRef `json:"secretRef,omitempty"`
+	// Specify a service account with IRSA enabled
+	// +optional
+	JWTAuth *VaultAwsJWTAuth `json:"jwt,omitempty"`
+}
+
+// VaultUserPassAuth authenticates with Vault using UserPass authentication method,
+// with the username and password stored in a Kubernetes Secret resource.
+type VaultUserPassAuth struct {
+	// Path where the UserPassword authentication backend is mounted
+	// in Vault, e.g: "userpass"
+	// +kubebuilder:default=userpass
+	Path string `json:"path"`
+
+	// Username is a username used to authenticate using the UserPass Vault
+	// authentication method
+	Username string `json:"username"`
+
+	// SecretRef to a key in a Secret resource containing password for the
+	// user used to authenticate with Vault using the UserPass authentication
+	// method
+	// +optional
 	SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
 }
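Review bot: `VaultIamAuth` makes both `SecretRef` and `JWTAuth` optional without saying what happens when both or neither are set. `VaultAwsAuth` earlier in this file documents that only one may be specified and that with none the controller loads credentials from its own service account; if the same holds here, the type comment should state it, because a store that omits both would then authenticate to Vault with the controller's AWS identity rather than one the store names. Something like `// Only one of secretRef or jwt can be specified; if neither is set the controller's own credentials are used.` would do, once confirmed against the provider code. `ExternalID` is also the only `omitempty` field in the struct without a `// +optional` marker.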

+ 3 - 1
apis/externalsecrets/v1alpha1/secretstore_webhook.go → apis/externalsecrets/v1/secretstore_webhook.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1alpha1
+package v1
 
 import (
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -21,11 +21,13 @@ import (
 func (c *SecretStore) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(c).
+		WithValidator(&GenericStoreValidator{}).
 		Complete()
 }
 
 func (c *ClusterSecretStore) SetupWebhookWithManager(mgr ctrl.Manager) error {
 	return ctrl.NewWebhookManagedBy(mgr).
 		For(c).
+		WithValidator(&GenericStoreValidator{}).
 		Complete()
 }
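Review bot: Both `SetupWebhookWithManager` methods are exported without doc comments, and they now attach the same `GenericStoreValidator` type to two different kinds. A comment on each, e.g. `// SetupWebhookWithManager registers the validating webhook for SecretStore with mgr, using GenericStoreValidator.`, would record that. The validator is defined outside this hunk, so it presumably has to accept both SecretStore and ClusterSecretStore objects; that is worth confirming, since an object it does not recognise would be either rejected or passed unchecked depending on how it handles the mismatch.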

+ 1 - 1
apis/externalsecrets/v1alpha1/secretstore_webhook_types.go → apis/externalsecrets/v1/secretstore_webhook_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1alpha1
+package v1
 
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

+ 43 - 0
apis/externalsecrets/v1/secretstore_yandexcertificatemanager_types.go

@@ -0,0 +1,43 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+type YandexCertificateManagerAuth struct {
+	// The authorized key used for authentication
+	// +optional
+	AuthorizedKey esmeta.SecretKeySelector `json:"authorizedKeySecretRef,omitempty"`
+}
+
+type YandexCertificateManagerCAProvider struct {
+	Certificate esmeta.SecretKeySelector `json:"certSecretRef,omitempty"`
+}
+
+// YandexCertificateManagerProvider Configures a store to sync secrets using the Yandex Certificate Manager provider.
+type YandexCertificateManagerProvider struct {
+	// Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
+	// +optional
+	APIEndpoint string `json:"apiEndpoint,omitempty"`
+
+	// Auth defines the information necessary to authenticate against Yandex Certificate Manager
+	Auth YandexCertificateManagerAuth `json:"auth"`
+
+	// The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
+	// +optional
+	CAProvider *YandexCertificateManagerCAProvider `json:"caProvider,omitempty"`
+}
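Review bot: `AuthorizedKey` is marked `+optional` while `Auth` itself is required, so the generated schema accepts a store whose `auth` is an empty object with no credential reference. Unless the provider or the validating webhook rejects that elsewhere, the mistake only surfaces when authentication fails at runtime; if the key is mandatory, drop the `// +optional` marker and `omitempty` on that field. `YandexCertificateManagerAuth` and `YandexCertificateManagerCAProvider` are exported without doc comments and `Certificate` has neither a comment nor a marker; add for example `// YandexCertificateManagerAuth holds the credential reference used to authenticate against Yandex Certificate Manager.` and `// Certificate references the Secret key that holds the CA certificate.`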

+ 1 - 1
apis/externalsecrets/v1alpha1/secretstore_yandexlockbox_types.go → apis/externalsecrets/v1/secretstore_yandexlockbox_types.go

@@ -12,7 +12,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package v1alpha1
+package v1
 
 import (
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"

+ 3702 - 0
apis/externalsecrets/v1/zz_generated.deepcopy.go

@@ -0,0 +1,3702 @@
+//go:build !ignore_autogenerated
+
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package v1
+
+import (
+	apismetav1 "github.com/external-secrets/external-secrets/apis/meta/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSAuth) DeepCopyInto(out *AWSAuth) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(AWSAuthSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.JWTAuth != nil {
+		in, out := &in.JWTAuth, &out.JWTAuth
+		*out = new(AWSJWTAuth)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSAuth.
+func (in *AWSAuth) DeepCopy() *AWSAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSAuthSecretRef) DeepCopyInto(out *AWSAuthSecretRef) {
+	*out = *in
+	in.AccessKeyID.DeepCopyInto(&out.AccessKeyID)
+	in.SecretAccessKey.DeepCopyInto(&out.SecretAccessKey)
+	if in.SessionToken != nil {
+		in, out := &in.SessionToken, &out.SessionToken
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSAuthSecretRef.
+func (in *AWSAuthSecretRef) DeepCopy() *AWSAuthSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSAuthSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSJWTAuth) DeepCopyInto(out *AWSJWTAuth) {
+	*out = *in
+	if in.ServiceAccountRef != nil {
+		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
+		*out = new(apismetav1.ServiceAccountSelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSJWTAuth.
+func (in *AWSJWTAuth) DeepCopy() *AWSJWTAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSJWTAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSProvider) DeepCopyInto(out *AWSProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+	if in.AdditionalRoles != nil {
+		in, out := &in.AdditionalRoles, &out.AdditionalRoles
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.SessionTags != nil {
+		in, out := &in.SessionTags, &out.SessionTags
+		*out = make([]*Tag, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(Tag)
+				**out = **in
+			}
+		}
+	}
+	if in.SecretsManager != nil {
+		in, out := &in.SecretsManager, &out.SecretsManager
+		*out = new(SecretsManager)
+		**out = **in
+	}
+	if in.TransitiveTagKeys != nil {
+		in, out := &in.TransitiveTagKeys, &out.TransitiveTagKeys
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSProvider.
+func (in *AWSProvider) DeepCopy() *AWSProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AkeylessAuth) DeepCopyInto(out *AkeylessAuth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+	if in.KubernetesAuth != nil {
+		in, out := &in.KubernetesAuth, &out.KubernetesAuth
+		*out = new(AkeylessKubernetesAuth)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AkeylessAuth.
+func (in *AkeylessAuth) DeepCopy() *AkeylessAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(AkeylessAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AkeylessAuthSecretRef) DeepCopyInto(out *AkeylessAuthSecretRef) {
+	*out = *in
+	in.AccessID.DeepCopyInto(&out.AccessID)
+	in.AccessType.DeepCopyInto(&out.AccessType)
+	in.AccessTypeParam.DeepCopyInto(&out.AccessTypeParam)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AkeylessAuthSecretRef.
+func (in *AkeylessAuthSecretRef) DeepCopy() *AkeylessAuthSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(AkeylessAuthSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AkeylessKubernetesAuth) DeepCopyInto(out *AkeylessKubernetesAuth) {
+	*out = *in
+	if in.ServiceAccountRef != nil {
+		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
+		*out = new(apismetav1.ServiceAccountSelector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AkeylessKubernetesAuth.
+func (in *AkeylessKubernetesAuth) DeepCopy() *AkeylessKubernetesAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(AkeylessKubernetesAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AkeylessProvider) DeepCopyInto(out *AkeylessProvider) {
+	*out = *in
+	if in.AkeylessGWApiURL != nil {
+		in, out := &in.AkeylessGWApiURL, &out.AkeylessGWApiURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.Auth != nil {
+		in, out := &in.Auth, &out.Auth
+		*out = new(AkeylessAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.CABundle != nil {
+		in, out := &in.CABundle, &out.CABundle
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.CAProvider != nil {
+		in, out := &in.CAProvider, &out.CAProvider
+		*out = new(CAProvider)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AkeylessProvider.
+func (in *AkeylessProvider) DeepCopy() *AkeylessProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(AkeylessProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AlibabaAuth) DeepCopyInto(out *AlibabaAuth) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(AlibabaAuthSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.RRSAAuth != nil {
+		in, out := &in.RRSAAuth, &out.RRSAAuth
+		*out = new(AlibabaRRSAAuth)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlibabaAuth.
+func (in *AlibabaAuth) DeepCopy() *AlibabaAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(AlibabaAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AlibabaAuthSecretRef) DeepCopyInto(out *AlibabaAuthSecretRef) {
+	*out = *in
+	in.AccessKeyID.DeepCopyInto(&out.AccessKeyID)
+	in.AccessKeySecret.DeepCopyInto(&out.AccessKeySecret)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlibabaAuthSecretRef.
+func (in *AlibabaAuthSecretRef) DeepCopy() *AlibabaAuthSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(AlibabaAuthSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AlibabaProvider) DeepCopyInto(out *AlibabaProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlibabaProvider.
+func (in *AlibabaProvider) DeepCopy() *AlibabaProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(AlibabaProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AlibabaRRSAAuth) DeepCopyInto(out *AlibabaRRSAAuth) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlibabaRRSAAuth.
+func (in *AlibabaRRSAAuth) DeepCopy() *AlibabaRRSAAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(AlibabaRRSAAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AzureKVAuth) DeepCopyInto(out *AzureKVAuth) {
+	*out = *in
+	if in.ClientID != nil {
+		in, out := &in.ClientID, &out.ClientID
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.TenantID != nil {
+		in, out := &in.TenantID, &out.TenantID
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ClientSecret != nil {
+		in, out := &in.ClientSecret, &out.ClientSecret
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ClientCertificate != nil {
+		in, out := &in.ClientCertificate, &out.ClientCertificate
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureKVAuth.
+func (in *AzureKVAuth) DeepCopy() *AzureKVAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(AzureKVAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AzureKVProvider) DeepCopyInto(out *AzureKVProvider) {
+	*out = *in
+	if in.AuthType != nil {
+		in, out := &in.AuthType, &out.AuthType
+		*out = new(AzureAuthType)
+		**out = **in
+	}
+	if in.VaultURL != nil {
+		in, out := &in.VaultURL, &out.VaultURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.TenantID != nil {
+		in, out := &in.TenantID, &out.TenantID
+		*out = new(string)
+		**out = **in
+	}
+	if in.AuthSecretRef != nil {
+		in, out := &in.AuthSecretRef, &out.AuthSecretRef
+		*out = new(AzureKVAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ServiceAccountRef != nil {
+		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
+		*out = new(apismetav1.ServiceAccountSelector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.IdentityID != nil {
+		in, out := &in.IdentityID, &out.IdentityID
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureKVProvider.
+func (in *AzureKVProvider) DeepCopy() *AzureKVProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(AzureKVProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BeyondTrustProviderSecretRef) DeepCopyInto(out *BeyondTrustProviderSecretRef) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BeyondTrustProviderSecretRef.
+func (in *BeyondTrustProviderSecretRef) DeepCopy() *BeyondTrustProviderSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(BeyondTrustProviderSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BeyondtrustAuth) DeepCopyInto(out *BeyondtrustAuth) {
+	*out = *in
+	if in.APIKey != nil {
+		in, out := &in.APIKey, &out.APIKey
+		*out = new(BeyondTrustProviderSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ClientID != nil {
+		in, out := &in.ClientID, &out.ClientID
+		*out = new(BeyondTrustProviderSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ClientSecret != nil {
+		in, out := &in.ClientSecret, &out.ClientSecret
+		*out = new(BeyondTrustProviderSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Certificate != nil {
+		in, out := &in.Certificate, &out.Certificate
+		*out = new(BeyondTrustProviderSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.CertificateKey != nil {
+		in, out := &in.CertificateKey, &out.CertificateKey
+		*out = new(BeyondTrustProviderSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BeyondtrustAuth.
+func (in *BeyondtrustAuth) DeepCopy() *BeyondtrustAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(BeyondtrustAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BeyondtrustProvider) DeepCopyInto(out *BeyondtrustProvider) {
+	*out = *in
+	if in.Auth != nil {
+		in, out := &in.Auth, &out.Auth
+		*out = new(BeyondtrustAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Server != nil {
+		in, out := &in.Server, &out.Server
+		*out = new(BeyondtrustServer)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BeyondtrustProvider.
+func (in *BeyondtrustProvider) DeepCopy() *BeyondtrustProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(BeyondtrustProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BeyondtrustServer) DeepCopyInto(out *BeyondtrustServer) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BeyondtrustServer.
+func (in *BeyondtrustServer) DeepCopy() *BeyondtrustServer {
+	if in == nil {
+		return nil
+	}
+	out := new(BeyondtrustServer)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BitwardenSecretsManagerAuth) DeepCopyInto(out *BitwardenSecretsManagerAuth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BitwardenSecretsManagerAuth.
+func (in *BitwardenSecretsManagerAuth) DeepCopy() *BitwardenSecretsManagerAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(BitwardenSecretsManagerAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BitwardenSecretsManagerProvider) DeepCopyInto(out *BitwardenSecretsManagerProvider) {
+	*out = *in
+	if in.CAProvider != nil {
+		in, out := &in.CAProvider, &out.CAProvider
+		*out = new(CAProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	in.Auth.DeepCopyInto(&out.Auth)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BitwardenSecretsManagerProvider.
+func (in *BitwardenSecretsManagerProvider) DeepCopy() *BitwardenSecretsManagerProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(BitwardenSecretsManagerProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BitwardenSecretsManagerSecretRef) DeepCopyInto(out *BitwardenSecretsManagerSecretRef) {
+	*out = *in
+	in.Credentials.DeepCopyInto(&out.Credentials)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BitwardenSecretsManagerSecretRef.
+func (in *BitwardenSecretsManagerSecretRef) DeepCopy() *BitwardenSecretsManagerSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(BitwardenSecretsManagerSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CAProvider) DeepCopyInto(out *CAProvider) {
+	*out = *in
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAProvider.
+func (in *CAProvider) DeepCopy() *CAProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(CAProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CSMAuth) DeepCopyInto(out *CSMAuth) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(CSMAuthSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CSMAuth.
+func (in *CSMAuth) DeepCopy() *CSMAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(CSMAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CSMAuthSecretRef) DeepCopyInto(out *CSMAuthSecretRef) {
+	*out = *in
+	in.AccessKeyID.DeepCopyInto(&out.AccessKeyID)
+	in.AccessKeySecret.DeepCopyInto(&out.AccessKeySecret)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CSMAuthSecretRef.
+func (in *CSMAuthSecretRef) DeepCopy() *CSMAuthSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(CSMAuthSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertAuth) DeepCopyInto(out *CertAuth) {
+	*out = *in
+	in.ClientCert.DeepCopyInto(&out.ClientCert)
+	in.ClientKey.DeepCopyInto(&out.ClientKey)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertAuth.
+func (in *CertAuth) DeepCopy() *CertAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(CertAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ChefAuth) DeepCopyInto(out *ChefAuth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ChefAuth.
+func (in *ChefAuth) DeepCopy() *ChefAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(ChefAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ChefAuthSecretRef) DeepCopyInto(out *ChefAuthSecretRef) {
+	*out = *in
+	in.SecretKey.DeepCopyInto(&out.SecretKey)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ChefAuthSecretRef.
+func (in *ChefAuthSecretRef) DeepCopy() *ChefAuthSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(ChefAuthSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ChefProvider) DeepCopyInto(out *ChefProvider) {
+	*out = *in
+	if in.Auth != nil {
+		in, out := &in.Auth, &out.Auth
+		*out = new(ChefAuth)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ChefProvider.
+func (in *ChefProvider) DeepCopy() *ChefProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(ChefProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CloudruSMProvider) DeepCopyInto(out *CloudruSMProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudruSMProvider.
+func (in *CloudruSMProvider) DeepCopy() *CloudruSMProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(CloudruSMProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterExternalSecret) DeepCopyInto(out *ClusterExternalSecret) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterExternalSecret.
+func (in *ClusterExternalSecret) DeepCopy() *ClusterExternalSecret {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterExternalSecret)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterExternalSecret) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterExternalSecretList) DeepCopyInto(out *ClusterExternalSecretList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ClusterExternalSecret, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterExternalSecretList.
+func (in *ClusterExternalSecretList) DeepCopy() *ClusterExternalSecretList {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterExternalSecretList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterExternalSecretList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterExternalSecretNamespaceFailure) DeepCopyInto(out *ClusterExternalSecretNamespaceFailure) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterExternalSecretNamespaceFailure.
+func (in *ClusterExternalSecretNamespaceFailure) DeepCopy() *ClusterExternalSecretNamespaceFailure {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterExternalSecretNamespaceFailure)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterExternalSecretSpec) DeepCopyInto(out *ClusterExternalSecretSpec) {
+	*out = *in
+	in.ExternalSecretSpec.DeepCopyInto(&out.ExternalSecretSpec)
+	in.ExternalSecretMetadata.DeepCopyInto(&out.ExternalSecretMetadata)
+	if in.NamespaceSelector != nil {
+		in, out := &in.NamespaceSelector, &out.NamespaceSelector
+		*out = new(metav1.LabelSelector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.NamespaceSelectors != nil {
+		in, out := &in.NamespaceSelectors, &out.NamespaceSelectors
+		*out = make([]*metav1.LabelSelector, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(metav1.LabelSelector)
+				(*in).DeepCopyInto(*out)
+			}
+		}
+	}
+	if in.Namespaces != nil {
+		in, out := &in.Namespaces, &out.Namespaces
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.RefreshInterval != nil {
+		in, out := &in.RefreshInterval, &out.RefreshInterval
+		*out = new(metav1.Duration)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterExternalSecretSpec.
+func (in *ClusterExternalSecretSpec) DeepCopy() *ClusterExternalSecretSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterExternalSecretSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterExternalSecretStatus) DeepCopyInto(out *ClusterExternalSecretStatus) {
+	*out = *in
+	if in.FailedNamespaces != nil {
+		in, out := &in.FailedNamespaces, &out.FailedNamespaces
+		*out = make([]ClusterExternalSecretNamespaceFailure, len(*in))
+		copy(*out, *in)
+	}
+	if in.ProvisionedNamespaces != nil {
+		in, out := &in.ProvisionedNamespaces, &out.ProvisionedNamespaces
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]ClusterExternalSecretStatusCondition, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterExternalSecretStatus.
+func (in *ClusterExternalSecretStatus) DeepCopy() *ClusterExternalSecretStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterExternalSecretStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterExternalSecretStatusCondition) DeepCopyInto(out *ClusterExternalSecretStatusCondition) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterExternalSecretStatusCondition.
+func (in *ClusterExternalSecretStatusCondition) DeepCopy() *ClusterExternalSecretStatusCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterExternalSecretStatusCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterSecretStore) DeepCopyInto(out *ClusterSecretStore) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSecretStore.
+func (in *ClusterSecretStore) DeepCopy() *ClusterSecretStore {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterSecretStore)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterSecretStore) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterSecretStoreCondition) DeepCopyInto(out *ClusterSecretStoreCondition) {
+	*out = *in
+	if in.NamespaceSelector != nil {
+		in, out := &in.NamespaceSelector, &out.NamespaceSelector
+		*out = new(metav1.LabelSelector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Namespaces != nil {
+		in, out := &in.Namespaces, &out.Namespaces
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.NamespaceRegexes != nil {
+		in, out := &in.NamespaceRegexes, &out.NamespaceRegexes
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSecretStoreCondition.
+func (in *ClusterSecretStoreCondition) DeepCopy() *ClusterSecretStoreCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterSecretStoreCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterSecretStoreList) DeepCopyInto(out *ClusterSecretStoreList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ClusterSecretStore, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSecretStoreList.
+func (in *ClusterSecretStoreList) DeepCopy() *ClusterSecretStoreList {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterSecretStoreList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterSecretStoreList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConjurAPIKey) DeepCopyInto(out *ConjurAPIKey) {
+	*out = *in
+	if in.UserRef != nil {
+		in, out := &in.UserRef, &out.UserRef
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.APIKeyRef != nil {
+		in, out := &in.APIKeyRef, &out.APIKeyRef
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConjurAPIKey.
+func (in *ConjurAPIKey) DeepCopy() *ConjurAPIKey {
+	if in == nil {
+		return nil
+	}
+	out := new(ConjurAPIKey)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConjurAuth) DeepCopyInto(out *ConjurAuth) {
+	*out = *in
+	if in.APIKey != nil {
+		in, out := &in.APIKey, &out.APIKey
+		*out = new(ConjurAPIKey)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Jwt != nil {
+		in, out := &in.Jwt, &out.Jwt
+		*out = new(ConjurJWT)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConjurAuth.
+func (in *ConjurAuth) DeepCopy() *ConjurAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(ConjurAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConjurJWT) DeepCopyInto(out *ConjurJWT) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ServiceAccountRef != nil {
+		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
+		*out = new(apismetav1.ServiceAccountSelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConjurJWT.
+func (in *ConjurJWT) DeepCopy() *ConjurJWT {
+	if in == nil {
+		return nil
+	}
+	out := new(ConjurJWT)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConjurProvider) DeepCopyInto(out *ConjurProvider) {
+	*out = *in
+	if in.CAProvider != nil {
+		in, out := &in.CAProvider, &out.CAProvider
+		*out = new(CAProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	in.Auth.DeepCopyInto(&out.Auth)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConjurProvider.
+func (in *ConjurProvider) DeepCopy() *ConjurProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(ConjurProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DelineaProvider) DeepCopyInto(out *DelineaProvider) {
+	*out = *in
+	if in.ClientID != nil {
+		in, out := &in.ClientID, &out.ClientID
+		*out = new(DelineaProviderSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ClientSecret != nil {
+		in, out := &in.ClientSecret, &out.ClientSecret
+		*out = new(DelineaProviderSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DelineaProvider.
+func (in *DelineaProvider) DeepCopy() *DelineaProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(DelineaProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DelineaProviderSecretRef) DeepCopyInto(out *DelineaProviderSecretRef) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DelineaProviderSecretRef.
+func (in *DelineaProviderSecretRef) DeepCopy() *DelineaProviderSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(DelineaProviderSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Device42Auth) DeepCopyInto(out *Device42Auth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Device42Auth.
+func (in *Device42Auth) DeepCopy() *Device42Auth {
+	if in == nil {
+		return nil
+	}
+	out := new(Device42Auth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Device42Provider) DeepCopyInto(out *Device42Provider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Device42Provider.
+func (in *Device42Provider) DeepCopy() *Device42Provider {
+	if in == nil {
+		return nil
+	}
+	out := new(Device42Provider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Device42SecretRef) DeepCopyInto(out *Device42SecretRef) {
+	*out = *in
+	in.Credentials.DeepCopyInto(&out.Credentials)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Device42SecretRef.
+func (in *Device42SecretRef) DeepCopy() *Device42SecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(Device42SecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DopplerAuth) DeepCopyInto(out *DopplerAuth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DopplerAuth.
+func (in *DopplerAuth) DeepCopy() *DopplerAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(DopplerAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DopplerAuthSecretRef) DeepCopyInto(out *DopplerAuthSecretRef) {
+	*out = *in
+	in.DopplerToken.DeepCopyInto(&out.DopplerToken)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DopplerAuthSecretRef.
+func (in *DopplerAuthSecretRef) DeepCopy() *DopplerAuthSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(DopplerAuthSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DopplerProvider) DeepCopyInto(out *DopplerProvider) {
+	*out = *in
+	if in.Auth != nil {
+		in, out := &in.Auth, &out.Auth
+		*out = new(DopplerAuth)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DopplerProvider.
+func (in *DopplerProvider) DeepCopy() *DopplerProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(DopplerProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecret) DeepCopyInto(out *ExternalSecret) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecret.
+func (in *ExternalSecret) DeepCopy() *ExternalSecret {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecret)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ExternalSecret) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretData) DeepCopyInto(out *ExternalSecretData) {
+	*out = *in
+	out.RemoteRef = in.RemoteRef
+	if in.SourceRef != nil {
+		in, out := &in.SourceRef, &out.SourceRef
+		*out = new(StoreSourceRef)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretData.
+func (in *ExternalSecretData) DeepCopy() *ExternalSecretData {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretData)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretDataFromRemoteRef) DeepCopyInto(out *ExternalSecretDataFromRemoteRef) {
+	*out = *in
+	if in.Extract != nil {
+		in, out := &in.Extract, &out.Extract
+		*out = new(ExternalSecretDataRemoteRef)
+		**out = **in
+	}
+	if in.Find != nil {
+		in, out := &in.Find, &out.Find
+		*out = new(ExternalSecretFind)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Rewrite != nil {
+		in, out := &in.Rewrite, &out.Rewrite
+		*out = make([]ExternalSecretRewrite, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SourceRef != nil {
+		in, out := &in.SourceRef, &out.SourceRef
+		*out = new(StoreGeneratorSourceRef)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretDataFromRemoteRef.
+func (in *ExternalSecretDataFromRemoteRef) DeepCopy() *ExternalSecretDataFromRemoteRef {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretDataFromRemoteRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretDataRemoteRef) DeepCopyInto(out *ExternalSecretDataRemoteRef) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretDataRemoteRef.
+func (in *ExternalSecretDataRemoteRef) DeepCopy() *ExternalSecretDataRemoteRef {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretDataRemoteRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretFind) DeepCopyInto(out *ExternalSecretFind) {
+	*out = *in
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(FindName)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretFind.
+func (in *ExternalSecretFind) DeepCopy() *ExternalSecretFind {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretFind)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretList) DeepCopyInto(out *ExternalSecretList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ExternalSecret, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretList.
+func (in *ExternalSecretList) DeepCopy() *ExternalSecretList {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ExternalSecretList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretMetadata) DeepCopyInto(out *ExternalSecretMetadata) {
+	*out = *in
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretMetadata.
+func (in *ExternalSecretMetadata) DeepCopy() *ExternalSecretMetadata {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretMetadata)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretRewrite) DeepCopyInto(out *ExternalSecretRewrite) {
+	*out = *in
+	if in.Regexp != nil {
+		in, out := &in.Regexp, &out.Regexp
+		*out = new(ExternalSecretRewriteRegexp)
+		**out = **in
+	}
+	if in.Transform != nil {
+		in, out := &in.Transform, &out.Transform
+		*out = new(ExternalSecretRewriteTransform)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretRewrite.
+func (in *ExternalSecretRewrite) DeepCopy() *ExternalSecretRewrite {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretRewrite)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretRewriteRegexp) DeepCopyInto(out *ExternalSecretRewriteRegexp) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretRewriteRegexp.
+func (in *ExternalSecretRewriteRegexp) DeepCopy() *ExternalSecretRewriteRegexp {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretRewriteRegexp)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretRewriteTransform) DeepCopyInto(out *ExternalSecretRewriteTransform) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretRewriteTransform.
+func (in *ExternalSecretRewriteTransform) DeepCopy() *ExternalSecretRewriteTransform {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretRewriteTransform)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretSpec) DeepCopyInto(out *ExternalSecretSpec) {
+	*out = *in
+	out.SecretStoreRef = in.SecretStoreRef
+	in.Target.DeepCopyInto(&out.Target)
+	if in.RefreshInterval != nil {
+		in, out := &in.RefreshInterval, &out.RefreshInterval
+		*out = new(metav1.Duration)
+		**out = **in
+	}
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = make([]ExternalSecretData, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DataFrom != nil {
+		in, out := &in.DataFrom, &out.DataFrom
+		*out = make([]ExternalSecretDataFromRemoteRef, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretSpec.
+func (in *ExternalSecretSpec) DeepCopy() *ExternalSecretSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretStatus) DeepCopyInto(out *ExternalSecretStatus) {
+	*out = *in
+	in.RefreshTime.DeepCopyInto(&out.RefreshTime)
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]ExternalSecretStatusCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	out.Binding = in.Binding
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretStatus.
+func (in *ExternalSecretStatus) DeepCopy() *ExternalSecretStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretStatusCondition) DeepCopyInto(out *ExternalSecretStatusCondition) {
+	*out = *in
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretStatusCondition.
+func (in *ExternalSecretStatusCondition) DeepCopy() *ExternalSecretStatusCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretStatusCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretTarget) DeepCopyInto(out *ExternalSecretTarget) {
+	*out = *in
+	if in.Template != nil {
+		in, out := &in.Template, &out.Template
+		*out = new(ExternalSecretTemplate)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretTarget.
+func (in *ExternalSecretTarget) DeepCopy() *ExternalSecretTarget {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretTarget)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretTemplate) DeepCopyInto(out *ExternalSecretTemplate) {
+	*out = *in
+	in.Metadata.DeepCopyInto(&out.Metadata)
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.TemplateFrom != nil {
+		in, out := &in.TemplateFrom, &out.TemplateFrom
+		*out = make([]TemplateFrom, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretTemplate.
+func (in *ExternalSecretTemplate) DeepCopy() *ExternalSecretTemplate {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretTemplate)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretTemplateMetadata) DeepCopyInto(out *ExternalSecretTemplateMetadata) {
+	*out = *in
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretTemplateMetadata.
+func (in *ExternalSecretTemplateMetadata) DeepCopy() *ExternalSecretTemplateMetadata {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretTemplateMetadata)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretValidator) DeepCopyInto(out *ExternalSecretValidator) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretValidator.
+func (in *ExternalSecretValidator) DeepCopy() *ExternalSecretValidator {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretValidator)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FakeProvider) DeepCopyInto(out *FakeProvider) {
+	*out = *in
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = make([]FakeProviderData, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FakeProvider.
+func (in *FakeProvider) DeepCopy() *FakeProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(FakeProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FakeProviderData) DeepCopyInto(out *FakeProviderData) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FakeProviderData.
+func (in *FakeProviderData) DeepCopy() *FakeProviderData {
+	if in == nil {
+		return nil
+	}
+	out := new(FakeProviderData)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FindName) DeepCopyInto(out *FindName) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FindName.
+func (in *FindName) DeepCopy() *FindName {
+	if in == nil {
+		return nil
+	}
+	out := new(FindName)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FortanixProvider) DeepCopyInto(out *FortanixProvider) {
+	*out = *in
+	if in.APIKey != nil {
+		in, out := &in.APIKey, &out.APIKey
+		*out = new(FortanixProviderSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FortanixProvider.
+func (in *FortanixProvider) DeepCopy() *FortanixProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(FortanixProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FortanixProviderSecretRef) DeepCopyInto(out *FortanixProviderSecretRef) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FortanixProviderSecretRef.
+func (in *FortanixProviderSecretRef) DeepCopy() *FortanixProviderSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(FortanixProviderSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GCPSMAuth) DeepCopyInto(out *GCPSMAuth) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(GCPSMAuthSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.WorkloadIdentity != nil {
+		in, out := &in.WorkloadIdentity, &out.WorkloadIdentity
+		*out = new(GCPWorkloadIdentity)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPSMAuth.
+func (in *GCPSMAuth) DeepCopy() *GCPSMAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(GCPSMAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GCPSMAuthSecretRef) DeepCopyInto(out *GCPSMAuthSecretRef) {
+	*out = *in
+	in.SecretAccessKey.DeepCopyInto(&out.SecretAccessKey)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPSMAuthSecretRef.
+func (in *GCPSMAuthSecretRef) DeepCopy() *GCPSMAuthSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(GCPSMAuthSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GCPSMProvider) DeepCopyInto(out *GCPSMProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPSMProvider.
+func (in *GCPSMProvider) DeepCopy() *GCPSMProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(GCPSMProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GCPWorkloadIdentity) DeepCopyInto(out *GCPWorkloadIdentity) {
+	*out = *in
+	in.ServiceAccountRef.DeepCopyInto(&out.ServiceAccountRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPWorkloadIdentity.
+func (in *GCPWorkloadIdentity) DeepCopy() *GCPWorkloadIdentity {
+	if in == nil {
+		return nil
+	}
+	out := new(GCPWorkloadIdentity)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GeneratorRef) DeepCopyInto(out *GeneratorRef) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GeneratorRef.
+func (in *GeneratorRef) DeepCopy() *GeneratorRef {
+	if in == nil {
+		return nil
+	}
+	out := new(GeneratorRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GenericStoreValidator) DeepCopyInto(out *GenericStoreValidator) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenericStoreValidator.
+func (in *GenericStoreValidator) DeepCopy() *GenericStoreValidator {
+	if in == nil {
+		return nil
+	}
+	out := new(GenericStoreValidator)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GithubAppAuth) DeepCopyInto(out *GithubAppAuth) {
+	*out = *in
+	in.PrivateKey.DeepCopyInto(&out.PrivateKey)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GithubAppAuth.
+func (in *GithubAppAuth) DeepCopy() *GithubAppAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(GithubAppAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GithubProvider) DeepCopyInto(out *GithubProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GithubProvider.
+func (in *GithubProvider) DeepCopy() *GithubProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(GithubProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GitlabAuth) DeepCopyInto(out *GitlabAuth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitlabAuth.
+func (in *GitlabAuth) DeepCopy() *GitlabAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(GitlabAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GitlabProvider) DeepCopyInto(out *GitlabProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+	if in.GroupIDs != nil {
+		in, out := &in.GroupIDs, &out.GroupIDs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitlabProvider.
+func (in *GitlabProvider) DeepCopy() *GitlabProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(GitlabProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GitlabSecretRef) DeepCopyInto(out *GitlabSecretRef) {
+	*out = *in
+	in.AccessToken.DeepCopyInto(&out.AccessToken)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitlabSecretRef.
+func (in *GitlabSecretRef) DeepCopy() *GitlabSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(GitlabSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IBMAuth) DeepCopyInto(out *IBMAuth) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(IBMAuthSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ContainerAuth != nil {
+		in, out := &in.ContainerAuth, &out.ContainerAuth
+		*out = new(IBMAuthContainerAuth)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IBMAuth.
+func (in *IBMAuth) DeepCopy() *IBMAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(IBMAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IBMAuthContainerAuth) DeepCopyInto(out *IBMAuthContainerAuth) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IBMAuthContainerAuth.
+func (in *IBMAuthContainerAuth) DeepCopy() *IBMAuthContainerAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(IBMAuthContainerAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IBMAuthSecretRef) DeepCopyInto(out *IBMAuthSecretRef) {
+	*out = *in
+	in.SecretAPIKey.DeepCopyInto(&out.SecretAPIKey)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IBMAuthSecretRef.
+func (in *IBMAuthSecretRef) DeepCopy() *IBMAuthSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(IBMAuthSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IBMProvider) DeepCopyInto(out *IBMProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+	if in.ServiceURL != nil {
+		in, out := &in.ServiceURL, &out.ServiceURL
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IBMProvider.
+func (in *IBMProvider) DeepCopy() *IBMProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(IBMProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InfisicalAuth) DeepCopyInto(out *InfisicalAuth) {
+	*out = *in
+	if in.UniversalAuthCredentials != nil {
+		in, out := &in.UniversalAuthCredentials, &out.UniversalAuthCredentials
+		*out = new(UniversalAuthCredentials)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InfisicalAuth.
+func (in *InfisicalAuth) DeepCopy() *InfisicalAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(InfisicalAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InfisicalProvider) DeepCopyInto(out *InfisicalProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+	out.SecretsScope = in.SecretsScope
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InfisicalProvider.
+func (in *InfisicalProvider) DeepCopy() *InfisicalProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(InfisicalProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KeeperSecurityProvider) DeepCopyInto(out *KeeperSecurityProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeeperSecurityProvider.
+func (in *KeeperSecurityProvider) DeepCopy() *KeeperSecurityProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(KeeperSecurityProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KubernetesAuth) DeepCopyInto(out *KubernetesAuth) {
+	*out = *in
+	if in.Cert != nil {
+		in, out := &in.Cert, &out.Cert
+		*out = new(CertAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Token != nil {
+		in, out := &in.Token, &out.Token
+		*out = new(TokenAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ServiceAccount != nil {
+		in, out := &in.ServiceAccount, &out.ServiceAccount
+		*out = new(apismetav1.ServiceAccountSelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesAuth.
+func (in *KubernetesAuth) DeepCopy() *KubernetesAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(KubernetesAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KubernetesProvider) DeepCopyInto(out *KubernetesProvider) {
+	*out = *in
+	in.Server.DeepCopyInto(&out.Server)
+	in.Auth.DeepCopyInto(&out.Auth)
+	if in.AuthRef != nil {
+		in, out := &in.AuthRef, &out.AuthRef
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesProvider.
+func (in *KubernetesProvider) DeepCopy() *KubernetesProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(KubernetesProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KubernetesServer) DeepCopyInto(out *KubernetesServer) {
+	*out = *in
+	if in.CABundle != nil {
+		in, out := &in.CABundle, &out.CABundle
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.CAProvider != nil {
+		in, out := &in.CAProvider, &out.CAProvider
+		*out = new(CAProvider)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesServer.
+func (in *KubernetesServer) DeepCopy() *KubernetesServer {
+	if in == nil {
+		return nil
+	}
+	out := new(KubernetesServer)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MachineIdentityScopeInWorkspace) DeepCopyInto(out *MachineIdentityScopeInWorkspace) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineIdentityScopeInWorkspace.
+func (in *MachineIdentityScopeInWorkspace) DeepCopy() *MachineIdentityScopeInWorkspace {
+	if in == nil {
+		return nil
+	}
+	out := new(MachineIdentityScopeInWorkspace)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NoSecretError) DeepCopyInto(out *NoSecretError) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NoSecretError.
+func (in *NoSecretError) DeepCopy() *NoSecretError {
+	if in == nil {
+		return nil
+	}
+	out := new(NoSecretError)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NotModifiedError) DeepCopyInto(out *NotModifiedError) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NotModifiedError.
+func (in *NotModifiedError) DeepCopy() *NotModifiedError {
+	if in == nil {
+		return nil
+	}
+	out := new(NotModifiedError)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OnboardbaseAuthSecretRef) DeepCopyInto(out *OnboardbaseAuthSecretRef) {
+	*out = *in
+	in.OnboardbaseAPIKeyRef.DeepCopyInto(&out.OnboardbaseAPIKeyRef)
+	in.OnboardbasePasscodeRef.DeepCopyInto(&out.OnboardbasePasscodeRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OnboardbaseAuthSecretRef.
+func (in *OnboardbaseAuthSecretRef) DeepCopy() *OnboardbaseAuthSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(OnboardbaseAuthSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OnboardbaseProvider) DeepCopyInto(out *OnboardbaseProvider) {
+	*out = *in
+	if in.Auth != nil {
+		in, out := &in.Auth, &out.Auth
+		*out = new(OnboardbaseAuthSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OnboardbaseProvider.
+func (in *OnboardbaseProvider) DeepCopy() *OnboardbaseProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(OnboardbaseProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OnePasswordAuth) DeepCopyInto(out *OnePasswordAuth) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(OnePasswordAuthSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OnePasswordAuth.
+func (in *OnePasswordAuth) DeepCopy() *OnePasswordAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(OnePasswordAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OnePasswordAuthSecretRef) DeepCopyInto(out *OnePasswordAuthSecretRef) {
+	*out = *in
+	in.ConnectToken.DeepCopyInto(&out.ConnectToken)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OnePasswordAuthSecretRef.
+func (in *OnePasswordAuthSecretRef) DeepCopy() *OnePasswordAuthSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(OnePasswordAuthSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OnePasswordProvider) DeepCopyInto(out *OnePasswordProvider) {
+	*out = *in
+	if in.Auth != nil {
+		in, out := &in.Auth, &out.Auth
+		*out = new(OnePasswordAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Vaults != nil {
+		in, out := &in.Vaults, &out.Vaults
+		*out = make(map[string]int, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OnePasswordProvider.
+func (in *OnePasswordProvider) DeepCopy() *OnePasswordProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(OnePasswordProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OracleAuth) DeepCopyInto(out *OracleAuth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OracleAuth.
+func (in *OracleAuth) DeepCopy() *OracleAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(OracleAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OracleProvider) DeepCopyInto(out *OracleProvider) {
+	*out = *in
+	if in.Auth != nil {
+		in, out := &in.Auth, &out.Auth
+		*out = new(OracleAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ServiceAccountRef != nil {
+		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
+		*out = new(apismetav1.ServiceAccountSelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OracleProvider.
+func (in *OracleProvider) DeepCopy() *OracleProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(OracleProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OracleSecretRef) DeepCopyInto(out *OracleSecretRef) {
+	*out = *in
+	in.PrivateKey.DeepCopyInto(&out.PrivateKey)
+	in.Fingerprint.DeepCopyInto(&out.Fingerprint)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OracleSecretRef.
+func (in *OracleSecretRef) DeepCopy() *OracleSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(OracleSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PassboltAuth) DeepCopyInto(out *PassboltAuth) {
+	*out = *in
+	if in.PasswordSecretRef != nil {
+		in, out := &in.PasswordSecretRef, &out.PasswordSecretRef
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.PrivateKeySecretRef != nil {
+		in, out := &in.PrivateKeySecretRef, &out.PrivateKeySecretRef
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PassboltAuth.
+func (in *PassboltAuth) DeepCopy() *PassboltAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(PassboltAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PassboltProvider) DeepCopyInto(out *PassboltProvider) {
+	*out = *in
+	if in.Auth != nil {
+		in, out := &in.Auth, &out.Auth
+		*out = new(PassboltAuth)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PassboltProvider.
+func (in *PassboltProvider) DeepCopy() *PassboltProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(PassboltProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PasswordDepotAuth) DeepCopyInto(out *PasswordDepotAuth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PasswordDepotAuth.
+func (in *PasswordDepotAuth) DeepCopy() *PasswordDepotAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(PasswordDepotAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PasswordDepotProvider) DeepCopyInto(out *PasswordDepotProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PasswordDepotProvider.
+func (in *PasswordDepotProvider) DeepCopy() *PasswordDepotProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(PasswordDepotProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PasswordDepotSecretRef) DeepCopyInto(out *PasswordDepotSecretRef) {
+	*out = *in
+	in.Credentials.DeepCopyInto(&out.Credentials)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PasswordDepotSecretRef.
+func (in *PasswordDepotSecretRef) DeepCopy() *PasswordDepotSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(PasswordDepotSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PreviderAuth) DeepCopyInto(out *PreviderAuth) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(PreviderAuthSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PreviderAuth.
+func (in *PreviderAuth) DeepCopy() *PreviderAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(PreviderAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PreviderAuthSecretRef) DeepCopyInto(out *PreviderAuthSecretRef) {
+	*out = *in
+	in.AccessToken.DeepCopyInto(&out.AccessToken)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PreviderAuthSecretRef.
+func (in *PreviderAuthSecretRef) DeepCopy() *PreviderAuthSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(PreviderAuthSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PreviderProvider) DeepCopyInto(out *PreviderProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PreviderProvider.
+func (in *PreviderProvider) DeepCopy() *PreviderProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(PreviderProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PulumiProvider) DeepCopyInto(out *PulumiProvider) {
+	*out = *in
+	if in.AccessToken != nil {
+		in, out := &in.AccessToken, &out.AccessToken
+		*out = new(PulumiProviderSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PulumiProvider.
+func (in *PulumiProvider) DeepCopy() *PulumiProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(PulumiProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PulumiProviderSecretRef) DeepCopyInto(out *PulumiProviderSecretRef) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PulumiProviderSecretRef.
+func (in *PulumiProviderSecretRef) DeepCopy() *PulumiProviderSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(PulumiProviderSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ScalewayProvider) DeepCopyInto(out *ScalewayProvider) {
+	*out = *in
+	if in.AccessKey != nil {
+		in, out := &in.AccessKey, &out.AccessKey
+		*out = new(ScalewayProviderSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.SecretKey != nil {
+		in, out := &in.SecretKey, &out.SecretKey
+		*out = new(ScalewayProviderSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScalewayProvider.
+func (in *ScalewayProvider) DeepCopy() *ScalewayProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(ScalewayProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ScalewayProviderSecretRef) DeepCopyInto(out *ScalewayProviderSecretRef) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScalewayProviderSecretRef.
+func (in *ScalewayProviderSecretRef) DeepCopy() *ScalewayProviderSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(ScalewayProviderSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretServerProvider) DeepCopyInto(out *SecretServerProvider) {
+	*out = *in
+	if in.Username != nil {
+		in, out := &in.Username, &out.Username
+		*out = new(SecretServerProviderRef)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Password != nil {
+		in, out := &in.Password, &out.Password
+		*out = new(SecretServerProviderRef)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretServerProvider.
+func (in *SecretServerProvider) DeepCopy() *SecretServerProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretServerProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretServerProviderRef) DeepCopyInto(out *SecretServerProviderRef) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretServerProviderRef.
+func (in *SecretServerProviderRef) DeepCopy() *SecretServerProviderRef {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretServerProviderRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretStore) DeepCopyInto(out *SecretStore) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStore.
+func (in *SecretStore) DeepCopy() *SecretStore {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretStore)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *SecretStore) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretStoreList) DeepCopyInto(out *SecretStoreList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]SecretStore, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreList.
+func (in *SecretStoreList) DeepCopy() *SecretStoreList {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretStoreList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *SecretStoreList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretStoreProvider) DeepCopyInto(out *SecretStoreProvider) {
+	*out = *in
+	if in.AWS != nil {
+		in, out := &in.AWS, &out.AWS
+		*out = new(AWSProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.AzureKV != nil {
+		in, out := &in.AzureKV, &out.AzureKV
+		*out = new(AzureKVProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Akeyless != nil {
+		in, out := &in.Akeyless, &out.Akeyless
+		*out = new(AkeylessProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.BitwardenSecretsManager != nil {
+		in, out := &in.BitwardenSecretsManager, &out.BitwardenSecretsManager
+		*out = new(BitwardenSecretsManagerProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Vault != nil {
+		in, out := &in.Vault, &out.Vault
+		*out = new(VaultProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.GCPSM != nil {
+		in, out := &in.GCPSM, &out.GCPSM
+		*out = new(GCPSMProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Oracle != nil {
+		in, out := &in.Oracle, &out.Oracle
+		*out = new(OracleProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.IBM != nil {
+		in, out := &in.IBM, &out.IBM
+		*out = new(IBMProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.YandexCertificateManager != nil {
+		in, out := &in.YandexCertificateManager, &out.YandexCertificateManager
+		*out = new(YandexCertificateManagerProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.YandexLockbox != nil {
+		in, out := &in.YandexLockbox, &out.YandexLockbox
+		*out = new(YandexLockboxProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Github != nil {
+		in, out := &in.Github, &out.Github
+		*out = new(GithubProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Gitlab != nil {
+		in, out := &in.Gitlab, &out.Gitlab
+		*out = new(GitlabProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Alibaba != nil {
+		in, out := &in.Alibaba, &out.Alibaba
+		*out = new(AlibabaProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.OnePassword != nil {
+		in, out := &in.OnePassword, &out.OnePassword
+		*out = new(OnePasswordProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Webhook != nil {
+		in, out := &in.Webhook, &out.Webhook
+		*out = new(WebhookProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Kubernetes != nil {
+		in, out := &in.Kubernetes, &out.Kubernetes
+		*out = new(KubernetesProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Fake != nil {
+		in, out := &in.Fake, &out.Fake
+		*out = new(FakeProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Senhasegura != nil {
+		in, out := &in.Senhasegura, &out.Senhasegura
+		*out = new(SenhaseguraProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Scaleway != nil {
+		in, out := &in.Scaleway, &out.Scaleway
+		*out = new(ScalewayProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Doppler != nil {
+		in, out := &in.Doppler, &out.Doppler
+		*out = new(DopplerProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Previder != nil {
+		in, out := &in.Previder, &out.Previder
+		*out = new(PreviderProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Onboardbase != nil {
+		in, out := &in.Onboardbase, &out.Onboardbase
+		*out = new(OnboardbaseProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.KeeperSecurity != nil {
+		in, out := &in.KeeperSecurity, &out.KeeperSecurity
+		*out = new(KeeperSecurityProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Conjur != nil {
+		in, out := &in.Conjur, &out.Conjur
+		*out = new(ConjurProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Delinea != nil {
+		in, out := &in.Delinea, &out.Delinea
+		*out = new(DelineaProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.SecretServer != nil {
+		in, out := &in.SecretServer, &out.SecretServer
+		*out = new(SecretServerProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Chef != nil {
+		in, out := &in.Chef, &out.Chef
+		*out = new(ChefProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Pulumi != nil {
+		in, out := &in.Pulumi, &out.Pulumi
+		*out = new(PulumiProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Fortanix != nil {
+		in, out := &in.Fortanix, &out.Fortanix
+		*out = new(FortanixProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.PasswordDepot != nil {
+		in, out := &in.PasswordDepot, &out.PasswordDepot
+		*out = new(PasswordDepotProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Passbolt != nil {
+		in, out := &in.Passbolt, &out.Passbolt
+		*out = new(PassboltProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Device42 != nil {
+		in, out := &in.Device42, &out.Device42
+		*out = new(Device42Provider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Infisical != nil {
+		in, out := &in.Infisical, &out.Infisical
+		*out = new(InfisicalProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Beyondtrust != nil {
+		in, out := &in.Beyondtrust, &out.Beyondtrust
+		*out = new(BeyondtrustProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.CloudruSM != nil {
+		in, out := &in.CloudruSM, &out.CloudruSM
+		*out = new(CloudruSMProvider)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreProvider.
+func (in *SecretStoreProvider) DeepCopy() *SecretStoreProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretStoreProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretStoreRef) DeepCopyInto(out *SecretStoreRef) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreRef.
+func (in *SecretStoreRef) DeepCopy() *SecretStoreRef {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretStoreRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretStoreRetrySettings) DeepCopyInto(out *SecretStoreRetrySettings) {
+	*out = *in
+	if in.MaxRetries != nil {
+		in, out := &in.MaxRetries, &out.MaxRetries
+		*out = new(int32)
+		**out = **in
+	}
+	if in.RetryInterval != nil {
+		in, out := &in.RetryInterval, &out.RetryInterval
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreRetrySettings.
+func (in *SecretStoreRetrySettings) DeepCopy() *SecretStoreRetrySettings {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretStoreRetrySettings)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretStoreSpec) DeepCopyInto(out *SecretStoreSpec) {
+	*out = *in
+	if in.Provider != nil {
+		in, out := &in.Provider, &out.Provider
+		*out = new(SecretStoreProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.RetrySettings != nil {
+		in, out := &in.RetrySettings, &out.RetrySettings
+		*out = new(SecretStoreRetrySettings)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]ClusterSecretStoreCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreSpec.
+func (in *SecretStoreSpec) DeepCopy() *SecretStoreSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretStoreSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretStoreStatus) DeepCopyInto(out *SecretStoreStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]SecretStoreStatusCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreStatus.
+func (in *SecretStoreStatus) DeepCopy() *SecretStoreStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretStoreStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretStoreStatusCondition) DeepCopyInto(out *SecretStoreStatusCondition) {
+	*out = *in
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreStatusCondition.
+func (in *SecretStoreStatusCondition) DeepCopy() *SecretStoreStatusCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretStoreStatusCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretsManager) DeepCopyInto(out *SecretsManager) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsManager.
+func (in *SecretsManager) DeepCopy() *SecretsManager {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretsManager)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SenhaseguraAuth) DeepCopyInto(out *SenhaseguraAuth) {
+	*out = *in
+	in.ClientSecret.DeepCopyInto(&out.ClientSecret)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SenhaseguraAuth.
+func (in *SenhaseguraAuth) DeepCopy() *SenhaseguraAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(SenhaseguraAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SenhaseguraProvider) DeepCopyInto(out *SenhaseguraProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SenhaseguraProvider.
+func (in *SenhaseguraProvider) DeepCopy() *SenhaseguraProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(SenhaseguraProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StoreGeneratorSourceRef) DeepCopyInto(out *StoreGeneratorSourceRef) {
+	*out = *in
+	if in.SecretStoreRef != nil {
+		in, out := &in.SecretStoreRef, &out.SecretStoreRef
+		*out = new(SecretStoreRef)
+		**out = **in
+	}
+	if in.GeneratorRef != nil {
+		in, out := &in.GeneratorRef, &out.GeneratorRef
+		*out = new(GeneratorRef)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StoreGeneratorSourceRef.
+func (in *StoreGeneratorSourceRef) DeepCopy() *StoreGeneratorSourceRef {
+	if in == nil {
+		return nil
+	}
+	out := new(StoreGeneratorSourceRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StoreSourceRef) DeepCopyInto(out *StoreSourceRef) {
+	*out = *in
+	out.SecretStoreRef = in.SecretStoreRef
+	if in.GeneratorRef != nil {
+		in, out := &in.GeneratorRef, &out.GeneratorRef
+		*out = new(GeneratorRef)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StoreSourceRef.
+func (in *StoreSourceRef) DeepCopy() *StoreSourceRef {
+	if in == nil {
+		return nil
+	}
+	out := new(StoreSourceRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Tag) DeepCopyInto(out *Tag) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Tag.
+func (in *Tag) DeepCopy() *Tag {
+	if in == nil {
+		return nil
+	}
+	out := new(Tag)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TemplateFrom) DeepCopyInto(out *TemplateFrom) {
+	*out = *in
+	if in.ConfigMap != nil {
+		in, out := &in.ConfigMap, &out.ConfigMap
+		*out = new(TemplateRef)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Secret != nil {
+		in, out := &in.Secret, &out.Secret
+		*out = new(TemplateRef)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Literal != nil {
+		in, out := &in.Literal, &out.Literal
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TemplateFrom.
+func (in *TemplateFrom) DeepCopy() *TemplateFrom {
+	if in == nil {
+		return nil
+	}
+	out := new(TemplateFrom)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TemplateRef) DeepCopyInto(out *TemplateRef) {
+	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]TemplateRefItem, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TemplateRef.
+func (in *TemplateRef) DeepCopy() *TemplateRef {
+	if in == nil {
+		return nil
+	}
+	out := new(TemplateRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TemplateRefItem) DeepCopyInto(out *TemplateRefItem) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TemplateRefItem.
+func (in *TemplateRefItem) DeepCopy() *TemplateRefItem {
+	if in == nil {
+		return nil
+	}
+	out := new(TemplateRefItem)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenAuth) DeepCopyInto(out *TokenAuth) {
+	*out = *in
+	in.BearerToken.DeepCopyInto(&out.BearerToken)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenAuth.
+func (in *TokenAuth) DeepCopy() *TokenAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UniversalAuthCredentials) DeepCopyInto(out *UniversalAuthCredentials) {
+	*out = *in
+	in.ClientID.DeepCopyInto(&out.ClientID)
+	in.ClientSecret.DeepCopyInto(&out.ClientSecret)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UniversalAuthCredentials.
+func (in *UniversalAuthCredentials) DeepCopy() *UniversalAuthCredentials {
+	if in == nil {
+		return nil
+	}
+	out := new(UniversalAuthCredentials)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultAppRole) DeepCopyInto(out *VaultAppRole) {
+	*out = *in
+	if in.RoleRef != nil {
+		in, out := &in.RoleRef, &out.RoleRef
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAppRole.
+func (in *VaultAppRole) DeepCopy() *VaultAppRole {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultAppRole)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultAuth) DeepCopyInto(out *VaultAuth) {
+	*out = *in
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
+	if in.TokenSecretRef != nil {
+		in, out := &in.TokenSecretRef, &out.TokenSecretRef
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.AppRole != nil {
+		in, out := &in.AppRole, &out.AppRole
+		*out = new(VaultAppRole)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Kubernetes != nil {
+		in, out := &in.Kubernetes, &out.Kubernetes
+		*out = new(VaultKubernetesAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Ldap != nil {
+		in, out := &in.Ldap, &out.Ldap
+		*out = new(VaultLdapAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Jwt != nil {
+		in, out := &in.Jwt, &out.Jwt
+		*out = new(VaultJwtAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Cert != nil {
+		in, out := &in.Cert, &out.Cert
+		*out = new(VaultCertAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Iam != nil {
+		in, out := &in.Iam, &out.Iam
+		*out = new(VaultIamAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.UserPass != nil {
+		in, out := &in.UserPass, &out.UserPass
+		*out = new(VaultUserPassAuth)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuth.
+func (in *VaultAuth) DeepCopy() *VaultAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultAwsAuth) DeepCopyInto(out *VaultAwsAuth) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(VaultAwsAuthSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.JWTAuth != nil {
+		in, out := &in.JWTAuth, &out.JWTAuth
+		*out = new(VaultAwsJWTAuth)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAwsAuth.
+func (in *VaultAwsAuth) DeepCopy() *VaultAwsAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultAwsAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultAwsAuthSecretRef) DeepCopyInto(out *VaultAwsAuthSecretRef) {
+	*out = *in
+	in.AccessKeyID.DeepCopyInto(&out.AccessKeyID)
+	in.SecretAccessKey.DeepCopyInto(&out.SecretAccessKey)
+	if in.SessionToken != nil {
+		in, out := &in.SessionToken, &out.SessionToken
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAwsAuthSecretRef.
+func (in *VaultAwsAuthSecretRef) DeepCopy() *VaultAwsAuthSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultAwsAuthSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultAwsJWTAuth) DeepCopyInto(out *VaultAwsJWTAuth) {
+	*out = *in
+	if in.ServiceAccountRef != nil {
+		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
+		*out = new(apismetav1.ServiceAccountSelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAwsJWTAuth.
+func (in *VaultAwsJWTAuth) DeepCopy() *VaultAwsJWTAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultAwsJWTAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultCertAuth) DeepCopyInto(out *VaultCertAuth) {
+	*out = *in
+	in.ClientCert.DeepCopyInto(&out.ClientCert)
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultCertAuth.
+func (in *VaultCertAuth) DeepCopy() *VaultCertAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultCertAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultClientTLS) DeepCopyInto(out *VaultClientTLS) {
+	*out = *in
+	if in.CertSecretRef != nil {
+		in, out := &in.CertSecretRef, &out.CertSecretRef
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.KeySecretRef != nil {
+		in, out := &in.KeySecretRef, &out.KeySecretRef
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultClientTLS.
+func (in *VaultClientTLS) DeepCopy() *VaultClientTLS {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultClientTLS)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultIamAuth) DeepCopyInto(out *VaultIamAuth) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(VaultAwsAuthSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.JWTAuth != nil {
+		in, out := &in.JWTAuth, &out.JWTAuth
+		*out = new(VaultAwsJWTAuth)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultIamAuth.
+func (in *VaultIamAuth) DeepCopy() *VaultIamAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultIamAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultJwtAuth) DeepCopyInto(out *VaultJwtAuth) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.KubernetesServiceAccountToken != nil {
+		in, out := &in.KubernetesServiceAccountToken, &out.KubernetesServiceAccountToken
+		*out = new(VaultKubernetesServiceAccountTokenAuth)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultJwtAuth.
+func (in *VaultJwtAuth) DeepCopy() *VaultJwtAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultJwtAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) {
+	*out = *in
+	if in.ServiceAccountRef != nil {
+		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
+		*out = new(apismetav1.ServiceAccountSelector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(apismetav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultKubernetesAuth.
+func (in *VaultKubernetesAuth) DeepCopy() *VaultKubernetesAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultKubernetesAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultKubernetesServiceAccountTokenAuth) DeepCopyInto(out *VaultKubernetesServiceAccountTokenAuth) {
+	*out = *in
+	in.ServiceAccountRef.DeepCopyInto(&out.ServiceAccountRef)
+	if in.Audiences != nil {
+		in, out := &in.Audiences, &out.Audiences
+		*out = new([]string)
+		if **in != nil {
+			in, out := *in, *out
+			*out = make([]string, len(*in))
+			copy(*out, *in)
+		}
+	}
+	if in.ExpirationSeconds != nil {
+		in, out := &in.ExpirationSeconds, &out.ExpirationSeconds
+		*out = new(int64)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultKubernetesServiceAccountTokenAuth.
+func (in *VaultKubernetesServiceAccountTokenAuth) DeepCopy() *VaultKubernetesServiceAccountTokenAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultKubernetesServiceAccountTokenAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultLdapAuth) DeepCopyInto(out *VaultLdapAuth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultLdapAuth.
+func (in *VaultLdapAuth) DeepCopy() *VaultLdapAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultLdapAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultProvider) DeepCopyInto(out *VaultProvider) {
+	*out = *in
+	if in.Auth != nil {
+		in, out := &in.Auth, &out.Auth
+		*out = new(VaultAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
+	if in.CABundle != nil {
+		in, out := &in.CABundle, &out.CABundle
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	in.ClientTLS.DeepCopyInto(&out.ClientTLS)
+	if in.CAProvider != nil {
+		in, out := &in.CAProvider, &out.CAProvider
+		*out = new(CAProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Headers != nil {
+		in, out := &in.Headers, &out.Headers
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultProvider.
+func (in *VaultProvider) DeepCopy() *VaultProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultUserPassAuth) DeepCopyInto(out *VaultUserPassAuth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultUserPassAuth.
+func (in *VaultUserPassAuth) DeepCopy() *VaultUserPassAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultUserPassAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WebhookCAProvider) DeepCopyInto(out *WebhookCAProvider) {
+	*out = *in
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookCAProvider.
+func (in *WebhookCAProvider) DeepCopy() *WebhookCAProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(WebhookCAProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WebhookProvider) DeepCopyInto(out *WebhookProvider) {
+	*out = *in
+	if in.Headers != nil {
+		in, out := &in.Headers, &out.Headers
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = new(metav1.Duration)
+		**out = **in
+	}
+	out.Result = in.Result
+	if in.Secrets != nil {
+		in, out := &in.Secrets, &out.Secrets
+		*out = make([]WebhookSecret, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CABundle != nil {
+		in, out := &in.CABundle, &out.CABundle
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.CAProvider != nil {
+		in, out := &in.CAProvider, &out.CAProvider
+		*out = new(WebhookCAProvider)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookProvider.
+func (in *WebhookProvider) DeepCopy() *WebhookProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(WebhookProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WebhookResult) DeepCopyInto(out *WebhookResult) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookResult.
+func (in *WebhookResult) DeepCopy() *WebhookResult {
+	if in == nil {
+		return nil
+	}
+	out := new(WebhookResult)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WebhookSecret) DeepCopyInto(out *WebhookSecret) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookSecret.
+func (in *WebhookSecret) DeepCopy() *WebhookSecret {
+	if in == nil {
+		return nil
+	}
+	out := new(WebhookSecret)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *YandexCertificateManagerAuth) DeepCopyInto(out *YandexCertificateManagerAuth) {
+	*out = *in
+	in.AuthorizedKey.DeepCopyInto(&out.AuthorizedKey)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new YandexCertificateManagerAuth.
+func (in *YandexCertificateManagerAuth) DeepCopy() *YandexCertificateManagerAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(YandexCertificateManagerAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *YandexCertificateManagerCAProvider) DeepCopyInto(out *YandexCertificateManagerCAProvider) {
+	*out = *in
+	in.Certificate.DeepCopyInto(&out.Certificate)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new YandexCertificateManagerCAProvider.
+func (in *YandexCertificateManagerCAProvider) DeepCopy() *YandexCertificateManagerCAProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(YandexCertificateManagerCAProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *YandexCertificateManagerProvider) DeepCopyInto(out *YandexCertificateManagerProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+	if in.CAProvider != nil {
+		in, out := &in.CAProvider, &out.CAProvider
+		*out = new(YandexCertificateManagerCAProvider)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new YandexCertificateManagerProvider.
+func (in *YandexCertificateManagerProvider) DeepCopy() *YandexCertificateManagerProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(YandexCertificateManagerProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *YandexLockboxAuth) DeepCopyInto(out *YandexLockboxAuth) {
+	*out = *in
+	in.AuthorizedKey.DeepCopyInto(&out.AuthorizedKey)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new YandexLockboxAuth.
+func (in *YandexLockboxAuth) DeepCopy() *YandexLockboxAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(YandexLockboxAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *YandexLockboxCAProvider) DeepCopyInto(out *YandexLockboxCAProvider) {
+	*out = *in
+	in.Certificate.DeepCopyInto(&out.Certificate)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new YandexLockboxCAProvider.
+func (in *YandexLockboxCAProvider) DeepCopy() *YandexLockboxCAProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(YandexLockboxCAProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *YandexLockboxProvider) DeepCopyInto(out *YandexLockboxProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+	if in.CAProvider != nil {
+		in, out := &in.CAProvider, &out.CAProvider
+		*out = new(YandexLockboxCAProvider)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new YandexLockboxProvider.
+func (in *YandexLockboxProvider) DeepCopy() *YandexLockboxProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(YandexLockboxProvider)
+	in.DeepCopyInto(out)
+	return out
+}

+ 0 - 129
apis/externalsecrets/v1alpha1/externalsecret_conversion.go

@@ -1,129 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
-	"encoding/json"
-
-	"sigs.k8s.io/controller-runtime/pkg/conversion"
-
-	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
-)
-
-func (alpha *ExternalSecret) ConvertTo(betaRaw conversion.Hub) error {
-	beta := betaRaw.(*esv1beta1.ExternalSecret)
-	// Actual converted code that needs to be like this
-	v1beta1DataFrom := make([]esv1beta1.ExternalSecretDataFromRemoteRef, 0)
-	for _, v1alpha1RemoteRef := range alpha.Spec.DataFrom {
-		v1beta1RemoteRef := esv1beta1.ExternalSecretDataFromRemoteRef{
-			Extract: &esv1beta1.ExternalSecretDataRemoteRef{
-				Key:      v1alpha1RemoteRef.Key,
-				Property: v1alpha1RemoteRef.Property,
-				Version:  v1alpha1RemoteRef.Version,
-			},
-		}
-		v1beta1DataFrom = append(v1beta1DataFrom, v1beta1RemoteRef)
-	}
-	beta.Spec.DataFrom = v1beta1DataFrom
-	tmp, err := json.Marshal(alpha.Spec.Data)
-	if err != nil {
-		return err
-	}
-	data := make([]esv1beta1.ExternalSecretData, 0)
-	err = json.Unmarshal(tmp, &data)
-	if err != nil {
-		return err
-	}
-	beta.Spec.Data = data
-
-	tmp, err = json.Marshal(alpha.Spec.Target)
-	if err != nil {
-		return err
-	}
-	target := esv1beta1.ExternalSecretTarget{}
-	err = json.Unmarshal(tmp, &target)
-	if err != nil {
-		return err
-	}
-	beta.Spec.Target = target
-	beta.Spec.RefreshInterval = alpha.Spec.RefreshInterval
-	beta.Spec.SecretStoreRef = esv1beta1.SecretStoreRef(alpha.Spec.SecretStoreRef)
-	beta.ObjectMeta = alpha.ObjectMeta
-	tmp, err = json.Marshal(alpha.Status)
-	if err != nil {
-		return err
-	}
-	status := esv1beta1.ExternalSecretStatus{}
-	err = json.Unmarshal(tmp, &status)
-	if err != nil {
-		return err
-	}
-	beta.Status = status
-	return nil
-}
-
-func (alpha *ExternalSecret) ConvertFrom(betaRaw conversion.Hub) error {
-	beta := betaRaw.(*esv1beta1.ExternalSecret)
-	v1alpha1DataFrom := make([]ExternalSecretDataRemoteRef, 0)
-	for _, v1beta1RemoteRef := range beta.Spec.DataFrom {
-		if v1beta1RemoteRef.Extract != nil {
-			if v1beta1RemoteRef.Extract.Key != "" {
-				v1alpha1RemoteRef := ExternalSecretDataRemoteRef{
-					Key:      v1beta1RemoteRef.Extract.Key,
-					Property: v1beta1RemoteRef.Extract.Property,
-					Version:  v1beta1RemoteRef.Extract.Version,
-				}
-				v1alpha1DataFrom = append(v1alpha1DataFrom, v1alpha1RemoteRef)
-			}
-		}
-	}
-	alpha.Spec.DataFrom = v1alpha1DataFrom
-
-	tmp, err := json.Marshal(beta.Spec.Data)
-	if err != nil {
-		return err
-	}
-	data := make([]ExternalSecretData, 0)
-	err = json.Unmarshal(tmp, &data)
-	if err != nil {
-		return err
-	}
-	alpha.Spec.Data = data
-
-	tmp, err = json.Marshal(beta.Spec.Target)
-	if err != nil {
-		return err
-	}
-	target := ExternalSecretTarget{}
-	err = json.Unmarshal(tmp, &target)
-	if err != nil {
-		return err
-	}
-	alpha.Spec.Target = target
-	alpha.Spec.RefreshInterval = beta.Spec.RefreshInterval
-	alpha.Spec.SecretStoreRef = SecretStoreRef(beta.Spec.SecretStoreRef)
-	alpha.ObjectMeta = beta.ObjectMeta
-	tmp, err = json.Marshal(beta.Status)
-	if err != nil {
-		return err
-	}
-	status := ExternalSecretStatus{}
-	err = json.Unmarshal(tmp, &status)
-	if err != nil {
-		return err
-	}
-	alpha.Status = status
-	return nil
-}

+ 0 - 228
apis/externalsecrets/v1alpha1/externalsecret_conversion_test.go

@@ -1,228 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
-	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
-)
-
-const (
-	keyName    = "my-key"
-	testTarget = "test-target"
-)
-
-func newExternalSecretV1Alpha1() *ExternalSecret {
-	return &ExternalSecret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "full-es",
-			Namespace: "my-ns",
-		},
-		Status: ExternalSecretStatus{
-			SyncedResourceVersion: "123",
-			Conditions: []ExternalSecretStatusCondition{
-				{
-					Type:    ExternalSecretReady,
-					Status:  corev1.ConditionTrue,
-					Reason:  "it's a mock, it's always ready",
-					Message: "...why wouldn't it be?",
-				},
-			},
-			Binding: corev1.LocalObjectReference{
-				Name: testTarget,
-			},
-		},
-		Spec: ExternalSecretSpec{
-			SecretStoreRef: SecretStoreRef{
-				Name: "test-secret-store",
-				Kind: "ClusterSecretStore",
-			},
-			Target: ExternalSecretTarget{
-				Name:           testTarget,
-				CreationPolicy: Owner,
-				Immutable:      false,
-				Template: &ExternalSecretTemplate{
-					Type: corev1.SecretTypeOpaque,
-					Metadata: ExternalSecretTemplateMetadata{
-						Annotations: map[string]string{
-							"foo": "bar",
-						},
-						Labels: map[string]string{
-							"foolbl": "barlbl",
-						},
-					},
-					Data: map[string]string{
-						keyName: "{{.data | toString}}",
-					},
-					TemplateFrom: []TemplateFrom{
-						{
-							ConfigMap: &TemplateRef{
-								Name: "test-configmap",
-								Items: []TemplateRefItem{
-									{
-										Key: keyName,
-									},
-								},
-							},
-							Secret: &TemplateRef{
-								Name: "test-secret",
-								Items: []TemplateRefItem{
-									{
-										Key: keyName,
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-			Data: []ExternalSecretData{
-				{
-					SecretKey: keyName,
-					RemoteRef: ExternalSecretDataRemoteRef{
-						Key:      "datakey",
-						Property: "dataproperty",
-						Version:  "dataversion",
-					},
-				},
-			},
-			DataFrom: []ExternalSecretDataRemoteRef{
-				{
-					Key:      "key",
-					Property: "property",
-					Version:  "version",
-				},
-			},
-		},
-	}
-}
-
-func newExternalSecretV1Beta1() *esv1beta1.ExternalSecret {
-	return &esv1beta1.ExternalSecret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "full-es",
-			Namespace: "my-ns",
-		},
-		Status: esv1beta1.ExternalSecretStatus{
-			SyncedResourceVersion: "123",
-			Conditions: []esv1beta1.ExternalSecretStatusCondition{
-				{
-					Type:    esv1beta1.ExternalSecretReady,
-					Status:  corev1.ConditionTrue,
-					Reason:  "it's a mock, it's always ready",
-					Message: "...why wouldn't it be?",
-				},
-			},
-			Binding: corev1.LocalObjectReference{
-				Name: testTarget,
-			},
-		},
-		Spec: esv1beta1.ExternalSecretSpec{
-			SecretStoreRef: esv1beta1.SecretStoreRef{
-				Name: "test-secret-store",
-				Kind: "ClusterSecretStore",
-			},
-			Target: esv1beta1.ExternalSecretTarget{
-				Name:           testTarget,
-				CreationPolicy: esv1beta1.CreatePolicyOwner,
-				Immutable:      false,
-				Template: &esv1beta1.ExternalSecretTemplate{
-					Type: corev1.SecretTypeOpaque,
-					Metadata: esv1beta1.ExternalSecretTemplateMetadata{
-						Annotations: map[string]string{
-							"foo": "bar",
-						},
-						Labels: map[string]string{
-							"foolbl": "barlbl",
-						},
-					},
-					Data: map[string]string{
-						keyName: "{{.data | toString}}",
-					},
-					TemplateFrom: []esv1beta1.TemplateFrom{
-						{
-							ConfigMap: &esv1beta1.TemplateRef{
-								Name: "test-configmap",
-								Items: []esv1beta1.TemplateRefItem{
-									{
-										Key: keyName,
-									},
-								},
-							},
-							Secret: &esv1beta1.TemplateRef{
-								Name: "test-secret",
-								Items: []esv1beta1.TemplateRefItem{
-									{
-										Key: keyName,
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-			Data: []esv1beta1.ExternalSecretData{
-				{
-					SecretKey: keyName,
-					RemoteRef: esv1beta1.ExternalSecretDataRemoteRef{
-						Key:      "datakey",
-						Property: "dataproperty",
-						Version:  "dataversion",
-					},
-				},
-			},
-			DataFrom: []esv1beta1.ExternalSecretDataFromRemoteRef{
-				{
-					Extract: &esv1beta1.ExternalSecretDataRemoteRef{
-						Key:      "key",
-						Property: "property",
-						Version:  "version",
-					},
-				},
-			},
-		},
-	}
-}
-
-func TestExternalSecretConvertFrom(t *testing.T) {
-	given := newExternalSecretV1Beta1()
-	want := newExternalSecretV1Alpha1()
-	got := &ExternalSecret{}
-	err := got.ConvertFrom(given)
-	if err != nil {
-		t.Errorf("test failed with error: %v", err)
-	}
-	if !assert.Equal(t, want, got) {
-		t.Errorf("test failed, expected: %v, got: %v", want, got)
-	}
-}
-
-func TestExternalSecretConvertTo(t *testing.T) {
-	want := newExternalSecretV1Beta1()
-	given := newExternalSecretV1Alpha1()
-	got := &esv1beta1.ExternalSecret{}
-	err := given.ConvertTo(got)
-	if err != nil {
-		t.Errorf("test failed with error: %v", err)
-	}
-	if !assert.Equal(t, want, got) {
-		t.Errorf("test failed, expected: %v, got: %v", want, got)
-	}
-}

+ 0 - 284
apis/externalsecrets/v1alpha1/externalsecret_types.go

@@ -1,284 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
-type SecretStoreRef struct {
-	// Name of the SecretStore resource
-	// +kubebuilder:validation:MinLength:=1
-	// +kubebuilder:validation:MaxLength:=253
-	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-	Name string `json:"name,omitempty"`
-
-	// Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
-	// Defaults to `SecretStore`
-	// +optional
-	// +kubebuilder:validation:Enum=SecretStore;ClusterSecretStore
-	Kind string `json:"kind,omitempty"`
-}
-
-// ExternalSecretCreationPolicy defines rules on how to create the resulting Secret.
-// +kubebuilder:validation:Enum=Owner;Merge;None
-type ExternalSecretCreationPolicy string
-
-const (
-	// Owner creates the Secret and sets .metadata.ownerReferences to the ExternalSecret resource.
-	Owner ExternalSecretCreationPolicy = "Owner"
-
-	// Merge does not create the Secret, but merges the data fields to the Secret.
-	Merge ExternalSecretCreationPolicy = "Merge"
-
-	// None does not create a Secret (future use with injector).
-	None ExternalSecretCreationPolicy = "None"
-)
-
-// ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
-type ExternalSecretTemplateMetadata struct {
-	// +optional
-	Annotations map[string]string `json:"annotations,omitempty"`
-
-	// +optional
-	Labels map[string]string `json:"labels,omitempty"`
-}
-
-// ExternalSecretTemplate defines a blueprint for the created Secret resource.
-// we can not use native corev1.Secret, it will have empty ObjectMeta values: https://github.com/kubernetes-sigs/controller-tools/issues/448
-type ExternalSecretTemplate struct {
-	// +optional
-	Type corev1.SecretType `json:"type,omitempty"`
-
-	// EngineVersion specifies the template engine version
-	// that should be used to compile/execute the
-	// template specified in .data and .templateFrom[].
-	// +kubebuilder:default="v1"
-	EngineVersion TemplateEngineVersion `json:"engineVersion,omitempty"`
-
-	// +optional
-	Metadata ExternalSecretTemplateMetadata `json:"metadata,omitempty"`
-
-	// +optional
-	Data map[string]string `json:"data,omitempty"`
-
-	// +optional
-	TemplateFrom []TemplateFrom `json:"templateFrom,omitempty"`
-}
-
-// +kubebuilder:validation:Enum=v1;v2
-type TemplateEngineVersion string
-
-const (
-	TemplateEngineV1 TemplateEngineVersion = "v1"
-	TemplateEngineV2 TemplateEngineVersion = "v2"
-)
-
-// +kubebuilder:validation:MinProperties=1
-// +kubebuilder:validation:MaxProperties=1
-type TemplateFrom struct {
-	ConfigMap *TemplateRef `json:"configMap,omitempty"`
-	Secret    *TemplateRef `json:"secret,omitempty"`
-}
-
-type TemplateRef struct {
-	// The name of the ConfigMap/Secret resource
-	// +kubebuilder:validation:MinLength:=1
-	// +kubebuilder:validation:MaxLength:=253
-	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-	Name string `json:"name"`
-
-	// A list of keys in the ConfigMap/Secret to use as templates for Secret data
-	Items []TemplateRefItem `json:"items"`
-}
-
-type TemplateRefItem struct {
-	// A key in the ConfigMap/Secret
-	// +kubebuilder:validation:MinLength:=1
-	// +kubebuilder:validation:MaxLength:=253
-	// +kubebuilder:validation:Pattern:=^[-._a-zA-Z0-9]+$
-	Key string `json:"key"`
-}
-
-// ExternalSecretTarget defines the Kubernetes Secret to be created
-// There can be only one target per ExternalSecret.
-type ExternalSecretTarget struct {
-	// The name of the Secret resource to be managed.
-	// Defaults to the .metadata.name of the ExternalSecret resource
-	// +optional
-	// +kubebuilder:validation:MinLength:=1
-	// +kubebuilder:validation:MaxLength:=253
-	// +kubebuilder:validation:Pattern:=^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
-	Name string `json:"name,omitempty"`
-
-	// CreationPolicy defines rules on how to create the resulting Secret.
-	// Defaults to "Owner"
-	// +optional
-	// +kubebuilder:default="Owner"
-	CreationPolicy ExternalSecretCreationPolicy `json:"creationPolicy,omitempty"`
-
-	// Template defines a blueprint for the created Secret resource.
-	// +optional
-	Template *ExternalSecretTemplate `json:"template,omitempty"`
-
-	// Immutable defines if the final secret will be immutable
-	// +optional
-	Immutable bool `json:"immutable,omitempty"`
-}
-
-// ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
-type ExternalSecretData struct {
-	// The key in the Kubernetes Secret to store the value.
-	// +kubebuilder:validation:MinLength:=1
-	// +kubebuilder:validation:MaxLength:=253
-	// +kubebuilder:validation:Pattern:=^[-._a-zA-Z0-9]+$
-	SecretKey string `json:"secretKey"`
-
-	RemoteRef ExternalSecretDataRemoteRef `json:"remoteRef"`
-}
-
-// ExternalSecretDataRemoteRef defines Provider data location.
-type ExternalSecretDataRemoteRef struct {
-	// Key is the key used in the Provider, mandatory
-	Key string `json:"key"`
-
-	// Used to select a specific version of the Provider value, if supported
-	// +optional
-	Version string `json:"version,omitempty"`
-
-	// Used to select a specific property of the Provider value (if a map), if supported
-	// +optional
-	Property string `json:"property,omitempty"`
-
-	// Used to define a conversion Strategy
-	// +optional
-	// +kubebuilder:default="Default"
-	ConversionStrategy ExternalSecretConversionStrategy `json:"conversionStrategy,omitempty"`
-}
-
-// +kubebuilder:validation:Enum=Default;Unicode
-type ExternalSecretConversionStrategy string
-
-const (
-	ExternalSecretConversionDefault ExternalSecretConversionStrategy = "Default"
-	ExternalSecretConversionUnicode ExternalSecretConversionStrategy = "Unicode"
-)
-
-// ExternalSecretSpec defines the desired state of ExternalSecret.
-type ExternalSecretSpec struct {
-	SecretStoreRef SecretStoreRef `json:"secretStoreRef"`
-
-	Target ExternalSecretTarget `json:"target"`
-
-	// RefreshInterval is the amount of time before the values are read again from the SecretStore provider
-	// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
-	// May be set to zero to fetch and create it once. Defaults to 1h.
-	// +kubebuilder:default="1h"
-	RefreshInterval *metav1.Duration `json:"refreshInterval,omitempty"`
-
-	// Data defines the connection between the Kubernetes Secret keys and the Provider data
-	// +optional
-	Data []ExternalSecretData `json:"data,omitempty"`
-
-	// DataFrom is used to fetch all properties from a specific Provider data
-	// If multiple entries are specified, the Secret keys are merged in the specified order
-	// +optional
-	DataFrom []ExternalSecretDataRemoteRef `json:"dataFrom,omitempty"`
-}
-
-type ExternalSecretConditionType string
-
-const (
-	ExternalSecretReady   ExternalSecretConditionType = "Ready"
-	ExternalSecretDeleted ExternalSecretConditionType = "Deleted"
-)
-
-type ExternalSecretStatusCondition struct {
-	Type   ExternalSecretConditionType `json:"type"`
-	Status corev1.ConditionStatus      `json:"status"`
-
-	// +optional
-	Reason string `json:"reason,omitempty"`
-
-	// +optional
-	Message string `json:"message,omitempty"`
-
-	// +optional
-	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
-}
-
-const (
-	// ConditionReasonSecretSynced indicates that the secrets was synced.
-	ConditionReasonSecretSynced = "SecretSynced"
-	// ConditionReasonSecretSyncedError indicates that there was an error syncing the secret.
-	ConditionReasonSecretSyncedError = "SecretSyncedError"
-	// ConditionReasonSecretDeleted indicates that the secret has been deleted.
-	ConditionReasonSecretDeleted = "SecretDeleted"
-
-	ReasonInvalidStoreRef      = "InvalidStoreRef"
-	ReasonProviderClientConfig = "InvalidProviderClientConfig"
-	ReasonUpdateFailed         = "UpdateFailed"
-	ReasonUpdated              = "Updated"
-)
-
-type ExternalSecretStatus struct {
-	// +nullable
-	// refreshTime is the time and date the external secret was fetched and
-	// the target secret updated
-	RefreshTime metav1.Time `json:"refreshTime,omitempty"`
-
-	// SyncedResourceVersion keeps track of the last synced version
-	SyncedResourceVersion string `json:"syncedResourceVersion,omitempty"`
-
-	// +optional
-	Conditions []ExternalSecretStatusCondition `json:"conditions,omitempty"`
-
-	// Binding represents a servicebinding.io Provisioned Service reference to the secret
-	Binding corev1.LocalObjectReference `json:"binding,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-
-// ExternalSecret is the Schema for the external-secrets API.
-// +kubebuilder:subresource:status
-// +kubebuilder:deprecatedversion
-// +kubebuilder:resource:scope=Namespaced,categories={external-secrets},shortName=es
-// +kubebuilder:printcolumn:name="Store",type=string,JSONPath=`.spec.secretStoreRef.kind`
-// +kubebuilder:printcolumn:name="Store",type=string,JSONPath=`.spec.secretStoreRef.name`
-// +kubebuilder:printcolumn:name="Refresh Interval",type=string,JSONPath=`.spec.refreshInterval`
-// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason`
-type ExternalSecret struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec   ExternalSecretSpec   `json:"spec,omitempty"`
-	Status ExternalSecretStatus `json:"status,omitempty"`
-}
-
-const (
-	// AnnotationDataHash is used to ensure consistency.
-	AnnotationDataHash = "reconcile.external-secrets.io/data-hash"
-)
-
-// +kubebuilder:object:root=true
-
-// ExternalSecretList contains a list of ExternalSecret resources.
-type ExternalSecretList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []ExternalSecret `json:"items"`
-}

+ 3 - 3
apis/externalsecrets/v1alpha1/pushsecret_types.go

@@ -19,7 +19,7 @@ import (
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 )
 
 const (
@@ -96,7 +96,7 @@ type PushSecretSpec struct {
 
 	// Template defines a blueprint for the created Secret resource.
 	// +optional
-	Template *esv1beta1.ExternalSecretTemplate `json:"template,omitempty"`
+	Template *esv1.ExternalSecretTemplate `json:"template,omitempty"`
 }
 
 type PushSecretSecret struct {
@@ -122,7 +122,7 @@ type PushSecretSelector struct {
 
 	// Point to a generator to create a Secret.
 	// +optional
-	GeneratorRef *esv1beta1.GeneratorRef `json:"generatorRef,omitempty"`
+	GeneratorRef *esv1.GeneratorRef `json:"generatorRef,omitempty"`
 }
 
 type PushSecretRemoteRef struct {
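Review bot: The `Template` field of `PushSecretSpec` now takes its type from the `v1` package while this file stays in `v1alpha1`, so the generated PushSecret schema follows whatever `esv1.ExternalSecretTemplate` accepts, and the field comment does not say so. The commit message lists "remove template v1"; if the v1 type no longer accepts `engineVersion: v1` (not visible in this section), existing PushSecret manifests that set it may be rejected or rendered differently after the upgrade, which is worth confirming before release. I would add a line to the field comment such as `// The template type is shared with externalsecrets/v1; accepted engineVersion values are defined there.` The same cross-version dependency applies to `GeneratorRef` in `PushSecretSelector`, whose struct body starts outside its hunk.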

+ 0 - 27
apis/externalsecrets/v1alpha1/register.go

@@ -36,30 +36,6 @@ var (
 	AddToScheme   = SchemeBuilder.AddToScheme
 )
 
-// ExternalSecret type metadata.
-var (
-	ExtSecretKind             = reflect.TypeOf(ExternalSecret{}).Name()
-	ExtSecretGroupKind        = schema.GroupKind{Group: Group, Kind: ExtSecretKind}.String()
-	ExtSecretKindAPIVersion   = ExtSecretKind + "." + SchemeGroupVersion.String()
-	ExtSecretGroupVersionKind = SchemeGroupVersion.WithKind(ExtSecretKind)
-)
-
-// SecretStore type metadata.
-var (
-	SecretStoreKind             = reflect.TypeOf(SecretStore{}).Name()
-	SecretStoreGroupKind        = schema.GroupKind{Group: Group, Kind: SecretStoreKind}.String()
-	SecretStoreKindAPIVersion   = SecretStoreKind + "." + SchemeGroupVersion.String()
-	SecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(SecretStoreKind)
-)
-
-// ClusterSecretStore type metadata.
-var (
-	ClusterSecretStoreKind             = reflect.TypeOf(ClusterSecretStore{}).Name()
-	ClusterSecretStoreGroupKind        = schema.GroupKind{Group: Group, Kind: ClusterSecretStoreKind}.String()
-	ClusterSecretStoreKindAPIVersion   = ClusterSecretStoreKind + "." + SchemeGroupVersion.String()
-	ClusterSecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(ClusterSecretStoreKind)
-)
-
 var (
 	PushSecretKind             = reflect.TypeOf(PushSecret{}).Name()
 	PushSecretGroupKind        = schema.GroupKind{Group: Group, Kind: PushSecretKind}.String()
@@ -75,9 +51,6 @@ var (
 )
 
 func init() {
-	SchemeBuilder.Register(&ExternalSecret{}, &ExternalSecretList{})
-	SchemeBuilder.Register(&SecretStore{}, &SecretStoreList{})
-	SchemeBuilder.Register(&ClusterSecretStore{}, &ClusterSecretStoreList{})
 	SchemeBuilder.Register(&PushSecret{}, &PushSecretList{})
 	SchemeBuilder.Register(&ClusterPushSecret{}, &ClusterPushSecretList{})
 }

+ 0 - 91
apis/externalsecrets/v1alpha1/secretstore_conversion.go

@@ -1,91 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
-	"encoding/json"
-
-	"sigs.k8s.io/controller-runtime/pkg/conversion"
-
-	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
-)
-
-func (c *SecretStore) ConvertTo(betaRaw conversion.Hub) error {
-	beta := betaRaw.(*esv1beta1.SecretStore)
-	tmp := &esv1beta1.SecretStore{}
-	alphajson, err := json.Marshal(c)
-	if err != nil {
-		return err
-	}
-	err = json.Unmarshal(alphajson, tmp)
-	if err != nil {
-		return err
-	}
-	beta.Spec = tmp.Spec
-	beta.ObjectMeta = tmp.ObjectMeta
-	beta.Status = tmp.Status
-	return nil
-}
-
-func (c *SecretStore) ConvertFrom(betaRaw conversion.Hub) error {
-	beta := betaRaw.(*esv1beta1.SecretStore)
-	tmp := &SecretStore{}
-	betajson, err := json.Marshal(beta)
-	if err != nil {
-		return err
-	}
-	err = json.Unmarshal(betajson, tmp)
-	if err != nil {
-		return err
-	}
-	c.Spec = tmp.Spec
-	c.ObjectMeta = tmp.ObjectMeta
-	c.Status = tmp.Status
-	return nil
-}
-
-func (c *ClusterSecretStore) ConvertTo(betaRaw conversion.Hub) error {
-	beta := betaRaw.(*esv1beta1.ClusterSecretStore)
-	tmp := &esv1beta1.ClusterSecretStore{}
-	alphajson, err := json.Marshal(c)
-	if err != nil {
-		return err
-	}
-	err = json.Unmarshal(alphajson, tmp)
-	if err != nil {
-		return err
-	}
-	beta.Spec = tmp.Spec
-	beta.ObjectMeta = tmp.ObjectMeta
-	beta.Status = tmp.Status
-	return nil
-}
-
-func (c *ClusterSecretStore) ConvertFrom(betaRaw conversion.Hub) error {
-	beta := betaRaw.(*esv1beta1.ClusterSecretStore)
-	tmp := &ClusterSecretStore{}
-	betajson, err := json.Marshal(beta)
-	if err != nil {
-		return err
-	}
-	err = json.Unmarshal(betajson, tmp)
-	if err != nil {
-		return err
-	}
-	c.Spec = tmp.Spec
-	c.ObjectMeta = tmp.ObjectMeta
-	c.Status = tmp.Status
-	return nil
-}

+ 0 - 259
apis/externalsecrets/v1alpha1/secretstore_conversion_test.go

@@ -1,259 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
-	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
-	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
-)
-
-const (
-	storeName                = "secret-store"
-	storeNamespace           = "my-namespace"
-	storeReason              = "it's a mock, it's always ready"
-	storeMessage             = "...why wouldn't it be?"
-	storeAWSRegion           = "us-east-1"
-	storeAWSRole             = "arn:aws:iam::123456789012:role/my-role"
-	storeAccessName          = "my-access"
-	storeKey                 = "my-key"
-	storeSecretName          = "my-secret"
-	defaultErrorMessage      = "test failed with error: %v"
-	defaultComparisonMessage = "test failed, expected: %v, got: %v"
-)
-
-func newSecretStoreV1Alpha1() *SecretStore {
-	return &SecretStore{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      storeName,
-			Namespace: storeNamespace,
-		},
-		Status: SecretStoreStatus{
-			Conditions: []SecretStoreStatusCondition{
-				{
-					Type:    SecretStoreReady,
-					Status:  corev1.ConditionTrue,
-					Reason:  storeReason,
-					Message: storeMessage,
-				},
-			},
-		},
-		Spec: SecretStoreSpec{
-			Controller: "dev",
-			Provider: &SecretStoreProvider{
-				AWS: &AWSProvider{
-					Service: AWSServiceSecretsManager,
-					Region:  storeAWSRegion,
-					Role:    storeAWSRole,
-					Auth: AWSAuth{
-						SecretRef: &AWSAuthSecretRef{
-							AccessKeyID: esmeta.SecretKeySelector{
-								Name: storeAccessName,
-								Key:  storeKey,
-							},
-							SecretAccessKey: esmeta.SecretKeySelector{
-								Name: storeSecretName,
-								Key:  storeKey,
-							},
-						},
-					},
-				},
-			},
-		},
-	}
-}
-
-func newSecretStoreV1Beta1() *esv1beta1.SecretStore {
-	return &esv1beta1.SecretStore{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      storeName,
-			Namespace: storeNamespace,
-		},
-		Status: esv1beta1.SecretStoreStatus{
-			Conditions: []esv1beta1.SecretStoreStatusCondition{
-				{
-					Type:    esv1beta1.SecretStoreReady,
-					Status:  corev1.ConditionTrue,
-					Reason:  storeReason,
-					Message: storeMessage,
-				},
-			},
-		},
-		Spec: esv1beta1.SecretStoreSpec{
-			Controller: "dev",
-			Provider: &esv1beta1.SecretStoreProvider{
-				AWS: &esv1beta1.AWSProvider{
-					Service: esv1beta1.AWSServiceSecretsManager,
-					Region:  storeAWSRegion,
-					Role:    storeAWSRole,
-					Auth: esv1beta1.AWSAuth{
-						SecretRef: &esv1beta1.AWSAuthSecretRef{
-							AccessKeyID: esmeta.SecretKeySelector{
-								Name: storeAccessName,
-								Key:  storeKey,
-							},
-							SecretAccessKey: esmeta.SecretKeySelector{
-								Name: storeSecretName,
-								Key:  storeKey,
-							},
-						},
-					},
-				},
-			},
-		},
-	}
-}
-
-func newClusterSecretStoreV1Alpha1() *ClusterSecretStore {
-	ns := storeNamespace
-	return &ClusterSecretStore{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: storeName,
-		},
-		Status: SecretStoreStatus{
-			Conditions: []SecretStoreStatusCondition{
-				{
-					Type:    SecretStoreReady,
-					Status:  corev1.ConditionTrue,
-					Reason:  storeReason,
-					Message: storeMessage,
-				},
-			},
-		},
-		Spec: SecretStoreSpec{
-			Controller: "dev",
-			Provider: &SecretStoreProvider{
-				AWS: &AWSProvider{
-					Service: AWSServiceSecretsManager,
-					Region:  storeAWSRegion,
-					Role:    storeAWSRole,
-					Auth: AWSAuth{
-						SecretRef: &AWSAuthSecretRef{
-							AccessKeyID: esmeta.SecretKeySelector{
-								Name:      storeAccessName,
-								Key:       storeKey,
-								Namespace: &ns,
-							},
-							SecretAccessKey: esmeta.SecretKeySelector{
-								Name:      storeSecretName,
-								Key:       storeKey,
-								Namespace: &ns,
-							},
-						},
-					},
-				},
-			},
-		},
-	}
-}
-
-func newClusterSecretStoreV1Beta1() *esv1beta1.ClusterSecretStore {
-	ns := storeNamespace
-	return &esv1beta1.ClusterSecretStore{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: storeName,
-		},
-		Status: esv1beta1.SecretStoreStatus{
-			Conditions: []esv1beta1.SecretStoreStatusCondition{
-				{
-					Type:    esv1beta1.SecretStoreReady,
-					Status:  corev1.ConditionTrue,
-					Reason:  storeReason,
-					Message: storeMessage,
-				},
-			},
-		},
-		Spec: esv1beta1.SecretStoreSpec{
-			Controller: "dev",
-			Provider: &esv1beta1.SecretStoreProvider{
-				AWS: &esv1beta1.AWSProvider{
-					Service: esv1beta1.AWSServiceSecretsManager,
-					Region:  storeAWSRegion,
-					Role:    storeAWSRole,
-					Auth: esv1beta1.AWSAuth{
-						SecretRef: &esv1beta1.AWSAuthSecretRef{
-							AccessKeyID: esmeta.SecretKeySelector{
-								Name:      storeAccessName,
-								Key:       storeKey,
-								Namespace: &ns,
-							},
-							SecretAccessKey: esmeta.SecretKeySelector{
-								Name:      storeSecretName,
-								Key:       storeKey,
-								Namespace: &ns,
-							},
-						},
-					},
-				},
-			},
-		},
-	}
-}
-func TestSecretStoreConvertFrom(t *testing.T) {
-	given := newSecretStoreV1Beta1()
-	want := newSecretStoreV1Alpha1()
-	got := &SecretStore{}
-	err := got.ConvertFrom(given)
-	if err != nil {
-		t.Errorf(defaultErrorMessage, err)
-	}
-	if !assert.Equal(t, want, got) {
-		t.Errorf("test failed, expected: %v, got: %v", want, got)
-	}
-}
-
-func TestSecretStoreConvertTo(t *testing.T) {
-	want := newSecretStoreV1Beta1()
-	given := newSecretStoreV1Alpha1()
-	got := &esv1beta1.SecretStore{}
-	err := given.ConvertTo(got)
-	if err != nil {
-		t.Errorf(defaultErrorMessage, err)
-	}
-	if !assert.Equal(t, want, got) {
-		t.Errorf(defaultComparisonMessage, want, got)
-	}
-}
-
-func TestClusterSecretStoreConvertFrom(t *testing.T) {
-	given := newClusterSecretStoreV1Beta1()
-	want := newClusterSecretStoreV1Alpha1()
-	got := &ClusterSecretStore{}
-	err := got.ConvertFrom(given)
-	if err != nil {
-		t.Errorf(defaultErrorMessage, err)
-	}
-	if !assert.Equal(t, want, got) {
-		t.Errorf(defaultComparisonMessage, want, got)
-	}
-}
-
-func TestClusterSecretStoreConvertTo(t *testing.T) {
-	want := newClusterSecretStoreV1Beta1()
-	given := newClusterSecretStoreV1Alpha1()
-	got := &esv1beta1.ClusterSecretStore{}
-	err := given.ConvertTo(got)
-	if err != nil {
-		t.Errorf(defaultErrorMessage, err)
-	}
-	if !assert.Equal(t, want, got) {
-		t.Errorf(defaultComparisonMessage, want, got)
-	}
-}

+ 0 - 180
apis/externalsecrets/v1alpha1/secretstore_types.go

@@ -1,180 +0,0 @@
-/*
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// SecretStoreSpec defines the desired state of SecretStore.
-type SecretStoreSpec struct {
-	// Used to select the correct ESO controller (think: ingress.ingressClassName)
-	// The ESO controller is instantiated with a specific controller name and filters ES based on this property
-	// +optional
-	Controller string `json:"controller,omitempty"`
-
-	// Used to configure the provider. Only one provider may be set
-	Provider *SecretStoreProvider `json:"provider"`
-
-	// Used to configure http retries if failed
-	// +optional
-	RetrySettings *SecretStoreRetrySettings `json:"retrySettings,omitempty"`
-}
-
-// SecretStoreProvider contains the provider-specific configration.
-// +kubebuilder:validation:MinProperties=1
-// +kubebuilder:validation:MaxProperties=1
-type SecretStoreProvider struct {
-	// AWS configures this store to sync secrets using AWS Secret Manager provider
-	// +optional
-	AWS *AWSProvider `json:"aws,omitempty"`
-
-	// AzureKV configures this store to sync secrets using Azure Key Vault provider
-	// +optional
-	AzureKV *AzureKVProvider `json:"azurekv,omitempty"`
-
-	// Akeyless configures this store to sync secrets using Akeyless Vault provider
-	// +optional
-	Akeyless *AkeylessProvider `json:"akeyless,omitempty"`
-
-	// Vault configures this store to sync secrets using Hashi provider
-	// +optional
-	Vault *VaultProvider `json:"vault,omitempty"`
-
-	// GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
-	// +optional
-	GCPSM *GCPSMProvider `json:"gcpsm,omitempty"`
-
-	// Oracle configures this store to sync secrets using Oracle Vault provider
-	// +optional
-	Oracle *OracleProvider `json:"oracle,omitempty"`
-
-	// IBM configures this store to sync secrets using IBM Cloud provider
-	// +optional
-	IBM *IBMProvider `json:"ibm,omitempty"`
-
-	// YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
-	// +optional
-	YandexLockbox *YandexLockboxProvider `json:"yandexlockbox,omitempty"`
-
-	// GitLab configures this store to sync secrets using GitLab Variables provider
-	// +optional
-	Gitlab *GitlabProvider `json:"gitlab,omitempty"`
-
-	// Alibaba configures this store to sync secrets using Alibaba Cloud provider
-	// +optional
-	Alibaba *AlibabaProvider `json:"alibaba,omitempty"`
-
-	// Webhook configures this store to sync secrets using a generic templated webhook
-	// +optional
-	Webhook *WebhookProvider `json:"webhook,omitempty"`
-
-	// Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
-	// +optional
-	Kubernetes *KubernetesProvider `json:"kubernetes,omitempty"`
-
-	PasswordDepot *PasswordDepotProvider `json:"passworddepot,omitempty"`
-
-	// Fake configures a store with static key/value pairs
-	// +optional
-	Fake *FakeProvider `json:"fake,omitempty"`
-}
-
-type SecretStoreRetrySettings struct {
-	MaxRetries    *int32  `json:"maxRetries,omitempty"`
-	RetryInterval *string `json:"retryInterval,omitempty"`
-}
-
-type SecretStoreConditionType string
-
-const (
-	SecretStoreReady SecretStoreConditionType = "Ready"
-
-	ReasonInvalidStore          = "InvalidStoreConfiguration"
-	ReasonInvalidProviderConfig = "InvalidProviderConfig"
-	ReasonValidationFailed      = "ValidationFailed"
-	ReasonStoreValid            = "Valid"
-)
-
-type SecretStoreStatusCondition struct {
-	Type   SecretStoreConditionType `json:"type"`
-	Status corev1.ConditionStatus   `json:"status"`
-
-	// +optional
-	Reason string `json:"reason,omitempty"`
-
-	// +optional
-	Message string `json:"message,omitempty"`
-
-	// +optional
-	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
-}
-
-// SecretStoreStatus defines the observed state of the SecretStore.
-type SecretStoreStatus struct {
-	// +optional
-	Conditions []SecretStoreStatusCondition `json:"conditions,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-
-// SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
-// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
-// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason`
-// +kubebuilder:subresource:status
-// +kubebuilder:deprecatedversion
-// +kubebuilder:resource:scope=Namespaced,categories={external-secrets},shortName=ss
-type SecretStore struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec   SecretStoreSpec   `json:"spec,omitempty"`
-	Status SecretStoreStatus `json:"status,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-
-// SecretStoreList contains a list of SecretStore resources.
-type SecretStoreList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []SecretStore `json:"items"`
-}
-
-// +kubebuilder:object:root=true
-
-// ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
-// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
-// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason`
-// +kubebuilder:deprecatedversion
-// +kubebuilder:subresource:status
-// +kubebuilder:resource:scope=Cluster,categories={external-secrets},shortName=css
-type ClusterSecretStore struct {
-	metav1.TypeMeta   `json:",inline"`
-	metav1.ObjectMeta `json:"metadata,omitempty"`
-
-	Spec   SecretStoreSpec   `json:"spec,omitempty"`
-	Status SecretStoreStatus `json:"status,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-
-// ClusterSecretStoreList contains a list of ClusterSecretStore resources.
-type ClusterSecretStoreList struct {
-	metav1.TypeMeta `json:",inline"`
-	metav1.ListMeta `json:"metadata,omitempty"`
-	Items           []ClusterSecretStore `json:"items"`
-}

+ 157 - 1909
apis/externalsecrets/v1alpha1/zz_generated.deepcopy.go

@@ -19,370 +19,12 @@ limitations under the License.
 package v1alpha1
 
 import (
-	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
-	metav1 "github.com/external-secrets/external-secrets/apis/meta/v1"
+	externalsecretsv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
+	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AWSAuth) DeepCopyInto(out *AWSAuth) {
-	*out = *in
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(AWSAuthSecretRef)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.JWTAuth != nil {
-		in, out := &in.JWTAuth, &out.JWTAuth
-		*out = new(AWSJWTAuth)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSAuth.
-func (in *AWSAuth) DeepCopy() *AWSAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(AWSAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AWSAuthSecretRef) DeepCopyInto(out *AWSAuthSecretRef) {
-	*out = *in
-	in.AccessKeyID.DeepCopyInto(&out.AccessKeyID)
-	in.SecretAccessKey.DeepCopyInto(&out.SecretAccessKey)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSAuthSecretRef.
-func (in *AWSAuthSecretRef) DeepCopy() *AWSAuthSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(AWSAuthSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AWSJWTAuth) DeepCopyInto(out *AWSJWTAuth) {
-	*out = *in
-	if in.ServiceAccountRef != nil {
-		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
-		*out = new(metav1.ServiceAccountSelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSJWTAuth.
-func (in *AWSJWTAuth) DeepCopy() *AWSJWTAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(AWSJWTAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AWSProvider) DeepCopyInto(out *AWSProvider) {
-	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSProvider.
-func (in *AWSProvider) DeepCopy() *AWSProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(AWSProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AkeylessAuth) DeepCopyInto(out *AkeylessAuth) {
-	*out = *in
-	in.SecretRef.DeepCopyInto(&out.SecretRef)
-	if in.KubernetesAuth != nil {
-		in, out := &in.KubernetesAuth, &out.KubernetesAuth
-		*out = new(AkeylessKubernetesAuth)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AkeylessAuth.
-func (in *AkeylessAuth) DeepCopy() *AkeylessAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(AkeylessAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AkeylessAuthSecretRef) DeepCopyInto(out *AkeylessAuthSecretRef) {
-	*out = *in
-	in.AccessID.DeepCopyInto(&out.AccessID)
-	in.AccessType.DeepCopyInto(&out.AccessType)
-	in.AccessTypeParam.DeepCopyInto(&out.AccessTypeParam)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AkeylessAuthSecretRef.
-func (in *AkeylessAuthSecretRef) DeepCopy() *AkeylessAuthSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(AkeylessAuthSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AkeylessKubernetesAuth) DeepCopyInto(out *AkeylessKubernetesAuth) {
-	*out = *in
-	if in.ServiceAccountRef != nil {
-		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
-		*out = new(metav1.ServiceAccountSelector)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(metav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AkeylessKubernetesAuth.
-func (in *AkeylessKubernetesAuth) DeepCopy() *AkeylessKubernetesAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(AkeylessKubernetesAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AkeylessProvider) DeepCopyInto(out *AkeylessProvider) {
-	*out = *in
-	if in.AkeylessGWApiURL != nil {
-		in, out := &in.AkeylessGWApiURL, &out.AkeylessGWApiURL
-		*out = new(string)
-		**out = **in
-	}
-	if in.Auth != nil {
-		in, out := &in.Auth, &out.Auth
-		*out = new(AkeylessAuth)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.CABundle != nil {
-		in, out := &in.CABundle, &out.CABundle
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	if in.CAProvider != nil {
-		in, out := &in.CAProvider, &out.CAProvider
-		*out = new(CAProvider)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AkeylessProvider.
-func (in *AkeylessProvider) DeepCopy() *AkeylessProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(AkeylessProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AlibabaAuth) DeepCopyInto(out *AlibabaAuth) {
-	*out = *in
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(AlibabaAuthSecretRef)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.RRSAAuth != nil {
-		in, out := &in.RRSAAuth, &out.RRSAAuth
-		*out = new(AlibabaRRSAAuth)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlibabaAuth.
-func (in *AlibabaAuth) DeepCopy() *AlibabaAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(AlibabaAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AlibabaAuthSecretRef) DeepCopyInto(out *AlibabaAuthSecretRef) {
-	*out = *in
-	in.AccessKeyID.DeepCopyInto(&out.AccessKeyID)
-	in.AccessKeySecret.DeepCopyInto(&out.AccessKeySecret)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlibabaAuthSecretRef.
-func (in *AlibabaAuthSecretRef) DeepCopy() *AlibabaAuthSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(AlibabaAuthSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AlibabaProvider) DeepCopyInto(out *AlibabaProvider) {
-	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlibabaProvider.
-func (in *AlibabaProvider) DeepCopy() *AlibabaProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(AlibabaProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AlibabaRRSAAuth) DeepCopyInto(out *AlibabaRRSAAuth) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlibabaRRSAAuth.
-func (in *AlibabaRRSAAuth) DeepCopy() *AlibabaRRSAAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(AlibabaRRSAAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AzureKVAuth) DeepCopyInto(out *AzureKVAuth) {
-	*out = *in
-	if in.ClientID != nil {
-		in, out := &in.ClientID, &out.ClientID
-		*out = new(metav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.ClientSecret != nil {
-		in, out := &in.ClientSecret, &out.ClientSecret
-		*out = new(metav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureKVAuth.
-func (in *AzureKVAuth) DeepCopy() *AzureKVAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(AzureKVAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AzureKVProvider) DeepCopyInto(out *AzureKVProvider) {
-	*out = *in
-	if in.AuthType != nil {
-		in, out := &in.AuthType, &out.AuthType
-		*out = new(AzureAuthType)
-		**out = **in
-	}
-	if in.VaultURL != nil {
-		in, out := &in.VaultURL, &out.VaultURL
-		*out = new(string)
-		**out = **in
-	}
-	if in.TenantID != nil {
-		in, out := &in.TenantID, &out.TenantID
-		*out = new(string)
-		**out = **in
-	}
-	if in.AuthSecretRef != nil {
-		in, out := &in.AuthSecretRef, &out.AuthSecretRef
-		*out = new(AzureKVAuth)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.ServiceAccountRef != nil {
-		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
-		*out = new(metav1.ServiceAccountSelector)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.IdentityID != nil {
-		in, out := &in.IdentityID, &out.IdentityID
-		*out = new(string)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureKVProvider.
-func (in *AzureKVProvider) DeepCopy() *AzureKVProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(AzureKVProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CAProvider) DeepCopyInto(out *CAProvider) {
-	*out = *in
-	if in.Namespace != nil {
-		in, out := &in.Namespace, &out.Namespace
-		*out = new(string)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAProvider.
-func (in *CAProvider) DeepCopy() *CAProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(CAProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CertAuth) DeepCopyInto(out *CertAuth) {
-	*out = *in
-	in.ClientCert.DeepCopyInto(&out.ClientCert)
-	in.ClientKey.DeepCopyInto(&out.ClientKey)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertAuth.
-func (in *CertAuth) DeepCopy() *CertAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(CertAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterPushSecret) DeepCopyInto(out *ClusterPushSecret) {
 	*out = *in
@@ -548,7 +190,7 @@ func (in *ClusterPushSecretStatus) DeepCopy() *ClusterPushSecretStatus {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ClusterSecretStore) DeepCopyInto(out *ClusterSecretStore) {
+func (in *PushSecret) DeepCopyInto(out *PushSecret) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
@@ -556,18 +198,18 @@ func (in *ClusterSecretStore) DeepCopyInto(out *ClusterSecretStore) {
 	in.Status.DeepCopyInto(&out.Status)
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSecretStore.
-func (in *ClusterSecretStore) DeepCopy() *ClusterSecretStore {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecret.
+func (in *PushSecret) DeepCopy() *PushSecret {
 	if in == nil {
 		return nil
 	}
-	out := new(ClusterSecretStore)
+	out := new(PushSecret)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *ClusterSecretStore) DeepCopyObject() runtime.Object {
+func (in *PushSecret) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@@ -575,31 +217,52 @@ func (in *ClusterSecretStore) DeepCopyObject() runtime.Object {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ClusterSecretStoreList) DeepCopyInto(out *ClusterSecretStoreList) {
+func (in *PushSecretData) DeepCopyInto(out *PushSecretData) {
+	*out = *in
+	out.Match = in.Match
+	if in.Metadata != nil {
+		in, out := &in.Metadata, &out.Metadata
+		*out = new(apiextensionsv1.JSON)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretData.
+func (in *PushSecretData) DeepCopy() *PushSecretData {
+	if in == nil {
+		return nil
+	}
+	out := new(PushSecretData)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PushSecretList) DeepCopyInto(out *PushSecretList) {
 	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
-		*out = make([]ClusterSecretStore, len(*in))
+		*out = make([]PushSecret, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSecretStoreList.
-func (in *ClusterSecretStoreList) DeepCopy() *ClusterSecretStoreList {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretList.
+func (in *PushSecretList) DeepCopy() *PushSecretList {
 	if in == nil {
 		return nil
 	}
-	out := new(ClusterSecretStoreList)
+	out := new(PushSecretList)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *ClusterSecretStoreList) DeepCopyObject() runtime.Object {
+func (in *PushSecretList) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
@@ -607,1670 +270,255 @@ func (in *ClusterSecretStoreList) DeepCopyObject() runtime.Object {
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecret) DeepCopyInto(out *ExternalSecret) {
+func (in *PushSecretMatch) DeepCopyInto(out *PushSecretMatch) {
 	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	in.Spec.DeepCopyInto(&out.Spec)
-	in.Status.DeepCopyInto(&out.Status)
+	out.RemoteRef = in.RemoteRef
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecret.
-func (in *ExternalSecret) DeepCopy() *ExternalSecret {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecret)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *ExternalSecret) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretData) DeepCopyInto(out *ExternalSecretData) {
-	*out = *in
-	out.RemoteRef = in.RemoteRef
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretData.
-func (in *ExternalSecretData) DeepCopy() *ExternalSecretData {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretData)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretDataRemoteRef) DeepCopyInto(out *ExternalSecretDataRemoteRef) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretDataRemoteRef.
-func (in *ExternalSecretDataRemoteRef) DeepCopy() *ExternalSecretDataRemoteRef {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretDataRemoteRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretList) DeepCopyInto(out *ExternalSecretList) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]ExternalSecret, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretList.
-func (in *ExternalSecretList) DeepCopy() *ExternalSecretList {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *ExternalSecretList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretSpec) DeepCopyInto(out *ExternalSecretSpec) {
-	*out = *in
-	out.SecretStoreRef = in.SecretStoreRef
-	in.Target.DeepCopyInto(&out.Target)
-	if in.RefreshInterval != nil {
-		in, out := &in.RefreshInterval, &out.RefreshInterval
-		*out = new(v1.Duration)
-		**out = **in
-	}
-	if in.Data != nil {
-		in, out := &in.Data, &out.Data
-		*out = make([]ExternalSecretData, len(*in))
-		copy(*out, *in)
-	}
-	if in.DataFrom != nil {
-		in, out := &in.DataFrom, &out.DataFrom
-		*out = make([]ExternalSecretDataRemoteRef, len(*in))
-		copy(*out, *in)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretSpec.
-func (in *ExternalSecretSpec) DeepCopy() *ExternalSecretSpec {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretSpec)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretStatus) DeepCopyInto(out *ExternalSecretStatus) {
-	*out = *in
-	in.RefreshTime.DeepCopyInto(&out.RefreshTime)
-	if in.Conditions != nil {
-		in, out := &in.Conditions, &out.Conditions
-		*out = make([]ExternalSecretStatusCondition, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	out.Binding = in.Binding
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretStatus.
-func (in *ExternalSecretStatus) DeepCopy() *ExternalSecretStatus {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretStatus)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretStatusCondition) DeepCopyInto(out *ExternalSecretStatusCondition) {
-	*out = *in
-	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretStatusCondition.
-func (in *ExternalSecretStatusCondition) DeepCopy() *ExternalSecretStatusCondition {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretStatusCondition)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretTarget) DeepCopyInto(out *ExternalSecretTarget) {
-	*out = *in
-	if in.Template != nil {
-		in, out := &in.Template, &out.Template
-		*out = new(ExternalSecretTemplate)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretTarget.
-func (in *ExternalSecretTarget) DeepCopy() *ExternalSecretTarget {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretTarget)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretTemplate) DeepCopyInto(out *ExternalSecretTemplate) {
-	*out = *in
-	in.Metadata.DeepCopyInto(&out.Metadata)
-	if in.Data != nil {
-		in, out := &in.Data, &out.Data
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-	if in.TemplateFrom != nil {
-		in, out := &in.TemplateFrom, &out.TemplateFrom
-		*out = make([]TemplateFrom, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretTemplate.
-func (in *ExternalSecretTemplate) DeepCopy() *ExternalSecretTemplate {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretTemplate)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExternalSecretTemplateMetadata) DeepCopyInto(out *ExternalSecretTemplateMetadata) {
-	*out = *in
-	if in.Annotations != nil {
-		in, out := &in.Annotations, &out.Annotations
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-	if in.Labels != nil {
-		in, out := &in.Labels, &out.Labels
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretTemplateMetadata.
-func (in *ExternalSecretTemplateMetadata) DeepCopy() *ExternalSecretTemplateMetadata {
-	if in == nil {
-		return nil
-	}
-	out := new(ExternalSecretTemplateMetadata)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FakeProvider) DeepCopyInto(out *FakeProvider) {
-	*out = *in
-	if in.Data != nil {
-		in, out := &in.Data, &out.Data
-		*out = make([]FakeProviderData, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FakeProvider.
-func (in *FakeProvider) DeepCopy() *FakeProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(FakeProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FakeProviderData) DeepCopyInto(out *FakeProviderData) {
-	*out = *in
-	if in.ValueMap != nil {
-		in, out := &in.ValueMap, &out.ValueMap
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FakeProviderData.
-func (in *FakeProviderData) DeepCopy() *FakeProviderData {
-	if in == nil {
-		return nil
-	}
-	out := new(FakeProviderData)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GCPSMAuth) DeepCopyInto(out *GCPSMAuth) {
-	*out = *in
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(GCPSMAuthSecretRef)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.WorkloadIdentity != nil {
-		in, out := &in.WorkloadIdentity, &out.WorkloadIdentity
-		*out = new(GCPWorkloadIdentity)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPSMAuth.
-func (in *GCPSMAuth) DeepCopy() *GCPSMAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(GCPSMAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GCPSMAuthSecretRef) DeepCopyInto(out *GCPSMAuthSecretRef) {
-	*out = *in
-	in.SecretAccessKey.DeepCopyInto(&out.SecretAccessKey)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPSMAuthSecretRef.
-func (in *GCPSMAuthSecretRef) DeepCopy() *GCPSMAuthSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(GCPSMAuthSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GCPSMProvider) DeepCopyInto(out *GCPSMProvider) {
-	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPSMProvider.
-func (in *GCPSMProvider) DeepCopy() *GCPSMProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(GCPSMProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GCPWorkloadIdentity) DeepCopyInto(out *GCPWorkloadIdentity) {
-	*out = *in
-	in.ServiceAccountRef.DeepCopyInto(&out.ServiceAccountRef)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPWorkloadIdentity.
-func (in *GCPWorkloadIdentity) DeepCopy() *GCPWorkloadIdentity {
-	if in == nil {
-		return nil
-	}
-	out := new(GCPWorkloadIdentity)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GitlabAuth) DeepCopyInto(out *GitlabAuth) {
-	*out = *in
-	in.SecretRef.DeepCopyInto(&out.SecretRef)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitlabAuth.
-func (in *GitlabAuth) DeepCopy() *GitlabAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(GitlabAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GitlabProvider) DeepCopyInto(out *GitlabProvider) {
-	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitlabProvider.
-func (in *GitlabProvider) DeepCopy() *GitlabProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(GitlabProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GitlabSecretRef) DeepCopyInto(out *GitlabSecretRef) {
-	*out = *in
-	in.AccessToken.DeepCopyInto(&out.AccessToken)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitlabSecretRef.
-func (in *GitlabSecretRef) DeepCopy() *GitlabSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(GitlabSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *IBMAuth) DeepCopyInto(out *IBMAuth) {
-	*out = *in
-	in.SecretRef.DeepCopyInto(&out.SecretRef)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IBMAuth.
-func (in *IBMAuth) DeepCopy() *IBMAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(IBMAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *IBMAuthSecretRef) DeepCopyInto(out *IBMAuthSecretRef) {
-	*out = *in
-	in.SecretAPIKey.DeepCopyInto(&out.SecretAPIKey)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IBMAuthSecretRef.
-func (in *IBMAuthSecretRef) DeepCopy() *IBMAuthSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(IBMAuthSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *IBMProvider) DeepCopyInto(out *IBMProvider) {
-	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
-	if in.ServiceURL != nil {
-		in, out := &in.ServiceURL, &out.ServiceURL
-		*out = new(string)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IBMProvider.
-func (in *IBMProvider) DeepCopy() *IBMProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(IBMProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *KubernetesAuth) DeepCopyInto(out *KubernetesAuth) {
-	*out = *in
-	if in.Cert != nil {
-		in, out := &in.Cert, &out.Cert
-		*out = new(CertAuth)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Token != nil {
-		in, out := &in.Token, &out.Token
-		*out = new(TokenAuth)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.ServiceAccount != nil {
-		in, out := &in.ServiceAccount, &out.ServiceAccount
-		*out = new(ServiceAccountAuth)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesAuth.
-func (in *KubernetesAuth) DeepCopy() *KubernetesAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(KubernetesAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *KubernetesProvider) DeepCopyInto(out *KubernetesProvider) {
-	*out = *in
-	in.Server.DeepCopyInto(&out.Server)
-	in.Auth.DeepCopyInto(&out.Auth)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesProvider.
-func (in *KubernetesProvider) DeepCopy() *KubernetesProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(KubernetesProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *KubernetesServer) DeepCopyInto(out *KubernetesServer) {
-	*out = *in
-	if in.CABundle != nil {
-		in, out := &in.CABundle, &out.CABundle
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	if in.CAProvider != nil {
-		in, out := &in.CAProvider, &out.CAProvider
-		*out = new(CAProvider)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesServer.
-func (in *KubernetesServer) DeepCopy() *KubernetesServer {
-	if in == nil {
-		return nil
-	}
-	out := new(KubernetesServer)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OracleAuth) DeepCopyInto(out *OracleAuth) {
-	*out = *in
-	in.SecretRef.DeepCopyInto(&out.SecretRef)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OracleAuth.
-func (in *OracleAuth) DeepCopy() *OracleAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(OracleAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OracleProvider) DeepCopyInto(out *OracleProvider) {
-	*out = *in
-	if in.Auth != nil {
-		in, out := &in.Auth, &out.Auth
-		*out = new(OracleAuth)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.ServiceAccountRef != nil {
-		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
-		*out = new(metav1.ServiceAccountSelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OracleProvider.
-func (in *OracleProvider) DeepCopy() *OracleProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(OracleProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OracleSecretRef) DeepCopyInto(out *OracleSecretRef) {
-	*out = *in
-	in.PrivateKey.DeepCopyInto(&out.PrivateKey)
-	in.Fingerprint.DeepCopyInto(&out.Fingerprint)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OracleSecretRef.
-func (in *OracleSecretRef) DeepCopy() *OracleSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(OracleSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PasswordDepotAuth) DeepCopyInto(out *PasswordDepotAuth) {
-	*out = *in
-	in.SecretRef.DeepCopyInto(&out.SecretRef)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PasswordDepotAuth.
-func (in *PasswordDepotAuth) DeepCopy() *PasswordDepotAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(PasswordDepotAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PasswordDepotProvider) DeepCopyInto(out *PasswordDepotProvider) {
-	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PasswordDepotProvider.
-func (in *PasswordDepotProvider) DeepCopy() *PasswordDepotProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(PasswordDepotProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PasswordDepotSecretRef) DeepCopyInto(out *PasswordDepotSecretRef) {
-	*out = *in
-	in.Credentials.DeepCopyInto(&out.Credentials)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PasswordDepotSecretRef.
-func (in *PasswordDepotSecretRef) DeepCopy() *PasswordDepotSecretRef {
-	if in == nil {
-		return nil
-	}
-	out := new(PasswordDepotSecretRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PushSecret) DeepCopyInto(out *PushSecret) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	in.Spec.DeepCopyInto(&out.Spec)
-	in.Status.DeepCopyInto(&out.Status)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecret.
-func (in *PushSecret) DeepCopy() *PushSecret {
-	if in == nil {
-		return nil
-	}
-	out := new(PushSecret)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *PushSecret) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PushSecretData) DeepCopyInto(out *PushSecretData) {
-	*out = *in
-	out.Match = in.Match
-	if in.Metadata != nil {
-		in, out := &in.Metadata, &out.Metadata
-		*out = new(apiextensionsv1.JSON)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretData.
-func (in *PushSecretData) DeepCopy() *PushSecretData {
-	if in == nil {
-		return nil
-	}
-	out := new(PushSecretData)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PushSecretList) DeepCopyInto(out *PushSecretList) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]PushSecret, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretList.
-func (in *PushSecretList) DeepCopy() *PushSecretList {
-	if in == nil {
-		return nil
-	}
-	out := new(PushSecretList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *PushSecretList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PushSecretMatch) DeepCopyInto(out *PushSecretMatch) {
-	*out = *in
-	out.RemoteRef = in.RemoteRef
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretMatch.
-func (in *PushSecretMatch) DeepCopy() *PushSecretMatch {
-	if in == nil {
-		return nil
-	}
-	out := new(PushSecretMatch)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PushSecretMetadata) DeepCopyInto(out *PushSecretMetadata) {
-	*out = *in
-	if in.Annotations != nil {
-		in, out := &in.Annotations, &out.Annotations
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-	if in.Labels != nil {
-		in, out := &in.Labels, &out.Labels
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretMetadata.
-func (in *PushSecretMetadata) DeepCopy() *PushSecretMetadata {
-	if in == nil {
-		return nil
-	}
-	out := new(PushSecretMetadata)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PushSecretRemoteRef) DeepCopyInto(out *PushSecretRemoteRef) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretRemoteRef.
-func (in *PushSecretRemoteRef) DeepCopy() *PushSecretRemoteRef {
-	if in == nil {
-		return nil
-	}
-	out := new(PushSecretRemoteRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PushSecretSecret) DeepCopyInto(out *PushSecretSecret) {
-	*out = *in
-	if in.Selector != nil {
-		in, out := &in.Selector, &out.Selector
-		*out = new(v1.LabelSelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretSecret.
-func (in *PushSecretSecret) DeepCopy() *PushSecretSecret {
-	if in == nil {
-		return nil
-	}
-	out := new(PushSecretSecret)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PushSecretSelector) DeepCopyInto(out *PushSecretSelector) {
-	*out = *in
-	if in.Secret != nil {
-		in, out := &in.Secret, &out.Secret
-		*out = new(PushSecretSecret)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.GeneratorRef != nil {
-		in, out := &in.GeneratorRef, &out.GeneratorRef
-		*out = new(v1beta1.GeneratorRef)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretSelector.
-func (in *PushSecretSelector) DeepCopy() *PushSecretSelector {
-	if in == nil {
-		return nil
-	}
-	out := new(PushSecretSelector)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PushSecretSpec) DeepCopyInto(out *PushSecretSpec) {
-	*out = *in
-	if in.RefreshInterval != nil {
-		in, out := &in.RefreshInterval, &out.RefreshInterval
-		*out = new(v1.Duration)
-		**out = **in
-	}
-	if in.SecretStoreRefs != nil {
-		in, out := &in.SecretStoreRefs, &out.SecretStoreRefs
-		*out = make([]PushSecretStoreRef, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	in.Selector.DeepCopyInto(&out.Selector)
-	if in.Data != nil {
-		in, out := &in.Data, &out.Data
-		*out = make([]PushSecretData, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.Template != nil {
-		in, out := &in.Template, &out.Template
-		*out = new(v1beta1.ExternalSecretTemplate)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretSpec.
-func (in *PushSecretSpec) DeepCopy() *PushSecretSpec {
-	if in == nil {
-		return nil
-	}
-	out := new(PushSecretSpec)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PushSecretStatus) DeepCopyInto(out *PushSecretStatus) {
-	*out = *in
-	in.RefreshTime.DeepCopyInto(&out.RefreshTime)
-	if in.SyncedPushSecrets != nil {
-		in, out := &in.SyncedPushSecrets, &out.SyncedPushSecrets
-		*out = make(SyncedPushSecretsMap, len(*in))
-		for key, val := range *in {
-			var outVal map[string]PushSecretData
-			if val == nil {
-				(*out)[key] = nil
-			} else {
-				inVal := (*in)[key]
-				in, out := &inVal, &outVal
-				*out = make(map[string]PushSecretData, len(*in))
-				for key, val := range *in {
-					(*out)[key] = *val.DeepCopy()
-				}
-			}
-			(*out)[key] = outVal
-		}
-	}
-	if in.Conditions != nil {
-		in, out := &in.Conditions, &out.Conditions
-		*out = make([]PushSecretStatusCondition, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretStatus.
-func (in *PushSecretStatus) DeepCopy() *PushSecretStatus {
-	if in == nil {
-		return nil
-	}
-	out := new(PushSecretStatus)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PushSecretStatusCondition) DeepCopyInto(out *PushSecretStatusCondition) {
-	*out = *in
-	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretStatusCondition.
-func (in *PushSecretStatusCondition) DeepCopy() *PushSecretStatusCondition {
-	if in == nil {
-		return nil
-	}
-	out := new(PushSecretStatusCondition)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PushSecretStoreRef) DeepCopyInto(out *PushSecretStoreRef) {
-	*out = *in
-	if in.LabelSelector != nil {
-		in, out := &in.LabelSelector, &out.LabelSelector
-		*out = new(v1.LabelSelector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretStoreRef.
-func (in *PushSecretStoreRef) DeepCopy() *PushSecretStoreRef {
-	if in == nil {
-		return nil
-	}
-	out := new(PushSecretStoreRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SecretStore) DeepCopyInto(out *SecretStore) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	in.Spec.DeepCopyInto(&out.Spec)
-	in.Status.DeepCopyInto(&out.Status)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStore.
-func (in *SecretStore) DeepCopy() *SecretStore {
-	if in == nil {
-		return nil
-	}
-	out := new(SecretStore)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *SecretStore) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SecretStoreList) DeepCopyInto(out *SecretStoreList) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]SecretStore, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreList.
-func (in *SecretStoreList) DeepCopy() *SecretStoreList {
-	if in == nil {
-		return nil
-	}
-	out := new(SecretStoreList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *SecretStoreList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SecretStoreProvider) DeepCopyInto(out *SecretStoreProvider) {
-	*out = *in
-	if in.AWS != nil {
-		in, out := &in.AWS, &out.AWS
-		*out = new(AWSProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.AzureKV != nil {
-		in, out := &in.AzureKV, &out.AzureKV
-		*out = new(AzureKVProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Akeyless != nil {
-		in, out := &in.Akeyless, &out.Akeyless
-		*out = new(AkeylessProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Vault != nil {
-		in, out := &in.Vault, &out.Vault
-		*out = new(VaultProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.GCPSM != nil {
-		in, out := &in.GCPSM, &out.GCPSM
-		*out = new(GCPSMProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Oracle != nil {
-		in, out := &in.Oracle, &out.Oracle
-		*out = new(OracleProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.IBM != nil {
-		in, out := &in.IBM, &out.IBM
-		*out = new(IBMProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.YandexLockbox != nil {
-		in, out := &in.YandexLockbox, &out.YandexLockbox
-		*out = new(YandexLockboxProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Gitlab != nil {
-		in, out := &in.Gitlab, &out.Gitlab
-		*out = new(GitlabProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Alibaba != nil {
-		in, out := &in.Alibaba, &out.Alibaba
-		*out = new(AlibabaProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Webhook != nil {
-		in, out := &in.Webhook, &out.Webhook
-		*out = new(WebhookProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Kubernetes != nil {
-		in, out := &in.Kubernetes, &out.Kubernetes
-		*out = new(KubernetesProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.PasswordDepot != nil {
-		in, out := &in.PasswordDepot, &out.PasswordDepot
-		*out = new(PasswordDepotProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Fake != nil {
-		in, out := &in.Fake, &out.Fake
-		*out = new(FakeProvider)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreProvider.
-func (in *SecretStoreProvider) DeepCopy() *SecretStoreProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(SecretStoreProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SecretStoreRef) DeepCopyInto(out *SecretStoreRef) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreRef.
-func (in *SecretStoreRef) DeepCopy() *SecretStoreRef {
-	if in == nil {
-		return nil
-	}
-	out := new(SecretStoreRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SecretStoreRetrySettings) DeepCopyInto(out *SecretStoreRetrySettings) {
-	*out = *in
-	if in.MaxRetries != nil {
-		in, out := &in.MaxRetries, &out.MaxRetries
-		*out = new(int32)
-		**out = **in
-	}
-	if in.RetryInterval != nil {
-		in, out := &in.RetryInterval, &out.RetryInterval
-		*out = new(string)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreRetrySettings.
-func (in *SecretStoreRetrySettings) DeepCopy() *SecretStoreRetrySettings {
-	if in == nil {
-		return nil
-	}
-	out := new(SecretStoreRetrySettings)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SecretStoreSpec) DeepCopyInto(out *SecretStoreSpec) {
-	*out = *in
-	if in.Provider != nil {
-		in, out := &in.Provider, &out.Provider
-		*out = new(SecretStoreProvider)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.RetrySettings != nil {
-		in, out := &in.RetrySettings, &out.RetrySettings
-		*out = new(SecretStoreRetrySettings)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreSpec.
-func (in *SecretStoreSpec) DeepCopy() *SecretStoreSpec {
-	if in == nil {
-		return nil
-	}
-	out := new(SecretStoreSpec)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SecretStoreStatus) DeepCopyInto(out *SecretStoreStatus) {
-	*out = *in
-	if in.Conditions != nil {
-		in, out := &in.Conditions, &out.Conditions
-		*out = make([]SecretStoreStatusCondition, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreStatus.
-func (in *SecretStoreStatus) DeepCopy() *SecretStoreStatus {
-	if in == nil {
-		return nil
-	}
-	out := new(SecretStoreStatus)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SecretStoreStatusCondition) DeepCopyInto(out *SecretStoreStatusCondition) {
-	*out = *in
-	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreStatusCondition.
-func (in *SecretStoreStatusCondition) DeepCopy() *SecretStoreStatusCondition {
-	if in == nil {
-		return nil
-	}
-	out := new(SecretStoreStatusCondition)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ServiceAccountAuth) DeepCopyInto(out *ServiceAccountAuth) {
-	*out = *in
-	in.ServiceAccountRef.DeepCopyInto(&out.ServiceAccountRef)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountAuth.
-func (in *ServiceAccountAuth) DeepCopy() *ServiceAccountAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(ServiceAccountAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in SyncedPushSecretsMap) DeepCopyInto(out *SyncedPushSecretsMap) {
-	{
-		in := &in
-		*out = make(SyncedPushSecretsMap, len(*in))
-		for key, val := range *in {
-			var outVal map[string]PushSecretData
-			if val == nil {
-				(*out)[key] = nil
-			} else {
-				inVal := (*in)[key]
-				in, out := &inVal, &outVal
-				*out = make(map[string]PushSecretData, len(*in))
-				for key, val := range *in {
-					(*out)[key] = *val.DeepCopy()
-				}
-			}
-			(*out)[key] = outVal
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SyncedPushSecretsMap.
-func (in SyncedPushSecretsMap) DeepCopy() SyncedPushSecretsMap {
-	if in == nil {
-		return nil
-	}
-	out := new(SyncedPushSecretsMap)
-	in.DeepCopyInto(out)
-	return *out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TemplateFrom) DeepCopyInto(out *TemplateFrom) {
-	*out = *in
-	if in.ConfigMap != nil {
-		in, out := &in.ConfigMap, &out.ConfigMap
-		*out = new(TemplateRef)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Secret != nil {
-		in, out := &in.Secret, &out.Secret
-		*out = new(TemplateRef)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TemplateFrom.
-func (in *TemplateFrom) DeepCopy() *TemplateFrom {
-	if in == nil {
-		return nil
-	}
-	out := new(TemplateFrom)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TemplateRef) DeepCopyInto(out *TemplateRef) {
-	*out = *in
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]TemplateRefItem, len(*in))
-		copy(*out, *in)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TemplateRef.
-func (in *TemplateRef) DeepCopy() *TemplateRef {
-	if in == nil {
-		return nil
-	}
-	out := new(TemplateRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TemplateRefItem) DeepCopyInto(out *TemplateRefItem) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TemplateRefItem.
-func (in *TemplateRefItem) DeepCopy() *TemplateRefItem {
-	if in == nil {
-		return nil
-	}
-	out := new(TemplateRefItem)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TokenAuth) DeepCopyInto(out *TokenAuth) {
-	*out = *in
-	in.BearerToken.DeepCopyInto(&out.BearerToken)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenAuth.
-func (in *TokenAuth) DeepCopy() *TokenAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(TokenAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *VaultAppRole) DeepCopyInto(out *VaultAppRole) {
-	*out = *in
-	in.SecretRef.DeepCopyInto(&out.SecretRef)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAppRole.
-func (in *VaultAppRole) DeepCopy() *VaultAppRole {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretMatch.
+func (in *PushSecretMatch) DeepCopy() *PushSecretMatch {
 	if in == nil {
 		return nil
 	}
-	out := new(VaultAppRole)
+	out := new(PushSecretMatch)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *VaultAuth) DeepCopyInto(out *VaultAuth) {
+func (in *PushSecretMetadata) DeepCopyInto(out *PushSecretMetadata) {
 	*out = *in
-	if in.TokenSecretRef != nil {
-		in, out := &in.TokenSecretRef, &out.TokenSecretRef
-		*out = new(metav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.AppRole != nil {
-		in, out := &in.AppRole, &out.AppRole
-		*out = new(VaultAppRole)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Kubernetes != nil {
-		in, out := &in.Kubernetes, &out.Kubernetes
-		*out = new(VaultKubernetesAuth)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Ldap != nil {
-		in, out := &in.Ldap, &out.Ldap
-		*out = new(VaultLdapAuth)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Jwt != nil {
-		in, out := &in.Jwt, &out.Jwt
-		*out = new(VaultJwtAuth)
-		(*in).DeepCopyInto(*out)
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
 	}
-	if in.Cert != nil {
-		in, out := &in.Cert, &out.Cert
-		*out = new(VaultCertAuth)
-		(*in).DeepCopyInto(*out)
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuth.
-func (in *VaultAuth) DeepCopy() *VaultAuth {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretMetadata.
+func (in *PushSecretMetadata) DeepCopy() *PushSecretMetadata {
 	if in == nil {
 		return nil
 	}
-	out := new(VaultAuth)
+	out := new(PushSecretMetadata)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *VaultCertAuth) DeepCopyInto(out *VaultCertAuth) {
+func (in *PushSecretRemoteRef) DeepCopyInto(out *PushSecretRemoteRef) {
 	*out = *in
-	in.ClientCert.DeepCopyInto(&out.ClientCert)
-	in.SecretRef.DeepCopyInto(&out.SecretRef)
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultCertAuth.
-func (in *VaultCertAuth) DeepCopy() *VaultCertAuth {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretRemoteRef.
+func (in *PushSecretRemoteRef) DeepCopy() *PushSecretRemoteRef {
 	if in == nil {
 		return nil
 	}
-	out := new(VaultCertAuth)
+	out := new(PushSecretRemoteRef)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *VaultJwtAuth) DeepCopyInto(out *VaultJwtAuth) {
+func (in *PushSecretSecret) DeepCopyInto(out *PushSecretSecret) {
 	*out = *in
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(metav1.SecretKeySelector)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.KubernetesServiceAccountToken != nil {
-		in, out := &in.KubernetesServiceAccountToken, &out.KubernetesServiceAccountToken
-		*out = new(VaultKubernetesServiceAccountTokenAuth)
+	if in.Selector != nil {
+		in, out := &in.Selector, &out.Selector
+		*out = new(v1.LabelSelector)
 		(*in).DeepCopyInto(*out)
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultJwtAuth.
-func (in *VaultJwtAuth) DeepCopy() *VaultJwtAuth {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretSecret.
+func (in *PushSecretSecret) DeepCopy() *PushSecretSecret {
 	if in == nil {
 		return nil
 	}
-	out := new(VaultJwtAuth)
+	out := new(PushSecretSecret)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) {
+func (in *PushSecretSelector) DeepCopyInto(out *PushSecretSelector) {
 	*out = *in
-	if in.ServiceAccountRef != nil {
-		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
-		*out = new(metav1.ServiceAccountSelector)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.SecretRef != nil {
-		in, out := &in.SecretRef, &out.SecretRef
-		*out = new(metav1.SecretKeySelector)
+	if in.Secret != nil {
+		in, out := &in.Secret, &out.Secret
+		*out = new(PushSecretSecret)
 		(*in).DeepCopyInto(*out)
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultKubernetesAuth.
-func (in *VaultKubernetesAuth) DeepCopy() *VaultKubernetesAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(VaultKubernetesAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *VaultKubernetesServiceAccountTokenAuth) DeepCopyInto(out *VaultKubernetesServiceAccountTokenAuth) {
-	*out = *in
-	in.ServiceAccountRef.DeepCopyInto(&out.ServiceAccountRef)
-	if in.Audiences != nil {
-		in, out := &in.Audiences, &out.Audiences
-		*out = new([]string)
-		if **in != nil {
-			in, out := *in, *out
-			*out = make([]string, len(*in))
-			copy(*out, *in)
-		}
-	}
-	if in.ExpirationSeconds != nil {
-		in, out := &in.ExpirationSeconds, &out.ExpirationSeconds
-		*out = new(int64)
+	if in.GeneratorRef != nil {
+		in, out := &in.GeneratorRef, &out.GeneratorRef
+		*out = new(externalsecretsv1.GeneratorRef)
 		**out = **in
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultKubernetesServiceAccountTokenAuth.
-func (in *VaultKubernetesServiceAccountTokenAuth) DeepCopy() *VaultKubernetesServiceAccountTokenAuth {
-	if in == nil {
-		return nil
-	}
-	out := new(VaultKubernetesServiceAccountTokenAuth)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *VaultLdapAuth) DeepCopyInto(out *VaultLdapAuth) {
-	*out = *in
-	in.SecretRef.DeepCopyInto(&out.SecretRef)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultLdapAuth.
-func (in *VaultLdapAuth) DeepCopy() *VaultLdapAuth {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretSelector.
+func (in *PushSecretSelector) DeepCopy() *PushSecretSelector {
 	if in == nil {
 		return nil
 	}
-	out := new(VaultLdapAuth)
+	out := new(PushSecretSelector)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *VaultProvider) DeepCopyInto(out *VaultProvider) {
+func (in *PushSecretSpec) DeepCopyInto(out *PushSecretSpec) {
 	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
-	if in.Path != nil {
-		in, out := &in.Path, &out.Path
-		*out = new(string)
+	if in.RefreshInterval != nil {
+		in, out := &in.RefreshInterval, &out.RefreshInterval
+		*out = new(v1.Duration)
 		**out = **in
 	}
-	if in.Namespace != nil {
-		in, out := &in.Namespace, &out.Namespace
-		*out = new(string)
-		**out = **in
+	if in.SecretStoreRefs != nil {
+		in, out := &in.SecretStoreRefs, &out.SecretStoreRefs
+		*out = make([]PushSecretStoreRef, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
-	if in.CABundle != nil {
-		in, out := &in.CABundle, &out.CABundle
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
+	in.Selector.DeepCopyInto(&out.Selector)
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = make([]PushSecretData, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
-	if in.CAProvider != nil {
-		in, out := &in.CAProvider, &out.CAProvider
-		*out = new(CAProvider)
+	if in.Template != nil {
+		in, out := &in.Template, &out.Template
+		*out = new(externalsecretsv1.ExternalSecretTemplate)
 		(*in).DeepCopyInto(*out)
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultProvider.
-func (in *VaultProvider) DeepCopy() *VaultProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(VaultProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookCAProvider) DeepCopyInto(out *WebhookCAProvider) {
-	*out = *in
-	if in.Namespace != nil {
-		in, out := &in.Namespace, &out.Namespace
-		*out = new(string)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookCAProvider.
-func (in *WebhookCAProvider) DeepCopy() *WebhookCAProvider {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretSpec.
+func (in *PushSecretSpec) DeepCopy() *PushSecretSpec {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookCAProvider)
+	out := new(PushSecretSpec)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookProvider) DeepCopyInto(out *WebhookProvider) {
+func (in *PushSecretStatus) DeepCopyInto(out *PushSecretStatus) {
 	*out = *in
-	if in.Headers != nil {
-		in, out := &in.Headers, &out.Headers
-		*out = make(map[string]string, len(*in))
+	in.RefreshTime.DeepCopyInto(&out.RefreshTime)
+	if in.SyncedPushSecrets != nil {
+		in, out := &in.SyncedPushSecrets, &out.SyncedPushSecrets
+		*out = make(SyncedPushSecretsMap, len(*in))
 		for key, val := range *in {
-			(*out)[key] = val
+			var outVal map[string]PushSecretData
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				inVal := (*in)[key]
+				in, out := &inVal, &outVal
+				*out = make(map[string]PushSecretData, len(*in))
+				for key, val := range *in {
+					(*out)[key] = *val.DeepCopy()
+				}
+			}
+			(*out)[key] = outVal
 		}
 	}
-	if in.Timeout != nil {
-		in, out := &in.Timeout, &out.Timeout
-		*out = new(v1.Duration)
-		**out = **in
-	}
-	out.Result = in.Result
-	if in.Secrets != nil {
-		in, out := &in.Secrets, &out.Secrets
-		*out = make([]WebhookSecret, len(*in))
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]PushSecretStatusCondition, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-	if in.CABundle != nil {
-		in, out := &in.CABundle, &out.CABundle
-		*out = make([]byte, len(*in))
-		copy(*out, *in)
-	}
-	if in.CAProvider != nil {
-		in, out := &in.CAProvider, &out.CAProvider
-		*out = new(WebhookCAProvider)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookProvider.
-func (in *WebhookProvider) DeepCopy() *WebhookProvider {
-	if in == nil {
-		return nil
-	}
-	out := new(WebhookProvider)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookResult) DeepCopyInto(out *WebhookResult) {
-	*out = *in
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookResult.
-func (in *WebhookResult) DeepCopy() *WebhookResult {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretStatus.
+func (in *PushSecretStatus) DeepCopy() *PushSecretStatus {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookResult)
+	out := new(PushSecretStatus)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *WebhookSecret) DeepCopyInto(out *WebhookSecret) {
+func (in *PushSecretStatusCondition) DeepCopyInto(out *PushSecretStatusCondition) {
 	*out = *in
-	in.SecretRef.DeepCopyInto(&out.SecretRef)
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookSecret.
-func (in *WebhookSecret) DeepCopy() *WebhookSecret {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretStatusCondition.
+func (in *PushSecretStatusCondition) DeepCopy() *PushSecretStatusCondition {
 	if in == nil {
 		return nil
 	}
-	out := new(WebhookSecret)
+	out := new(PushSecretStatusCondition)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *YandexLockboxAuth) DeepCopyInto(out *YandexLockboxAuth) {
+func (in *PushSecretStoreRef) DeepCopyInto(out *PushSecretStoreRef) {
 	*out = *in
-	in.AuthorizedKey.DeepCopyInto(&out.AuthorizedKey)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new YandexLockboxAuth.
-func (in *YandexLockboxAuth) DeepCopy() *YandexLockboxAuth {
-	if in == nil {
-		return nil
+	if in.LabelSelector != nil {
+		in, out := &in.LabelSelector, &out.LabelSelector
+		*out = new(v1.LabelSelector)
+		(*in).DeepCopyInto(*out)
 	}
-	out := new(YandexLockboxAuth)
-	in.DeepCopyInto(out)
-	return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *YandexLockboxCAProvider) DeepCopyInto(out *YandexLockboxCAProvider) {
-	*out = *in
-	in.Certificate.DeepCopyInto(&out.Certificate)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new YandexLockboxCAProvider.
-func (in *YandexLockboxCAProvider) DeepCopy() *YandexLockboxCAProvider {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PushSecretStoreRef.
+func (in *PushSecretStoreRef) DeepCopy() *PushSecretStoreRef {
 	if in == nil {
 		return nil
 	}
-	out := new(YandexLockboxCAProvider)
+	out := new(PushSecretStoreRef)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *YandexLockboxProvider) DeepCopyInto(out *YandexLockboxProvider) {
-	*out = *in
-	in.Auth.DeepCopyInto(&out.Auth)
-	if in.CAProvider != nil {
-		in, out := &in.CAProvider, &out.CAProvider
-		*out = new(YandexLockboxCAProvider)
-		(*in).DeepCopyInto(*out)
+func (in SyncedPushSecretsMap) DeepCopyInto(out *SyncedPushSecretsMap) {
+	{
+		in := &in
+		*out = make(SyncedPushSecretsMap, len(*in))
+		for key, val := range *in {
+			var outVal map[string]PushSecretData
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				inVal := (*in)[key]
+				in, out := &inVal, &outVal
+				*out = make(map[string]PushSecretData, len(*in))
+				for key, val := range *in {
+					(*out)[key] = *val.DeepCopy()
+				}
+			}
+			(*out)[key] = outVal
+		}
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new YandexLockboxProvider.
-func (in *YandexLockboxProvider) DeepCopy() *YandexLockboxProvider {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SyncedPushSecretsMap.
+func (in SyncedPushSecretsMap) DeepCopy() SyncedPushSecretsMap {
 	if in == nil {
 		return nil
 	}
-	out := new(YandexLockboxProvider)
+	out := new(SyncedPushSecretsMap)
 	in.DeepCopyInto(out)
-	return out
+	return *out
 }

+ 0 - 1
apis/externalsecrets/v1beta1/clusterexternalsecret_types.go

@@ -107,7 +107,6 @@ type ClusterExternalSecretStatus struct {
 }
 
 // +kubebuilder:object:root=true
-// +kubebuilder:storageversion
 // +kubebuilder:resource:scope=Cluster,categories={external-secrets},shortName=ces
 // +kubebuilder:subresource:status
 // +kubebuilder:metadata:labels="external-secrets.io/component=controller"

+ 1 - 3
apis/externalsecrets/v1beta1/externalsecret_types.go

@@ -118,11 +118,10 @@ const (
 	MergePolicyMerge   TemplateMergePolicy = "Merge"
 )
 
-// +kubebuilder:validation:Enum=v1;v2
+// +kubebuilder:validation:Enum=v2
 type TemplateEngineVersion string
 
 const (
-	TemplateEngineV1 TemplateEngineVersion = "v1"
 	TemplateEngineV2 TemplateEngineVersion = "v2"
 )
 
@@ -507,7 +506,6 @@ type ExternalSecretStatus struct {
 }
 
 // +kubebuilder:object:root=true
-// +kubebuilder:storageversion
 // ExternalSecret is the Schema for the external-secrets API.
 // +kubebuilder:subresource:status
 // +kubebuilder:metadata:labels="external-secrets.io/component=controller"
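Review bot: Narrowing the `TemplateEngineVersion` enum to `v2` in the first hunk tightens validation for v1beta1, an API version that is still served. An ExternalSecret already persisted with template engine version `v1` may then be rejected on its next write even if the template itself is untouched (validation ratcheting on newer API servers may soften this; not verifiable from here). Removing the `TemplateEngineV1` constant also breaks any out-of-tree Go code that still references it. The type has no doc comment, so I would add one such as `// TemplateEngineVersion selects the template engine; only v2 is accepted since the v1 engine was removed.` and list the manifest migration in the upgrade notes.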

+ 2 - 2
apis/externalsecrets/v1beta1/fakes/pushremoteref.go

@@ -4,7 +4,7 @@ package fakes
 import (
 	"sync"
 
-	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 )
 
 type PushRemoteRef struct {
@@ -103,4 +103,4 @@ func (fake *PushRemoteRef) recordInvocation(key string, args []any) {
 	fake.invocations[key] = append(fake.invocations[key], args)
 }
 
-var _ v1beta1.PushSecretRemoteRef = new(PushRemoteRef)
+var _ esv1.PushSecretRemoteRef = new(PushRemoteRef)

+ 3 - 5
apis/externalsecrets/v1beta1/secretstore_fake_types.go

@@ -20,9 +20,7 @@ type FakeProvider struct {
 }
 
 type FakeProviderData struct {
-	Key   string `json:"key"`
-	Value string `json:"value,omitempty"`
-	// Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.
-	ValueMap map[string]string `json:"valueMap,omitempty"`
-	Version  string            `json:"version,omitempty"`
+	Key     string `json:"key"`
+	Value   string `json:"value"`
+	Version string `json:"version,omitempty"`
 }
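Review bot: Dropping `omitempty` from `Value` in `FakeProviderData` probably makes `value` a required property in the generated v1beta1 schema, because controller-gen treats a field with neither `omitempty` nor an optional marker as required (assuming no package-level default-optional marker, which this hunk does not show). Combined with the removal of `ValueMap`, a v1beta1 store that only set `valueMap` would stop validating, or have that data pruned, in a version that is still served. If that is not intended, keep the tag as `json:"value,omitempty"` or put `// +optional` above the field, and note in the upgrade documentation that `valueMap` is gone from v1beta1 as well.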

+ 0 - 2
apis/externalsecrets/v1beta1/secretstore_types.go

@@ -291,7 +291,6 @@ type SecretStoreStatus struct {
 }
 
 // +kubebuilder:object:root=true
-// +kubebuilder:storageversion
 
 // SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
 // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
@@ -319,7 +318,6 @@ type SecretStoreList struct {
 }
 
 // +kubebuilder:object:root=true
-// +kubebuilder:storageversion
 
 // ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
 // +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"

+ 1 - 10
apis/externalsecrets/v1beta1/zz_generated.deepcopy.go

@@ -1602,9 +1602,7 @@ func (in *FakeProvider) DeepCopyInto(out *FakeProvider) {
 	if in.Data != nil {
 		in, out := &in.Data, &out.Data
 		*out = make([]FakeProviderData, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
+		copy(*out, *in)
 	}
 }
 
@@ -1621,13 +1619,6 @@ func (in *FakeProvider) DeepCopy() *FakeProvider {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FakeProviderData) DeepCopyInto(out *FakeProviderData) {
 	*out = *in
-	if in.ValueMap != nil {
-		in, out := &in.ValueMap, &out.ValueMap
-		*out = make(map[string]string, len(*in))
-		for key, val := range *in {
-			(*out)[key] = val
-		}
-	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FakeProviderData.

+ 2 - 2
apis/generators/v1alpha1/types_acr.go

@@ -17,7 +17,7 @@ package v1alpha1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	smmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
@@ -50,7 +50,7 @@ type ACRAccessTokenSpec struct {
 	// The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
 	// PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
 	// +kubebuilder:default=PublicCloud
-	EnvironmentType v1beta1.AzureEnvironmentType `json:"environmentType,omitempty"`
+	EnvironmentType esv1.AzureEnvironmentType `json:"environmentType,omitempty"`
 }
 
 type ACRAuth struct {

+ 3 - 3
apis/generators/v1alpha1/types_vault.go

@@ -18,7 +18,7 @@ import (
 	apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 )
 
 type VaultDynamicSecretSpec struct {
@@ -44,10 +44,10 @@ type VaultDynamicSecretSpec struct {
 
 	// Used to configure http retries if failed
 	// +optional
-	RetrySettings *esv1beta1.SecretStoreRetrySettings `json:"retrySettings,omitempty"`
+	RetrySettings *esv1.SecretStoreRetrySettings `json:"retrySettings,omitempty"`
 
 	// Vault provider common spec
-	Provider *esv1beta1.VaultProvider `json:"provider"`
+	Provider *esv1.VaultProvider `json:"provider"`
 
 	// Vault path to obtain the dynamic secret from
 	Path string `json:"path"`

+ 3 - 3
apis/generators/v1alpha1/zz_generated.deepcopy.go

@@ -19,7 +19,7 @@ limitations under the License.
 package v1alpha1
 
 import (
-	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+	externalsecretsv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	metav1 "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	apismetav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -1563,12 +1563,12 @@ func (in *VaultDynamicSecretSpec) DeepCopyInto(out *VaultDynamicSecretSpec) {
 	}
 	if in.RetrySettings != nil {
 		in, out := &in.RetrySettings, &out.RetrySettings
-		*out = new(v1beta1.SecretStoreRetrySettings)
+		*out = new(externalsecretsv1.SecretStoreRetrySettings)
 		(*in).DeepCopyInto(*out)
 	}
 	if in.Provider != nil {
 		in, out := &in.Provider, &out.Provider
-		*out = new(v1beta1.VaultProvider)
+		*out = new(externalsecretsv1.VaultProvider)
 		(*in).DeepCopyInto(*out)
 	}
 }

+ 2 - 2
cmd/controller/root.go

@@ -33,8 +33,8 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
+	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
-	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	genv1alpha1 "github.com/external-secrets/external-secrets/apis/generators/v1alpha1"
 	"github.com/external-secrets/external-secrets/pkg/controllers/clusterexternalsecret"
 	"github.com/external-secrets/external-secrets/pkg/controllers/clusterexternalsecret/cesmetrics"
@@ -103,7 +103,7 @@ func init() {
 	utilruntime.Must(apiextensionsv1.AddToScheme(scheme))
 
 	// external-secrets schemes
-	utilruntime.Must(esv1beta1.AddToScheme(scheme))
+	utilruntime.Must(esv1.AddToScheme(scheme))
 	utilruntime.Must(esv1alpha1.AddToScheme(scheme))
 	utilruntime.Must(genv1alpha1.AddToScheme(scheme))
 }

+ 8 - 18
cmd/controller/webhook.go

@@ -34,6 +34,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
+	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	"github.com/external-secrets/external-secrets/pkg/controllers/crds"
@@ -48,6 +49,7 @@ func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 
 	// external-secrets schemes
+	utilruntime.Must(esv1.AddToScheme(scheme))
 	utilruntime.Must(esv1beta1.AddToScheme(scheme))
 	utilruntime.Must(esv1alpha1.AddToScheme(scheme))
 }
@@ -123,28 +125,16 @@ var webhookCmd = &cobra.Command{
 			setupLog.Error(err, "unable to start manager")
 			os.Exit(1)
 		}
-		if err = (&esv1beta1.ExternalSecret{}).SetupWebhookWithManager(mgr); err != nil {
-			setupLog.Error(err, errCreateWebhook, "webhook", "ExternalSecret-v1beta1")
+		if err = (&esv1.ExternalSecret{}).SetupWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, errCreateWebhook, "webhook", "ExternalSecret-v1")
 			os.Exit(1)
 		}
-		if err = (&esv1beta1.SecretStore{}).SetupWebhookWithManager(mgr); err != nil {
-			setupLog.Error(err, errCreateWebhook, "webhook", "SecretStore-v1beta1")
+		if err = (&esv1.SecretStore{}).SetupWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, errCreateWebhook, "webhook", "SecretStore-v1")
 			os.Exit(1)
 		}
-		if err = (&esv1beta1.ClusterSecretStore{}).SetupWebhookWithManager(mgr); err != nil {
-			setupLog.Error(err, errCreateWebhook, "webhook", "ClusterSecretStore-v1beta1")
-			os.Exit(1)
-		}
-		if err = (&esv1alpha1.ExternalSecret{}).SetupWebhookWithManager(mgr); err != nil {
-			setupLog.Error(err, errCreateWebhook, "webhook", "ExternalSecret-v1alpha1")
-			os.Exit(1)
-		}
-		if err = (&esv1alpha1.SecretStore{}).SetupWebhookWithManager(mgr); err != nil {
-			setupLog.Error(err, errCreateWebhook, "webhook", "SecretStore-v1alpha1")
-			os.Exit(1)
-		}
-		if err = (&esv1alpha1.ClusterSecretStore{}).SetupWebhookWithManager(mgr); err != nil {
-			setupLog.Error(err, errCreateWebhook, "webhook", "ClusterSecretStore-v1alpha1")
+		if err = (&esv1.ClusterSecretStore{}).SetupWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, errCreateWebhook, "webhook", "ClusterSecretStore-v1")
 			os.Exit(1)
 		}
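Review bot: The third hunk leaves validators registered only for the `esv1` kinds, while the second hunk keeps `esv1beta1` in the scheme. Whether a write submitted as v1beta1 `ExternalSecret`, `SecretStore` or `ClusterSecretStore` is still validated now depends on the ValidatingWebhookConfiguration, which is not part of this section. With `matchPolicy: Equivalent` the API server converts such requests to the version the rule names; with `Exact` and rules that list only v1 they would bypass validation. I would confirm the shipped rules and record the assumption above the block, e.g. `// v1beta1 requests reach these validators via matchPolicy=Equivalent; keep the webhook rules in sync.` The enclosing command body starts and ends outside the hunk.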
 

+ 8 - 8
cmd/esoctl/template.go

@@ -27,8 +27,8 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"sigs.k8s.io/yaml"
 
+	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
-	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	"github.com/external-secrets/external-secrets/pkg/controllers/templating"
 	"github.com/external-secrets/external-secrets/pkg/template"
 )
@@ -143,11 +143,11 @@ func templateRun(_ *cobra.Command, _ []string) error {
 	return err
 }
 
-func fetchTemplateFromSourceObject(obj *unstructured.Unstructured) (*esv1beta1.ExternalSecretTemplate, error) {
-	var tmpl *esv1beta1.ExternalSecretTemplate
+func fetchTemplateFromSourceObject(obj *unstructured.Unstructured) (*esv1.ExternalSecretTemplate, error) {
+	var tmpl *esv1.ExternalSecretTemplate
 	switch obj.GetKind() {
 	case "ExternalSecret":
-		es := &esv1beta1.ExternalSecret{}
+		es := &esv1.ExternalSecret{}
 		if err := runtime.DefaultUnstructuredConverter.FromUnstructured(obj.Object, es); err != nil {
 			return nil, err
 		}
@@ -167,7 +167,7 @@ func fetchTemplateFromSourceObject(obj *unstructured.Unstructured) (*esv1beta1.E
 	return tmpl, nil
 }
 
-func executeTemplate(p *templating.Parser, ctx context.Context, tmpl *esv1beta1.ExternalSecretTemplate) error {
+func executeTemplate(p *templating.Parser, ctx context.Context, tmpl *esv1.ExternalSecretTemplate) error {
 	// apply templates defined in template.templateFrom
 	err := p.MergeTemplateFrom(ctx, "default", tmpl)
 	if err != nil {
@@ -176,21 +176,21 @@ func executeTemplate(p *templating.Parser, ctx context.Context, tmpl *esv1beta1.
 
 	// apply data templates
 	// NOTE: explicitly defined template.data templates take precedence over templateFrom
-	err = p.MergeMap(tmpl.Data, esv1beta1.TemplateTargetData)
+	err = p.MergeMap(tmpl.Data, esv1.TemplateTargetData)
 	if err != nil {
 		return fmt.Errorf("could not merge data: %w", err)
 	}
 
 	// apply templates for labels
 	// NOTE: this only works for v2 templates
-	err = p.MergeMap(tmpl.Metadata.Labels, esv1beta1.TemplateTargetLabels)
+	err = p.MergeMap(tmpl.Metadata.Labels, esv1.TemplateTargetLabels)
 	if err != nil {
 		return fmt.Errorf("could not merge labels: %w", err)
 	}
 
 	// apply template for annotations
 	// NOTE: this only works for v2 templates
-	err = p.MergeMap(tmpl.Metadata.Annotations, esv1beta1.TemplateTargetAnnotations)
+	err = p.MergeMap(tmpl.Metadata.Annotations, esv1.TemplateTargetAnnotations)
 	if err != nil {
 		return fmt.Errorf("could not merge annotations: %w", err)
 	}

+ 759 - 2
config/crds/bases/external-secrets.io_clusterexternalsecrets.yaml

@@ -19,6 +19,764 @@ spec:
     singular: clusterexternalsecret
   scope: Cluster
   versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
+      name: Store
+      type: string
+    - jsonPath: .spec.refreshTime
+      name: Refresh Interval
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: ClusterExternalSecret is the Schema for the clusterexternalsecrets
+          API.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
+            properties:
+              externalSecretMetadata:
+                description: The metadata of the external secrets to be created
+                properties:
+                  annotations:
+                    additionalProperties:
+                      type: string
+                    type: object
+                  labels:
+                    additionalProperties:
+                      type: string
+                    type: object
+                type: object
+              externalSecretName:
+                description: |-
+                  The name of the external secrets to be created.
+                  Defaults to the name of the ClusterExternalSecret
+                maxLength: 253
+                minLength: 1
+                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                type: string
+              externalSecretSpec:
+                description: The spec for the ExternalSecrets to be created
+                properties:
+                  data:
+                    description: Data defines the connection between the Kubernetes
+                      Secret keys and the Provider data
+                    items:
+                      description: ExternalSecretData defines the connection between
+                        the Kubernetes Secret key (spec.data.<key>) and the Provider
+                        data.
+                      properties:
+                        remoteRef:
+                          description: |-
+                            RemoteRef points to the remote secret and defines
+                            which secret (version/property/..) to fetch.
+                          properties:
+                            conversionStrategy:
+                              default: Default
+                              description: Used to define a conversion Strategy
+                              enum:
+                              - Default
+                              - Unicode
+                              type: string
+                            decodingStrategy:
+                              default: None
+                              description: Used to define a decoding Strategy
+                              enum:
+                              - Auto
+                              - Base64
+                              - Base64URL
+                              - None
+                              type: string
+                            key:
+                              description: Key is the key used in the Provider, mandatory
+                              type: string
+                            metadataPolicy:
+                              default: None
+                              description: Policy for fetching tags/labels from provider
+                                secrets, possible options are Fetch, None. Defaults
+                                to None
+                              enum:
+                              - None
+                              - Fetch
+                              type: string
+                            property:
+                              description: Used to select a specific property of the
+                                Provider value (if a map), if supported
+                              type: string
+                            version:
+                              description: Used to select a specific version of the
+                                Provider value, if supported
+                              type: string
+                          required:
+                          - key
+                          type: object
+                        secretKey:
+                          description: The key in the Kubernetes Secret to store the
+                            value.
+                          maxLength: 253
+                          minLength: 1
+                          pattern: ^[-._a-zA-Z0-9]+$
+                          type: string
+                        sourceRef:
+                          description: |-
+                            SourceRef allows you to override the source
+                            from which the value will be pulled.
+                          maxProperties: 1
+                          minProperties: 1
+                          properties:
+                            generatorRef:
+                              description: |-
+                                GeneratorRef points to a generator custom resource.
+
+                                Deprecated: The generatorRef is not implemented in .data[].
+                                this will be removed with v1.
+                              properties:
+                                apiVersion:
+                                  default: generators.external-secrets.io/v1alpha1
+                                  description: Specify the apiVersion of the generator
+                                    resource
+                                  type: string
+                                kind:
+                                  description: Specify the Kind of the generator resource
+                                  enum:
+                                  - ACRAccessToken
+                                  - ClusterGenerator
+                                  - ECRAuthorizationToken
+                                  - Fake
+                                  - GCRAccessToken
+                                  - GithubAccessToken
+                                  - QuayAccessToken
+                                  - Password
+                                  - STSSessionToken
+                                  - UUID
+                                  - VaultDynamicSecret
+                                  - Webhook
+                                  - Grafana
+                                  type: string
+                                name:
+                                  description: Specify the name of the generator resource
+                                  maxLength: 253
+                                  minLength: 1
+                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                  type: string
+                              required:
+                              - kind
+                              - name
+                              type: object
+                            storeRef:
+                              description: SecretStoreRef defines which SecretStore
+                                to fetch the ExternalSecret data.
+                              properties:
+                                kind:
+                                  description: |-
+                                    Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+                                    Defaults to `SecretStore`
+                                  enum:
+                                  - SecretStore
+                                  - ClusterSecretStore
+                                  type: string
+                                name:
+                                  description: Name of the SecretStore resource
+                                  maxLength: 253
+                                  minLength: 1
+                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                  type: string
+                              type: object
+                          type: object
+                      required:
+                      - remoteRef
+                      - secretKey
+                      type: object
+                    type: array
+                  dataFrom:
+                    description: |-
+                      DataFrom is used to fetch all properties from a specific Provider data
+                      If multiple entries are specified, the Secret keys are merged in the specified order
+                    items:
+                      properties:
+                        extract:
+                          description: |-
+                            Used to extract multiple key/value pairs from one secret
+                            Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
+                          properties:
+                            conversionStrategy:
+                              default: Default
+                              description: Used to define a conversion Strategy
+                              enum:
+                              - Default
+                              - Unicode
+                              type: string
+                            decodingStrategy:
+                              default: None
+                              description: Used to define a decoding Strategy
+                              enum:
+                              - Auto
+                              - Base64
+                              - Base64URL
+                              - None
+                              type: string
+                            key:
+                              description: Key is the key used in the Provider, mandatory
+                              type: string
+                            metadataPolicy:
+                              default: None
+                              description: Policy for fetching tags/labels from provider
+                                secrets, possible options are Fetch, None. Defaults
+                                to None
+                              enum:
+                              - None
+                              - Fetch
+                              type: string
+                            property:
+                              description: Used to select a specific property of the
+                                Provider value (if a map), if supported
+                              type: string
+                            version:
+                              description: Used to select a specific version of the
+                                Provider value, if supported
+                              type: string
+                          required:
+                          - key
+                          type: object
+                        find:
+                          description: |-
+                            Used to find secrets based on tags or regular expressions
+                            Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
+                          properties:
+                            conversionStrategy:
+                              default: Default
+                              description: Used to define a conversion Strategy
+                              enum:
+                              - Default
+                              - Unicode
+                              type: string
+                            decodingStrategy:
+                              default: None
+                              description: Used to define a decoding Strategy
+                              enum:
+                              - Auto
+                              - Base64
+                              - Base64URL
+                              - None
+                              type: string
+                            name:
+                              description: Finds secrets based on the name.
+                              properties:
+                                regexp:
+                                  description: Finds secrets base
+                                  type: string
+                              type: object
+                            path:
+                              description: A root path to start the find operations.
+                              type: string
+                            tags:
+                              additionalProperties:
+                                type: string
+                              description: Find secrets based on tags.
+                              type: object
+                          type: object
+                        rewrite:
+                          description: |-
+                            Used to rewrite secret Keys after getting them from the secret Provider
+                            Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
+                          items:
+                            properties:
+                              regexp:
+                                description: |-
+                                  Used to rewrite with regular expressions.
+                                  The resulting key will be the output of a regexp.ReplaceAll operation.
+                                properties:
+                                  source:
+                                    description: Used to define the regular expression
+                                      of a re.Compiler.
+                                    type: string
+                                  target:
+                                    description: Used to define the target pattern
+                                      of a ReplaceAll operation.
+                                    type: string
+                                required:
+                                - source
+                                - target
+                                type: object
+                              transform:
+                                description: |-
+                                  Used to apply string transformation on the secrets.
+                                  The resulting key will be the output of the template applied by the operation.
+                                properties:
+                                  template:
+                                    description: |-
+                                      Used to define the template to apply on the secret name.
+                                      `.value ` will specify the secret name in the template.
+                                    type: string
+                                required:
+                                - template
+                                type: object
+                            type: object
+                          type: array
+                        sourceRef:
+                          description: |-
+                            SourceRef points to a store or generator
+                            which contains secret values ready to use.
+                            Use this in combination with Extract or Find pull values out of
+                            a specific SecretStore.
+                            When sourceRef points to a generator Extract or Find is not supported.
+                            The generator returns a static map of values
+                          maxProperties: 1
+                          minProperties: 1
+                          properties:
+                            generatorRef:
+                              description: GeneratorRef points to a generator custom
+                                resource.
+                              properties:
+                                apiVersion:
+                                  default: generators.external-secrets.io/v1alpha1
+                                  description: Specify the apiVersion of the generator
+                                    resource
+                                  type: string
+                                kind:
+                                  description: Specify the Kind of the generator resource
+                                  enum:
+                                  - ACRAccessToken
+                                  - ClusterGenerator
+                                  - ECRAuthorizationToken
+                                  - Fake
+                                  - GCRAccessToken
+                                  - GithubAccessToken
+                                  - QuayAccessToken
+                                  - Password
+                                  - STSSessionToken
+                                  - UUID
+                                  - VaultDynamicSecret
+                                  - Webhook
+                                  - Grafana
+                                  type: string
+                                name:
+                                  description: Specify the name of the generator resource
+                                  maxLength: 253
+                                  minLength: 1
+                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                  type: string
+                              required:
+                              - kind
+                              - name
+                              type: object
+                            storeRef:
+                              description: SecretStoreRef defines which SecretStore
+                                to fetch the ExternalSecret data.
+                              properties:
+                                kind:
+                                  description: |-
+                                    Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+                                    Defaults to `SecretStore`
+                                  enum:
+                                  - SecretStore
+                                  - ClusterSecretStore
+                                  type: string
+                                name:
+                                  description: Name of the SecretStore resource
+                                  maxLength: 253
+                                  minLength: 1
+                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                  type: string
+                              type: object
+                          type: object
+                      type: object
+                    type: array
+                  refreshInterval:
+                    default: 1h
+                    description: |-
+                      RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
+                      specified as Golang Duration strings.
+                      Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
+                      Example values: "1h", "2h30m", "10s"
+                      May be set to zero to fetch and create it once. Defaults to 1h.
+                    type: string
+                  refreshPolicy:
+                    description: |-
+                      RefreshPolicy determines how the ExternalSecret should be refreshed:
+                      - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
+                      - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
+                        No periodic updates occur if refreshInterval is 0.
+                      - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
+                    enum:
+                    - CreatedOnce
+                    - Periodic
+                    - OnChange
+                    type: string
+                  secretStoreRef:
+                    description: SecretStoreRef defines which SecretStore to fetch
+                      the ExternalSecret data.
+                    properties:
+                      kind:
+                        description: |-
+                          Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+                          Defaults to `SecretStore`
+                        enum:
+                        - SecretStore
+                        - ClusterSecretStore
+                        type: string
+                      name:
+                        description: Name of the SecretStore resource
+                        maxLength: 253
+                        minLength: 1
+                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                        type: string
+                    type: object
+                  target:
+                    default:
+                      creationPolicy: Owner
+                      deletionPolicy: Retain
+                    description: |-
+                      ExternalSecretTarget defines the Kubernetes Secret to be created
+                      There can be only one target per ExternalSecret.
+                    properties:
+                      creationPolicy:
+                        default: Owner
+                        description: |-
+                          CreationPolicy defines rules on how to create the resulting Secret.
+                          Defaults to "Owner"
+                        enum:
+                        - Owner
+                        - Orphan
+                        - Merge
+                        - None
+                        type: string
+                      deletionPolicy:
+                        default: Retain
+                        description: |-
+                          DeletionPolicy defines rules on how to delete the resulting Secret.
+                          Defaults to "Retain"
+                        enum:
+                        - Delete
+                        - Merge
+                        - Retain
+                        type: string
+                      immutable:
+                        description: Immutable defines if the final secret will be
+                          immutable
+                        type: boolean
+                      name:
+                        description: |-
+                          The name of the Secret resource to be managed.
+                          Defaults to the .metadata.name of the ExternalSecret resource
+                        maxLength: 253
+                        minLength: 1
+                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                        type: string
+                      template:
+                        description: Template defines a blueprint for the created
+                          Secret resource.
+                        properties:
+                          data:
+                            additionalProperties:
+                              type: string
+                            type: object
+                          engineVersion:
+                            default: v2
+                            description: |-
+                              EngineVersion specifies the template engine version
+                              that should be used to compile/execute the
+                              template specified in .data and .templateFrom[].
+                            enum:
+                            - v2
+                            type: string
+                          mergePolicy:
+                            default: Replace
+                            enum:
+                            - Replace
+                            - Merge
+                            type: string
+                          metadata:
+                            description: ExternalSecretTemplateMetadata defines metadata
+                              fields for the Secret blueprint.
+                            properties:
+                              annotations:
+                                additionalProperties:
+                                  type: string
+                                type: object
+                              labels:
+                                additionalProperties:
+                                  type: string
+                                type: object
+                            type: object
+                          templateFrom:
+                            items:
+                              properties:
+                                configMap:
+                                  properties:
+                                    items:
+                                      description: A list of keys in the ConfigMap/Secret
+                                        to use as templates for Secret data
+                                      items:
+                                        properties:
+                                          key:
+                                            description: A key in the ConfigMap/Secret
+                                            maxLength: 253
+                                            minLength: 1
+                                            pattern: ^[-._a-zA-Z0-9]+$
+                                            type: string
+                                          templateAs:
+                                            default: Values
+                                            enum:
+                                            - Values
+                                            - KeysAndValues
+                                            type: string
+                                        required:
+                                        - key
+                                        type: object
+                                      type: array
+                                    name:
+                                      description: The name of the ConfigMap/Secret
+                                        resource
+                                      maxLength: 253
+                                      minLength: 1
+                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                      type: string
+                                  required:
+                                  - items
+                                  - name
+                                  type: object
+                                literal:
+                                  type: string
+                                secret:
+                                  properties:
+                                    items:
+                                      description: A list of keys in the ConfigMap/Secret
+                                        to use as templates for Secret data
+                                      items:
+                                        properties:
+                                          key:
+                                            description: A key in the ConfigMap/Secret
+                                            maxLength: 253
+                                            minLength: 1
+                                            pattern: ^[-._a-zA-Z0-9]+$
+                                            type: string
+                                          templateAs:
+                                            default: Values
+                                            enum:
+                                            - Values
+                                            - KeysAndValues
+                                            type: string
+                                        required:
+                                        - key
+                                        type: object
+                                      type: array
+                                    name:
+                                      description: The name of the ConfigMap/Secret
+                                        resource
+                                      maxLength: 253
+                                      minLength: 1
+                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                                      type: string
+                                  required:
+                                  - items
+                                  - name
+                                  type: object
+                                target:
+                                  default: Data
+                                  enum:
+                                  - Data
+                                  - Annotations
+                                  - Labels
+                                  type: string
+                              type: object
+                            type: array
+                          type:
+                            type: string
+                        type: object
+                    type: object
+                type: object
+              namespaceSelector:
+                description: |-
+                  The labels to select by to find the Namespaces to create the ExternalSecrets in.
+                  Deprecated: Use NamespaceSelectors instead.
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: |-
+                        A label selector requirement is a selector that contains values, a key, and an operator that
+                        relates the key and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: |-
+                            operator represents a key's relationship to a set of values.
+                            Valid operators are In, NotIn, Exists and DoesNotExist.
+                          type: string
+                        values:
+                          description: |-
+                            values is an array of string values. If the operator is In or NotIn,
+                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                            the values array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                          x-kubernetes-list-type: atomic
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: |-
+                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                      map is equivalent to an element of matchExpressions, whose key field is "key", the
+                      operator is "In", and the values array contains only "value". The requirements are ANDed.
+                    type: object
+                type: object
+                x-kubernetes-map-type: atomic
+              namespaceSelectors:
+                description: A list of labels to select by to find the Namespaces
+                  to create the ExternalSecrets in. The selectors are ORed.
+                items:
+                  description: |-
+                    A label selector is a label query over a set of resources. The result of matchLabels and
+                    matchExpressions are ANDed. An empty label selector matches all objects. A null
+                    label selector matches no objects.
+                  properties:
+                    matchExpressions:
+                      description: matchExpressions is a list of label selector requirements.
+                        The requirements are ANDed.
+                      items:
+                        description: |-
+                          A label selector requirement is a selector that contains values, a key, and an operator that
+                          relates the key and values.
+                        properties:
+                          key:
+                            description: key is the label key that the selector applies
+                              to.
+                            type: string
+                          operator:
+                            description: |-
+                              operator represents a key's relationship to a set of values.
+                              Valid operators are In, NotIn, Exists and DoesNotExist.
+                            type: string
+                          values:
+                            description: |-
+                              values is an array of string values. If the operator is In or NotIn,
+                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
+                              the values array must be empty. This array is replaced during a strategic
+                              merge patch.
+                            items:
+                              type: string
+                            type: array
+                            x-kubernetes-list-type: atomic
+                        required:
+                        - key
+                        - operator
+                        type: object
+                      type: array
+                      x-kubernetes-list-type: atomic
+                    matchLabels:
+                      additionalProperties:
+                        type: string
+                      description: |-
+                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+                        map is equivalent to an element of matchExpressions, whose key field is "key", the
+                        operator is "In", and the values array contains only "value". The requirements are ANDed.
+                      type: object
+                  type: object
+                  x-kubernetes-map-type: atomic
+                type: array
+              namespaces:
+                description: |-
+                  Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
+                  Deprecated: Use NamespaceSelectors instead.
+                items:
+                  maxLength: 63
+                  minLength: 1
+                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
+                  type: string
+                type: array
+              refreshTime:
+                description: The time in which the controller should reconcile its
+                  objects and recheck namespaces for labels.
+                type: string
+            required:
+            - externalSecretSpec
+            type: object
+          status:
+            description: ClusterExternalSecretStatus defines the observed state of
+              ClusterExternalSecret.
+            properties:
+              conditions:
+                items:
+                  properties:
+                    message:
+                      type: string
+                    status:
+                      type: string
+                    type:
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              externalSecretName:
+                description: ExternalSecretName is the name of the ExternalSecrets
+                  created by the ClusterExternalSecret
+                type: string
+              failedNamespaces:
+                description: Failed namespaces are the namespaces that failed to apply
+                  an ExternalSecret
+                items:
+                  description: ClusterExternalSecretNamespaceFailure represents a
+                    failed namespace deployment and it's reason.
+                  properties:
+                    namespace:
+                      description: Namespace is the namespace that failed when trying
+                        to apply an ExternalSecret
+                      type: string
+                    reason:
+                      description: Reason is why the ExternalSecret failed to apply
+                        to the namespace
+                      type: string
+                  required:
+                  - namespace
+                  type: object
+                type: array
+              provisionedNamespaces:
+                description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret
+                  has secrets
+                items:
+                  type: string
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
   - additionalPrinterColumns:
     - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
       name: Store
@@ -498,7 +1256,6 @@ spec:
                               that should be used to compile/execute the
                               template specified in .data and .templateFrom[].
                             enum:
-                            - v1
                             - v2
                             type: string
                           mergePolicy:
@@ -775,6 +1532,6 @@ spec:
             type: object
         type: object
     served: true
-    storage: true
+    storage: false
     subresources:
       status: {}

+ 0 - 1
config/crds/bases/external-secrets.io_clusterpushsecrets.yaml

@@ -359,7 +359,6 @@ spec:
                           that should be used to compile/execute the
                           template specified in .data and .templateFrom[].
                         enum:
-                        - v1
                         - v2
                         type: string
                       mergePolicy:

La diferencia del archivo ha sido suprimido porque es demasiado grande
+ 2366 - 334
config/crds/bases/external-secrets.io_clustersecretstores.yaml


+ 336 - 37
config/crds/bases/external-secrets.io_externalsecrets.yaml

@@ -21,7 +21,7 @@ spec:
   versions:
   - additionalPrinterColumns:
     - jsonPath: .spec.secretStoreRef.kind
-      name: Store
+      name: StoreType
       type: string
     - jsonPath: .spec.secretStoreRef.name
       name: Store
@@ -32,8 +32,10 @@ spec:
     - jsonPath: .status.conditions[?(@.type=="Ready")].reason
       name: Status
       type: string
-    deprecated: true
-    name: v1alpha1
+    - jsonPath: .status.conditions[?(@.type=="Ready")].status
+      name: Ready
+      type: string
+    name: v1
     schema:
       openAPIV3Schema:
         description: ExternalSecret is the Schema for the external-secrets API.
@@ -66,8 +68,9 @@ spec:
                     Kubernetes Secret key (spec.data.<key>) and the Provider data.
                   properties:
                     remoteRef:
-                      description: ExternalSecretDataRemoteRef defines Provider data
-                        location.
+                      description: |-
+                        RemoteRef points to the remote secret and defines
+                        which secret (version/property/..) to fetch.
                       properties:
                         conversionStrategy:
                           default: Default
@@ -76,9 +79,27 @@ spec:
                           - Default
                           - Unicode
                           type: string
+                        decodingStrategy:
+                          default: None
+                          description: Used to define a decoding Strategy
+                          enum:
+                          - Auto
+                          - Base64
+                          - Base64URL
+                          - None
+                          type: string
                         key:
                           description: Key is the key used in the Provider, mandatory
                           type: string
+                        metadataPolicy:
+                          default: None
+                          description: Policy for fetching tags/labels from provider
+                            secrets, possible options are Fetch, None. Defaults to
+                            None
+                          enum:
+                          - None
+                          - Fetch
+                          type: string
                         property:
                           description: Used to select a specific property of the Provider
                             value (if a map), if supported
@@ -96,6 +117,72 @@ spec:
                       minLength: 1
                       pattern: ^[-._a-zA-Z0-9]+$
                       type: string
+                    sourceRef:
+                      description: |-
+                        SourceRef allows you to override the source
+                        from which the value will be pulled.
+                      maxProperties: 1
+                      minProperties: 1
+                      properties:
+                        generatorRef:
+                          description: |-
+                            GeneratorRef points to a generator custom resource.
+
+                            Deprecated: The generatorRef is not implemented in .data[].
+                            this will be removed with v1.
+                          properties:
+                            apiVersion:
+                              default: generators.external-secrets.io/v1alpha1
+                              description: Specify the apiVersion of the generator
+                                resource
+                              type: string
+                            kind:
+                              description: Specify the Kind of the generator resource
+                              enum:
+                              - ACRAccessToken
+                              - ClusterGenerator
+                              - ECRAuthorizationToken
+                              - Fake
+                              - GCRAccessToken
+                              - GithubAccessToken
+                              - QuayAccessToken
+                              - Password
+                              - STSSessionToken
+                              - UUID
+                              - VaultDynamicSecret
+                              - Webhook
+                              - Grafana
+                              type: string
+                            name:
+                              description: Specify the name of the generator resource
+                              maxLength: 253
+                              minLength: 1
+                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                              type: string
+                          required:
+                          - kind
+                          - name
+                          type: object
+                        storeRef:
+                          description: SecretStoreRef defines which SecretStore to
+                            fetch the ExternalSecret data.
+                          properties:
+                            kind:
+                              description: |-
+                                Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+                                Defaults to `SecretStore`
+                              enum:
+                              - SecretStore
+                              - ClusterSecretStore
+                              type: string
+                            name:
+                              description: Name of the SecretStore resource
+                              maxLength: 253
+                              minLength: 1
+                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                              type: string
+                          type: object
+                      type: object
                   required:
                   - remoteRef
                   - secretKey
@@ -106,37 +193,215 @@ spec:
                   DataFrom is used to fetch all properties from a specific Provider data
                   If multiple entries are specified, the Secret keys are merged in the specified order
                 items:
-                  description: ExternalSecretDataRemoteRef defines Provider data location.
                   properties:
-                    conversionStrategy:
-                      default: Default
-                      description: Used to define a conversion Strategy
-                      enum:
-                      - Default
-                      - Unicode
-                      type: string
-                    key:
-                      description: Key is the key used in the Provider, mandatory
-                      type: string
-                    property:
-                      description: Used to select a specific property of the Provider
-                        value (if a map), if supported
-                      type: string
-                    version:
-                      description: Used to select a specific version of the Provider
-                        value, if supported
-                      type: string
-                  required:
-                  - key
+                    extract:
+                      description: |-
+                        Used to extract multiple key/value pairs from one secret
+                        Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
+                      properties:
+                        conversionStrategy:
+                          default: Default
+                          description: Used to define a conversion Strategy
+                          enum:
+                          - Default
+                          - Unicode
+                          type: string
+                        decodingStrategy:
+                          default: None
+                          description: Used to define a decoding Strategy
+                          enum:
+                          - Auto
+                          - Base64
+                          - Base64URL
+                          - None
+                          type: string
+                        key:
+                          description: Key is the key used in the Provider, mandatory
+                          type: string
+                        metadataPolicy:
+                          default: None
+                          description: Policy for fetching tags/labels from provider
+                            secrets, possible options are Fetch, None. Defaults to
+                            None
+                          enum:
+                          - None
+                          - Fetch
+                          type: string
+                        property:
+                          description: Used to select a specific property of the Provider
+                            value (if a map), if supported
+                          type: string
+                        version:
+                          description: Used to select a specific version of the Provider
+                            value, if supported
+                          type: string
+                      required:
+                      - key
+                      type: object
+                    find:
+                      description: |-
+                        Used to find secrets based on tags or regular expressions
+                        Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
+                      properties:
+                        conversionStrategy:
+                          default: Default
+                          description: Used to define a conversion Strategy
+                          enum:
+                          - Default
+                          - Unicode
+                          type: string
+                        decodingStrategy:
+                          default: None
+                          description: Used to define a decoding Strategy
+                          enum:
+                          - Auto
+                          - Base64
+                          - Base64URL
+                          - None
+                          type: string
+                        name:
+                          description: Finds secrets based on the name.
+                          properties:
+                            regexp:
+                              description: Finds secrets base
+                              type: string
+                          type: object
+                        path:
+                          description: A root path to start the find operations.
+                          type: string
+                        tags:
+                          additionalProperties:
+                            type: string
+                          description: Find secrets based on tags.
+                          type: object
+                      type: object
+                    rewrite:
+                      description: |-
+                        Used to rewrite secret Keys after getting them from the secret Provider
+                        Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
+                      items:
+                        properties:
+                          regexp:
+                            description: |-
+                              Used to rewrite with regular expressions.
+                              The resulting key will be the output of a regexp.ReplaceAll operation.
+                            properties:
+                              source:
+                                description: Used to define the regular expression
+                                  of a re.Compiler.
+                                type: string
+                              target:
+                                description: Used to define the target pattern of
+                                  a ReplaceAll operation.
+                                type: string
+                            required:
+                            - source
+                            - target
+                            type: object
+                          transform:
+                            description: |-
+                              Used to apply string transformation on the secrets.
+                              The resulting key will be the output of the template applied by the operation.
+                            properties:
+                              template:
+                                description: |-
+                                  Used to define the template to apply on the secret name.
+                                  `.value ` will specify the secret name in the template.
+                                type: string
+                            required:
+                            - template
+                            type: object
+                        type: object
+                      type: array
+                    sourceRef:
+                      description: |-
+                        SourceRef points to a store or generator
+                        which contains secret values ready to use.
+                        Use this in combination with Extract or Find pull values out of
+                        a specific SecretStore.
+                        When sourceRef points to a generator Extract or Find is not supported.
+                        The generator returns a static map of values
+                      maxProperties: 1
+                      minProperties: 1
+                      properties:
+                        generatorRef:
+                          description: GeneratorRef points to a generator custom resource.
+                          properties:
+                            apiVersion:
+                              default: generators.external-secrets.io/v1alpha1
+                              description: Specify the apiVersion of the generator
+                                resource
+                              type: string
+                            kind:
+                              description: Specify the Kind of the generator resource
+                              enum:
+                              - ACRAccessToken
+                              - ClusterGenerator
+                              - ECRAuthorizationToken
+                              - Fake
+                              - GCRAccessToken
+                              - GithubAccessToken
+                              - QuayAccessToken
+                              - Password
+                              - STSSessionToken
+                              - UUID
+                              - VaultDynamicSecret
+                              - Webhook
+                              - Grafana
+                              type: string
+                            name:
+                              description: Specify the name of the generator resource
+                              maxLength: 253
+                              minLength: 1
+                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                              type: string
+                          required:
+                          - kind
+                          - name
+                          type: object
+                        storeRef:
+                          description: SecretStoreRef defines which SecretStore to
+                            fetch the ExternalSecret data.
+                          properties:
+                            kind:
+                              description: |-
+                                Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+                                Defaults to `SecretStore`
+                              enum:
+                              - SecretStore
+                              - ClusterSecretStore
+                              type: string
+                            name:
+                              description: Name of the SecretStore resource
+                              maxLength: 253
+                              minLength: 1
+                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
+                              type: string
+                          type: object
+                      type: object
                   type: object
                 type: array
               refreshInterval:
                 default: 1h
                 description: |-
-                  RefreshInterval is the amount of time before the values are read again from the SecretStore provider
+                  RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
+                  specified as Golang Duration strings.
                   Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
+                  Example values: "1h", "2h30m", "10s"
                   May be set to zero to fetch and create it once. Defaults to 1h.
                 type: string
+              refreshPolicy:
+                description: |-
+                  RefreshPolicy determines how the ExternalSecret should be refreshed:
+                  - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
+                  - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
+                    No periodic updates occur if refreshInterval is 0.
+                  - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
+                enum:
+                - CreatedOnce
+                - Periodic
+                - OnChange
+                type: string
               secretStoreRef:
                 description: SecretStoreRef defines which SecretStore to fetch the
                   ExternalSecret data.
@@ -157,6 +422,9 @@ spec:
                     type: string
                 type: object
               target:
+                default:
+                  creationPolicy: Owner
+                  deletionPolicy: Retain
                 description: |-
                   ExternalSecretTarget defines the Kubernetes Secret to be created
                   There can be only one target per ExternalSecret.
@@ -168,9 +436,20 @@ spec:
                       Defaults to "Owner"
                     enum:
                     - Owner
+                    - Orphan
                     - Merge
                     - None
                     type: string
+                  deletionPolicy:
+                    default: Retain
+                    description: |-
+                      DeletionPolicy defines rules on how to delete the resulting Secret.
+                      Defaults to "Retain"
+                    enum:
+                    - Delete
+                    - Merge
+                    - Retain
+                    type: string
                   immutable:
                     description: Immutable defines if the final secret will be immutable
                     type: boolean
@@ -191,15 +470,20 @@ spec:
                           type: string
                         type: object
                       engineVersion:
-                        default: v1
+                        default: v2
                         description: |-
                           EngineVersion specifies the template engine version
                           that should be used to compile/execute the
                           template specified in .data and .templateFrom[].
                         enum:
-                        - v1
                         - v2
                         type: string
+                      mergePolicy:
+                        default: Replace
+                        enum:
+                        - Replace
+                        - Merge
+                        type: string
                       metadata:
                         description: ExternalSecretTemplateMetadata defines metadata
                           fields for the Secret blueprint.
@@ -215,8 +499,6 @@ spec:
                         type: object
                       templateFrom:
                         items:
-                          maxProperties: 1
-                          minProperties: 1
                           properties:
                             configMap:
                               properties:
@@ -231,6 +513,12 @@ spec:
                                         minLength: 1
                                         pattern: ^[-._a-zA-Z0-9]+$
                                         type: string
+                                      templateAs:
+                                        default: Values
+                                        enum:
+                                        - Values
+                                        - KeysAndValues
+                                        type: string
                                     required:
                                     - key
                                     type: object
@@ -245,6 +533,8 @@ spec:
                               - items
                               - name
                               type: object
+                            literal:
+                              type: string
                             secret:
                               properties:
                                 items:
@@ -258,6 +548,12 @@ spec:
                                         minLength: 1
                                         pattern: ^[-._a-zA-Z0-9]+$
                                         type: string
+                                      templateAs:
+                                        default: Values
+                                        enum:
+                                        - Values
+                                        - KeysAndValues
+                                        type: string
                                     required:
                                     - key
                                     type: object
@@ -272,15 +568,19 @@ spec:
                               - items
                               - name
                               type: object
+                            target:
+                              default: Data
+                              enum:
+                              - Data
+                              - Annotations
+                              - Labels
+                              type: string
                           type: object
                         type: array
                       type:
                         type: string
                     type: object
                 type: object
-            required:
-            - secretStoreRef
-            - target
             type: object
           status:
             properties:
@@ -332,7 +632,7 @@ spec:
             type: object
         type: object
     served: true
-    storage: false
+    storage: true
     subresources:
       status: {}
   - additionalPrinterColumns:
@@ -792,7 +1092,6 @@ spec:
                           that should be used to compile/execute the
                           template specified in .data and .templateFrom[].
                         enum:
-                        - v1
                         - v2
                         type: string
                       mergePolicy:
@@ -949,6 +1248,6 @@ spec:
             type: object
         type: object
     served: true
-    storage: true
+    storage: false
     subresources:
       status: {}

+ 0 - 1
config/crds/bases/external-secrets.io_pushsecrets.yaml

@@ -282,7 +282,6 @@ spec:
                       that should be used to compile/execute the
                       template specified in .data and .templateFrom[].
                     enum:
-                    - v1
                     - v2
                     type: string
                   mergePolicy:

La diferencia del archivo ha sido suprimido porque es demasiado grande
+ 2366 - 334
config/crds/bases/external-secrets.io_secretstores.yaml


+ 1 - 1
deploy/charts/external-secrets/README.md

@@ -87,7 +87,7 @@ The command removes all the Kubernetes components associated with the chart and
 | concurrent | int | `1` | Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at a time. |
 | controllerClass | string | `""` | If set external secrets will filter matching Secret Stores with the appropriate controller values. |
 | crds.annotations | object | `{}` |  |
-| crds.conversion.enabled | bool | `true` | If webhook is set to false this also needs to be set to false otherwise the kubeapi will be hammered because the conversion is looking for a webhook endpoint. |
+| crds.conversion.enabled | bool | `false` | Conversion is disabled by default as we stopped supporting v1alpha1. |
 | crds.createClusterExternalSecret | bool | `true` | If true, create CRDs for Cluster External Secret. |
 | crds.createClusterGenerator | bool | `true` | If true, create CRDs for Cluster Generator. |
 | crds.createClusterPushSecret | bool | `true` | If true, create CRDs for Cluster Push Secret. |

+ 6 - 6
deploy/charts/external-secrets/templates/validatingwebhook.yaml

@@ -19,7 +19,7 @@ webhooks:
 - name: "validate.secretstore.external-secrets.io"
   rules:
   - apiGroups:   ["external-secrets.io"]
-    apiVersions: ["v1beta1"]
+    apiVersions: ["v1"]
     operations:  ["CREATE", "UPDATE", "DELETE"]
     resources:   ["secretstores"]
     scope:       "Namespaced"
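Review bot: Narrowing `apiVersions` to `["v1"]` makes validation of objects submitted through older versions depend on the webhook's `matchPolicy`, which this hunk does not show. At least one CRD in this commit keeps a non-storage version `served: true`, so clients can still write through it. With `matchPolicy: Equivalent` (the default for admissionregistration.k8s.io/v1) the API server converts such requests and still calls the webhook; with `Exact` they would skip validation entirely. I would set `matchPolicy: Equivalent` explicitly on each webhook entry so the coverage does not rest on a default. The same applies to the clustersecretstore and externalsecret rules further down this file.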
@@ -27,7 +27,7 @@ webhooks:
     service:
       namespace: {{ template "external-secrets.namespace" . }}
       name: {{ include "external-secrets.fullname" . }}-webhook
-      path: /validate-external-secrets-io-v1beta1-secretstore
+      path: /validate-external-secrets-io-v1-secretstore
   admissionReviewVersions: ["v1", "v1beta1"]
   sideEffects: None
   timeoutSeconds: 5
@@ -35,7 +35,7 @@ webhooks:
 - name: "validate.clustersecretstore.external-secrets.io"
   rules:
   - apiGroups:   ["external-secrets.io"]
-    apiVersions: ["v1beta1"]
+    apiVersions: ["v1"]
     operations:  ["CREATE", "UPDATE", "DELETE"]
     resources:   ["clustersecretstores"]
     scope:       "Cluster"
@@ -43,7 +43,7 @@ webhooks:
     service:
       namespace: {{ template "external-secrets.namespace" . }}
       name: {{ include "external-secrets.fullname" . }}-webhook
-      path: /validate-external-secrets-io-v1beta1-clustersecretstore
+      path: /validate-external-secrets-io-v1-clustersecretstore
   admissionReviewVersions: ["v1", "v1beta1"]
   sideEffects: None
   timeoutSeconds: 5
@@ -68,7 +68,7 @@ webhooks:
 - name: "validate.externalsecret.external-secrets.io"
   rules:
   - apiGroups:   ["external-secrets.io"]
-    apiVersions: ["v1beta1"]
+    apiVersions: ["v1"]
     operations:  ["CREATE", "UPDATE", "DELETE"]
     resources:   ["externalsecrets"]
     scope:       "Namespaced"
@@ -76,7 +76,7 @@ webhooks:
     service:
       namespace: {{ template "external-secrets.namespace" . }}
       name: {{ include "external-secrets.fullname" . }}-webhook
-      path: /validate-external-secrets-io-v1beta1-externalsecret
+      path: /validate-external-secrets-io-v1-externalsecret
   admissionReviewVersions: ["v1", "v1beta1"]
   sideEffects: None
   timeoutSeconds: 5

La diferencia del archivo ha sido suprimido porque es demasiado grande
+ 2258 - 375
deploy/charts/external-secrets/tests/__snapshot__/crds_test.yaml.snap


+ 1 - 0
deploy/charts/external-secrets/tests/webhook_test.yaml

@@ -141,6 +141,7 @@ tests:
   - it: should add annotations to the webhook
     set:
       webhook.create: true
+      crds.conversion.enabled: true
       webhook.certManager.enabled: true
       webhook.certManager.addInjectorAnnotations: true
     asserts:

+ 2 - 2
deploy/charts/external-secrets/values.yaml

@@ -47,8 +47,8 @@ crds:
   createPushSecret: true
   annotations: {}
   conversion:
-    # -- If webhook is set to false this also needs to be set to false otherwise the kubeapi will be hammered because the conversion is looking for a webhook endpoint.
-    enabled: true
+    # -- Conversion is disabled by default as we stopped supporting v1alpha1.
+    enabled: false
 
 imagePullSecrets: []
 nameOverride: ""
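Review bot: The new comment on `crds.conversion.enabled` drops the operational caveat the old one carried: with conversion enabled and no webhook deployed, the API server keeps looking for a conversion endpoint that is not there. Flipping the default to `false` makes that less likely, but anyone who sets `enabled: true` still needs the warning. I would keep both facts, for example `# -- Conversion is disabled by default as we stopped supporting v1alpha1. If enabled, webhook.create must also be true, otherwise the kubeapi will be hammered looking for a conversion webhook endpoint.` The README row for this value mirrors this comment and should get the same text.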

La diferencia del archivo ha sido suprimido porque es demasiado grande
+ 588 - 399
deploy/crds/bundle.yaml


+ 10 - 10
design/007-provider-versioning-strategy.md

@@ -64,7 +64,7 @@ An example of how this implementation would look like is available on [here](htt
 ### Example Implementations
 Fake Provider Basic Convert function (very similar to other ):
 ```go
-func (p *Provider) Convert(in esv1beta1.GenericStore) (client.Object, error) {
+func (p *Provider) Convert(in esv1.GenericStore) (client.Object, error) {
 	out := &prov.Fake{}
 	tmp := map[string]any{
 		"spec": in.GetSpec().Provider.Fake,
@@ -134,7 +134,7 @@ func (g *gitlabBase) getAuth(ctx context.Context) ([]byte, error) {
 
 Gitlab Provider NewClient implementations:
 ```go
-func (g *Provider) NewClient(ctx context.Context, obj kclient.Object, kube kclient.Client, namespace string) (esv1beta1.SecretsClient, error) {
+func (g *Provider) NewClient(ctx context.Context, obj kclient.Object, kube kclient.Client, namespace string) (esv1.SecretsClient, error) {
 	prov, ok := obj.(*prov.Gitlab)
 	if !ok {
 		return nil, fmt.Errorf("could not convert spec %v onto a Gitlab Provider type: current type: %T", obj.GetName(), obj)
@@ -162,29 +162,29 @@ func (g *Provider) NewClient(ctx context.Context, obj kclient.Object, kube kclie
 Client Manager reconciler changes:
 
 ```go
-func (m *Manager) GetProviderRefFromStore(store esv1beta1.GenericStore) (esv1beta1.ProviderRef, error) {
+func (m *Manager) GetProviderRefFromStore(store esv1.GenericStore) (esv1.ProviderRef, error) {
   providerRef := store.GetSpec().ProviderRef
   if providerRef != nil {
     return *providerRef, nil
   }
-provider, err := esv1beta1.GetProvider(store)
+provider, err := esv1.GetProvider(store)
   if err != nil {
-    return esv1beta1.ProviderRef{}, err
+    return esv1.ProviderRef{}, err
   }
-  providerRef := esv1beta1.GetProviderRefByProvider(provider)
+  providerRef := esv1.GetProviderRefByProvider(provider)
   providerRef.Name = store.GetName()
   return *providerRef, nil
 }
 
-func (m *Manager) GetFromStore(ctx context.Context, store esv1beta1.GenericStore, namespace string) (esv1beta1.SecretsClient, error) {
-	var storeProvider esv1beta1.Provider
+func (m *Manager) GetFromStore(ctx context.Context, store esv1.GenericStore, namespace string) (esv1.SecretsClient, error) {
+	var storeProvider esv1.Provider
 	var err error
 	var spec client.Object
   prov, err := GetProviderRefFromStore(store)
   if err != nil {
     return nil, err
   }
-		storeProvider, _ = esv1beta1.GetProviderByRef(*prov)
+		storeProvider, _ = esv1.GetProviderByRef(*prov)
 		spec, err = m.getProviderSpec(ctx, prov, namespace)
 		if err != nil {
 			return nil, err
@@ -198,7 +198,7 @@ func (m *Manager) GetFromStore(ctx context.Context, store esv1beta1.GenericStore
 		"store", fmt.Sprintf("%s/%s", store.GetNamespace(), store.GetName()))
 	caller := esmetav1.ReferentCallSecretStore
 	storeKind := store.GetObjectKind().GroupVersionKind().Kind
-	if storeKind == esv1beta1.ClusterSecretStoreKind {
+	if storeKind == esv1.ClusterSecretStoreKind {
 		caller = esmetav1.ReferentCallClusterSecretStore
 	}
 	referredSpec, err := storeProvider.ApplyReferent(spec, caller, namespace)

+ 7 - 0
docs/api/clustersecretstore.md

@@ -3,6 +3,13 @@
 The `ClusterSecretStore` is a cluster scoped SecretStore that can be referenced by all
 `ExternalSecrets` from all namespaces. Use it to offer a central gateway to your secret backend.
 
+Different Store Providers have different stability levels, maintenance status, and support. 
+To check the full list, please see [Stability Support](../introduction/stability-support.md).
+
+!!! note "Unmaintained Stores generate events"
+    Admission webhooks and controllers will emit warning events for providers without a explicit maintainer.
+    To disable controller warning events, you can add `external-secrets.io/ignore-maintenance-checks: "true"` annotation to the SecretStore.
+    Admission webhook warning cannot be disabled.
 
 ## Example
 

+ 10 - 0
docs/api/secretstore.md

@@ -7,6 +7,16 @@ The SecretStore maps to exactly one instance of an external API.
 By design, SecretStores are bound to a namespace and can not reference resources across namespaces.
 If you want to design cross-namespace SecretStores you must use [ClusterSecretStores](./clustersecretstore.md) which do not have this limitation.
 
+
+Different Store Providers have different stability levels, maintenance status, and support. 
+To check the full list, please see [Stability Support](../introduction/stability-support.md).
+
+!!! note "Unmaintained Stores generate events"
+    Admission webhooks and controllers will emit warning events for providers without a explicit maintainer.
+    To disable controller warning events, you can add `external-secrets.io/ignore-maintenance-checks: "true"` annotation to the SecretStore.
+    Admission webhook warning cannot be disabled.
+
+
 ## Example
 
 For a full list of supported fields see [spec](./spec.md) or dig into our [guides](../guides/introduction.md).

La diferencia del archivo ha sido suprimido porque es demasiado grande
+ 135 - 135
docs/api/spec.md


+ 32 - 31
docs/introduction/stability-support.md

@@ -35,37 +35,38 @@ As of version 0.14.x , this is the only kubernetes version that we will guarante
 
 The following table describes the stability level of each provider and who's responsible.
 
-| Provider                                                                                                   | Stability |                                                                                                                                                                              Maintainer |
-| ---------------------------------------------------------------------------------------------------------- | :-------: | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: |
-| [AWS Secrets Manager](https://external-secrets.io/latest/provider/aws-secrets-manager/)                    |  stable   |                                                                                                                                 [external-secrets](https://github.com/external-secrets) |
-| [AWS Parameter Store](https://external-secrets.io/latest/provider/aws-parameter-store/)                    |  stable   |                                                                                                                                 [external-secrets](https://github.com/external-secrets) |
-| [Hashicorp Vault](https://external-secrets.io/latest/provider/hashicorp-vault/)                            |  stable   |                                                                                                                                 [external-secrets](https://github.com/external-secrets) |
-| [GCP Secret Manager](https://external-secrets.io/latest/provider/google-secrets-manager/)                  |  stable   |                                                                                                                                 [external-secrets](https://github.com/external-secrets) |
-| [Azure Keyvault](https://external-secrets.io/latest/provider/azure-key-vault/)                             |  stable   |                                                                                                                                 [external-secrets](https://github.com/external-secrets) |
-| [IBM Cloud Secrets Manager](https://external-secrets.io/latest/provider/ibm-secrets-manager/)              |  stable   | [@knelasevero](https://github.com/knelasevero) [@sebagomez](https://github.com/sebagomez) [@ricardoptcosta](https://github.com/ricardoptcosta) [@IdanAdar](https://github.com/IdanAdar) |
-| [Kubernetes](https://external-secrets.io/latest/provider/kubernetes)                                       |   beta    |                                                                                                                                 [external-secrets](https://github.com/external-secrets) |
-| [Yandex Lockbox](https://external-secrets.io/latest/provider/yandex-lockbox/)                              |   alpha   |                                                                                     [@AndreyZamyslov](https://github.com/AndreyZamyslov) [@knelasevero](https://github.com/knelasevero) |
-| [GitLab Variables](https://external-secrets.io/latest/provider/gitlab-variables/)                          |   alpha   |                                                                                                                                                  [@Jabray5](https://github.com/Jabray5) |
-| Alibaba Cloud KMS                                                                                          |   alpha   |                                                                                                                                          [@ElsaChelala](https://github.com/ElsaChelala) |
-| [Oracle Vault](https://external-secrets.io/latest/provider/oracle-vault)                                   |   alpha   |                                                                                                 [@KianTigger](https://github.com/KianTigger) [@EladGabay](https://github.com/EladGabay) |
-| [Akeyless](https://external-secrets.io/latest/provider/akeyless)                                           |  stable   |                                                                                                                                 [external-secrets](https://github.com/external-secrets) |
-| [1Password](https://external-secrets.io/latest/provider/1password-automation)                              |   alpha   |                                                                                       [@SimSpaceCorp](https://github.com/Simspace) [@snarlysodboxer](https://github.com/snarlysodboxer) |
-| [Generic Webhook](https://external-secrets.io/latest/provider/webhook)                                     |   alpha   |                                                                                                                                                  [@willemm](https://github.com/willemm) |
-| [senhasegura DevOps Secrets Management (DSM)](https://external-secrets.io/latest/provider/senhasegura-dsm) |   alpha   |                                                                                                                                                    [@lfraga](https://github.com/lfraga) |
-| [Doppler SecretOps Platform](https://external-secrets.io/latest/provider/doppler)                          |   alpha   |                                                                                         [@ryan-blunden](https://github.com/ryan-blunden/) [@nmanoogian](https://github.com/nmanoogian/) |
-| [Keeper Security](https://www.keepersecurity.com/)                                                         |   alpha   |                                                                                                                                              [@ppodevlab](https://github.com/ppodevlab) |
-| [Scaleway](https://external-secrets.io/latest/provider/scaleway)                                           |   alpha   |                                                                                                                                                   [@azert9](https://github.com/azert9/) |
-| [Conjur](https://external-secrets.io/latest/provider/conjur)                                               |  stable   |                                                                                                  [@davidh-cyberark](https://github.com/davidh-cyberark/) [@szh](https://github.com/szh) |
-| [Delinea](https://external-secrets.io/latest/provider/delinea)                                             |   alpha   |                                                                                                                                     [@michaelsauter](https://github.com/michaelsauter/) |
-| [Beyondtrust](https://external-secrets.io/latest/provider/beyondtrust)                                     |   alpha   |                                                                                                                                       [@btfhernandez](https://github.com/btfhernandez/) |
-| [SecretServer](https://external-secrets.io/latest/provider/secretserver)                                   |   alpha   |                                                                                                                                        [@billhamilton](https://github.com/pacificcode/) |
-| [Pulumi ESC](https://external-secrets.io/latest/provider/pulumi)                                           |   alpha   |                                                                                                                                                    [@dirien](https://github.com/dirien) |
-| [Passbolt](https://external-secrets.io/latest/provider/passbolt)                                           |   alpha   |                                                                                                                                                                                         |
-| [Infisical](https://external-secrets.io/latest/provider/infisical)                                         |   alpha   |                                                                                                                                              [@akhilmhdh](https://github.com/akhilmhdh) |
-| [Device42](https://external-secrets.io/latest/provider/device42)                                           |   alpha   |                                                                                                                                                                                         |
-| [Bitwarden Secrets Manager](https://external-secrets.io/latest/provider/bitwarden-secrets-manager)         |   alpha   |                                                                                                                                                  [@skarlso](https://github.com/Skarlso) |
-| [Previder](https://external-secrets.io/latest/provider/previder)                                           |  stable   |                                                                                                                                                [@previder](https://github.com/previder) |
-| [Cloud.ru](https://external-secrets.io/latest/provider/cloudru)                                            |   alpha   |                                                                                                                                              [@default23](https://github.com/default23) |
+| Provider                                                                                                   | Stability | Maintainer                                                                                          |
+|------------------------------------------------------------------------------------------------------------|-:-:-------|--:--------------------------------------------------------------------------------------------------|
+| [AWS Secrets Manager](https://external-secrets.io/latest/provider/aws-secrets-manager/)                    | stable    | [external-secrets](https://github.com/external-secrets)                                             |
+| [AWS Parameter Store](https://external-secrets.io/latest/provider/aws-parameter-store/)                    | stable    | [external-secrets](https://github.com/external-secrets)                                             |
+| [Hashicorp Vault](https://external-secrets.io/latest/provider/hashicorp-vault/)                            | stable    | [external-secrets](https://github.com/external-secrets)                                             |
+| [GCP Secret Manager](https://external-secrets.io/latest/provider/google-secrets-manager/)                  | stable    | [external-secrets](https://github.com/external-secrets)                                             |
+| [Azure Keyvault](https://external-secrets.io/latest/provider/azure-key-vault/)                             | stable    | [external-secrets](https://github.com/external-secrets)                                             |
+| [IBM Cloud Secrets Manager](https://external-secrets.io/latest/provider/ibm-secrets-manager/)              | stable    | [@IdanAdar](https://github.com/IdanAdar)                                                            |
+| [Kubernetes](https://external-secrets.io/latest/provider/kubernetes)                                       | beta      | [external-secrets](https://github.com/external-secrets)                                             |
+| [Yandex Lockbox](https://external-secrets.io/latest/provider/yandex-lockbox/)                              | alpha     | [@AndreyZamyslov](https://github.com/AndreyZamyslov) [@knelasevero](https://github.com/knelasevero) |
+| [GitLab Variables](https://external-secrets.io/latest/provider/gitlab-variables/)                          | alpha     | [@Jabray5](https://github.com/Jabray5)                                                              |
+| Alibaba Cloud KMS                                                                                          | alpha     | **UNMAINTAINED**                                                                                    |
+| [Oracle Vault](https://external-secrets.io/latest/provider/oracle-vault)                                   | alpha     | **UNMAINTAINED**                                                                                    |
+| [Akeyless](https://external-secrets.io/latest/provider/akeyless)                                           | stable    | [external-secrets](https://github.com/external-secrets)                                             |
+| [1Password](https://external-secrets.io/latest/provider/1password-automation)                              | alpha     | [@SimSpaceCorp](https://github.com/Simspace) [@snarlysodboxer](https://github.com/snarlysodboxer)   |
+| [Generic Webhook](https://external-secrets.io/latest/provider/webhook)                                     | alpha     | [@willemm](https://github.com/willemm)                                                              |
+| [senhasegura DevOps Secrets Management (DSM)](https://external-secrets.io/latest/provider/senhasegura-dsm) | alpha     | [@lfraga](https://github.com/lfraga)                                                                |
+| [Doppler SecretOps Platform](https://external-secrets.io/latest/provider/doppler)                          | alpha     | [@ryan-blunden](https://github.com/ryan-blunden/) [@nmanoogian](https://github.com/nmanoogian/)     |
+| [Keeper Security](https://www.keepersecurity.com/)                                                         | alpha     | [@ppodevlab](https://github.com/ppodevlab)                                                          |
+| [Scaleway](https://external-secrets.io/latest/provider/scaleway)                                           | alpha     | [@azert9](https://github.com/azert9/)                                                               |
+| [Conjur](https://external-secrets.io/latest/provider/conjur)                                               | stable    | [@davidh-cyberark](https://github.com/davidh-cyberark/) [@szh](https://github.com/szh)              |
+| [Delinea](https://external-secrets.io/latest/provider/delinea)                                             | alpha     | [@michaelsauter](https://github.com/michaelsauter/)                                                 |
+| [Beyondtrust](https://external-secrets.io/latest/provider/beyondtrust)                                     | alpha     | [@btfhernandez](https://github.com/btfhernandez/)                                                   |
+| [SecretServer](https://external-secrets.io/latest/provider/secretserver)                                   | alpha     | [@billhamilton](https://github.com/pacificcode/)                                                    |
+| [Pulumi ESC](https://external-secrets.io/latest/provider/pulumi)                                           | alpha     | [@dirien](https://github.com/dirien)                                                                |
+| [Passbolt](https://external-secrets.io/latest/provider/passbolt)                                           | alpha     | **UNMAINTAINED**                                                                                    |
+| [Infisical](https://external-secrets.io/latest/provider/infisical)                                         | alpha     | [@akhilmhdh](https://github.com/akhilmhdh)                                                          |
+| [Device42](https://external-secrets.io/latest/provider/device42)                                           | alpha     | **UNMAINTAINED**                                                                                    |
+| [Bitwarden Secrets Manager](https://external-secrets.io/latest/provider/bitwarden-secrets-manager)         | alpha     | [@skarlso](https://github.com/Skarlso)                                                              |
+| [Previder](https://external-secrets.io/latest/provider/previder)                                           | stable    | [@previder](https://github.com/previder)                                                            |
+| [Cloud.ru](https://external-secrets.io/latest/provider/cloudru)                                            | alpha     | [@default23](https://github.com/default23)                                                          |
+
 
 ## Provider Feature Support
 

+ 3 - 0
docs/snippets/full-cluster-secret-store.yaml

@@ -2,6 +2,9 @@ apiVersion: external-secrets.io/v1beta1
 kind: ClusterSecretStore
 metadata:
   name: example
+  annotations:
+    ## Add this annotation to disable controller warning events for unmaintained stores
+    external-secrets.io/disable-maintenance-checks: "true"
 spec:
   # Used to select the correct ESO controller (think: ingress.ingressClassName)
   # The ESO controller is instantiated with a specific controller name
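Review bot: The annotation key added here, `external-secrets.io/disable-maintenance-checks`, does not match the key documented in docs/api/secretstore.md and docs/api/clustersecretstore.md in this same commit, `external-secrets.io/ignore-maintenance-checks`. The controller code that reads the annotation is not in this part of the diff, so one of the two spellings is presumably ignored, and a user who copies the wrong one will keep getting warning events with no hint why. Align the snippet and the docs with the constant the controller actually checks; docs/snippets/full-secret-store.yaml carries the same line. The hunk header also shows this snippet still at `apiVersion: external-secrets.io/v1beta1`, which may be worth moving to `v1` alongside the promotion.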

+ 3 - 0
docs/snippets/full-secret-store.yaml

@@ -3,6 +3,9 @@ kind: SecretStore
 metadata:
   name: example
   namespace: example-ns
+  annotations:
+    ## Add this annotation to disable controller warning events for unmaintained stores
+    external-secrets.io/disable-maintenance-checks: "true"
 spec:
 
   # Used to select the correct ESO controller (think: ingress.ingressClassName)

+ 4 - 4
e2e/framework/addon/eso_argocd_application.go

@@ -144,14 +144,14 @@ func (c *ArgoCDApplication) Install() error {
 		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 	}
 	client := &http.Client{Transport: tr}
-	return wait.PollImmediate(time.Second, time.Minute*5, func() (bool, error) {
-		const payload = `{"apiVersion": "apiextensions.k8s.io/v1","kind": "ConversionReview","request": {}}`
-		res, err := client.Post("https://external-secrets-webhook.external-secrets.svc.cluster.local/convert", "application/json", bytes.NewBufferString(payload))
+	return wait.PollUntilContextTimeout(context.Background(), time.Second, time.Minute*5, true, func(ctx context.Context) (bool, error) {
+		const payload = `{"apiVersion": "admission.k8s.io/v1","kind": "AdmissionReview","request": {"uid": "test","kind": {"group": "external-secrets.io","version": "v1","kind": "ExternalSecret"}, "resource": {"group": "external-secrets.io","version": "v1","kind": "ExternalSecret"},"dryRun": true, "operation": "CREATE", "userInfo":{"username":"test","uid":"test","groups":[],"extra":{}}}}`
+		res, err := client.Post("https://external-secrets-webhook.external-secrets.svc.cluster.local/validate-external-secrets-io-v1-externalsecret", "application/json", bytes.NewBufferString(payload))
 		if err != nil {
 			return false, nil
 		}
 		defer res.Body.Close()
-		ginkgo.GinkgoWriter.Printf("conversion res: %d", res.StatusCode)
+		ginkgo.GinkgoWriter.Printf("webhook res: %d", res.StatusCode)
 		return res.StatusCode == http.StatusOK, nil
 	})
 }
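Review bot: The poll callback now receives `ctx` but never uses it: `client.Post` runs without a context and the `http.Client` built just above has no `Timeout`, so a single hung connection can outlive the five-minute poll deadline. Building the request with `http.NewRequestWithContext(ctx, http.MethodPost, ...)` for the webhook URL, setting `Content-Type: application/json` on it and sending it with `client.Do(req)` ties every attempt to that deadline. The second poll in e2e/framework/addon/eso_flux_helm.go has the same shape, and its first poll still passes `context.Background()` to `c.config.CRClient.Get` instead of the callback's `ctx`. `Install` begins outside this hunk.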

+ 5 - 5
e2e/framework/addon/eso_flux_helm.go

@@ -104,7 +104,7 @@ func (c *FluxHelmRelease) Install() error {
 	}
 
 	// wait for app to become ready
-	err = wait.PollImmediate(time.Second*5, time.Minute*3, func() (bool, error) {
+	err = wait.PollUntilContextTimeout(context.Background(), time.Second*5, time.Minute*3, true, func(ctx context.Context) (bool, error) {
 		var hr fluxhelm.HelmRelease
 		err := c.config.CRClient.Get(context.Background(), types.NamespacedName{
 			Name:      c.Name,
@@ -131,14 +131,14 @@ func (c *FluxHelmRelease) Install() error {
 		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 	}
 	client := &http.Client{Transport: tr}
-	return wait.PollImmediate(time.Second, time.Minute*5, func() (bool, error) {
-		const payload = `{"apiVersion": "apiextensions.k8s.io/v1","kind": "ConversionReview","request": {}}`
-		res, err := client.Post("https://external-secrets-webhook.external-secrets.svc.cluster.local/convert", "application/json", bytes.NewBufferString(payload))
+	return wait.PollUntilContextTimeout(context.Background(), time.Second, time.Minute*5, true, func(ctx context.Context) (bool, error) {
+		const payload = `{"apiVersion": "admission.k8s.io/v1","kind": "AdmissionReview","request": {"uid": "test","kind": {"group": "external-secrets.io","version": "v1","kind": "ExternalSecret"}, "resource": "external-secrets.io/v1.externalsecrets","dryRun": true, "operation": "CREATE", "userInfo":{"username":"test","uid":"test","groups":[],"extra":{}}}}`
+		res, err := client.Post("https://external-secrets-webhook.external-secrets.svc.cluster.local/validate-external-secrets-io-v1-externalsecret", "application/json", bytes.NewBufferString(payload))
 		if err != nil {
 			return false, nil
 		}
 		defer res.Body.Close()
-		ginkgo.GinkgoWriter.Printf("conversion res: %d", res.StatusCode)
+		ginkgo.GinkgoWriter.Printf("webhook res: %d", res.StatusCode)
 		return res.StatusCode == http.StatusOK, nil
 	})
 }
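Review bot: The `resource` field in this AdmissionReview payload is a string (`"external-secrets.io/v1.externalsecrets"`), whereas AdmissionRequest defines it as a group/version/resource object and the ArgoCD variant of the same probe sends an object. How the webhook answers a review it cannot decode is not visible here, so the readiness poll may report 200 without exercising the v1 handler, or it may never report ready. I would use one shared payload constant for both addons, with `"resource": {"group": "external-secrets.io", "version": "v1", "resource": "externalsecrets"}`. The ArgoCD payload has a related slip: it uses a `kind` key inside `resource` where the type has `resource`. `Install` begins outside this hunk.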

+ 5 - 5
e2e/framework/eso.go

@@ -30,7 +30,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 
 	"github.com/external-secrets/external-secrets-e2e/framework/log"
-	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 )
 
 // WaitForSecretValue waits until a secret comes into existence and compares the secret.Data
@@ -52,7 +52,7 @@ func (f *Framework) WaitForSecretValue(namespace, name string, expected *v1.Secr
 
 func (f *Framework) printESDebugLogs(esName, esNamespace string) {
 	// fetch es and print status condition
-	var es esv1beta1.ExternalSecret
+	var es esv1.ExternalSecret
 	err := f.CRClient.Get(context.Background(), types.NamespacedName{
 		Name:      esName,
 		Namespace: esNamespace,
@@ -106,8 +106,8 @@ func equalSecrets(exp, ts *v1.Secret) bool {
 	}
 
 	// secret contains labels which must be ignored
-	delete(ts.ObjectMeta.Labels, esv1beta1.LabelOwner)
-	delete(ts.ObjectMeta.Labels, esv1beta1.LabelManaged)
+	delete(ts.ObjectMeta.Labels, esv1.LabelOwner)
+	delete(ts.ObjectMeta.Labels, esv1.LabelManaged)
 	if len(ts.ObjectMeta.Labels) == 0 {
 		ts.ObjectMeta.Labels = nil
 	}
@@ -119,7 +119,7 @@ func equalSecrets(exp, ts *v1.Secret) bool {
 	}
 
 	// secret contains data hash property which must be ignored
-	delete(ts.ObjectMeta.Annotations, esv1beta1.AnnotationDataHash)
+	delete(ts.ObjectMeta.Annotations, esv1.AnnotationDataHash)
 	if len(ts.ObjectMeta.Annotations) == 0 {
 		ts.ObjectMeta.Annotations = nil
 	}

+ 12 - 16
e2e/framework/testcase.go

@@ -20,8 +20,8 @@ import (
 
 	//nolint
 	"github.com/external-secrets/external-secrets-e2e/framework/log"
+	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
-	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	. "github.com/onsi/gomega"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -33,15 +33,14 @@ var TargetSecretName = "target-secret"
 // TestCase contains the test infra to run a table driven test.
 type TestCase struct {
 	Framework               *Framework
-	ExternalSecret          *esv1beta1.ExternalSecret
-	ExternalSecretV1Alpha1  *esv1alpha1.ExternalSecret
+	ExternalSecret          *esv1.ExternalSecret
 	PushSecret              *esv1alpha1.PushSecret
 	PushSecretSource        *v1.Secret
 	AdditionalObjects       []client.Object
 	Secrets                 map[string]SecretEntry
 	ExpectedSecret          *v1.Secret
 	AfterSync               func(SecretStoreProvider, *v1.Secret)
-	VerifyPushSecretOutcome func(ps *esv1alpha1.PushSecret, pushClient esv1beta1.SecretsClient)
+	VerifyPushSecretOutcome func(ps *esv1alpha1.PushSecret, pushClient esv1.SecretsClient)
 }
 
 type SecretEntry struct {
@@ -121,18 +120,15 @@ func generateAdditionalObjects(tc *TestCase) {
 }
 
 func createProvidedExternalSecret(tc *TestCase) {
-	if tc.ExternalSecretV1Alpha1 != nil {
-		err := tc.Framework.CRClient.Create(context.Background(), tc.ExternalSecretV1Alpha1)
-		Expect(err).ToNot(HaveOccurred())
-	} else if tc.ExternalSecret != nil {
-		// create v1beta1 external secret otherwise
-		err := tc.Framework.CRClient.Create(context.Background(), tc.ExternalSecret)
-		Expect(err).ToNot(HaveOccurred())
+	if tc.ExternalSecret == nil {
+		return
 	}
+	err := tc.Framework.CRClient.Create(context.Background(), tc.ExternalSecret)
+	Expect(err).ToNot(HaveOccurred())
 }
 
 // TableFuncWithPushSecret returns the main func that runs a TestCase in a table driven test for push secrets.
-func TableFuncWithPushSecret(f *Framework, prov SecretStoreProvider, pushClient esv1beta1.SecretsClient) func(...func(*TestCase)) {
+func TableFuncWithPushSecret(f *Framework, prov SecretStoreProvider, pushClient esv1.SecretsClient) func(...func(*TestCase)) {
 	return func(tweaks ...func(*TestCase)) {
 		var err error
 
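Review bot: In createProvidedExternalSecret the `Expect(err).ToNot(HaveOccurred())` that follows `CRClient.Create` carries no description, so a rejected v1 object (for example by the validating webhook this commit repoints at v1) fails the test without naming the object involved. Gomega takes an optional description after the matcher: `Expect(err).ToNot(HaveOccurred(), "creating ExternalSecret %s/%s", tc.ExternalSecret.Namespace, tc.ExternalSecret.Name)`. The new early return for a nil `tc.ExternalSecret` would also benefit from a one-line comment such as `// no ExternalSecret on this test case (presumably push-secret-only): nothing to create`. The hunk also changes the signature of TableFuncWithPushSecret, whose body continues outside the hunk.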
@@ -167,17 +163,17 @@ func makeDefaultExternalSecretTestCase(f *Framework) *TestCase {
 	return &TestCase{
 		AfterSync: func(ssp SecretStoreProvider, s *v1.Secret) {},
 		Framework: f,
-		ExternalSecret: &esv1beta1.ExternalSecret{
+		ExternalSecret: &esv1.ExternalSecret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      "e2e-es",
 				Namespace: f.Namespace.Name,
 			},
-			Spec: esv1beta1.ExternalSecretSpec{
+			Spec: esv1.ExternalSecretSpec{
 				RefreshInterval: &metav1.Duration{Duration: time.Second * 5},
-				SecretStoreRef: esv1beta1.SecretStoreRef{
+				SecretStoreRef: esv1.SecretStoreRef{
 					Name: f.Namespace.Name,
 				},
-				Target: esv1beta1.ExternalSecretTarget{
+				Target: esv1.ExternalSecretTarget{
 					Name: TargetSecretName,
 				},
 			},
