
Deployed 11375fb2e to main with MkDocs 1.6.1 and mike 1.2.0.dev0

Skarlso 1 неделя назад
Родитель
Сommit
8799cda05e

+ 19 - 6
main/api/clusterexternalsecret/index.html

@@ -5039,9 +5039,15 @@ If there is a conflict with an existing resource the controller will error out.<
 <span class="nt">metadata</span><span class="p">:</span>
 <span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;hello-world&quot;</span>
 <span class="nt">spec</span><span class="p">:</span>
-<span class="w">  </span><span class="c1"># The name to be used on the ExternalSecrets</span>
+<span class="w">  </span><span class="c1"># The name to be used on the ExternalSecrets.</span>
+<span class="w">  </span><span class="c1"># Defaults to the name of the ClusterExternalSecret when omitted.</span>
 <span class="w">  </span><span class="nt">externalSecretName</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;hello-world-es&quot;</span>
 
+<span class="w">  </span><span class="c1"># Optional labels and annotations to set on every created ExternalSecret.</span>
+<span class="w">  </span><span class="nt">externalSecretMetadata</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span>
+<span class="w">    </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span>
+
 <span class="w">  </span><span class="c1"># This is a basic label selector to select the namespaces to deploy ExternalSecrets to.</span>
 <span class="w">  </span><span class="c1"># you can read more about them here https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements</span>
 <span class="w">  </span><span class="c1"># Deprecated: Use namespaceSelectors instead.</span>
@@ -5057,8 +5063,14 @@ If there is a conflict with an existing resource the controller will error out.<
 <span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span>
 <span class="w">      </span><span class="nt">cool</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">label</span>
 
+<span class="w">  </span><span class="c1"># Choose namespaces by name. This is OR&#39;d with anything namespaceSelectors matches.</span>
+<span class="w">  </span><span class="c1"># Deprecated: Use namespaceSelectors instead.</span>
+<span class="w">  </span><span class="c1"># namespaces:</span>
+<span class="w">  </span><span class="c1">#   - my-namespace</span>
+
 <span class="w">  </span><span class="c1"># How often the ClusterExternalSecret should reconcile itself</span>
 <span class="w">  </span><span class="c1"># This will decide how often to check and make sure that the ExternalSecrets exist in the matching namespaces</span>
+<span class="w">  </span><span class="c1"># If omitted, the controller&#39;s default requeue interval is used.</span>
 <span class="w">  </span><span class="nt">refreshTime</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;1m&quot;</span>
 
 <span class="w">  </span><span class="c1"># This is the spec of the ExternalSecrets to be created</span>
@@ -5118,12 +5130,13 @@ If there is a conflict with an existing resource the controller will error out.<
 <span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;matching-ns-3&quot;</span>
 <span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;matching-ns-2&quot;</span>
 
-<span class="w">  </span><span class="c1"># The condition can be Ready, PartiallyReady, or NotReady</span>
-<span class="w">  </span><span class="c1"># PartiallyReady would indicate an error in 1 or more namespaces</span>
-<span class="w">  </span><span class="c1"># NotReady would indicate errors in all namespaces meaning all ExternalSecrets resulted in errors</span>
+<span class="w">  </span><span class="c1"># The only condition type is Ready. status is &quot;True&quot; when all matching</span>
+<span class="w">  </span><span class="c1"># namespaces synced, and &quot;False&quot; if one or more namespaces failed (the failed</span>
+<span class="w">  </span><span class="c1"># ones are listed under failedNamespaces above).</span>
 <span class="w">  </span><span class="nt">conditions</span><span class="p">:</span>
-<span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PartiallyReady</span>
-<span class="w">    </span><span class="nt">status</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;True&quot;</span>
+<span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Ready</span>
+<span class="w">    </span><span class="nt">status</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;False&quot;</span>
+<span class="w">    </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;one</span><span class="nv"> </span><span class="s">or</span><span class="nv"> </span><span class="s">more</span><span class="nv"> </span><span class="s">namespaces</span><span class="nv"> </span><span class="s">failed&quot;</span>
 <span class="w">    </span><span class="nt">lastTransitionTime</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;2022-01-12T12:33:02Z&quot;</span>
 </code></pre></div>
 <h2 id="reducing-provider-calls-for-large-namespace-sets">Reducing provider calls for large namespace sets</h2>

+ 15 - 7
main/api/clusterpushsecret/index.html

@@ -4947,9 +4947,15 @@ If there is a conflict with an existing resource the controller will error out.<
 <span class="nt">metadata</span><span class="p">:</span>
 <span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;hello-world&quot;</span>
 <span class="nt">spec</span><span class="p">:</span>
-<span class="w">  </span><span class="c1"># The name to be used on the PushSecrets</span>
+<span class="w">  </span><span class="c1"># The name to be used on the PushSecrets.</span>
+<span class="w">  </span><span class="c1"># Defaults to the name of the ClusterPushSecret when omitted.</span>
 <span class="w">  </span><span class="nt">pushSecretName</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;hello-world-ps&quot;</span>
 
+<span class="w">  </span><span class="c1"># Optional labels and annotations to set on every created PushSecret.</span>
+<span class="w">  </span><span class="nt">pushSecretMetadata</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span>
+<span class="w">    </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{}</span>
+
 <span class="w">  </span><span class="c1"># This is a list of basic label selector to select the namespaces to deploy PushSecrets to.</span>
 <span class="w">  </span><span class="c1"># you can read more about them here https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements</span>
 <span class="w">  </span><span class="c1"># The list is OR&#39;d together, so if any of the namespaceSelectors match the namespace,</span>
@@ -4960,6 +4966,7 @@ If there is a conflict with an existing resource the controller will error out.<
 
 <span class="w">  </span><span class="c1"># How often the ClusterPushSecret should reconcile itself</span>
 <span class="w">  </span><span class="c1"># This will decide how often to check and make sure that the PushSecrets exist in the matching namespaces</span>
+<span class="w">  </span><span class="c1"># If omitted, the controller&#39;s default requeue interval is used.</span>
 <span class="w">  </span><span class="nt">refreshTime</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;1m&quot;</span>
 
 <span class="w">  </span><span class="c1"># This is the spec of the PushSecrets to be created</span>
@@ -5010,19 +5017,20 @@ If there is a conflict with an existing resource the controller will error out.<
 <span class="w">  </span><span class="nt">failedNamespaces</span><span class="p">:</span>
 <span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;matching-ns-1&quot;</span>
 <span class="w">      </span><span class="c1"># This is one of the possible messages, and likely the most common</span>
-<span class="w">      </span><span class="nt">reason</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;external</span><span class="nv"> </span><span class="s">secret</span><span class="nv"> </span><span class="s">already</span><span class="nv"> </span><span class="s">exists</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">namespace&quot;</span>
+<span class="w">      </span><span class="nt">reason</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;push</span><span class="nv"> </span><span class="s">secret</span><span class="nv"> </span><span class="s">already</span><span class="nv"> </span><span class="s">exists</span><span class="nv"> </span><span class="s">in</span><span class="nv"> </span><span class="s">namespace&quot;</span>
 
 <span class="w">  </span><span class="c1"># You can find all matching and successfully deployed namespaces here</span>
 <span class="w">  </span><span class="nt">provisionedNamespaces</span><span class="p">:</span>
 <span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;matching-ns-3&quot;</span>
 <span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">&quot;matching-ns-2&quot;</span>
 
-<span class="w">  </span><span class="c1"># The condition can be Ready, PartiallyReady, or NotReady</span>
-<span class="w">  </span><span class="c1"># PartiallyReady would indicate an error in 1 or more namespaces</span>
-<span class="w">  </span><span class="c1"># NotReady would indicate errors in all namespaces meaning all ExternalSecrets resulted in errors</span>
+<span class="w">  </span><span class="c1"># The only condition type is Ready. status is &quot;True&quot; when all matching</span>
+<span class="w">  </span><span class="c1"># namespaces synced, and &quot;False&quot; if one or more namespaces failed (the failed</span>
+<span class="w">  </span><span class="c1"># ones are listed under failedNamespaces above).</span>
 <span class="w">  </span><span class="nt">conditions</span><span class="p">:</span>
-<span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PartiallyReady</span>
-<span class="w">    </span><span class="nt">status</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;True&quot;</span>
+<span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Ready</span>
+<span class="w">    </span><span class="nt">status</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;False&quot;</span>
+<span class="w">    </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;one</span><span class="nv"> </span><span class="s">or</span><span class="nv"> </span><span class="s">more</span><span class="nv"> </span><span class="s">namespaces</span><span class="nv"> </span><span class="s">failed&quot;</span>
 <span class="w">    </span><span class="nt">lastTransitionTime</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;2022-01-12T12:33:02Z&quot;</span>
 </code></pre></div>
 <p>The result of the created Secret object will look like:</p>

+ 2 - 2
main/api/clustersecretstore/index.html

@@ -4947,7 +4947,7 @@ Admission webhook warning cannot be disabled.</p>
 <span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example</span>
 <span class="w">  </span><span class="nt">annotations</span><span class="p">:</span>
 <span class="w">    </span><span class="c1">## Add this annotation to disable controller warning events for unmaintained stores</span>
-<span class="w">    </span><span class="nt">external-secrets.io/disable-maintenance-checks</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;true&quot;</span>
+<span class="w">    </span><span class="nt">external-secrets.io/ignore-maintenance-checks</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;true&quot;</span>
 <span class="nt">spec</span><span class="p">:</span>
 <span class="w">  </span><span class="c1"># Used to select the correct ESO controller (think: ingress.ingressClassName)</span>
 <span class="w">  </span><span class="c1"># The ESO controller is instantiated with a specific controller name</span>
@@ -5120,7 +5120,7 @@ Admission webhook warning cannot be disabled.</p>
 <span class="w">    </span><span class="c1"># should prevent attempts to fetch secrets</span>
 <span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Ready</span>
 <span class="w">      </span><span class="nt">status</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;False&quot;</span>
-<span class="w">      </span><span class="nt">reason</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;ConfigError&quot;</span>
+<span class="w">      </span><span class="nt">reason</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;ValidationFailed&quot;</span>
 <span class="w">      </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;SecretStore</span><span class="nv"> </span><span class="s">validation</span><span class="nv"> </span><span class="s">failed&quot;</span>
 <span class="w">      </span><span class="nt">lastTransitionTime</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;2019-08-12T12:33:02Z&quot;</span>
 </code></pre></div>

+ 8 - 6
main/api/pushsecret/index.html

@@ -5242,19 +5242,21 @@
 <span class="w">  </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span><span class="w"> </span><span class="c1"># Same of the SecretStores</span>
 <span class="nt">spec</span><span class="p">:</span>
 <span class="w">  </span><span class="nt">updatePolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Replace</span><span class="w"> </span><span class="c1"># Policy to overwrite existing secrets in the provider on sync</span>
-<span class="w">  </span><span class="nt">deletionPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Delete</span><span class="w"> </span><span class="c1"># the provider&#39; secret will be deleted if the PushSecret is deleted</span>
+<span class="w">  </span><span class="nt">deletionPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Delete</span><span class="w"> </span><span class="c1"># delete the provider secret when the PushSecret is deleted (default: None, which keeps it)</span>
 <span class="w">  </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1h0m0s</span><span class="w"> </span><span class="c1"># Refresh interval for which push secret will reconcile</span>
 <span class="w">  </span><span class="nt">secretStoreRefs</span><span class="p">:</span><span class="w"> </span><span class="c1"># A list of secret stores to push secrets to</span>
 <span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aws-parameterstore</span>
 <span class="w">      </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="w">  </span><span class="c1"># Exactly one of selector.secret or selector.generatorRef may be set.</span>
 <span class="w">  </span><span class="nt">selector</span><span class="p">:</span>
 <span class="w">    </span><span class="nt">secret</span><span class="p">:</span>
 <span class="w">      </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pokedex-credentials</span><span class="w"> </span><span class="c1"># Source Kubernetes secret to be pushed</span>
-<span class="w">    </span><span class="c1"># Alternatively, you can point to a generator that produces values to be pushed</span>
-<span class="w">    </span><span class="nt">generatorRef</span><span class="p">:</span>
-<span class="w">      </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">generators.external-secrets.io/v1alpha1</span>
-<span class="w">      </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ECRAuthorizationToken</span>
-<span class="w">      </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">prod-registry-credentials</span>
+<span class="w">    </span><span class="c1"># Alternatively (mutually exclusive with secret), point to a generator</span>
+<span class="w">    </span><span class="c1"># that produces the values to be pushed:</span>
+<span class="w">    </span><span class="c1"># generatorRef:</span>
+<span class="w">    </span><span class="c1">#   apiVersion: generators.external-secrets.io/v1alpha1</span>
+<span class="w">    </span><span class="c1">#   kind: ECRAuthorizationToken</span>
+<span class="w">    </span><span class="c1">#   name: prod-registry-credentials</span>
 <span class="w">  </span><span class="nt">template</span><span class="p">:</span>
 <span class="w">    </span><span class="nt">metadata</span><span class="p">:</span>
 <span class="w">      </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{</span><span class="w"> </span><span class="p p-Indicator">}</span>

+ 2 - 2
main/api/secretstore/index.html

@@ -4950,7 +4950,7 @@ Admission webhook warning cannot be disabled.</p>
 <span class="w">  </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example-ns</span>
 <span class="w">  </span><span class="nt">annotations</span><span class="p">:</span>
 <span class="w">    </span><span class="c1">## Add this annotation to disable controller warning events for unmaintained stores</span>
-<span class="w">    </span><span class="nt">external-secrets.io/disable-maintenance-checks</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;true&quot;</span>
+<span class="w">    </span><span class="nt">external-secrets.io/ignore-maintenance-checks</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;true&quot;</span>
 <span class="nt">spec</span><span class="p">:</span>
 
 <span class="w">  </span><span class="c1"># Used to select the correct ESO controller (think: ingress.ingressClassName)</span>
@@ -5086,7 +5086,7 @@ Admission webhook warning cannot be disabled.</p>
 <span class="w">  </span><span class="c1"># should prevent attempts to fetch secrets</span>
 <span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Ready</span>
 <span class="w">    </span><span class="nt">status</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;False&quot;</span>
-<span class="w">    </span><span class="nt">reason</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;ConfigError&quot;</span>
+<span class="w">    </span><span class="nt">reason</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;ValidationFailed&quot;</span>
 <span class="w">    </span><span class="nt">message</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;SecretStore</span><span class="nv"> </span><span class="s">validation</span><span class="nv"> </span><span class="s">failed&quot;</span>
 <span class="w">    </span><span class="nt">lastTransitionTime</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;2019-08-12T12:33:02Z&quot;</span>
 </code></pre></div>

+ 1 - 1
main/guides/decoding-strategy/index.html

@@ -5113,7 +5113,7 @@ It will render the following Kubernetes Secret:
 <p>At this time, decoding Strategy Auto is only trying to check if the original input is valid to perform Base64 operations. As there is no reliable way to detect base64 encoded values, this means that some non-encoded secret values might end up being decoded, producing gibberish. For example, this is the case for alphanumeric values with a length divisible by 4, like <code>1234</code> or <code>happy/street</code>. </p>
 <div class="admonition note">
 <p class="admonition-title">Note</p>
-<p>If you are using <code>decodeStrategy: Auto</code> and start to see ESO pulling completely wrong secret values into your kubernetes secret, consider changing it to <code>None</code> to investigate it.</p>
+<p>If you are using <code>decodingStrategy: Auto</code> and start to see ESO pulling completely wrong secret values into your kubernetes secret, consider changing it to <code>None</code> to investigate it.</p>
 </div>
 
 

+ 8 - 6
main/guides/pushsecrets/index.html

@@ -5081,19 +5081,21 @@
 <span class="w">  </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span><span class="w"> </span><span class="c1"># Same of the SecretStores</span>
 <span class="nt">spec</span><span class="p">:</span>
 <span class="w">  </span><span class="nt">updatePolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Replace</span><span class="w"> </span><span class="c1"># Policy to overwrite existing secrets in the provider on sync</span>
-<span class="w">  </span><span class="nt">deletionPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Delete</span><span class="w"> </span><span class="c1"># the provider&#39; secret will be deleted if the PushSecret is deleted</span>
+<span class="w">  </span><span class="nt">deletionPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Delete</span><span class="w"> </span><span class="c1"># delete the provider secret when the PushSecret is deleted (default: None, which keeps it)</span>
 <span class="w">  </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1h0m0s</span><span class="w"> </span><span class="c1"># Refresh interval for which push secret will reconcile</span>
 <span class="w">  </span><span class="nt">secretStoreRefs</span><span class="p">:</span><span class="w"> </span><span class="c1"># A list of secret stores to push secrets to</span>
 <span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aws-parameterstore</span>
 <span class="w">      </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="w">  </span><span class="c1"># Exactly one of selector.secret or selector.generatorRef may be set.</span>
 <span class="w">  </span><span class="nt">selector</span><span class="p">:</span>
 <span class="w">    </span><span class="nt">secret</span><span class="p">:</span>
 <span class="w">      </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pokedex-credentials</span><span class="w"> </span><span class="c1"># Source Kubernetes secret to be pushed</span>
-<span class="w">    </span><span class="c1"># Alternatively, you can point to a generator that produces values to be pushed</span>
-<span class="w">    </span><span class="nt">generatorRef</span><span class="p">:</span>
-<span class="w">      </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">generators.external-secrets.io/v1alpha1</span>
-<span class="w">      </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ECRAuthorizationToken</span>
-<span class="w">      </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">prod-registry-credentials</span>
+<span class="w">    </span><span class="c1"># Alternatively (mutually exclusive with secret), point to a generator</span>
+<span class="w">    </span><span class="c1"># that produces the values to be pushed:</span>
+<span class="w">    </span><span class="c1"># generatorRef:</span>
+<span class="w">    </span><span class="c1">#   apiVersion: generators.external-secrets.io/v1alpha1</span>
+<span class="w">    </span><span class="c1">#   kind: ECRAuthorizationToken</span>
+<span class="w">    </span><span class="c1">#   name: prod-registry-credentials</span>
 <span class="w">  </span><span class="nt">template</span><span class="p">:</span>
 <span class="w">    </span><span class="nt">metadata</span><span class="p">:</span>
 <span class="w">      </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{</span><span class="w"> </span><span class="p p-Indicator">}</span>

+ 8 - 6
main/provider/aws-parameter-store/index.html

@@ -5323,19 +5323,21 @@ Please estimate your costs before using ESO. Cost depends on the RefreshInterval
 <span class="w">  </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span><span class="w"> </span><span class="c1"># Same of the SecretStores</span>
 <span class="nt">spec</span><span class="p">:</span>
 <span class="w">  </span><span class="nt">updatePolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Replace</span><span class="w"> </span><span class="c1"># Policy to overwrite existing secrets in the provider on sync</span>
-<span class="w">  </span><span class="nt">deletionPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Delete</span><span class="w"> </span><span class="c1"># the provider&#39; secret will be deleted if the PushSecret is deleted</span>
+<span class="w">  </span><span class="nt">deletionPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Delete</span><span class="w"> </span><span class="c1"># delete the provider secret when the PushSecret is deleted (default: None, which keeps it)</span>
 <span class="w">  </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1h0m0s</span><span class="w"> </span><span class="c1"># Refresh interval for which push secret will reconcile</span>
 <span class="w">  </span><span class="nt">secretStoreRefs</span><span class="p">:</span><span class="w"> </span><span class="c1"># A list of secret stores to push secrets to</span>
 <span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aws-parameterstore</span>
 <span class="w">      </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="w">  </span><span class="c1"># Exactly one of selector.secret or selector.generatorRef may be set.</span>
 <span class="w">  </span><span class="nt">selector</span><span class="p">:</span>
 <span class="w">    </span><span class="nt">secret</span><span class="p">:</span>
 <span class="w">      </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pokedex-credentials</span><span class="w"> </span><span class="c1"># Source Kubernetes secret to be pushed</span>
-<span class="w">    </span><span class="c1"># Alternatively, you can point to a generator that produces values to be pushed</span>
-<span class="w">    </span><span class="nt">generatorRef</span><span class="p">:</span>
-<span class="w">      </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">generators.external-secrets.io/v1alpha1</span>
-<span class="w">      </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ECRAuthorizationToken</span>
-<span class="w">      </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">prod-registry-credentials</span>
+<span class="w">    </span><span class="c1"># Alternatively (mutually exclusive with secret), point to a generator</span>
+<span class="w">    </span><span class="c1"># that produces the values to be pushed:</span>
+<span class="w">    </span><span class="c1"># generatorRef:</span>
+<span class="w">    </span><span class="c1">#   apiVersion: generators.external-secrets.io/v1alpha1</span>
+<span class="w">    </span><span class="c1">#   kind: ECRAuthorizationToken</span>
+<span class="w">    </span><span class="c1">#   name: prod-registry-credentials</span>
 <span class="w">  </span><span class="nt">template</span><span class="p">:</span>
 <span class="w">    </span><span class="nt">metadata</span><span class="p">:</span>
 <span class="w">      </span><span class="nt">annotations</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">{</span><span class="w"> </span><span class="p p-Indicator">}</span>

Разница между файлами не показана из-за своего большого размера
+ 0 - 0
main/search/search_index.json


+ 19 - 6
main/snippets/full-cluster-external-secret.yaml

@@ -4,9 +4,15 @@ kind: ClusterExternalSecret
 metadata:
   name: "hello-world"
 spec:
-  # The name to be used on the ExternalSecrets
+  # The name to be used on the ExternalSecrets.
+  # Defaults to the name of the ClusterExternalSecret when omitted.
   externalSecretName: "hello-world-es"
 
+  # Optional labels and annotations to set on every created ExternalSecret.
+  externalSecretMetadata:
+    labels: {}
+    annotations: {}
+
   # This is a basic label selector to select the namespaces to deploy ExternalSecrets to.
   # you can read more about them here https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements
   # Deprecated: Use namespaceSelectors instead.
@@ -22,8 +28,14 @@ spec:
   - matchLabels:
       cool: label
 
+  # Choose namespaces by name. This is OR'd with anything namespaceSelectors matches.
+  # Deprecated: Use namespaceSelectors instead.
+  # namespaces:
+  #   - my-namespace
+
   # How often the ClusterExternalSecret should reconcile itself
   # This will decide how often to check and make sure that the ExternalSecrets exist in the matching namespaces
+  # If omitted, the controller's default requeue interval is used.
   refreshTime: "1m"
 
   # This is the spec of the ExternalSecrets to be created
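Review bot: The selector comments around the added `namespaces` block never say that selection by label delivers the secret to any namespace carrying that label. This matters more now that the new comment spells out that names and selectors are OR'd, so each entry only widens the target set. I would add a line above the selectors such as `# Any namespace with a matching label receives the ExternalSecret; restrict who may label namespaces.` Matching on `kubernetes.io/metadata.name`, which the API server sets itself, is a safer pattern to show than `cool: label`. The selector list starts above this hunk, so the exact placement needs checking against the full file.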
@@ -83,11 +95,12 @@ status:
     - "matching-ns-3"
     - "matching-ns-2"
 
-  # The condition can be Ready, PartiallyReady, or NotReady
-  # PartiallyReady would indicate an error in 1 or more namespaces
-  # NotReady would indicate errors in all namespaces meaning all ExternalSecrets resulted in errors
+  # The only condition type is Ready. status is "True" when all matching
+  # namespaces synced, and "False" if one or more namespaces failed (the failed
+  # ones are listed under failedNamespaces above).
   conditions:
-  - type: PartiallyReady
-    status: "True"
+  - type: Ready
+    status: "False"
+    message: "one or more namespaces failed"
     lastTransitionTime: "2022-01-12T12:33:02Z"
 {% endraw %}

+ 15 - 7
main/snippets/full-cluster-push-secret.yaml

@@ -13,9 +13,15 @@ kind: ClusterPushSecret
 metadata:
   name: "hello-world"
 spec:
-  # The name to be used on the PushSecrets
+  # The name to be used on the PushSecrets.
+  # Defaults to the name of the ClusterPushSecret when omitted.
   pushSecretName: "hello-world-ps"
 
+  # Optional labels and annotations to set on every created PushSecret.
+  pushSecretMetadata:
+    labels: {}
+    annotations: {}
+
   # This is a list of basic label selector to select the namespaces to deploy PushSecrets to.
   # you can read more about them here https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements
   # The list is OR'd together, so if any of the namespaceSelectors match the namespace,
@@ -26,6 +32,7 @@ spec:
 
   # How often the ClusterPushSecret should reconcile itself
   # This will decide how often to check and make sure that the PushSecrets exist in the matching namespaces
+  # If omitted, the controller's default requeue interval is used.
   refreshTime: "1m"
 
   # This is the spec of the PushSecrets to be created
@@ -76,18 +83,19 @@ status:
   failedNamespaces:
     - namespace: "matching-ns-1"
       # This is one of the possible messages, and likely the most common
-      reason: "external secret already exists in namespace"
+      reason: "push secret already exists in namespace"
 
   # You can find all matching and successfully deployed namespaces here
   provisionedNamespaces:
     - "matching-ns-3"
     - "matching-ns-2"
 
-  # The condition can be Ready, PartiallyReady, or NotReady
-  # PartiallyReady would indicate an error in 1 or more namespaces
-  # NotReady would indicate errors in all namespaces meaning all ExternalSecrets resulted in errors
+  # The only condition type is Ready. status is "True" when all matching
+  # namespaces synced, and "False" if one or more namespaces failed (the failed
+  # ones are listed under failedNamespaces above).
   conditions:
-  - type: PartiallyReady
-    status: "True"
+  - type: Ready
+    status: "False"
+    message: "one or more namespaces failed"
     lastTransitionTime: "2022-01-12T12:33:02Z"
 {% endraw %}

+ 2 - 2
main/snippets/full-cluster-secret-store.yaml

@@ -4,7 +4,7 @@ metadata:
   name: example
   annotations:
     ## Add this annotation to disable controller warning events for unmaintained stores
-    external-secrets.io/disable-maintenance-checks: "true"
+    external-secrets.io/ignore-maintenance-checks: "true"
 spec:
   # Used to select the correct ESO controller (think: ingress.ingressClassName)
   # The ESO controller is instantiated with a specific controller name
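Review bot: The full example ships `external-secrets.io/ignore-maintenance-checks: "true"` enabled, so anyone copying the manifest silences the controller's warnings about unmaintained stores without deciding to. I would comment the annotation out and reword the lead-in to `# Optional: suppresses controller warning events for unmaintained stores; leave unset unless that risk is accepted.` The same applies to the identical hunk in main/snippets/full-secret-store.yaml. If the old `disable-maintenance-checks` key was ever honoured, a one-line mention of the rename would help readers with existing stores.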
@@ -177,6 +177,6 @@ status:
     # should prevent attempts to fetch secrets
     - type: Ready
       status: "False"
-      reason: "ConfigError"
+      reason: "ValidationFailed"
       message: "SecretStore validation failed"
       lastTransitionTime: "2019-08-12T12:33:02Z"

+ 8 - 6
main/snippets/full-pushsecret.yaml

@@ -15,19 +15,21 @@ metadata:
   namespace: default # Same of the SecretStores
 spec:
   updatePolicy: Replace # Policy to overwrite existing secrets in the provider on sync
-  deletionPolicy: Delete # the provider' secret will be deleted if the PushSecret is deleted
+  deletionPolicy: Delete # delete the provider secret when the PushSecret is deleted (default: None, which keeps it)
   refreshInterval: 1h0m0s # Refresh interval for which push secret will reconcile
   secretStoreRefs: # A list of secret stores to push secrets to
     - name: aws-parameterstore
       kind: SecretStore
+  # Exactly one of selector.secret or selector.generatorRef may be set.
   selector:
     secret:
       name: pokedex-credentials # Source Kubernetes secret to be pushed
-    # Alternatively, you can point to a generator that produces values to be pushed
-    generatorRef:
-      apiVersion: generators.external-secrets.io/v1alpha1
-      kind: ECRAuthorizationToken
-      name: prod-registry-credentials
+    # Alternatively (mutually exclusive with secret), point to a generator
+    # that produces the values to be pushed:
+    # generatorRef:
+    #   apiVersion: generators.external-secrets.io/v1alpha1
+    #   kind: ECRAuthorizationToken
+    #   name: prod-registry-credentials
   template:
     metadata:
       annotations: { }
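Review bot: The `deletionPolicy: Delete` line now carries an inline comment that pushes it well past 120 columns, and it keeps the destructive, non-default value in an example people copy. Moving the text to its own line above the key reads better: `# Deletes the provider secret when the PushSecret is deleted. Default is None, which keeps it.` Together with `updatePolicy: Replace`, this example both overwrites and removes data in the external store. It seems worth saying that in the comment, or showing `None` as the value.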

+ 2 - 2
main/snippets/full-secret-store.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: example-ns
   annotations:
     ## Add this annotation to disable controller warning events for unmaintained stores
-    external-secrets.io/disable-maintenance-checks: "true"
+    external-secrets.io/ignore-maintenance-checks: "true"
 spec:
 
   # Used to select the correct ESO controller (think: ingress.ingressClassName)
@@ -141,6 +141,6 @@ status:
   # should prevent attempts to fetch secrets
   - type: Ready
     status: "False"
-    reason: "ConfigError"
+    reason: "ValidationFailed"
     message: "SecretStore validation failed"
     lastTransitionTime: "2019-08-12T12:33:02Z"

Некоторые файлы не были показаны из-за большого количества измененных файлов