
Deployed 8eb3e21eb to main with MkDocs 1.6.1 and mike 1.2.0.dev0

Skarlso 1 month ago
parent
commit
89a6d23c8f

+ 29 - 0
main/api/spec/index.html

@@ -6635,6 +6635,7 @@ string
 <a href="#external-secrets.io/v1.InfisicalProvider">InfisicalProvider</a>, 
 <a href="#external-secrets.io/v1.KubernetesServer">KubernetesServer</a>, 
 <a href="#external-secrets.io/v1.OvhClientMTLS">OvhClientMTLS</a>, 
+<a href="#external-secrets.io/v1.PassboltProvider">PassboltProvider</a>, 
 <a href="#external-secrets.io/v1.SecretServerProvider">SecretServerProvider</a>, 
 <a href="#external-secrets.io/v1.VaultProvider">VaultProvider</a>)
 </p>
@@ -13435,6 +13436,34 @@ string
 <p>Host defines the Passbolt Server to connect to</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>caBundle</code></br>
+<em>
+[]byte
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>PEM encoded CA bundle used to validate Passbolt server certificate. Only used
+if the Host URL is using HTTPS protocol. If not set the system root certificates
+are used to validate the TLS connection.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>caProvider</code></br>
+<em>
+<a href="#external-secrets.io/v1.CAProvider">
+CAProvider
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>The provider for the CA bundle to use to validate Passbolt server certificate.</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="external-secrets.io/v1.PasswordDepotAuth">PasswordDepotAuth
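Review bot: the new `caBundle` and `caProvider` entries do not say what happens when both are set (which one takes precedence, or whether validation rejects the combination); one sentence on that in the `caProvider` description would close the gap. Because `caBundle` is typed `[]byte`, it would also help to state that the manifest value is base64-encoded PEM rather than the literal PEM block, since "PEM encoded CA bundle" on its own reads as if the raw `-----BEGIN CERTIFICATE-----` text goes into the YAML.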

+ 34 - 2
main/provider/azure-key-vault/index.html

@@ -5750,7 +5750,34 @@
 <h3 id="creating-a-pushsecret">Creating a PushSecret</h3>
 <p>You can push secrets from Kubernetes into Azure Key Vault as secrets, keys or certificates by using a <code>PushSecret</code>. A <code>PushSecret</code> references a Kubernetes Secret as the source of the data. The operator can create, update or delete the corresponding secret in Azure Key Vault to match the desired state defined in the <code>PushSecret</code>.</p>
 <h4 id="pushing-to-a-secret">Pushing to a Secret</h4>
-<p>Pushing to a Secret requires no previous setup. Provided you have a Kubernetes Secret available, you can create a <code>PushSecret</code> which references it to have it created on Azure Key Vault. You can optionally set metadata such as content type or tags. The operator will read the data from the Kubernetes Secret and push it to Azure Key Vault as a secret.</p>
+<p>Pushing to a Secret requires no previous setup. Provided you have a Kubernetes Secret available, you can create a <code>PushSecret</code> which references it to have it created on Azure Key Vault. The operator will read the data from the Kubernetes Secret and push it to Azure Key Vault as a secret.</p>
+<p>You can optionally attach metadata to the secret via the <code>spec.data[].metadata</code> field. The following fields are supported:</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Type</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td><code>expirationDate</code></td>
+<td>string</td>
+<td>Expiration date for the secret in RFC3339 format (e.g. <code>2099-12-31T23:59:59Z</code>).</td>
+</tr>
+<tr>
+<td><code>contentType</code></td>
+<td>string</td>
+<td>Content type of the secret value (e.g. <code>application/json</code>, <code>text/plain</code>).</td>
+</tr>
+<tr>
+<td><code>tags</code></td>
+<td>map[string]string</td>
+<td>Arbitrary key-value tags attached to the secret in Azure Key Vault.</td>
+</tr>
+</tbody>
+</table>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Secret</span>
 <span class="nt">metadata</span><span class="p">:</span>
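Review bot: the table lead-in places these fields under `spec.data[].metadata`, but in the example that follows they sit one level deeper, under `spec` of a `kind: PushSecretMetadata` object; spell out the full path (or show the wrapper in the lead-in) so readers do not put `expirationDate` directly under `metadata`. The `expirationDate` example in the table (`2099-12-31T23:59:59Z`) also differs from the one in the YAML example below (`2024-12-31T23:59:59Z`); use the same value in both places.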
@@ -5782,13 +5809,18 @@
 <span class="w">        </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecretMetadata</span>
 <span class="w">        </span><span class="nt">spec</span><span class="p">:</span>
 <span class="w">          </span><span class="nt">expirationDate</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;2024-12-31T23:59:59Z&quot;</span><span class="w"> </span><span class="c1"># Expiration date for the secret in Azure Key Vault</span>
+<span class="w">          </span><span class="nt">contentType</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;application/json&quot;</span><span class="w"> </span><span class="c1"># Content type of the secret value in Azure Key Vault</span>
 <span class="w">          </span><span class="nt">tags</span><span class="p">:</span><span class="w"> </span><span class="c1"># Tags to be added to the secret in Azure Key Vault</span>
-<span class="w">            </span><span class="nt">Content-Type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">application/json</span>
+<span class="w">            </span><span class="nt">environment</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">production</span>
 </code></pre></div>
 <div class="admonition note">
 <p class="admonition-title">Note</p>
 <p>In order to create a PushSecret targeting Secrets, the <a href="https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/security#key-vault-secrets-officer">Key Vault Secrets Officer</a> role, alternatively Access Policy permissions <code>Set</code> and <code>Delete</code> for Secrets must be granted to the identity configured on the SecretStore.</p>
 </div>
+<div class="admonition note">
+<p class="admonition-title">Note</p>
+<p>Omitting <code>contentType</code> (or setting it to an empty string) is interpreted as "don't change" rather than "clear": if the secret in Azure Key Vault already has a <code>ContentType</code> set, it will be preserved on update. There is currently no way to clear an existing <code>ContentType</code> via PushSecret — if you need to remove it, delete the secret from Azure Key Vault directly and let PushSecret recreate it.</p>
+</div>
 <h4 id="pushing-to-a-key">Pushing to a Key</h4>
 <p>The first step is to generate a valid private key. Supported formats include <code>PRIVATE KEY</code>, <code>RSA PRIVATE KEY</code> AND <code>EC PRIVATE KEY</code> (EC/PKCS1/PKCS8 types). After uploading your key to a Kubernetes Secret, the next step is to create a PushSecret manifest with the following configuration:</p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
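Review bot: the new note's workaround for clearing `ContentType` (delete the secret in Azure Key Vault and let PushSecret recreate it) needs a soft-delete caveat: on a vault with soft-delete enabled the deleted secret stays in a recoverable state for the retention period, creating a secret with the same name fails with a conflict until the old one is purged or recovered, and with purge protection enabled it cannot be purged early. Deleting also discards the secret's version history. Suggest adding that caveat, and recommending that `contentType` be set explicitly from the first push. Moving the content type out of `tags` into the first-class `contentType` field is the right change; a `Content-Type` tag was only informational and was never what Key Vault reports as the secret's content type.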

+ 64 - 0
main/provider/passbolt/index.html

@@ -3815,6 +3815,23 @@
     </span>
   </a>
   
+    <nav class="md-nav" aria-label="Creating a Passbolt secret store">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#custom-ca-certificate" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Custom CA certificate
+      
+    </span>
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
 </li>
       
         <li class="md-nav__item">
@@ -4926,6 +4943,23 @@
     </span>
   </a>
   
+    <nav class="md-nav" aria-label="Creating a Passbolt secret store">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#custom-ca-certificate" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Custom CA certificate
+      
+    </span>
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
 </li>
       
         <li class="md-nav__item">
@@ -4992,6 +5026,36 @@ The API requires a password and private key provided in a secret.</p>
 <span class="w">          </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">privateKey</span>
 <span class="w">          </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">passbolt-credentials</span>
 </code></pre></div>
+<h4 id="custom-ca-certificate">Custom CA certificate</h4>
+<p>If your Passbolt instance uses a certificate signed by a private or custom
+Certificate Authority, you can configure the CA bundle that ESO uses to
+validate the Passbolt server certificate. Either supply the PEM-encoded
+bundle inline via <code>caBundle</code>, or reference a Secret/ConfigMap via
+<code>caProvider</code>.</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">passbolt-with-custom-ca</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">passbolt</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">host</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https://passbolt.example.com</span>
+<span class="w">      </span><span class="c1"># Reference a ConfigMap or Secret containing the CA bundle that signed</span>
+<span class="w">      </span><span class="c1"># the Passbolt server certificate.</span>
+<span class="w">      </span><span class="nt">caProvider</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ConfigMap</span>
+<span class="w">        </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">passbolt-ca-bundle</span>
+<span class="w">        </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ca.crt</span>
+<span class="w">      </span><span class="nt">auth</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">passwordSecretRef</span><span class="p">:</span>
+<span class="w">          </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">password</span>
+<span class="w">          </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">passbolt-credentials</span>
+<span class="w">        </span><span class="nt">privateKeySecretRef</span><span class="p">:</span>
+<span class="w">          </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">privateKey</span>
+<span class="w">          </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">passbolt-credentials</span>
+</code></pre></div>
+<p>If neither <code>caBundle</code> nor <code>caProvider</code> is set, ESO uses the system root
+certificates to validate the TLS connection.</p>
 <h3 id="creating-an-external-secret">Creating an external secret</h3>
 <p>To sync a Passbolt secret to a Kubernetes secret, a <code>Kind=ExternalSecret</code> is needed.
 By default the secret contains name, username, uri, password and description.</p>
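Review bot: the section only shows the `caProvider` path; since `caBundle` is a `[]byte` field in the API reference hunk of this same commit, either add a second example or say that the inline value is base64-encoded PEM, which a reader of "supply the PEM-encoded bundle inline" would not guess. It should also state what ESO does when both `caBundle` and `caProvider` are set, and that the bundle is only consulted for an `https://` host, as the API description says; with an `http://` host there is no TLS handshake to validate and the CA settings have no effect.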

File diff suppressed because it is too large
+ 0 - 0
main/search/search_index.json


+ 2 - 1
main/snippets/azkv-pushsecret-secret.yaml

@@ -29,5 +29,6 @@ spec:
         kind: PushSecretMetadata
         spec:
           expirationDate: "2024-12-31T23:59:59Z" # Expiration date for the secret in Azure Key Vault
+          contentType: "application/json" # Content type of the secret value in Azure Key Vault
           tags: # Tags to be added to the secret in Azure Key Vault
-            Content-Type: application/json
+            environment: production
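Review bot: this snippet is the source of the rendered azure-key-vault example, so the unchanged `expirationDate: "2024-12-31T23:59:59Z"` context line is the place to fix it; the field table in the rendered page uses `2099-12-31T23:59:59Z`. Keep the two consistent so the copy-pasteable example does not carry an expiration that has already passed, which would create a secret Key Vault treats as expired from the moment it is pushed.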

+ 21 - 0
main/snippets/passbolt-secret-store-ca.yaml

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1
+kind: SecretStore
+metadata:
+  name: passbolt-with-custom-ca
+spec:
+  provider:
+    passbolt:
+      host: https://passbolt.example.com
+      # Reference a ConfigMap or Secret containing the CA bundle that signed
+      # the Passbolt server certificate.
+      caProvider:
+        type: ConfigMap
+        name: passbolt-ca-bundle
+        key: ca.crt
+      auth:
+        passwordSecretRef:
+          key: password
+          name: passbolt-credentials
+        privateKeySecretRef:
+          key: privateKey
+          name: passbolt-credentials
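Review bot: the comment says "a ConfigMap or Secret" but only the ConfigMap form is shown, and nothing says where `passbolt-ca-bundle` must live; add a comment that a namespaced `SecretStore` resolves the reference in its own namespace, and show or mention the `type: Secret` variant for operators who keep CA material alongside other TLS secrets.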

Some files were not shown because too many files changed in this diff