
Merge pull request #704 from external-secrets/feature/conversion-webhook

[Draft] Implements v1beta1 + conversion webhooks
paul-the-alien[bot] 4 лет назад
Родитель
Сommit
ab4a1f3d05
100 измененных файлов с 14443 добавлено и 927 удалено
  1. 2 1
      .gitignore
  2. 8 6
      Makefile
  3. 13 1
      PROJECT
  4. 127 0
      apis/externalsecrets/v1alpha1/externalsecret_conversion.go
  5. 221 0
      apis/externalsecrets/v1alpha1/externalsecret_conversion_test.go
  6. 25 0
      apis/externalsecrets/v1alpha1/externalsecret_webhook.go
  7. 91 0
      apis/externalsecrets/v1alpha1/secretstore_conversion.go
  8. 259 0
      apis/externalsecrets/v1alpha1/secretstore_conversion_test.go
  9. 1 0
      apis/externalsecrets/v1alpha1/secretstore_types.go
  10. 31 0
      apis/externalsecrets/v1alpha1/secretstore_webhook.go
  11. 19 0
      apis/externalsecrets/v1beta1/doc.go
  12. 19 0
      apis/externalsecrets/v1beta1/externalsecret_conversion.go
  13. 287 0
      apis/externalsecrets/v1beta1/externalsecret_types.go
  14. 25 0
      apis/externalsecrets/v1beta1/externalsecret_webhook.go
  15. 107 0
      apis/externalsecrets/v1beta1/generic_store.go
  16. 67 0
      apis/externalsecrets/v1beta1/register.go
  17. 42 0
      apis/externalsecrets/v1beta1/secretstore_akeyless_types.go
  18. 41 0
      apis/externalsecrets/v1beta1/secretstore_alibaba_types.go
  19. 76 0
      apis/externalsecrets/v1beta1/secretstore_aws_types.go
  20. 62 0
      apis/externalsecrets/v1beta1/secretstore_azurekv_types.go
  21. 23 0
      apis/externalsecrets/v1beta1/secretstore_conversion.go
  22. 27 0
      apis/externalsecrets/v1beta1/secretstore_fake_types.go
  23. 48 0
      apis/externalsecrets/v1beta1/secretstore_gcpsm_types.go
  24. 40 0
      apis/externalsecrets/v1beta1/secretstore_gitlab_types.go
  25. 39 0
      apis/externalsecrets/v1beta1/secretstore_ibm_types.go
  26. 87 0
      apis/externalsecrets/v1beta1/secretstore_kubernetes_types.go
  27. 51 0
      apis/externalsecrets/v1beta1/secretstore_oracle_types.go
  28. 177 0
      apis/externalsecrets/v1beta1/secretstore_types.go
  29. 235 0
      apis/externalsecrets/v1beta1/secretstore_vault_types.go
  30. 31 0
      apis/externalsecrets/v1beta1/secretstore_webhook.go
  31. 101 0
      apis/externalsecrets/v1beta1/secretstore_webhook_types.go
  32. 43 0
      apis/externalsecrets/v1beta1/secretstore_yandexlockbox_types.go
  33. 1675 0
      apis/externalsecrets/v1beta1/zz_generated.deepcopy.go
  34. 108 0
      cmd/certcontroller.go
  35. 160 0
      cmd/root.go
  36. 143 0
      cmd/webhook.go
  37. 1303 0
      config/crds/bases/external-secrets.io_clustersecretstores.yaml
  38. 518 0
      config/crds/bases/external-secrets.io_externalsecrets.yaml
  39. 1306 0
      config/crds/bases/external-secrets.io_secretstores.yaml
  40. 52 0
      deploy/charts/external-secrets/README.md
  41. 49 1
      deploy/charts/external-secrets/templates/_helpers.tpl
  42. 86 0
      deploy/charts/external-secrets/templates/cert-controller-deployment.yaml
  43. 44 0
      deploy/charts/external-secrets/templates/cert-controller-rbac.yaml
  44. 20 0
      deploy/charts/external-secrets/templates/cert-controller-service.yaml
  45. 13 0
      deploy/charts/external-secrets/templates/cert-controller-serviceaccount.yaml
  46. 100 0
      deploy/charts/external-secrets/templates/webhook-deployment.yaml
  47. 7 0
      deploy/charts/external-secrets/templates/webhook-secret.yaml
  48. 28 0
      deploy/charts/external-secrets/templates/webhook-service.yaml
  49. 13 0
      deploy/charts/external-secrets/templates/webhook-serviceaccount.yaml
  50. 129 0
      deploy/charts/external-secrets/values.yaml
  51. 4402 0
      deploy/crds/bundle.yaml
  52. 0 261
      deploy/crds/external-secrets.io_externalsecrets.yaml
  53. 16 0
      e2e/framework/addon/eso.go
  54. 6 8
      go.mod
  55. 62 5
      go.sum
  56. 4 120
      main.go
  57. 225 0
      pkg/controllers/crds/common_test.go
  58. 479 0
      pkg/controllers/crds/crds_controller.go
  59. 344 0
      pkg/controllers/crds/crds_controller_test.go
  60. 102 0
      pkg/controllers/crds/suite_test.go
  61. 39 30
      pkg/controllers/externalsecret/externalsecret_controller.go
  62. 8 8
      pkg/controllers/externalsecret/externalsecret_controller_template.go
  63. 192 159
      pkg/controllers/externalsecret/externalsecret_controller_test.go
  64. 10 10
      pkg/controllers/externalsecret/metrics.go
  65. 2 2
      pkg/controllers/externalsecret/suite_test.go
  66. 7 7
      pkg/controllers/externalsecret/util.go
  67. 1 1
      pkg/controllers/secretstore/clustersecretstore_controller.go
  68. 1 1
      pkg/controllers/secretstore/common.go
  69. 1 1
      pkg/controllers/secretstore/common_test.go
  70. 1 1
      pkg/controllers/secretstore/secretstore_controller.go
  71. 1 1
      pkg/controllers/secretstore/suite_test.go
  72. 1 1
      pkg/controllers/secretstore/util.go
  73. 14 8
      pkg/provider/akeyless/akeyless.go
  74. 4 4
      pkg/provider/akeyless/akeyless_test.go
  75. 4 4
      pkg/provider/akeyless/auth.go
  76. 2 2
      pkg/provider/akeyless/utils.go
  77. 15 9
      pkg/provider/alibaba/kms.go
  78. 4 4
      pkg/provider/alibaba/kms_test.go
  79. 7 7
      pkg/provider/aws/auth/auth.go
  80. 72 72
      pkg/provider/aws/auth/auth_test.go
  81. 9 3
      pkg/provider/aws/parameterstore/parameterstore.go
  82. 4 4
      pkg/provider/aws/parameterstore/parameterstore_test.go
  83. 7 7
      pkg/provider/aws/provider.go
  84. 28 28
      pkg/provider/aws/provider_test.go
  85. 10 4
      pkg/provider/aws/secretsmanager/secretsmanager.go
  86. 4 4
      pkg/provider/aws/secretsmanager/secretsmanager_test.go
  87. 2 2
      pkg/provider/aws/util/provider.go
  88. 20 14
      pkg/provider/azure/keyvault/keyvault.go
  89. 15 15
      pkg/provider/azure/keyvault/keyvault_test.go
  90. 14 8
      pkg/provider/fake/fake.go
  91. 22 22
      pkg/provider/fake/fake_test.go
  92. 16 10
      pkg/provider/gcp/secretmanager/secretsmanager.go
  93. 5 5
      pkg/provider/gcp/secretmanager/secretsmanager_test.go
  94. 3 3
      pkg/provider/gcp/secretmanager/secretsmanager_workload_identity.go
  95. 22 22
      pkg/provider/gcp/secretmanager/secretsmanager_workload_identity_test.go
  96. 14 8
      pkg/provider/gitlab/gitlab.go
  97. 4 4
      pkg/provider/gitlab/gitlab_test.go
  98. 16 10
      pkg/provider/ibm/provider.go
  99. 11 11
      pkg/provider/ibm/provider_test.go
  100. 12 8
      pkg/provider/kubernetes/kubernetes.go

+ 2 - 1
.gitignore

@@ -1,5 +1,6 @@
 .DS_Store
-
+/webhook/bin
+/webhook/certcontroller/bin
 /bin
 /vendor
 cover.out

+ 8 - 6
Makefile

@@ -16,7 +16,8 @@ all: $(addprefix build-,$(ARCH))
 # Image registry for build/push image targets
 export IMAGE_REGISTRY ?= ghcr.io/external-secrets/external-secrets
 
-CRD_DIR     ?= deploy/crds
+BUNDLE_DIR     ?= deploy/crds
+CRD_DIR     ?= config/crds
 
 HELM_DIR    ?= deploy/charts/external-secrets
 TF_DIR ?= terraform
@@ -130,13 +131,14 @@ fmt: lint.check ## Ensure consistent code style
 
 generate: ## Generate code and crds
 	@go run sigs.k8s.io/controller-tools/cmd/controller-gen object:headerFile="hack/boilerplate.go.txt" paths="./..."
-	@go run sigs.k8s.io/controller-tools/cmd/controller-gen crd paths="./..." output:crd:artifacts:config=$(CRD_DIR)
+	@go run sigs.k8s.io/controller-tools/cmd/controller-gen crd paths="./..." output:crd:artifacts:config=$(CRD_DIR)/bases
 # Remove extra header lines in generated CRDs
-	@for i in $(CRD_DIR)/*.yaml; do \
+	@for i in $(CRD_DIR)/bases/*.yaml; do \
   		tail -n +2 <"$$i" >"$$i.bkp" && \
   		cp "$$i.bkp" "$$i" && \
   		rm "$$i.bkp"; \
   	done
+	@yq e '.spec.conversion.strategy = "Webhook" | .spec.conversion.webhook.conversionReviewVersions = ["v1"] | .spec.conversion.webhook.clientConfig.caBundle = "Cg==" | .spec.conversion.webhook.clientConfig.service.name = "kubernetes" | .spec.conversion.webhook.clientConfig.service.namespace = "default" |	.spec.conversion.webhook.clientConfig.service.path = "/convert"' $(CRD_DIR)/bases/*  > $(BUNDLE_DIR)/bundle.yaml
 	@$(OK) Finished generating deepcopy and crds
 
 # ====================================================================================
@@ -152,10 +154,10 @@ manifests: helm.generate ## Generate manifests from helm chart
 	helm template external-secrets $(HELM_DIR) -f deploy/manifests/helm-values.yaml > $(OUTPUT_DIR)/deploy/manifests/external-secrets.yaml
 
 crds.install: generate ## Install CRDs into a cluster. This is for convenience
-	kubectl apply -f $(CRD_DIR)
+	kubectl apply -f $(BUNDLE_DIR)
 
 crds.uninstall: ## Uninstall CRDs from a cluster. This is for convenience
-	kubectl delete -f $(CRD_DIR)
+	kubectl delete -f $(BUNDLE_DIR)
 
 # ====================================================================================
 # Helm Chart
@@ -173,7 +175,7 @@ helm.build: helm.generate ## Build helm chart
 	@$(OK) helm package
 
 helm.generate: helm.docs ## Copy crds to helm chart directory
-	@cp $(CRD_DIR)/*.yaml $(HELM_DIR)/templates/crds/
+	@cp $(BUNDLE_DIR)/*.yaml $(HELM_DIR)/templates/crds/
 # Add helm if statement for controlling the install of CRDs
 	@for i in $(HELM_DIR)/templates/crds/*.yaml; do \
 		cp "$$i" "$$i.bkp" && \
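Review bot: The new `yq` step in the `generate` target bakes placeholder webhook settings into `$(BUNDLE_DIR)/bundle.yaml` (`caBundle = "Cg=="`, which decodes to a single newline, and a conversion service of `kubernetes` in `default` with path `/convert`), and nothing in the Makefile says these are placeholders. Since `crds.install` now applies that bundle verbatim, the CRDs go live with conversion pointed at those values until something rewrites them at runtime — presumably the cert controller added in this PR, but that dependency should be stated next to the command. A comment such as `# caBundle/service below are placeholders; the cert-controller patches the live CRDs with the real service and CA at runtime` above the `@yq` line would do it. The expression also contains a literal tab after the last `|` (`|	.spec.conversion.webhook.clientConfig.service.path`); yq tolerates it, but a space keeps the line consistent with the rest.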

+ 13 - 1
PROJECT

@@ -2,10 +2,22 @@ domain: io
 multigroup: true
 repo: github.com/external-secrets/external-secrets
 resources:
+- group: external-secrets
+  kind: ClusterSecretStore
+  version: v1alpha1
 - group: external-secrets
   kind: SecretStore
   version: v1alpha1
 - group: external-secrets
   kind: ExternalSecret
   version: v1alpha1
-version: "2"
+- group: external-secrets
+  kind: ClusterSecretStore
+  version: v1beta1
+- group: external-secrets
+  kind: SecretStore
+  version: v1beta1
+- group: external-secrets
+  kind: ExternalSecret
+  version: v1beta1
+version: "3"

+ 127 - 0
apis/externalsecrets/v1alpha1/externalsecret_conversion.go

@@ -0,0 +1,127 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"encoding/json"
+
+	"sigs.k8s.io/controller-runtime/pkg/conversion"
+
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+)
+
+func (alpha *ExternalSecret) ConvertTo(betaRaw conversion.Hub) error {
+	beta := betaRaw.(*esv1beta1.ExternalSecret)
+	// Actual converted code thatn eeds to be like this
+	v1beta1DataFrom := make([]esv1beta1.ExternalSecretDataFromRemoteRef, 0)
+	for _, v1alpha1RemoteRef := range alpha.Spec.DataFrom {
+		v1beta1RemoteRef := esv1beta1.ExternalSecretDataFromRemoteRef{
+			Extract: esv1beta1.ExternalSecretDataRemoteRef{
+				Key:      v1alpha1RemoteRef.Key,
+				Property: v1alpha1RemoteRef.Property,
+				Version:  v1alpha1RemoteRef.Version,
+			},
+		}
+		v1beta1DataFrom = append(v1beta1DataFrom, v1beta1RemoteRef)
+	}
+	beta.Spec.DataFrom = v1beta1DataFrom
+	tmp, err := json.Marshal(alpha.Spec.Data)
+	if err != nil {
+		return err
+	}
+	data := make([]esv1beta1.ExternalSecretData, 0)
+	err = json.Unmarshal(tmp, &data)
+	if err != nil {
+		return err
+	}
+	beta.Spec.Data = data
+
+	tmp, err = json.Marshal(alpha.Spec.Target)
+	if err != nil {
+		return err
+	}
+	target := esv1beta1.ExternalSecretTarget{}
+	err = json.Unmarshal(tmp, &target)
+	if err != nil {
+		return err
+	}
+	beta.Spec.Target = target
+	beta.Spec.RefreshInterval = alpha.Spec.RefreshInterval
+	beta.Spec.SecretStoreRef = esv1beta1.SecretStoreRef(alpha.Spec.SecretStoreRef)
+	beta.ObjectMeta = alpha.ObjectMeta
+	tmp, err = json.Marshal(alpha.Status)
+	if err != nil {
+		return err
+	}
+	status := esv1beta1.ExternalSecretStatus{}
+	err = json.Unmarshal(tmp, &status)
+	if err != nil {
+		return err
+	}
+	beta.Status = status
+	return nil
+}
+
+func (alpha *ExternalSecret) ConvertFrom(betaRaw conversion.Hub) error {
+	beta := betaRaw.(*esv1beta1.ExternalSecret)
+	v1alpha1DataFrom := make([]ExternalSecretDataRemoteRef, 0)
+	for _, v1beta1RemoteRef := range beta.Spec.DataFrom {
+		if v1beta1RemoteRef.Extract.Key != "" {
+			v1alpha1RemoteRef := ExternalSecretDataRemoteRef{
+				Key:      v1beta1RemoteRef.Extract.Key,
+				Property: v1beta1RemoteRef.Extract.Property,
+				Version:  v1beta1RemoteRef.Extract.Version,
+			}
+			v1alpha1DataFrom = append(v1alpha1DataFrom, v1alpha1RemoteRef)
+		}
+	}
+	alpha.Spec.DataFrom = v1alpha1DataFrom
+
+	tmp, err := json.Marshal(beta.Spec.Data)
+	if err != nil {
+		return err
+	}
+	data := make([]ExternalSecretData, 0)
+	err = json.Unmarshal(tmp, &data)
+	if err != nil {
+		return err
+	}
+	alpha.Spec.Data = data
+
+	tmp, err = json.Marshal(beta.Spec.Target)
+	if err != nil {
+		return err
+	}
+	target := ExternalSecretTarget{}
+	err = json.Unmarshal(tmp, &target)
+	if err != nil {
+		return err
+	}
+	alpha.Spec.Target = target
+	alpha.Spec.RefreshInterval = beta.Spec.RefreshInterval
+	alpha.Spec.SecretStoreRef = SecretStoreRef(beta.Spec.SecretStoreRef)
+	alpha.ObjectMeta = beta.ObjectMeta
+	tmp, err = json.Marshal(beta.Status)
+	if err != nil {
+		return err
+	}
+	status := ExternalSecretStatus{}
+	err = json.Unmarshal(tmp, &status)
+	if err != nil {
+		return err
+	}
+	alpha.Status = status
+	return nil
+}
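Review bot: Both `ConvertTo` and `ConvertFrom` use an unchecked type assertion on the first line of their bodies (`beta := betaRaw.(*esv1beta1.ExternalSecret)`), so a hub of any other type panics inside the webhook instead of returning an error; use the two-value form, `beta, ok := betaRaw.(*esv1beta1.ExternalSecret)` followed by `if !ok { return fmt.Errorf("unexpected hub type %T", betaRaw) }` (adding `fmt` to the imports). The four methods in apis/externalsecrets/v1alpha1/secretstore_conversion.go use the same pattern. `ConvertFrom` also silently drops every v1beta1 `DataFrom` entry whose `Extract.Key` is empty, which is a lossy down-conversion that deserves a comment on the `if v1beta1RemoteRef.Extract.Key != ""` line, e.g. `// v1alpha1 only models Extract-style dataFrom; entries without an Extract key cannot be represented and are dropped.` — presumably v1beta1 has other dataFrom variants, but that is not visible here. The `// Actual converted code thatn eeds to be like this` line reads as a leftover scratch note and should be removed or rewritten.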

+ 221 - 0
apis/externalsecrets/v1alpha1/externalsecret_conversion_test.go

@@ -0,0 +1,221 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+)
+
+const (
+	keyName = "my-key"
+)
+
+func newExternalSecretV1Alpha1() *ExternalSecret {
+	return &ExternalSecret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "full-es",
+			Namespace: "my-ns",
+		},
+		Status: ExternalSecretStatus{
+			SyncedResourceVersion: "123",
+			Conditions: []ExternalSecretStatusCondition{
+				{
+					Type:    ExternalSecretReady,
+					Status:  corev1.ConditionTrue,
+					Reason:  "it's a mock, it's always ready",
+					Message: "...why wouldn't it be?",
+				},
+			},
+		},
+		Spec: ExternalSecretSpec{
+			SecretStoreRef: SecretStoreRef{
+				Name: "test-secret-store",
+				Kind: "ClusterSecretStore",
+			},
+			Target: ExternalSecretTarget{
+				Name:           "test-target",
+				CreationPolicy: Owner,
+				Immutable:      false,
+				Template: &ExternalSecretTemplate{
+					Type: corev1.SecretTypeOpaque,
+					Metadata: ExternalSecretTemplateMetadata{
+						Annotations: map[string]string{
+							"foo": "bar",
+						},
+						Labels: map[string]string{
+							"foolbl": "barlbl",
+						},
+					},
+					Data: map[string]string{
+						keyName: "{{.data | toString}}",
+					},
+					TemplateFrom: []TemplateFrom{
+						{
+							ConfigMap: &TemplateRef{
+								Name: "test-configmap",
+								Items: []TemplateRefItem{
+									{
+										Key: keyName,
+									},
+								},
+							},
+							Secret: &TemplateRef{
+								Name: "test-secret",
+								Items: []TemplateRefItem{
+									{
+										Key: keyName,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			Data: []ExternalSecretData{
+				{
+					SecretKey: keyName,
+					RemoteRef: ExternalSecretDataRemoteRef{
+						Key:      "datakey",
+						Property: "dataproperty",
+						Version:  "dataversion",
+					},
+				},
+			},
+			DataFrom: []ExternalSecretDataRemoteRef{
+				{
+					Key:      "key",
+					Property: "property",
+					Version:  "version",
+				},
+			},
+		},
+	}
+}
+
+func newExternalSecretV1Beta1() *esv1beta1.ExternalSecret {
+	return &esv1beta1.ExternalSecret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "full-es",
+			Namespace: "my-ns",
+		},
+		Status: esv1beta1.ExternalSecretStatus{
+			SyncedResourceVersion: "123",
+			Conditions: []esv1beta1.ExternalSecretStatusCondition{
+				{
+					Type:    esv1beta1.ExternalSecretReady,
+					Status:  corev1.ConditionTrue,
+					Reason:  "it's a mock, it's always ready",
+					Message: "...why wouldn't it be?",
+				},
+			},
+		},
+		Spec: esv1beta1.ExternalSecretSpec{
+			SecretStoreRef: esv1beta1.SecretStoreRef{
+				Name: "test-secret-store",
+				Kind: "ClusterSecretStore",
+			},
+			Target: esv1beta1.ExternalSecretTarget{
+				Name:           "test-target",
+				CreationPolicy: esv1beta1.Owner,
+				Immutable:      false,
+				Template: &esv1beta1.ExternalSecretTemplate{
+					Type: corev1.SecretTypeOpaque,
+					Metadata: esv1beta1.ExternalSecretTemplateMetadata{
+						Annotations: map[string]string{
+							"foo": "bar",
+						},
+						Labels: map[string]string{
+							"foolbl": "barlbl",
+						},
+					},
+					Data: map[string]string{
+						keyName: "{{.data | toString}}",
+					},
+					TemplateFrom: []esv1beta1.TemplateFrom{
+						{
+							ConfigMap: &esv1beta1.TemplateRef{
+								Name: "test-configmap",
+								Items: []esv1beta1.TemplateRefItem{
+									{
+										Key: keyName,
+									},
+								},
+							},
+							Secret: &esv1beta1.TemplateRef{
+								Name: "test-secret",
+								Items: []esv1beta1.TemplateRefItem{
+									{
+										Key: keyName,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			Data: []esv1beta1.ExternalSecretData{
+				{
+					SecretKey: keyName,
+					RemoteRef: esv1beta1.ExternalSecretDataRemoteRef{
+						Key:      "datakey",
+						Property: "dataproperty",
+						Version:  "dataversion",
+					},
+				},
+			},
+			DataFrom: []esv1beta1.ExternalSecretDataFromRemoteRef{
+				{
+					Extract: esv1beta1.ExternalSecretDataRemoteRef{
+						Key:      "key",
+						Property: "property",
+						Version:  "version",
+					},
+				},
+			},
+		},
+	}
+}
+
+func TestExternalSecretConvertFrom(t *testing.T) {
+	given := newExternalSecretV1Beta1()
+	want := newExternalSecretV1Alpha1()
+	got := &ExternalSecret{}
+	err := got.ConvertFrom(given)
+	if err != nil {
+		t.Errorf("test failed with error: %v", err)
+	}
+	if !assert.Equal(t, want, got) {
+		t.Errorf("test failed, expected: %v, got: %v", want, got)
+	}
+}
+
+func TestExternalSecretConvertTo(t *testing.T) {
+	want := newExternalSecretV1Beta1()
+	given := newExternalSecretV1Alpha1()
+	got := &esv1beta1.ExternalSecret{}
+	err := given.ConvertTo(got)
+	if err != nil {
+		t.Errorf("test failed with error: %v", err)
+	}
+	if !assert.Equal(t, want, got) {
+		t.Errorf("test failed, expected: %v, got: %v", want, got)
+	}
+}
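Review bot: In both tests the `if !assert.Equal(t, want, got) { t.Errorf(...) }` wrapper double-reports: `assert.Equal` already fails the test with a structured diff, and the extra `%v` dump of two large structs is less readable than that diff, so a bare `assert.Equal(t, want, got)` is enough. The preceding `if err != nil { t.Errorf(...) }` also lets the comparison run against a half-converted object; `t.Fatalf` (or `require.NoError`) is the better choice there. Coverage is limited to one fully populated fixture; a second case with nil `Data`/`DataFrom` would surface that `ConvertTo` always emits empty non-nil slices via `make(..., 0)`, which `assert.Equal` distinguishes from nil.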

+ 25 - 0
apis/externalsecrets/v1alpha1/externalsecret_webhook.go

@@ -0,0 +1,25 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	ctrl "sigs.k8s.io/controller-runtime"
+)
+
+func (alpha *ExternalSecret) SetupWebhookWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(alpha).
+		Complete()
+}
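Review bot: `SetupWebhookWithManager` is exported but carries no doc comment; `// SetupWebhookWithManager registers ExternalSecret with mgr's webhook server so its conversion endpoint is served.` would satisfy `go vet`/linters and tell the reader which webhooks are registered. From this hunk the type appears to implement conversion only, not defaulting or validation — if that is the intent, saying so in the comment avoids a later reader expecting validation here. The two methods in apis/externalsecrets/v1alpha1/secretstore_webhook.go need the same comment.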

+ 91 - 0
apis/externalsecrets/v1alpha1/secretstore_conversion.go

@@ -0,0 +1,91 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"encoding/json"
+
+	"sigs.k8s.io/controller-runtime/pkg/conversion"
+
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+)
+
+func (c *SecretStore) ConvertTo(betaRaw conversion.Hub) error {
+	beta := betaRaw.(*esv1beta1.SecretStore)
+	tmp := &esv1beta1.SecretStore{}
+	alphajson, err := json.Marshal(c)
+	if err != nil {
+		return err
+	}
+	err = json.Unmarshal(alphajson, tmp)
+	if err != nil {
+		return err
+	}
+	beta.Spec = tmp.Spec
+	beta.ObjectMeta = tmp.ObjectMeta
+	beta.Status = tmp.Status
+	return nil
+}
+
+func (c *SecretStore) ConvertFrom(betaRaw conversion.Hub) error {
+	beta := betaRaw.(*esv1beta1.SecretStore)
+	tmp := &SecretStore{}
+	betajson, err := json.Marshal(beta)
+	if err != nil {
+		return err
+	}
+	err = json.Unmarshal(betajson, tmp)
+	if err != nil {
+		return err
+	}
+	c.Spec = tmp.Spec
+	c.ObjectMeta = tmp.ObjectMeta
+	c.Status = tmp.Status
+	return nil
+}
+
+func (c *ClusterSecretStore) ConvertTo(betaRaw conversion.Hub) error {
+	beta := betaRaw.(*esv1beta1.ClusterSecretStore)
+	tmp := &esv1beta1.ClusterSecretStore{}
+	alphajson, err := json.Marshal(c)
+	if err != nil {
+		return err
+	}
+	err = json.Unmarshal(alphajson, tmp)
+	if err != nil {
+		return err
+	}
+	beta.Spec = tmp.Spec
+	beta.ObjectMeta = tmp.ObjectMeta
+	beta.Status = tmp.Status
+	return nil
+}
+
+func (c *ClusterSecretStore) ConvertFrom(betaRaw conversion.Hub) error {
+	beta := betaRaw.(*esv1beta1.ClusterSecretStore)
+	tmp := &ClusterSecretStore{}
+	betajson, err := json.Marshal(beta)
+	if err != nil {
+		return err
+	}
+	err = json.Unmarshal(betajson, tmp)
+	if err != nil {
+		return err
+	}
+	c.Spec = tmp.Spec
+	c.ObjectMeta = tmp.ObjectMeta
+	c.Status = tmp.Status
+	return nil
+}
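Review bot: All four methods convert by marshalling the whole object and unmarshalling it into the other version with a plain `json.Unmarshal`, so any field that exists in only one version is silently dropped with no error and no round-trip annotation; that is acceptable while the two specs are identical, but the behaviour should be stated in a comment because it will become a silent data-loss path as v1beta1 diverges. The four bodies are also identical apart from the types, so a single helper removes the duplication and gives the comment one home; each method then becomes `tmp := &esv1beta1.SecretStore{}` / `if err := convertViaJSON(c, tmp); err != nil { return err }` followed by the three field assignments. The helper:

```go
// convertViaJSON copies src into dst through a JSON round-trip. Fields that
// exist in only one of the two versions are silently dropped, and unknown
// fields are not reported; callers rely on the two schemas matching.
func convertViaJSON(src, dst any) error {
	raw, err := json.Marshal(src)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, dst)
}

// … unchanged: ConvertTo/ConvertFrom bodies reduced to the helper call plus the Spec/ObjectMeta/Status assignments …
```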

+ 259 - 0
apis/externalsecrets/v1alpha1/secretstore_conversion_test.go

@@ -0,0 +1,259 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+const (
+	storeName                = "secret-store"
+	storeNamespace           = "my-namespace"
+	storeReason              = "it's a mock, it's always ready"
+	storeMessage             = "...why wouldn't it be?"
+	storeAWSRegion           = "us-east-1"
+	storeAWSRole             = "arn:aws:iam::123456789012:role/my-role"
+	storeAccessName          = "my-access"
+	storeKey                 = "my-key"
+	storeSecretName          = "my-secret"
+	defaultErrorMessage      = "test failed with error: %v"
+	defaultComparisonMessage = "test failed, expected: %v, got: %v"
+)
+
+func newSecretStoreV1Alpha1() *SecretStore {
+	return &SecretStore{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      storeName,
+			Namespace: storeNamespace,
+		},
+		Status: SecretStoreStatus{
+			Conditions: []SecretStoreStatusCondition{
+				{
+					Type:    SecretStoreReady,
+					Status:  corev1.ConditionTrue,
+					Reason:  storeReason,
+					Message: storeMessage,
+				},
+			},
+		},
+		Spec: SecretStoreSpec{
+			Controller: "dev",
+			Provider: &SecretStoreProvider{
+				AWS: &AWSProvider{
+					Service: AWSServiceSecretsManager,
+					Region:  storeAWSRegion,
+					Role:    storeAWSRole,
+					Auth: AWSAuth{
+						SecretRef: &AWSAuthSecretRef{
+							AccessKeyID: esmeta.SecretKeySelector{
+								Name: storeAccessName,
+								Key:  storeKey,
+							},
+							SecretAccessKey: esmeta.SecretKeySelector{
+								Name: storeSecretName,
+								Key:  storeKey,
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func newSecretStoreV1Beta1() *esv1beta1.SecretStore {
+	return &esv1beta1.SecretStore{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      storeName,
+			Namespace: storeNamespace,
+		},
+		Status: esv1beta1.SecretStoreStatus{
+			Conditions: []esv1beta1.SecretStoreStatusCondition{
+				{
+					Type:    esv1beta1.SecretStoreReady,
+					Status:  corev1.ConditionTrue,
+					Reason:  storeReason,
+					Message: storeMessage,
+				},
+			},
+		},
+		Spec: esv1beta1.SecretStoreSpec{
+			Controller: "dev",
+			Provider: &esv1beta1.SecretStoreProvider{
+				AWS: &esv1beta1.AWSProvider{
+					Service: esv1beta1.AWSServiceSecretsManager,
+					Region:  storeAWSRegion,
+					Role:    storeAWSRole,
+					Auth: esv1beta1.AWSAuth{
+						SecretRef: &esv1beta1.AWSAuthSecretRef{
+							AccessKeyID: esmeta.SecretKeySelector{
+								Name: storeAccessName,
+								Key:  storeKey,
+							},
+							SecretAccessKey: esmeta.SecretKeySelector{
+								Name: storeSecretName,
+								Key:  storeKey,
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func newClusterSecretStoreV1Alpha1() *ClusterSecretStore {
+	ns := storeNamespace
+	return &ClusterSecretStore{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: storeName,
+		},
+		Status: SecretStoreStatus{
+			Conditions: []SecretStoreStatusCondition{
+				{
+					Type:    SecretStoreReady,
+					Status:  corev1.ConditionTrue,
+					Reason:  storeReason,
+					Message: storeMessage,
+				},
+			},
+		},
+		Spec: SecretStoreSpec{
+			Controller: "dev",
+			Provider: &SecretStoreProvider{
+				AWS: &AWSProvider{
+					Service: AWSServiceSecretsManager,
+					Region:  storeAWSRegion,
+					Role:    storeAWSRole,
+					Auth: AWSAuth{
+						SecretRef: &AWSAuthSecretRef{
+							AccessKeyID: esmeta.SecretKeySelector{
+								Name:      storeAccessName,
+								Key:       storeKey,
+								Namespace: &ns,
+							},
+							SecretAccessKey: esmeta.SecretKeySelector{
+								Name:      storeSecretName,
+								Key:       storeKey,
+								Namespace: &ns,
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func newClusterSecretStoreV1Beta1() *esv1beta1.ClusterSecretStore {
+	ns := storeNamespace
+	return &esv1beta1.ClusterSecretStore{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: storeName,
+		},
+		Status: esv1beta1.SecretStoreStatus{
+			Conditions: []esv1beta1.SecretStoreStatusCondition{
+				{
+					Type:    esv1beta1.SecretStoreReady,
+					Status:  corev1.ConditionTrue,
+					Reason:  storeReason,
+					Message: storeMessage,
+				},
+			},
+		},
+		Spec: esv1beta1.SecretStoreSpec{
+			Controller: "dev",
+			Provider: &esv1beta1.SecretStoreProvider{
+				AWS: &esv1beta1.AWSProvider{
+					Service: esv1beta1.AWSServiceSecretsManager,
+					Region:  storeAWSRegion,
+					Role:    storeAWSRole,
+					Auth: esv1beta1.AWSAuth{
+						SecretRef: &esv1beta1.AWSAuthSecretRef{
+							AccessKeyID: esmeta.SecretKeySelector{
+								Name:      storeAccessName,
+								Key:       storeKey,
+								Namespace: &ns,
+							},
+							SecretAccessKey: esmeta.SecretKeySelector{
+								Name:      storeSecretName,
+								Key:       storeKey,
+								Namespace: &ns,
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+func TestSecretStoreConvertFrom(t *testing.T) {
+	given := newSecretStoreV1Beta1()
+	want := newSecretStoreV1Alpha1()
+	got := &SecretStore{}
+	err := got.ConvertFrom(given)
+	if err != nil {
+		t.Errorf(defaultErrorMessage, err)
+	}
+	if !assert.Equal(t, want, got) {
+		t.Errorf("test failed, expected: %v, got: %v", want, got)
+	}
+}
+
+func TestSecretStoreConvertTo(t *testing.T) {
+	want := newSecretStoreV1Beta1()
+	given := newSecretStoreV1Alpha1()
+	got := &esv1beta1.SecretStore{}
+	err := given.ConvertTo(got)
+	if err != nil {
+		t.Errorf(defaultErrorMessage, err)
+	}
+	if !assert.Equal(t, want, got) {
+		t.Errorf(defaultComparisonMessage, want, got)
+	}
+}
+
+func TestClusterSecretStoreConvertFrom(t *testing.T) {
+	given := newClusterSecretStoreV1Beta1()
+	want := newClusterSecretStoreV1Alpha1()
+	got := &ClusterSecretStore{}
+	err := got.ConvertFrom(given)
+	if err != nil {
+		t.Errorf(defaultErrorMessage, err)
+	}
+	if !assert.Equal(t, want, got) {
+		t.Errorf(defaultComparisonMessage, want, got)
+	}
+}
+
+func TestClusterSecretStoreConvertTo(t *testing.T) {
+	want := newClusterSecretStoreV1Beta1()
+	given := newClusterSecretStoreV1Alpha1()
+	got := &esv1beta1.ClusterSecretStore{}
+	err := given.ConvertTo(got)
+	if err != nil {
+		t.Errorf(defaultErrorMessage, err)
+	}
+	if !assert.Equal(t, want, got) {
+		t.Errorf(defaultComparisonMessage, want, got)
+	}
+}
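Review bot: `TestSecretStoreConvertFrom` still uses the literal `"test failed, expected: %v, got: %v"` on its `t.Errorf` line while the other three tests use `defaultComparisonMessage`; switch it to the constant so the messages stay in step. All four fixtures populate only the AWS provider, so the whole-object JSON round-trip in secretstore_conversion.go is unverified for every other provider struct and for the `RetrySettings`-style optional fields, if any exist in these versions — a table-driven test over a few providers would catch a field that is dropped in one direction. There is also no blank line between `newClusterSecretStoreV1Beta1` and `TestSecretStoreConvertFrom`, which is out of step with the rest of the file.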

+ 1 - 0
apis/externalsecrets/v1alpha1/secretstore_types.go

@@ -85,6 +85,7 @@ type SecretStoreProvider struct {
 	// Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
 	// +optional
 	Kubernetes *KubernetesProvider `json:"kubernetes,omitempty"`
+
 	// Fake configures a store with static key/value pairs
 	// +optional
 	Fake *FakeProvider `json:"fake,omitempty"`

+ 31 - 0
apis/externalsecrets/v1alpha1/secretstore_webhook.go

@@ -0,0 +1,31 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	ctrl "sigs.k8s.io/controller-runtime"
+)
+
+func (c *SecretStore) SetupWebhookWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(c).
+		Complete()
+}
+
+func (c *ClusterSecretStore) SetupWebhookWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(c).
+		Complete()
+}

+ 19 - 0
apis/externalsecrets/v1beta1/doc.go

@@ -0,0 +1,19 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1beta1 contains resources for external-secrets
+// +kubebuilder:object:generate=true
+// +groupName=external-secrets.io
+// +versionName=v1beta1
+package v1beta1

+ 19 - 0
apis/externalsecrets/v1beta1/externalsecret_conversion.go

@@ -0,0 +1,19 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+func (*ExternalSecret) Hub() {
+	// This empty method defines the Hub convertible interface.
+}
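Review bot: Hub is an exported method that carries only an inner comment; a doc comment such as `// Hub marks ExternalSecret as the conversion hub: other API versions convert to and from this type.` would tell readers why the body is intentionally empty. The same applies to SecretStore.Hub and ClusterSecretStore.Hub in apis/externalsecrets/v1beta1/secretstore_conversion.go, whose inner comments are worded differently from this one; a single shared wording across the three methods is easier to keep in sync.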

+ 287 - 0
apis/externalsecrets/v1beta1/externalsecret_types.go

@@ -0,0 +1,287 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
+type SecretStoreRef struct {
+	// Name of the SecretStore resource
+	Name string `json:"name"`
+
+	// Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+	// Defaults to `SecretStore`
+	// +optional
+	Kind string `json:"kind,omitempty"`
+}
+
+// ExternalSecretCreationPolicy defines rules on how to create the resulting Secret.
+type ExternalSecretCreationPolicy string
+
+const (
+	// Owner creates the Secret and sets .metadata.ownerReferences to the ExternalSecret resource.
+	Owner ExternalSecretCreationPolicy = "Owner"
+
+	// Merge does not create the Secret, but merges the data fields to the Secret.
+	Merge ExternalSecretCreationPolicy = "Merge"
+
+	// None does not create a Secret (future use with injector).
+	None ExternalSecretCreationPolicy = "None"
+)
+
+// ExternalSecretDeletionPolicy defines rules on how to delete the resulting Secret.
+type ExternalSecretDeletionPolicy string
+
+const (
+	// Owner creates the Secret and sets .metadata.ownerReferences to the ExternalSecret resource.
+	DeletionOwner ExternalSecretDeletionPolicy = "Owner"
+
+	// Merge does not create the Secret, but merges the data fields to the Secret.
+	DeletionMerge ExternalSecretDeletionPolicy = "Merge"
+
+	// None does not create a Secret (future use with injector).
+	DeletionNone ExternalSecretDeletionPolicy = "None"
+)
+
+// ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
+type ExternalSecretTemplateMetadata struct {
+	// +optional
+	Annotations map[string]string `json:"annotations,omitempty"`
+
+	// +optional
+	Labels map[string]string `json:"labels,omitempty"`
+}
+
+// ExternalSecretTemplate defines a blueprint for the created Secret resource.
+// we can not use native corev1.Secret, it will have empty ObjectMeta values: https://github.com/kubernetes-sigs/controller-tools/issues/448
+type ExternalSecretTemplate struct {
+	// +optional
+	Type corev1.SecretType `json:"type,omitempty"`
+
+	// EngineVersion specifies the template engine version
+	// that should be used to compile/execute the
+	// template specified in .data and .templateFrom[].
+	// +kubebuilder:default="v2"
+
+	EngineVersion TemplateEngineVersion `json:"engineVersion,omitempty"`
+	// +optional
+	Metadata ExternalSecretTemplateMetadata `json:"metadata,omitempty"`
+
+	// +optional
+	Data map[string]string `json:"data,omitempty"`
+
+	// +optional
+	TemplateFrom []TemplateFrom `json:"templateFrom,omitempty"`
+}
+
+type TemplateEngineVersion string
+
+const (
+	TemplateEngineV1 TemplateEngineVersion = "v1"
+	TemplateEngineV2 TemplateEngineVersion = "v2"
+)
+
+// +kubebuilder:validation:MinProperties=1
+// +kubebuilder:validation:MaxProperties=1
+type TemplateFrom struct {
+	ConfigMap *TemplateRef `json:"configMap,omitempty"`
+	Secret    *TemplateRef `json:"secret,omitempty"`
+}
+
+type TemplateRef struct {
+	Name  string            `json:"name"`
+	Items []TemplateRefItem `json:"items"`
+}
+
+type TemplateRefItem struct {
+	Key string `json:"key"`
+}
+
+// ExternalSecretTarget defines the Kubernetes Secret to be created
+// There can be only one target per ExternalSecret.
+type ExternalSecretTarget struct {
+	// Name defines the name of the Secret resource to be managed
+	// This field is immutable
+	// Defaults to the .metadata.name of the ExternalSecret resource
+	// +optional
+	Name string `json:"name,omitempty"`
+
+	// CreationPolicy defines rules on how to create the resulting Secret
+	// Defaults to 'Owner'
+	// +optional
+	// +kubebuilder:default="Owner"
+	CreationPolicy ExternalSecretCreationPolicy `json:"creationPolicy,omitempty"`
+	// DeletionPolicy defines rules on how to delete the resulting Secret
+	// Defaults to 'None'
+	// +optional
+	// +kubebuilder:default="None"
+	DeletionPolicy ExternalSecretDeletionPolicy `json:"deletionPolicy,omitempty"`
+	// Template defines a blueprint for the created Secret resource.
+	// +optional
+	Template *ExternalSecretTemplate `json:"template,omitempty"`
+
+	// Immutable defines if the final secret will be immutable
+	// +optional
+	Immutable bool `json:"immutable,omitempty"`
+}
+
+// ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
+type ExternalSecretData struct {
+	SecretKey string `json:"secretKey"`
+
+	RemoteRef ExternalSecretDataRemoteRef `json:"remoteRef"`
+}
+
+// ExternalSecretDataRemoteRef defines Provider data location.
+type ExternalSecretDataRemoteRef struct {
+	// Key is the key used in the Provider, mandatory
+	Key string `json:"key"`
+
+	// Used to select a specific version of the Provider value, if supported
+	// +optional
+	Version string `json:"version,omitempty"`
+
+	// +optional
+	// Used to select a specific property of the Provider value (if a map), if supported
+	Property string `json:"property,omitempty"`
+}
+
+type ExternalSecretDataFromRemoteRef struct {
+	// Used to extract multiple key/value pairs from one secret
+	// +optional
+	Extract ExternalSecretDataRemoteRef `json:"extract,omitempty"`
+	// Used to find secrets based on tags or regular expressions
+	// +optional
+	Find ExternalSecretFind `json:"find,omitempty"`
+}
+
+type ExternalSecretFind struct {
+	// Finds secrets based on the name.
+	// +optional
+	Name *FindName `json:"name,omitempty"`
+
+	// Find secrets based on tags.
+	// +optional
+	Tags map[string]string `json:"tags,omitempty"`
+}
+
+type FindName struct {
+	// Finds secrets base
+	// +optional
+	RegExp string `json:"regexp,omitempty"`
+}
+
+// ExternalSecretSpec defines the desired state of ExternalSecret.
+type ExternalSecretSpec struct {
+	SecretStoreRef SecretStoreRef `json:"secretStoreRef"`
+
+	Target ExternalSecretTarget `json:"target"`
+
+	// RefreshInterval is the amount of time before the values are read again from the SecretStore provider
+	// Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
+	// May be set to zero to fetch and create it once. Defaults to 1h.
+	// +kubebuilder:default="1h"
+	RefreshInterval *metav1.Duration `json:"refreshInterval,omitempty"`
+
+	// Data defines the connection between the Kubernetes Secret keys and the Provider data
+	// +optional
+	Data []ExternalSecretData `json:"data,omitempty"`
+
+	// DataFrom is used to fetch all properties from a specific Provider data
+	// If multiple entries are specified, the Secret keys are merged in the specified order
+	// +optional
+	DataFrom []ExternalSecretDataFromRemoteRef `json:"dataFrom,omitempty"`
+}
+
+type ExternalSecretConditionType string
+
+const (
+	ExternalSecretReady   ExternalSecretConditionType = "Ready"
+	ExternalSecretDeleted ExternalSecretConditionType = "Deleted"
+)
+
+type ExternalSecretStatusCondition struct {
+	Type   ExternalSecretConditionType `json:"type"`
+	Status corev1.ConditionStatus      `json:"status"`
+
+	// +optional
+	Reason string `json:"reason,omitempty"`
+
+	// +optional
+	Message string `json:"message,omitempty"`
+
+	// +optional
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
+}
+
+const (
+	// ConditionReasonSecretSynced indicates that the secrets was synced.
+	ConditionReasonSecretSynced = "SecretSynced"
+	// ConditionReasonSecretSyncedError indicates that there was an error syncing the secret.
+	ConditionReasonSecretSyncedError = "SecretSyncedError"
+	// ConditionReasonSecretDeleted indicates that the secret has been deleted.
+	ConditionReasonSecretDeleted = "SecretDeleted"
+
+	ReasonInvalidStoreRef      = "InvalidStoreRef"
+	ReasonProviderClientConfig = "InvalidProviderClientConfig"
+	ReasonUpdateFailed         = "UpdateFailed"
+	ReasonUpdated              = "Updated"
+)
+
+type ExternalSecretStatus struct {
+	// +nullable
+	// refreshTime is the time and date the external secret was fetched and
+	// the target secret updated
+	RefreshTime metav1.Time `json:"refreshTime,omitempty"`
+
+	// SyncedResourceVersion keeps track of the last synced version
+	SyncedResourceVersion string `json:"syncedResourceVersion,omitempty"`
+
+	// +optional
+	Conditions []ExternalSecretStatusCondition `json:"conditions,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:storageversion
+// ExternalSecret is the Schema for the external-secrets API.
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Namespaced,categories={externalsecrets},shortName=es
+// +kubebuilder:printcolumn:name="Store",type=string,JSONPath=`.spec.secretStoreRef.name`
+// +kubebuilder:printcolumn:name="Refresh Interval",type=string,JSONPath=`.spec.refreshInterval`
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason`
+type ExternalSecret struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   ExternalSecretSpec   `json:"spec,omitempty"`
+	Status ExternalSecretStatus `json:"status,omitempty"`
+}
+
+const (
+	// AnnotationDataHash is used to ensure consistency.
+	AnnotationDataHash = "reconcile.external-secrets.io/data-hash"
+)
+
+// +kubebuilder:object:root=true
+
+// ExternalSecretList contains a list of ExternalSecret resources.
+type ExternalSecretList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ExternalSecret `json:"items"`
+}
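Review bot: The `// +kubebuilder:default="v2"` marker for EngineVersion is followed by a blank line before the field declaration, so it is no longer part of the field's doc comment group and, as far as I can tell, controller-gen will not emit the default into the CRD schema; move the blank line so the marker sits directly above `EngineVersion TemplateEngineVersion `json:"engineVersion,omitempty"`` and add `// +optional` beside it, since the tag already has omitempty. The comments on DeletionOwner, DeletionMerge and DeletionNone are copied verbatim from the creation-policy constants and describe creation rather than deletion, so each should state what happens to the target Secret when the ExternalSecret is deleted. The FindName.RegExp comment is cut off at `Finds secrets base`. Extract and Find in ExternalSecretDataFromRemoteRef are value structs tagged omitempty, which encoding/json ignores for structs, so a spec that uses only find still serialises an `extract` object with an empty key; pointer fields plus a MinProperties/MaxProperties rule like the one on TemplateFrom would make the intended one-of explicit.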

+ 25 - 0
apis/externalsecrets/v1beta1/externalsecret_webhook.go

@@ -0,0 +1,25 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	ctrl "sigs.k8s.io/controller-runtime"
+)
+
+func (r *ExternalSecret) SetupWebhookWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(r).
+		Complete()
+}

+ 107 - 0
apis/externalsecrets/v1beta1/generic_store.go

@@ -0,0 +1,107 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"fmt"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// +kubebuilder:object:root=false
+// +kubebuilder:object:generate:false
+// +k8s:deepcopy-gen:interfaces=nil
+// +k8s:deepcopy-gen=nil
+
+// GenericStore is a common interface for interacting with ClusterSecretStore
+// or a namespaced SecretStore.
+type GenericStore interface {
+	runtime.Object
+	metav1.Object
+
+	GetObjectMeta() *metav1.ObjectMeta
+	GetTypeMeta() *metav1.TypeMeta
+
+	GetSpec() *SecretStoreSpec
+	GetNamespacedName() string
+	GetStatus() SecretStoreStatus
+	SetStatus(status SecretStoreStatus)
+	Copy() GenericStore
+}
+
+// +kubebuilder:object:root:false
+// +kubebuilder:object:generate:false
+var _ GenericStore = &SecretStore{}
+
+func (c *SecretStore) GetObjectMeta() *metav1.ObjectMeta {
+	return &c.ObjectMeta
+}
+
+func (c *SecretStore) GetTypeMeta() *metav1.TypeMeta {
+	return &c.TypeMeta
+}
+
+func (c *SecretStore) GetSpec() *SecretStoreSpec {
+	return &c.Spec
+}
+
+func (c *SecretStore) GetStatus() SecretStoreStatus {
+	return c.Status
+}
+
+func (c *SecretStore) SetStatus(status SecretStoreStatus) {
+	c.Status = status
+}
+
+func (c *SecretStore) GetNamespacedName() string {
+	return fmt.Sprintf("%s/%s", c.Namespace, c.Name)
+}
+
+func (c *SecretStore) Copy() GenericStore {
+	return c.DeepCopy()
+}
+
+// +kubebuilder:object:root:false
+// +kubebuilder:object:generate:false
+var _ GenericStore = &ClusterSecretStore{}
+
+func (c *ClusterSecretStore) GetObjectMeta() *metav1.ObjectMeta {
+	return &c.ObjectMeta
+}
+
+func (c *ClusterSecretStore) GetTypeMeta() *metav1.TypeMeta {
+	return &c.TypeMeta
+}
+
+func (c *ClusterSecretStore) GetSpec() *SecretStoreSpec {
+	return &c.Spec
+}
+
+func (c *ClusterSecretStore) Copy() GenericStore {
+	return c.DeepCopy()
+}
+
+func (c *ClusterSecretStore) GetStatus() SecretStoreStatus {
+	return c.Status
+}
+
+func (c *ClusterSecretStore) SetStatus(status SecretStoreStatus) {
+	c.Status = status
+}
+
+func (c *ClusterSecretStore) GetNamespacedName() string {
+	return fmt.Sprintf("%s/%s", c.Namespace, c.Name)
+}
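Review bot: The marker above each `var _ GenericStore = ...` assertion reads `+kubebuilder:object:root:false`, which differs from the `+kubebuilder:object:root=false` spelling used on the interface; a marker on a var declaration has no effect anyway, so either drop those two marker lines or use the `key=value` form consistently. None of the exported methods has a doc comment; at minimum `// GetNamespacedName returns the store's namespace/name.` is worth adding, and on ClusterSecretStore it should say that the namespace part is empty for a cluster-scoped object, giving `/name` — the type's scope is declared outside this hunk, so confirm that before writing it. GetStatus returns a copy while GetSpec returns a pointer; stating that asymmetry on the GenericStore interface would stop callers from mutating the returned status and expecting the change to persist.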

+ 67 - 0
apis/externalsecrets/v1beta1/register.go

@@ -0,0 +1,67 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	"reflect"
+
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+// Package type metadata.
+const (
+	Group   = "external-secrets.io"
+	Version = "v1beta1"
+)
+
+var (
+	// SchemeGroupVersion is group version used to register these objects.
+	SchemeGroupVersion = schema.GroupVersion{Group: Group, Version: Version}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
+	SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
+	AddToScheme   = SchemeBuilder.AddToScheme
+)
+
+// ExternalSecret type metadata.
+var (
+	ExtSecretKind             = reflect.TypeOf(ExternalSecret{}).Name()
+	ExtSecretGroupKind        = schema.GroupKind{Group: Group, Kind: ExtSecretKind}.String()
+	ExtSecretKindAPIVersion   = ExtSecretKind + "." + SchemeGroupVersion.String()
+	ExtSecretGroupVersionKind = SchemeGroupVersion.WithKind(ExtSecretKind)
+)
+
+// SecretStore type metadata.
+var (
+	SecretStoreKind             = reflect.TypeOf(SecretStore{}).Name()
+	SecretStoreGroupKind        = schema.GroupKind{Group: Group, Kind: SecretStoreKind}.String()
+	SecretStoreKindAPIVersion   = SecretStoreKind + "." + SchemeGroupVersion.String()
+	SecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(SecretStoreKind)
+)
+
+// ClusterSecretStore type metadata.
+var (
+	ClusterSecretStoreKind             = reflect.TypeOf(ClusterSecretStore{}).Name()
+	ClusterSecretStoreGroupKind        = schema.GroupKind{Group: Group, Kind: ClusterSecretStoreKind}.String()
+	ClusterSecretStoreKindAPIVersion   = ClusterSecretStoreKind + "." + SchemeGroupVersion.String()
+	ClusterSecretStoreGroupVersionKind = SchemeGroupVersion.WithKind(ClusterSecretStoreKind)
+)
+
+func init() {
+	SchemeBuilder.Register(&ExternalSecret{}, &ExternalSecretList{})
+	SchemeBuilder.Register(&SecretStore{}, &SecretStoreList{})
+	SchemeBuilder.Register(&ClusterSecretStore{}, &ClusterSecretStoreList{})
+}

+ 42 - 0
apis/externalsecrets/v1beta1/secretstore_akeyless_types.go

@@ -0,0 +1,42 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+// AkeylessProvider Configures an store to sync secrets using Akeyless KV.
+type AkeylessProvider struct {
+
+	// Akeyless GW API Url from which the secrets to be fetched from.
+	AkeylessGWApiURL *string `json:"akeylessGWApiURL"`
+
+	// Auth configures how the operator authenticates with Akeyless.
+	Auth *AkeylessAuth `json:"authSecretRef"`
+}
+
+type AkeylessAuth struct {
+	SecretRef AkeylessAuthSecretRef `json:"secretRef"`
+}
+
+// AkeylessAuthSecretRef
+//AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.
+type AkeylessAuthSecretRef struct {
+	// The SecretAccessID is used for authentication
+	AccessID        esmeta.SecretKeySelector `json:"accessID,omitempty"`
+	AccessType      esmeta.SecretKeySelector `json:"accessType,omitempty"`
+	AccessTypeParam esmeta.SecretKeySelector `json:"accessTypeParam,omitempty"`
+}
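Review bot: AkeylessAuthSecretRef's three selectors are undocumented apart from the `//AKEYLESS_ACCESS_TYPE_PARAM: ...` line, which is attached to the type rather than to a field and lacks the space after `//`; AccessID, AccessType and AccessTypeParam should each get a comment naming which Akeyless credential the referenced Secret key holds, with the list of accepted access-type values placed on AccessTypeParam. All three are tagged omitempty without `// +optional`, while Auth is a pointer whose tag has no omitempty, so the generated required set will not match what the tags suggest; decide which fields are genuinely required and align markers and tags. The `Configures an store` type comment should read `// AkeylessProvider configures a store to sync secrets using Akeyless KV.`.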

+ 41 - 0
apis/externalsecrets/v1beta1/secretstore_alibaba_types.go

@@ -0,0 +1,41 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+// AlibabaAuth contains a secretRef for credentials.
+type AlibabaAuth struct {
+	SecretRef AlibabaAuthSecretRef `json:"secretRef"`
+}
+
+// AlibabaAuthSecretRef holds secret references for Alibaba credentials.
+type AlibabaAuthSecretRef struct {
+	// The AccessKeyID is used for authentication
+	AccessKeyID esmeta.SecretKeySelector `json:"accessKeyIDSecretRef"`
+	// The AccessKeySecret is used for authentication
+	AccessKeySecret esmeta.SecretKeySelector `json:"accessKeySecretSecretRef"`
+}
+
+// AlibabaProvider configures a store to sync secrets using the Alibaba Secret Manager provider.
+type AlibabaProvider struct {
+	Auth *AlibabaAuth `json:"auth"`
+	// +optional
+	Endpoint string `json:"endpoint"`
+	// Alibaba Region to be used for the provider
+	RegionID string `json:"regionID"`
+}
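Review bot: `Endpoint string `json:"endpoint"`` is marked `// +optional` but the tag lacks omitempty, so an unset endpoint is always serialised as `endpoint: ""`; change it to `json:"endpoint,omitempty"` so the tag matches the marker, as the other provider types in this change do. The field also has no comment saying what it overrides or what is used when it is empty; `// Endpoint optionally overrides the Alibaba Secret Manager API endpoint.` is a start, and the empty-value behaviour should be added once confirmed against the provider code, which is outside this hunk.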

+ 76 - 0
apis/externalsecrets/v1beta1/secretstore_aws_types.go

@@ -0,0 +1,76 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+// AWSAuth tells the controller how to do authentication with aws.
+// Only one of secretRef or jwt can be specified.
+// if none is specified the controller will load credentials using the aws sdk defaults.
+type AWSAuth struct {
+	// +optional
+	SecretRef *AWSAuthSecretRef `json:"secretRef,omitempty"`
+	// +optional
+	JWTAuth *AWSJWTAuth `json:"jwt,omitempty"`
+}
+
+// AWSAuthSecretRef holds secret references for AWS credentials
+// both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
+type AWSAuthSecretRef struct {
+	// The AccessKeyID is used for authentication
+	AccessKeyID esmeta.SecretKeySelector `json:"accessKeyIDSecretRef,omitempty"`
+
+	// The SecretAccessKey is used for authentication
+	SecretAccessKey esmeta.SecretKeySelector `json:"secretAccessKeySecretRef,omitempty"`
+}
+
+// Authenticate against AWS using service account tokens.
+type AWSJWTAuth struct {
+	ServiceAccountRef *esmeta.ServiceAccountSelector `json:"serviceAccountRef,omitempty"`
+}
+
+// AWSServiceType is a enum that defines the service/API that is used to fetch the secrets.
+// +kubebuilder:validation:Enum=SecretsManager;ParameterStore
+type AWSServiceType string
+
+const (
+	// AWSServiceSecretsManager is the AWS SecretsManager.
+	// see: https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
+	AWSServiceSecretsManager AWSServiceType = "SecretsManager"
+	// AWSServiceParameterStore is the AWS SystemsManager ParameterStore.
+	// see: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html
+	AWSServiceParameterStore AWSServiceType = "ParameterStore"
+)
+
+// AWSProvider configures a store to sync secrets with AWS.
+type AWSProvider struct {
+	// Service defines which service should be used to fetch the secrets
+	Service AWSServiceType `json:"service"`
+
+	// Auth defines the information necessary to authenticate against AWS
+	// if not set aws sdk will infer credentials from your environment
+	// see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+	// +optional
+	Auth AWSAuth `json:"auth"`
+
+	// Role is a Role ARN which the SecretManager provider will assume
+	// +optional
+	Role string `json:"role,omitempty"`
+
+	// AWS Region to be used for the provider
+	Region string `json:"region"`
+}
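Review bot: The AWSAuthSecretRef comment says both AccessKeyID and SecretAccessKey must be defined to authenticate, yet both fields are tagged omitempty with no marker or validation, so a store carrying only one of them passes schema validation and fails later in the provider; either drop omitempty on both or state in the comment that the pairing is checked at runtime. `Auth AWSAuth `json:"auth"`` is marked `// +optional` but is a value type without omitempty, so it is always emitted as an empty object. The Role comment names only the SecretManager provider although Service also admits ParameterStore; `// Role is a Role ARN which the provider will assume` avoids implying the role is ignored for Parameter Store.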

+ 62 - 0
apis/externalsecrets/v1beta1/secretstore_azurekv_types.go

@@ -0,0 +1,62 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import smmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+
+// AuthType describes how to authenticate to the Azure Keyvault
+// Only one of the following auth types may be specified.
+// If none of the following auth type is specified, the default one
+// is ServicePrincipal.
+// +kubebuilder:validation:Enum=ServicePrincipal;ManagedIdentity
+type AuthType string
+
+const (
+	// Using service principal to authenticate, which needs a tenantId, a clientId and a clientSecret.
+	ServicePrincipal AuthType = "ServicePrincipal"
+
+	// Using Managed Identity to authenticate. Used with aad-pod-identity instelled in the clister.
+	ManagedIdentity AuthType = "ManagedIdentity"
+)
+
+// Configures an store to sync secrets using Azure KV.
+type AzureKVProvider struct {
+	// Auth type defines how to authenticate to the keyvault service.
+	// Valid values are:
+	// - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
+	// - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
+	// +optional
+	// +kubebuilder:default=ServicePrincipal
+	AuthType *AuthType `json:"authType,omitempty"`
+	// Vault Url from which the secrets to be fetched from.
+	VaultURL *string `json:"vaultUrl"`
+	// TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
+	// +optional
+	TenantID *string `json:"tenantId,omitempty"`
+	// Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
+	// +optional
+	AuthSecretRef *AzureKVAuth `json:"authSecretRef,omitempty"`
+	// If multiple Managed Identity is assigned to the pod, you can select the one to be used
+	// +optional
+	IdentityID *string `json:"identityId,omitempty"`
+}
+
+// Configuration used to authenticate with Azure.
+type AzureKVAuth struct {
+	// The Azure clientId of the service principle used for authentication.
+	ClientID *smmeta.SecretKeySelector `json:"clientId"`
+	// The Azure ClientSecret of the service principle used for authentication.
+	ClientSecret *smmeta.SecretKeySelector `json:"clientSecret"`
+}
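Review bot: This file imports the meta package as `smmeta` while every other provider file in this change uses `esmeta`; aligning the alias keeps the package consistent and grep-able. The ManagedIdentity comment has typos (`instelled in the clister` should be `installed in the cluster`) and AzureKVAuth twice says `service principle` where `service principal` is meant. The AzureKVProvider and AzureKVAuth doc comments should start with the type name (`// AzureKVProvider configures a store to sync secrets using Azure Key Vault.`), and the generic name AuthType is package-scoped, so a more specific name such as AzureAuthType would avoid a clash if another provider later adds its own auth-type enum.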

+ 23 - 0
apis/externalsecrets/v1beta1/secretstore_conversion.go

@@ -0,0 +1,23 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+func (*SecretStore) Hub() {
+	// Hub() method to be compliant with the conversion Hub interface
+}
+
+func (*ClusterSecretStore) Hub() {
+	// Hub() method to be compliant with the conversion Hub interface
+}

+ 27 - 0
apis/externalsecrets/v1beta1/secretstore_fake_types.go

@@ -0,0 +1,27 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+// FakeProvider configures a fake provider that returns static values.
+type FakeProvider struct {
+	Data []FakeProviderData `json:"data"`
+}
+
+type FakeProviderData struct {
+	Key      string            `json:"key"`
+	Value    string            `json:"value,omitempty"`
+	ValueMap map[string]string `json:"valueMap,omitempty"`
+	Version  string            `json:"version,omitempty"`
+}
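Review bot: FakeProviderData is exported without a doc comment and none of its fields says how Value and ValueMap relate; add `// FakeProviderData is one static entry served by FakeProvider.` and a field comment stating which of the two wins when both are set, once that behaviour is confirmed in the provider implementation, which is outside this hunk. Version is also undocumented, so it is unclear whether an empty version matches any request or only requests without a version.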

+ 48 - 0
apis/externalsecrets/v1beta1/secretstore_gcpsm_types.go

@@ -0,0 +1,48 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+type GCPSMAuth struct {
+	// +optional
+	SecretRef *GCPSMAuthSecretRef `json:"secretRef,omitempty"`
+	// +optional
+	WorkloadIdentity *GCPWorkloadIdentity `json:"workloadIdentity,omitempty"`
+}
+
+type GCPSMAuthSecretRef struct {
+	// The SecretAccessKey is used for authentication
+	// +optional
+	SecretAccessKey esmeta.SecretKeySelector `json:"secretAccessKeySecretRef,omitempty"`
+}
+
+type GCPWorkloadIdentity struct {
+	ServiceAccountRef esmeta.ServiceAccountSelector `json:"serviceAccountRef"`
+	ClusterLocation   string                        `json:"clusterLocation"`
+	ClusterName       string                        `json:"clusterName"`
+}
+
+// GCPSMProvider Configures a store to sync secrets using the GCP Secret Manager provider.
+type GCPSMProvider struct {
+	// Auth defines the information necessary to authenticate against GCP
+	// +optional
+	Auth GCPSMAuth `json:"auth,omitempty"`
+
+	// ProjectID project where secret is located
+	ProjectID string `json:"projectID,omitempty"`
+}
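Review bot: GCPSMAuth, GCPSMAuthSecretRef and GCPWorkloadIdentity are exported without doc comments; `// GCPSMAuth selects one of SecretRef or WorkloadIdentity to authenticate against GCP.` would document the intended one-of, which currently has no MinProperties/MaxProperties rule either. The SecretAccessKey comment is the generic `is used for authentication` wording shared with other providers and does not say what the referenced Secret key must contain. ProjectID is tagged omitempty but has no `// +optional` marker, the inverse of Auth, which is marked optional but is a value type without omitempty; make each marker/tag pair agree.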

+ 40 - 0
apis/externalsecrets/v1beta1/secretstore_gitlab_types.go

@@ -0,0 +1,40 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+// Configures a store to sync secrets with a GitLab instance.
+type GitlabProvider struct {
+	// URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
+	URL string `json:"url,omitempty"`
+
+	// Auth configures how secret-manager authenticates with a GitLab instance.
+	Auth GitlabAuth `json:"auth"`
+
+	// ProjectID specifies a project where secrets are located.
+	ProjectID string `json:"projectID,omitempty"`
+}
+
+type GitlabAuth struct {
+	SecretRef GitlabSecretRef `json:"SecretRef"`
+}
+
+type GitlabSecretRef struct {
+	// AccessToken is used for authentication.
+	AccessToken esmeta.SecretKeySelector `json:"accessToken,omitempty"`
+}
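Review bot: GitlabAuth.SecretRef uses the JSON tag `SecretRef` with a capital S, while every other auth type in this change uses `secretRef`; since v1beta1 is a new version this is the moment to switch to `json:"secretRef"`, but if the v1alpha1 type carries the same capitalised tag the conversion code (outside this hunk) has to keep accepting it. URL and ProjectID are tagged omitempty without `// +optional`, so the schema and the tags disagree about whether they are required. The GitlabProvider doc comment should start with the type name, and GitlabAuth and GitlabSecretRef have no doc comment at all.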

+ 39 - 0
apis/externalsecrets/v1beta1/secretstore_ibm_types.go

@@ -0,0 +1,39 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+// Configures an store to sync secrets using a IBM Cloud Secrets Manager
+// backend.
+type IBMProvider struct {
+	// Auth configures how secret-manager authenticates with the IBM secrets manager.
+	Auth IBMAuth `json:"auth"`
+
+	// ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
+	ServiceURL *string `json:"serviceUrl,omitempty"`
+}
+
+type IBMAuth struct {
+	SecretRef IBMAuthSecretRef `json:"secretRef"`
+}
+
+type IBMAuthSecretRef struct {
+	// The SecretAccessKey is used for authentication
+	// +optional
+	SecretAPIKey esmeta.SecretKeySelector `json:"secretApiKeySecretRef,omitempty"`
+}
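Review bot: The comment on IBMAuthSecretRef.SecretAPIKey reads `The SecretAccessKey is used for authentication`, copied from the AWS type; it should read `// SecretAPIKey references the Secret key holding the IBM Cloud API key used for authentication.`. It is the only credential field yet is marked `// +optional`, which lets an IBMAuth with no key pass schema validation; if the provider requires it, drop the marker and the omitempty. The IBMProvider doc comment should start with the type name (`// IBMProvider configures a store to sync secrets using an IBM Cloud Secrets Manager backend.`).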

+ 87 - 0
apis/externalsecrets/v1beta1/secretstore_kubernetes_types.go

@@ -0,0 +1,87 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+type KubernetesServer struct {
+
+	// configures the Kubernetes server Address.
+	// +kubebuilder:default=kubernetes.default
+	// +optional
+	URL string `json:"url,omitempty"`
+
+	// CABundle is a base64-encoded CA certificate
+	// +optional
+	CABundle []byte `json:"caBundle,omitempty"`
+
+	// see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider
+	// +optional
+	CAProvider *CAProvider `json:"caProvider,omitempty"`
+
+	// there's still room for impersonation or proxy settings:
+	// Impersonate-User
+	// Impersonate-Group
+	// Impersonate-Extra-( extra name )
+	// Impersonate-Uid
+	// Proxy Settings
+}
+
+// Configures a store to sync secrets with a Kubernetes instance.
+type KubernetesProvider struct {
+	// configures the Kubernetes server Address.
+	Server KubernetesServer `json:"server,omitempty"`
+
+	// Auth configures how secret-manager authenticates with a Kubernetes instance.
+	Auth KubernetesAuth `json:"auth"`
+
+	// Remote namespace to fetch the secrets from
+	// +kubebuilder:default= default
+	// +optional
+	RemoteNamespace string `json:"remoteNamespace"`
+}
+
+// +kubebuilder:validation:MinProperties=1
+// +kubebuilder:validation:MaxProperties=1
+type KubernetesAuth struct {
+	// has both clientCert and clientKey as secretKeySelector
+	// +optional
+	Cert *CertAuth `json:"cert,omitempty"`
+
+	// use static token to authenticate with
+	// +optional
+	Token *TokenAuth `json:"token,omitempty"`
+
+	// points to a service account that should be used for authentication
+	// +optional
+	ServiceAccount *ServiceAccountAuth `json:"serviceAccount,omitempty"`
+
+	// possibly exec or webhook
+}
+
+type CertAuth struct {
+	ClientCert esmeta.SecretKeySelector `json:"clientCert,omitempty"`
+	ClientKey  esmeta.SecretKeySelector `json:"clientKey,omitempty"`
+}
+
+type TokenAuth struct {
+	BearerToken esmeta.SecretKeySelector `json:"bearerToken,omitempty"`
+}
+
+type ServiceAccountAuth struct {
+	ServiceAccountRef esmeta.ServiceAccountSelector `json:"serviceAccount,omitempty"`
+}
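Review bot: The marker `// +kubebuilder:default= default` on `RemoteNamespace` has a space after `=`, unlike every other default marker in this change (`+kubebuilder:default=kubernetes.default` a few lines up), so the generated CRD may carry an empty or whitespace default or controller-gen may reject the marker; worth checking the generated schema, and since the field is `+optional` its tag should also have `omitempty`. `CABundle` is documented as "base64-encoded", but base64 is only the JSON wire form of `[]byte`; what the client receives is the decoded bytes, so the comment should state what they must contain, e.g. `// CABundle is a PEM-encoded CA bundle used to validate the Kubernetes API server certificate.`, matching the wording on VaultProvider.CABundle. The Impersonate-*/proxy lines at the bottom of `KubernetesServer` are design notes rather than field documentation and would read better as a single `// TODO:` line.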

+ 51 - 0
apis/externalsecrets/v1beta1/secretstore_oracle_types.go

@@ -0,0 +1,51 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+// Configures an store to sync secrets using a Oracle Vault
+// backend.
+type OracleProvider struct {
+	// Region is the region where vault is located.
+	Region string `json:"region"`
+
+	// Vault is the vault's OCID of the specific vault where secret is located.
+	Vault string `json:"vault"`
+
+	// Auth configures how secret-manager authenticates with the Oracle Vault.
+	// If empty, use the instance principal, otherwise the user credentials specified in Auth.
+	// +optional
+	Auth *OracleAuth `json:"auth,omitempty"`
+}
+
+type OracleAuth struct {
+	// Tenancy is the tenancy OCID where user is located.
+	Tenancy string `json:"tenancy"`
+
+	// User is an access OCID specific to the account.
+	User string `json:"user"`
+
+	// SecretRef to pass through sensitive information.
+	SecretRef OracleSecretRef `json:"secretRef"`
+}
+
+type OracleSecretRef struct {
+	// PrivateKey is the user's API Signing Key in PEM format, used for authentication.
+	PrivateKey esmeta.SecretKeySelector `json:"privatekey"`
+
+	// Fingerprint is the fingerprint of the API private key.
+	Fingerprint esmeta.SecretKeySelector `json:"fingerprint"`
+}
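Review bot: `OracleSecretRef.PrivateKey` uses the json tag `privatekey`, the only all-lowercase multi-word key among these v1beta1 types (compare `secretRef`, `serviceUrl`, `clientCert`); if it is kept lowercase so the v1alpha1 conversion stays lossless, a one-line comment saying so would stop the next reader "fixing" it, otherwise a new API version is the right moment to rename it to `privateKey`. `OracleAuth` and `OracleSecretRef` have no type-level doc comment; e.g. `// OracleAuth holds user-principal credentials, used only when instance-principal auth is not in effect.`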

+ 177 - 0
apis/externalsecrets/v1beta1/secretstore_types.go

@@ -0,0 +1,177 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// SecretStoreSpec defines the desired state of SecretStore.
+type SecretStoreSpec struct {
+	// Used to select the correct KES controller (think: ingress.ingressClassName)
+	// The KES controller is instantiated with a specific controller name and filters ES based on this property
+	// +optional
+	Controller string `json:"controller"`
+
+	// Used to configure the provider. Only one provider may be set
+	Provider *SecretStoreProvider `json:"provider"`
+
+	// Used to configure http retries if failed
+	// +optional
+	RetrySettings *SecretStoreRetrySettings `json:"retrySettings,omitempty"`
+}
+
+// SecretStoreProvider contains the provider-specific configration.
+// +kubebuilder:validation:MinProperties=1
+// +kubebuilder:validation:MaxProperties=1
+type SecretStoreProvider struct {
+	// AWS configures this store to sync secrets using AWS Secret Manager provider
+	// +optional
+	AWS *AWSProvider `json:"aws,omitempty"`
+
+	// AzureKV configures this store to sync secrets using Azure Key Vault provider
+	// +optional
+	AzureKV *AzureKVProvider `json:"azurekv,omitempty"`
+
+	// Akeyless configures this store to sync secrets using Akeyless Vault provider
+	// +optional
+	Akeyless *AkeylessProvider `json:"akeyless,omitempty"`
+
+	// Vault configures this store to sync secrets using Hashi provider
+	// +optional
+	Vault *VaultProvider `json:"vault,omitempty"`
+
+	// GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
+	// +optional
+	GCPSM *GCPSMProvider `json:"gcpsm,omitempty"`
+
+	// Oracle configures this store to sync secrets using Oracle Vault provider
+	// +optional
+	Oracle *OracleProvider `json:"oracle,omitempty"`
+
+	// IBM configures this store to sync secrets using IBM Cloud provider
+	// +optional
+	IBM *IBMProvider `json:"ibm,omitempty"`
+
+	// YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
+	// +optional
+	YandexLockbox *YandexLockboxProvider `json:"yandexlockbox,omitempty"`
+
+	// GItlab configures this store to sync secrets using Gitlab Variables provider
+	// +optional
+	Gitlab *GitlabProvider `json:"gitlab,omitempty"`
+
+	// Alibaba configures this store to sync secrets using Alibaba Cloud provider
+	// +optional
+	Alibaba *AlibabaProvider `json:"alibaba,omitempty"`
+
+	// Webhook configures this store to sync secrets using a generic templated webhook
+	// +optional
+	Webhook *WebhookProvider `json:"webhook,omitempty"`
+
+	// Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
+	// +optional
+	Kubernetes *KubernetesProvider `json:"kubernetes,omitempty"`
+
+	// Fake configures a store with static key/value pairs
+	// +optional
+	Fake *FakeProvider `json:"fake,omitempty"`
+}
+
+type SecretStoreRetrySettings struct {
+	MaxRetries    *int32  `json:"maxRetries,omitempty"`
+	RetryInterval *string `json:"retryInterval,omitempty"`
+}
+
+type SecretStoreConditionType string
+
+const (
+	SecretStoreReady SecretStoreConditionType = "Ready"
+
+	ReasonInvalidStore          = "InvalidStoreConfiguration"
+	ReasonInvalidProviderConfig = "InvalidProviderConfig"
+	ReasonValidationFailed      = "ValidationFailed"
+	ReasonStoreValid            = "Valid"
+)
+
+type SecretStoreStatusCondition struct {
+	Type   SecretStoreConditionType `json:"type"`
+	Status corev1.ConditionStatus   `json:"status"`
+
+	// +optional
+	Reason string `json:"reason,omitempty"`
+
+	// +optional
+	Message string `json:"message,omitempty"`
+
+	// +optional
+	LastTransitionTime metav1.Time `json:"lastTransitionTime,omitempty"`
+}
+
+// SecretStoreStatus defines the observed state of the SecretStore.
+type SecretStoreStatus struct {
+	// +optional
+	Conditions []SecretStoreStatusCondition `json:"conditions"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:storageversion
+
+// SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.conditions[?(@.type=="Ready")].reason`
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Namespaced,categories={externalsecrets},shortName=ss
+type SecretStore struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   SecretStoreSpec   `json:"spec,omitempty"`
+	Status SecretStoreStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// SecretStoreList contains a list of SecretStore resources.
+type SecretStoreList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []SecretStore `json:"items"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:storageversion
+
+// ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:scope=Cluster,categories={externalsecrets},shortName=css
+type ClusterSecretStore struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   SecretStoreSpec   `json:"spec,omitempty"`
+	Status SecretStoreStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// ClusterSecretStoreList contains a list of ClusterSecretStore resources.
+type ClusterSecretStoreList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []ClusterSecretStore `json:"items"`
+}
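Review bot: `SecretStoreRetrySettings.RetryInterval` is a free-form `*string`, so a malformed interval is accepted by the API server and surfaces only when the controller parses it; `metav1.Duration` is already imported in this file and is what `WebhookProvider.Timeout` uses in this same change, so `RetryInterval *metav1.Duration` with `json:"retryInterval,omitempty"` would validate at admission, provided the v1alpha1 conversion can absorb the type change, and the struct deserves a doc comment stating the unit either way. `Controller` and `SecretStoreStatus.Conditions` are `+optional` but lack `omitempty`, so an unset controller serialises as `""` and empty conditions as `null`. Comment typos: "configration" on `SecretStoreProvider` and "GItlab" on the Gitlab field.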

+ 235 - 0
apis/externalsecrets/v1beta1/secretstore_vault_types.go

@@ -0,0 +1,235 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+type VaultKVStoreVersion string
+
+const (
+	VaultKVStoreV1 VaultKVStoreVersion = "v1"
+	VaultKVStoreV2 VaultKVStoreVersion = "v2"
+)
+
+type CAProviderType string
+
+const (
+	CAProviderTypeSecret    CAProviderType = "Secret"
+	CAProviderTypeConfigMap CAProviderType = "ConfigMap"
+)
+
+// Defines a location to fetch the cert for the vault provider from.
+type CAProvider struct {
+	// The type of provider to use such as "Secret", or "ConfigMap".
+	// +kubebuilder:validation:Enum="Secret";"ConfigMap"
+	Type CAProviderType `json:"type"`
+
+	// The name of the object located at the provider type.
+	Name string `json:"name"`
+
+	// The key the value inside of the provider type to use, only used with "Secret" type
+	// +kubebuilder:validation:Optional
+	Key string `json:"key,omitempty"`
+
+	// The namespace the Provider type is in.
+	// +optional
+	Namespace *string `json:"namespace,omitempty"`
+}
+
+// Configures an store to sync secrets using a HashiCorp Vault
+// KV backend.
+type VaultProvider struct {
+	// Auth configures how secret-manager authenticates with the Vault server.
+	Auth VaultAuth `json:"auth"`
+
+	// Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".
+	Server string `json:"server"`
+
+	// Path is the mount path of the Vault KV backend endpoint, e.g:
+	// "secret". The v2 KV secret engine version specific "/data" path suffix
+	// for fetching secrets from Vault is optional and will be appended
+	// if not present in specified path.
+	// +optional
+	Path *string `json:"path"`
+
+	// Version is the Vault KV secret engine version. This can be either "v1" or
+	// "v2". Version defaults to "v2".
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Enum="v1";"v2"
+	// +kubebuilder:default:="v2"
+	Version VaultKVStoreVersion `json:"version"`
+
+	// Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
+	// Vault environments to support Secure Multi-tenancy. e.g: "ns1".
+	// More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+	// +optional
+	Namespace *string `json:"namespace,omitempty"`
+
+	// PEM encoded CA bundle used to validate Vault server certificate. Only used
+	// if the Server URL is using HTTPS protocol. This parameter is ignored for
+	// plain HTTP protocol connection. If not set the system root certificates
+	// are used to validate the TLS connection.
+	// +optional
+	CABundle []byte `json:"caBundle,omitempty"`
+
+	// The provider for the CA bundle to use to validate Vault server certificate.
+	// +optional
+	CAProvider *CAProvider `json:"caProvider,omitempty"`
+
+	// ReadYourWrites ensures isolated read-after-write semantics by
+	// providing discovered cluster replication states in each request.
+	// More information about eventual consistency in Vault can be found here
+	// https://www.vaultproject.io/docs/enterprise/consistency
+	// +optional
+	ReadYourWrites bool `json:"readYourWrites,omitempty"`
+
+	// ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
+	// leader instead of simply retrying within a loop. This can increase performance if
+	// the option is enabled serverside.
+	// https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+	// +optional
+	ForwardInconsistent bool `json:"forwardInconsistent,omitempty"`
+}
+
+// VaultAuth is the configuration used to authenticate with a Vault server.
+// Only one of `tokenSecretRef`, `appRole`,  `kubernetes`, `ldap`, `jwt` or `cert`
+// can be specified.
+type VaultAuth struct {
+	// TokenSecretRef authenticates with Vault by presenting a token.
+	// +optional
+	TokenSecretRef *esmeta.SecretKeySelector `json:"tokenSecretRef,omitempty"`
+
+	// AppRole authenticates with Vault using the App Role auth mechanism,
+	// with the role and secret stored in a Kubernetes Secret resource.
+	// +optional
+	AppRole *VaultAppRole `json:"appRole,omitempty"`
+
+	// Kubernetes authenticates with Vault by passing the ServiceAccount
+	// token stored in the named Secret resource to the Vault server.
+	// +optional
+	Kubernetes *VaultKubernetesAuth `json:"kubernetes,omitempty"`
+
+	// Ldap authenticates with Vault by passing username/password pair using
+	// the LDAP authentication method
+	// +optional
+	Ldap *VaultLdapAuth `json:"ldap,omitempty"`
+
+	// Jwt authenticates with Vault by passing role and JWT token using the
+	// JWT/OIDC authentication method
+	// +optional
+	Jwt *VaultJwtAuth `json:"jwt,omitempty"`
+
+	// Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
+	// Cert authentication method
+	// +optional
+	Cert *VaultCertAuth `json:"cert,omitempty"`
+}
+
+// VaultAppRole authenticates with Vault using the App Role auth mechanism,
+// with the role and secret stored in a Kubernetes Secret resource.
+type VaultAppRole struct {
+	// Path where the App Role authentication backend is mounted
+	// in Vault, e.g: "approle"
+	// +kubebuilder:default=approle
+	Path string `json:"path"`
+
+	// RoleID configured in the App Role authentication backend when setting
+	// up the authentication backend in Vault.
+	RoleID string `json:"roleId"`
+
+	// Reference to a key in a Secret that contains the App Role secret used
+	// to authenticate with Vault.
+	// The `key` field must be specified and denotes which entry within the Secret
+	// resource is used as the app role secret.
+	SecretRef esmeta.SecretKeySelector `json:"secretRef"`
+}
+
+// Authenticate against Vault using a Kubernetes ServiceAccount token stored in
+// a Secret.
+type VaultKubernetesAuth struct {
+	// Path where the Kubernetes authentication backend is mounted in Vault, e.g:
+	// "kubernetes"
+	// +kubebuilder:default=kubernetes
+	Path string `json:"mountPath"`
+
+	// Optional service account field containing the name of a kubernetes ServiceAccount.
+	// If the service account is specified, the service account secret token JWT will be used
+	// for authenticating with Vault. If the service account selector is not supplied,
+	// the secretRef will be used instead.
+	// +optional
+	ServiceAccountRef *esmeta.ServiceAccountSelector `json:"serviceAccountRef,omitempty"`
+
+	// Optional secret field containing a Kubernetes ServiceAccount JWT used
+	// for authenticating with Vault. If a name is specified without a key,
+	// `token` is the default. If one is not specified, the one bound to
+	// the controller will be used.
+	// +optional
+	SecretRef *esmeta.SecretKeySelector `json:"secretRef,omitempty"`
+
+	// A required field containing the Vault Role to assume. A Role binds a
+	// Kubernetes ServiceAccount with a set of Vault policies.
+	Role string `json:"role"`
+}
+
+// VaultLdapAuth authenticates with Vault using the LDAP authentication method,
+// with the username and password stored in a Kubernetes Secret resource.
+type VaultLdapAuth struct {
+	// Path where the LDAP authentication backend is mounted
+	// in Vault, e.g: "ldap"
+	// +kubebuilder:default=ldap
+	Path string `json:"path"`
+
+	// Username is a LDAP user name used to authenticate using the LDAP Vault
+	// authentication method
+	Username string `json:"username"`
+
+	// SecretRef to a key in a Secret resource containing password for the LDAP
+	// user used to authenticate with Vault using the LDAP authentication
+	// method
+	SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
+}
+
+// VaultJwtAuth authenticates with Vault using the JWT/OIDC authentication
+// method, with the role name and token stored in a Kubernetes Secret resource.
+type VaultJwtAuth struct {
+	// Path where the JWT authentication backend is mounted
+	// in Vault, e.g: "jwt"
+	// +kubebuilder:default=jwt
+	Path string `json:"path"`
+
+	// Role is a JWT role to authenticate using the JWT/OIDC Vault
+	// authentication method
+	// +optional
+	Role string `json:"role"`
+
+	// SecretRef to a key in a Secret resource containing JWT token to
+	// authenticate with Vault using the JWT/OIDC authentication method
+	SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
+}
+
+// VaultJwtAuth authenticates with Vault using the JWT/OIDC authentication
+// method, with the role name and token stored in a Kubernetes Secret resource.
+type VaultCertAuth struct {
+	// ClientCert is a certificate to authenticate using the Cert Vault
+	// authentication method
+	// +optional
+	ClientCert esmeta.SecretKeySelector `json:"clientCert,omitempty"`
+
+	// SecretRef to a key in a Secret resource containing client private key to
+	// authenticate with Vault using the Cert authentication method
+	SecretRef esmeta.SecretKeySelector `json:"secretRef,omitempty"`
+}
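Review bot: The `VaultAuth` comment states that only one auth method may be specified, but unlike `KubernetesAuth` in secretstore_kubernetes_types.go the struct carries no `// +kubebuilder:validation:MinProperties=1` / `// +kubebuilder:validation:MaxProperties=1` markers, so an object with, say, both `tokenSecretRef` and `kubernetes` set is admitted and the provider code presumably picks one silently; the two markers would make the API server enforce the documented contract. The doc comment on `VaultCertAuth` is a copy of `VaultJwtAuth`'s and describes the wrong method; suggest `// VaultCertAuth authenticates with Vault using the TLS certificate authentication method, with the client certificate and private key stored in a Kubernetes Secret resource.` `VaultProvider.Path` is `+optional` but its tag lacks `omitempty`, so an unset path serialises as `"path": null`. `CAProvider.Namespace` lets a namespaced SecretStore point at a Secret or ConfigMap in another namespace; the field comment should say whether that is honoured only for ClusterSecretStore, since the schema alone does not restrict it.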

+ 31 - 0
apis/externalsecrets/v1beta1/secretstore_webhook.go

@@ -0,0 +1,31 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	ctrl "sigs.k8s.io/controller-runtime"
+)
+
+func (c *SecretStore) SetupWebhookWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(c).
+		Complete()
+}
+
+func (c *ClusterSecretStore) SetupWebhookWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(c).
+		Complete()
+}
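Review bot: Both `SetupWebhookWithManager` methods are exported without a doc comment, and what they register is not evident from the call: `ctrl.NewWebhookManagedBy(mgr).For(c).Complete()` wires up whichever of conversion, defaulting and validation hooks the type implements, and those interfaces live in other files. A comment such as `// SetupWebhookWithManager registers the SecretStore webhooks with the manager; the conversion webhook is what serves v1alpha1 <-> v1beta1 round-trips.` would tell the reader why this file exists, assuming conversion is indeed the hook being relied on here. The two bodies are identical, so a small unexported helper taking the object could remove the duplication, though at two lines each that is optional.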

+ 101 - 0
apis/externalsecrets/v1beta1/secretstore_webhook_types.go

@@ -0,0 +1,101 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+// AkeylessProvider Configures an store to sync secrets using Akeyless KV.
+type WebhookProvider struct {
+	// Webhook Method
+	// +optional, default GET
+	Method string `json:"method,omitempty"`
+
+	// Webhook url to call
+	URL string `json:"url"`
+
+	// Headers
+	// +optional
+	Headers map[string]string `json:"headers,omitempty"`
+
+	// Body
+	// +optional
+	Body string `json:"body,omitempty"`
+
+	// Timeout
+	// +optional
+	Timeout *metav1.Duration `json:"timeout,omitempty"`
+
+	// Result formatting
+	Result WebhookResult `json:"result"`
+
+	// Secrets to fill in templates
+	// These secrets will be passed to the templating function as key value pairs under the given name
+	// +optional
+	Secrets []WebhookSecret `json:"secrets,omitempty"`
+
+	// PEM encoded CA bundle used to validate webhook server certificate. Only used
+	// if the Server URL is using HTTPS protocol. This parameter is ignored for
+	// plain HTTP protocol connection. If not set the system root certificates
+	// are used to validate the TLS connection.
+	// +optional
+	CABundle []byte `json:"caBundle,omitempty"`
+
+	// The provider for the CA bundle to use to validate webhook server certificate.
+	// +optional
+	CAProvider *WebhookCAProvider `json:"caProvider,omitempty"`
+}
+
+type WebhookCAProviderType string
+
+const (
+	WebhookCAProviderTypeSecret    WebhookCAProviderType = "Secret"
+	WebhookCAProviderTypeConfigMap WebhookCAProviderType = "ConfigMap"
+)
+
+// Defines a location to fetch the cert for the webhook provider from.
+type WebhookCAProvider struct {
+	// The type of provider to use such as "Secret", or "ConfigMap".
+	// +kubebuilder:validation:Enum="Secret";"ConfigMap"
+	Type WebhookCAProviderType `json:"type"`
+
+	// The name of the object located at the provider type.
+	Name string `json:"name"`
+
+	// The key the value inside of the provider type to use, only used with "Secret" type
+	// +kubebuilder:validation:Optional
+	Key string `json:"key,omitempty"`
+
+	// The namespace the Provider type is in.
+	// +optional
+	Namespace *string `json:"namespace,omitempty"`
+}
+
+type WebhookResult struct {
+	// Json path of return value
+	// +optional
+	JSONPath string `json:"jsonPath,omitempty"`
+}
+
+type WebhookSecret struct {
+	// Name of this secret in templates
+	Name string `json:"name"`
+
+	// Secret ref to fill in credentials
+	SecretRef esmeta.SecretKeySelector `json:"secretRef"`
+}
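Review bot: The doc comment on `WebhookProvider` is copied from AkeylessProvider ("Configures an store to sync secrets using Akeyless KV") and should describe this type, e.g. `// WebhookProvider configures a store that fetches secrets from a generic HTTP endpoint, rendering method, URL, headers and body from templates.` The line `// +optional, default GET` on `Method` mixes prose into a marker; controller-gen expects `// +optional` and `// +kubebuilder:default=GET` on separate lines, so the default likely never reaches the CRD. `WebhookCAProvider` and `WebhookCAProviderType` are field-for-field identical to `CAProvider`/`CAProviderType` in secretstore_vault_types.go, and `KubernetesServer` already reuses `CAProvider` in this change, so reusing it here would keep one schema and one conversion path. Since `Headers` and `Body` are templates that receive the referenced `Secrets`, their field docs should note that the rendered values are sent verbatim to `URL`, so readers know the endpoint must be trusted with those credentials.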

+ 43 - 0
apis/externalsecrets/v1beta1/secretstore_yandexlockbox_types.go

@@ -0,0 +1,43 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
+)
+
+type YandexLockboxAuth struct {
+	// The authorized key used for authentication
+	// +optional
+	AuthorizedKey esmeta.SecretKeySelector `json:"authorizedKeySecretRef,omitempty"`
+}
+
+type YandexLockboxCAProvider struct {
+	Certificate esmeta.SecretKeySelector `json:"certSecretRef,omitempty"`
+}
+
+// YandexLockboxProvider Configures a store to sync secrets using the Yandex Lockbox provider.
+type YandexLockboxProvider struct {
+	// Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
+	// +optional
+	APIEndpoint string `json:"apiEndpoint,omitempty"`
+
+	// Auth defines the information necessary to authenticate against Yandex Lockbox
+	Auth YandexLockboxAuth `json:"auth"`
+
+	// The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
+	// +optional
+	CAProvider *YandexLockboxCAProvider `json:"caProvider,omitempty"`
+}
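Review bot: `YandexLockboxCAProvider.Certificate` has no comment saying what the referenced Secret key must contain, and the type has no doc comment either; the other CA fields in this change (VaultProvider.CABundle, WebhookProvider.CABundle) spell out "PEM encoded", so `// Certificate references a Secret key holding the PEM-encoded CA certificate used to validate the Yandex.Cloud API server certificate.` would align them, assuming PEM is what the provider loads. `YandexLockboxAuth` and `YandexLockboxCAProvider` also need type-level comments starting with the type name.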

+ 1675 - 0
apis/externalsecrets/v1beta1/zz_generated.deepcopy.go

@@ -0,0 +1,1675 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by controller-gen. DO NOT EDIT.
+
+package v1beta1
+
+import (
+	metav1 "github.com/external-secrets/external-secrets/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSAuth) DeepCopyInto(out *AWSAuth) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(AWSAuthSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.JWTAuth != nil {
+		in, out := &in.JWTAuth, &out.JWTAuth
+		*out = new(AWSJWTAuth)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSAuth.
+func (in *AWSAuth) DeepCopy() *AWSAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSAuthSecretRef) DeepCopyInto(out *AWSAuthSecretRef) {
+	*out = *in
+	in.AccessKeyID.DeepCopyInto(&out.AccessKeyID)
+	in.SecretAccessKey.DeepCopyInto(&out.SecretAccessKey)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSAuthSecretRef.
+func (in *AWSAuthSecretRef) DeepCopy() *AWSAuthSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSAuthSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSJWTAuth) DeepCopyInto(out *AWSJWTAuth) {
+	*out = *in
+	if in.ServiceAccountRef != nil {
+		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
+		*out = new(metav1.ServiceAccountSelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSJWTAuth.
+func (in *AWSJWTAuth) DeepCopy() *AWSJWTAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSJWTAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AWSProvider) DeepCopyInto(out *AWSProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSProvider.
+func (in *AWSProvider) DeepCopy() *AWSProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(AWSProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AkeylessAuth) DeepCopyInto(out *AkeylessAuth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AkeylessAuth.
+func (in *AkeylessAuth) DeepCopy() *AkeylessAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(AkeylessAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AkeylessAuthSecretRef) DeepCopyInto(out *AkeylessAuthSecretRef) {
+	*out = *in
+	in.AccessID.DeepCopyInto(&out.AccessID)
+	in.AccessType.DeepCopyInto(&out.AccessType)
+	in.AccessTypeParam.DeepCopyInto(&out.AccessTypeParam)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AkeylessAuthSecretRef.
+func (in *AkeylessAuthSecretRef) DeepCopy() *AkeylessAuthSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(AkeylessAuthSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AkeylessProvider) DeepCopyInto(out *AkeylessProvider) {
+	*out = *in
+	if in.AkeylessGWApiURL != nil {
+		in, out := &in.AkeylessGWApiURL, &out.AkeylessGWApiURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.Auth != nil {
+		in, out := &in.Auth, &out.Auth
+		*out = new(AkeylessAuth)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AkeylessProvider.
+func (in *AkeylessProvider) DeepCopy() *AkeylessProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(AkeylessProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AlibabaAuth) DeepCopyInto(out *AlibabaAuth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlibabaAuth.
+func (in *AlibabaAuth) DeepCopy() *AlibabaAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(AlibabaAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AlibabaAuthSecretRef) DeepCopyInto(out *AlibabaAuthSecretRef) {
+	*out = *in
+	in.AccessKeyID.DeepCopyInto(&out.AccessKeyID)
+	in.AccessKeySecret.DeepCopyInto(&out.AccessKeySecret)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlibabaAuthSecretRef.
+func (in *AlibabaAuthSecretRef) DeepCopy() *AlibabaAuthSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(AlibabaAuthSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AlibabaProvider) DeepCopyInto(out *AlibabaProvider) {
+	*out = *in
+	if in.Auth != nil {
+		in, out := &in.Auth, &out.Auth
+		*out = new(AlibabaAuth)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlibabaProvider.
+func (in *AlibabaProvider) DeepCopy() *AlibabaProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(AlibabaProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AzureKVAuth) DeepCopyInto(out *AzureKVAuth) {
+	*out = *in
+	if in.ClientID != nil {
+		in, out := &in.ClientID, &out.ClientID
+		*out = new(metav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ClientSecret != nil {
+		in, out := &in.ClientSecret, &out.ClientSecret
+		*out = new(metav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureKVAuth.
+func (in *AzureKVAuth) DeepCopy() *AzureKVAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(AzureKVAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AzureKVProvider) DeepCopyInto(out *AzureKVProvider) {
+	*out = *in
+	if in.AuthType != nil {
+		in, out := &in.AuthType, &out.AuthType
+		*out = new(AuthType)
+		**out = **in
+	}
+	if in.VaultURL != nil {
+		in, out := &in.VaultURL, &out.VaultURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.TenantID != nil {
+		in, out := &in.TenantID, &out.TenantID
+		*out = new(string)
+		**out = **in
+	}
+	if in.AuthSecretRef != nil {
+		in, out := &in.AuthSecretRef, &out.AuthSecretRef
+		*out = new(AzureKVAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.IdentityID != nil {
+		in, out := &in.IdentityID, &out.IdentityID
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureKVProvider.
+func (in *AzureKVProvider) DeepCopy() *AzureKVProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(AzureKVProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CAProvider) DeepCopyInto(out *CAProvider) {
+	*out = *in
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CAProvider.
+func (in *CAProvider) DeepCopy() *CAProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(CAProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CertAuth) DeepCopyInto(out *CertAuth) {
+	*out = *in
+	in.ClientCert.DeepCopyInto(&out.ClientCert)
+	in.ClientKey.DeepCopyInto(&out.ClientKey)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertAuth.
+func (in *CertAuth) DeepCopy() *CertAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(CertAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterSecretStore) DeepCopyInto(out *ClusterSecretStore) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSecretStore.
+func (in *ClusterSecretStore) DeepCopy() *ClusterSecretStore {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterSecretStore)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterSecretStore) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ClusterSecretStoreList) DeepCopyInto(out *ClusterSecretStoreList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ClusterSecretStore, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterSecretStoreList.
+func (in *ClusterSecretStoreList) DeepCopy() *ClusterSecretStoreList {
+	if in == nil {
+		return nil
+	}
+	out := new(ClusterSecretStoreList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ClusterSecretStoreList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecret) DeepCopyInto(out *ExternalSecret) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecret.
+func (in *ExternalSecret) DeepCopy() *ExternalSecret {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecret)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ExternalSecret) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretData) DeepCopyInto(out *ExternalSecretData) {
+	*out = *in
+	out.RemoteRef = in.RemoteRef
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretData.
+func (in *ExternalSecretData) DeepCopy() *ExternalSecretData {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretData)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretDataFromRemoteRef) DeepCopyInto(out *ExternalSecretDataFromRemoteRef) {
+	*out = *in
+	out.Extract = in.Extract
+	in.Find.DeepCopyInto(&out.Find)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretDataFromRemoteRef.
+func (in *ExternalSecretDataFromRemoteRef) DeepCopy() *ExternalSecretDataFromRemoteRef {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretDataFromRemoteRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretDataRemoteRef) DeepCopyInto(out *ExternalSecretDataRemoteRef) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretDataRemoteRef.
+func (in *ExternalSecretDataRemoteRef) DeepCopy() *ExternalSecretDataRemoteRef {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretDataRemoteRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretFind) DeepCopyInto(out *ExternalSecretFind) {
+	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(FindName)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretFind.
+func (in *ExternalSecretFind) DeepCopy() *ExternalSecretFind {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretFind)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretList) DeepCopyInto(out *ExternalSecretList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ExternalSecret, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretList.
+func (in *ExternalSecretList) DeepCopy() *ExternalSecretList {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ExternalSecretList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretSpec) DeepCopyInto(out *ExternalSecretSpec) {
+	*out = *in
+	out.SecretStoreRef = in.SecretStoreRef
+	in.Target.DeepCopyInto(&out.Target)
+	if in.RefreshInterval != nil {
+		in, out := &in.RefreshInterval, &out.RefreshInterval
+		*out = new(v1.Duration)
+		**out = **in
+	}
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = make([]ExternalSecretData, len(*in))
+		copy(*out, *in)
+	}
+	if in.DataFrom != nil {
+		in, out := &in.DataFrom, &out.DataFrom
+		*out = make([]ExternalSecretDataFromRemoteRef, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretSpec.
+func (in *ExternalSecretSpec) DeepCopy() *ExternalSecretSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretStatus) DeepCopyInto(out *ExternalSecretStatus) {
+	*out = *in
+	in.RefreshTime.DeepCopyInto(&out.RefreshTime)
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]ExternalSecretStatusCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretStatus.
+func (in *ExternalSecretStatus) DeepCopy() *ExternalSecretStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretStatusCondition) DeepCopyInto(out *ExternalSecretStatusCondition) {
+	*out = *in
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretStatusCondition.
+func (in *ExternalSecretStatusCondition) DeepCopy() *ExternalSecretStatusCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretStatusCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretTarget) DeepCopyInto(out *ExternalSecretTarget) {
+	*out = *in
+	if in.Template != nil {
+		in, out := &in.Template, &out.Template
+		*out = new(ExternalSecretTemplate)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretTarget.
+func (in *ExternalSecretTarget) DeepCopy() *ExternalSecretTarget {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretTarget)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretTemplate) DeepCopyInto(out *ExternalSecretTemplate) {
+	*out = *in
+	in.Metadata.DeepCopyInto(&out.Metadata)
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.TemplateFrom != nil {
+		in, out := &in.TemplateFrom, &out.TemplateFrom
+		*out = make([]TemplateFrom, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretTemplate.
+func (in *ExternalSecretTemplate) DeepCopy() *ExternalSecretTemplate {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretTemplate)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExternalSecretTemplateMetadata) DeepCopyInto(out *ExternalSecretTemplateMetadata) {
+	*out = *in
+	if in.Annotations != nil {
+		in, out := &in.Annotations, &out.Annotations
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalSecretTemplateMetadata.
+func (in *ExternalSecretTemplateMetadata) DeepCopy() *ExternalSecretTemplateMetadata {
+	if in == nil {
+		return nil
+	}
+	out := new(ExternalSecretTemplateMetadata)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FakeProvider) DeepCopyInto(out *FakeProvider) {
+	*out = *in
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = make([]FakeProviderData, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FakeProvider.
+func (in *FakeProvider) DeepCopy() *FakeProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(FakeProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FakeProviderData) DeepCopyInto(out *FakeProviderData) {
+	*out = *in
+	if in.ValueMap != nil {
+		in, out := &in.ValueMap, &out.ValueMap
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FakeProviderData.
+func (in *FakeProviderData) DeepCopy() *FakeProviderData {
+	if in == nil {
+		return nil
+	}
+	out := new(FakeProviderData)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FindName) DeepCopyInto(out *FindName) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FindName.
+func (in *FindName) DeepCopy() *FindName {
+	if in == nil {
+		return nil
+	}
+	out := new(FindName)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GCPSMAuth) DeepCopyInto(out *GCPSMAuth) {
+	*out = *in
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(GCPSMAuthSecretRef)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.WorkloadIdentity != nil {
+		in, out := &in.WorkloadIdentity, &out.WorkloadIdentity
+		*out = new(GCPWorkloadIdentity)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPSMAuth.
+func (in *GCPSMAuth) DeepCopy() *GCPSMAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(GCPSMAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GCPSMAuthSecretRef) DeepCopyInto(out *GCPSMAuthSecretRef) {
+	*out = *in
+	in.SecretAccessKey.DeepCopyInto(&out.SecretAccessKey)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPSMAuthSecretRef.
+func (in *GCPSMAuthSecretRef) DeepCopy() *GCPSMAuthSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(GCPSMAuthSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GCPSMProvider) DeepCopyInto(out *GCPSMProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPSMProvider.
+func (in *GCPSMProvider) DeepCopy() *GCPSMProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(GCPSMProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GCPWorkloadIdentity) DeepCopyInto(out *GCPWorkloadIdentity) {
+	*out = *in
+	in.ServiceAccountRef.DeepCopyInto(&out.ServiceAccountRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GCPWorkloadIdentity.
+func (in *GCPWorkloadIdentity) DeepCopy() *GCPWorkloadIdentity {
+	if in == nil {
+		return nil
+	}
+	out := new(GCPWorkloadIdentity)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GitlabAuth) DeepCopyInto(out *GitlabAuth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitlabAuth.
+func (in *GitlabAuth) DeepCopy() *GitlabAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(GitlabAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GitlabProvider) DeepCopyInto(out *GitlabProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitlabProvider.
+func (in *GitlabProvider) DeepCopy() *GitlabProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(GitlabProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GitlabSecretRef) DeepCopyInto(out *GitlabSecretRef) {
+	*out = *in
+	in.AccessToken.DeepCopyInto(&out.AccessToken)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitlabSecretRef.
+func (in *GitlabSecretRef) DeepCopy() *GitlabSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(GitlabSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IBMAuth) DeepCopyInto(out *IBMAuth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IBMAuth.
+func (in *IBMAuth) DeepCopy() *IBMAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(IBMAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IBMAuthSecretRef) DeepCopyInto(out *IBMAuthSecretRef) {
+	*out = *in
+	in.SecretAPIKey.DeepCopyInto(&out.SecretAPIKey)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IBMAuthSecretRef.
+func (in *IBMAuthSecretRef) DeepCopy() *IBMAuthSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(IBMAuthSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IBMProvider) DeepCopyInto(out *IBMProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+	if in.ServiceURL != nil {
+		in, out := &in.ServiceURL, &out.ServiceURL
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IBMProvider.
+func (in *IBMProvider) DeepCopy() *IBMProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(IBMProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KubernetesAuth) DeepCopyInto(out *KubernetesAuth) {
+	*out = *in
+	if in.Cert != nil {
+		in, out := &in.Cert, &out.Cert
+		*out = new(CertAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Token != nil {
+		in, out := &in.Token, &out.Token
+		*out = new(TokenAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ServiceAccount != nil {
+		in, out := &in.ServiceAccount, &out.ServiceAccount
+		*out = new(ServiceAccountAuth)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesAuth.
+func (in *KubernetesAuth) DeepCopy() *KubernetesAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(KubernetesAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KubernetesProvider) DeepCopyInto(out *KubernetesProvider) {
+	*out = *in
+	in.Server.DeepCopyInto(&out.Server)
+	in.Auth.DeepCopyInto(&out.Auth)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesProvider.
+func (in *KubernetesProvider) DeepCopy() *KubernetesProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(KubernetesProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KubernetesServer) DeepCopyInto(out *KubernetesServer) {
+	*out = *in
+	if in.CABundle != nil {
+		in, out := &in.CABundle, &out.CABundle
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.CAProvider != nil {
+		in, out := &in.CAProvider, &out.CAProvider
+		*out = new(CAProvider)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesServer.
+func (in *KubernetesServer) DeepCopy() *KubernetesServer {
+	if in == nil {
+		return nil
+	}
+	out := new(KubernetesServer)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OracleAuth) DeepCopyInto(out *OracleAuth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OracleAuth.
+func (in *OracleAuth) DeepCopy() *OracleAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(OracleAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OracleProvider) DeepCopyInto(out *OracleProvider) {
+	*out = *in
+	if in.Auth != nil {
+		in, out := &in.Auth, &out.Auth
+		*out = new(OracleAuth)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OracleProvider.
+func (in *OracleProvider) DeepCopy() *OracleProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(OracleProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OracleSecretRef) DeepCopyInto(out *OracleSecretRef) {
+	*out = *in
+	in.PrivateKey.DeepCopyInto(&out.PrivateKey)
+	in.Fingerprint.DeepCopyInto(&out.Fingerprint)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OracleSecretRef.
+func (in *OracleSecretRef) DeepCopy() *OracleSecretRef {
+	if in == nil {
+		return nil
+	}
+	out := new(OracleSecretRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretStore) DeepCopyInto(out *SecretStore) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStore.
+func (in *SecretStore) DeepCopy() *SecretStore {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretStore)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *SecretStore) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretStoreList) DeepCopyInto(out *SecretStoreList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]SecretStore, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreList.
+func (in *SecretStoreList) DeepCopy() *SecretStoreList {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretStoreList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *SecretStoreList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretStoreProvider) DeepCopyInto(out *SecretStoreProvider) {
+	*out = *in
+	if in.AWS != nil {
+		in, out := &in.AWS, &out.AWS
+		*out = new(AWSProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.AzureKV != nil {
+		in, out := &in.AzureKV, &out.AzureKV
+		*out = new(AzureKVProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Akeyless != nil {
+		in, out := &in.Akeyless, &out.Akeyless
+		*out = new(AkeylessProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Vault != nil {
+		in, out := &in.Vault, &out.Vault
+		*out = new(VaultProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.GCPSM != nil {
+		in, out := &in.GCPSM, &out.GCPSM
+		*out = new(GCPSMProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Oracle != nil {
+		in, out := &in.Oracle, &out.Oracle
+		*out = new(OracleProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.IBM != nil {
+		in, out := &in.IBM, &out.IBM
+		*out = new(IBMProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.YandexLockbox != nil {
+		in, out := &in.YandexLockbox, &out.YandexLockbox
+		*out = new(YandexLockboxProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Gitlab != nil {
+		in, out := &in.Gitlab, &out.Gitlab
+		*out = new(GitlabProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Alibaba != nil {
+		in, out := &in.Alibaba, &out.Alibaba
+		*out = new(AlibabaProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Webhook != nil {
+		in, out := &in.Webhook, &out.Webhook
+		*out = new(WebhookProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Kubernetes != nil {
+		in, out := &in.Kubernetes, &out.Kubernetes
+		*out = new(KubernetesProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Fake != nil {
+		in, out := &in.Fake, &out.Fake
+		*out = new(FakeProvider)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreProvider.
+func (in *SecretStoreProvider) DeepCopy() *SecretStoreProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretStoreProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretStoreRef) DeepCopyInto(out *SecretStoreRef) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreRef.
+func (in *SecretStoreRef) DeepCopy() *SecretStoreRef {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretStoreRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretStoreRetrySettings) DeepCopyInto(out *SecretStoreRetrySettings) {
+	*out = *in
+	if in.MaxRetries != nil {
+		in, out := &in.MaxRetries, &out.MaxRetries
+		*out = new(int32)
+		**out = **in
+	}
+	if in.RetryInterval != nil {
+		in, out := &in.RetryInterval, &out.RetryInterval
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreRetrySettings.
+func (in *SecretStoreRetrySettings) DeepCopy() *SecretStoreRetrySettings {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretStoreRetrySettings)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretStoreSpec) DeepCopyInto(out *SecretStoreSpec) {
+	*out = *in
+	if in.Provider != nil {
+		in, out := &in.Provider, &out.Provider
+		*out = new(SecretStoreProvider)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.RetrySettings != nil {
+		in, out := &in.RetrySettings, &out.RetrySettings
+		*out = new(SecretStoreRetrySettings)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreSpec.
+func (in *SecretStoreSpec) DeepCopy() *SecretStoreSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretStoreSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretStoreStatus) DeepCopyInto(out *SecretStoreStatus) {
+	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]SecretStoreStatusCondition, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreStatus.
+func (in *SecretStoreStatus) DeepCopy() *SecretStoreStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretStoreStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SecretStoreStatusCondition) DeepCopyInto(out *SecretStoreStatusCondition) {
+	*out = *in
+	in.LastTransitionTime.DeepCopyInto(&out.LastTransitionTime)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretStoreStatusCondition.
+func (in *SecretStoreStatusCondition) DeepCopy() *SecretStoreStatusCondition {
+	if in == nil {
+		return nil
+	}
+	out := new(SecretStoreStatusCondition)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServiceAccountAuth) DeepCopyInto(out *ServiceAccountAuth) {
+	*out = *in
+	in.ServiceAccountRef.DeepCopyInto(&out.ServiceAccountRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountAuth.
+func (in *ServiceAccountAuth) DeepCopy() *ServiceAccountAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(ServiceAccountAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TemplateFrom) DeepCopyInto(out *TemplateFrom) {
+	*out = *in
+	if in.ConfigMap != nil {
+		in, out := &in.ConfigMap, &out.ConfigMap
+		*out = new(TemplateRef)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Secret != nil {
+		in, out := &in.Secret, &out.Secret
+		*out = new(TemplateRef)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TemplateFrom.
+func (in *TemplateFrom) DeepCopy() *TemplateFrom {
+	if in == nil {
+		return nil
+	}
+	out := new(TemplateFrom)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TemplateRef) DeepCopyInto(out *TemplateRef) {
+	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]TemplateRefItem, len(*in))
+		copy(*out, *in)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TemplateRef.
+func (in *TemplateRef) DeepCopy() *TemplateRef {
+	if in == nil {
+		return nil
+	}
+	out := new(TemplateRef)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TemplateRefItem) DeepCopyInto(out *TemplateRefItem) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TemplateRefItem.
+func (in *TemplateRefItem) DeepCopy() *TemplateRefItem {
+	if in == nil {
+		return nil
+	}
+	out := new(TemplateRefItem)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *TokenAuth) DeepCopyInto(out *TokenAuth) {
+	*out = *in
+	in.BearerToken.DeepCopyInto(&out.BearerToken)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenAuth.
+func (in *TokenAuth) DeepCopy() *TokenAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(TokenAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultAppRole) DeepCopyInto(out *VaultAppRole) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAppRole.
+func (in *VaultAppRole) DeepCopy() *VaultAppRole {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultAppRole)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultAuth) DeepCopyInto(out *VaultAuth) {
+	*out = *in
+	if in.TokenSecretRef != nil {
+		in, out := &in.TokenSecretRef, &out.TokenSecretRef
+		*out = new(metav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.AppRole != nil {
+		in, out := &in.AppRole, &out.AppRole
+		*out = new(VaultAppRole)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Kubernetes != nil {
+		in, out := &in.Kubernetes, &out.Kubernetes
+		*out = new(VaultKubernetesAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Ldap != nil {
+		in, out := &in.Ldap, &out.Ldap
+		*out = new(VaultLdapAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Jwt != nil {
+		in, out := &in.Jwt, &out.Jwt
+		*out = new(VaultJwtAuth)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Cert != nil {
+		in, out := &in.Cert, &out.Cert
+		*out = new(VaultCertAuth)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultAuth.
+func (in *VaultAuth) DeepCopy() *VaultAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultCertAuth) DeepCopyInto(out *VaultCertAuth) {
+	*out = *in
+	in.ClientCert.DeepCopyInto(&out.ClientCert)
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultCertAuth.
+func (in *VaultCertAuth) DeepCopy() *VaultCertAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultCertAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultJwtAuth) DeepCopyInto(out *VaultJwtAuth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultJwtAuth.
+func (in *VaultJwtAuth) DeepCopy() *VaultJwtAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultJwtAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultKubernetesAuth) DeepCopyInto(out *VaultKubernetesAuth) {
+	*out = *in
+	if in.ServiceAccountRef != nil {
+		in, out := &in.ServiceAccountRef, &out.ServiceAccountRef
+		*out = new(metav1.ServiceAccountSelector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.SecretRef != nil {
+		in, out := &in.SecretRef, &out.SecretRef
+		*out = new(metav1.SecretKeySelector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultKubernetesAuth.
+func (in *VaultKubernetesAuth) DeepCopy() *VaultKubernetesAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultKubernetesAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultLdapAuth) DeepCopyInto(out *VaultLdapAuth) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultLdapAuth.
+func (in *VaultLdapAuth) DeepCopy() *VaultLdapAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultLdapAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *VaultProvider) DeepCopyInto(out *VaultProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
+	if in.CABundle != nil {
+		in, out := &in.CABundle, &out.CABundle
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.CAProvider != nil {
+		in, out := &in.CAProvider, &out.CAProvider
+		*out = new(CAProvider)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultProvider.
+func (in *VaultProvider) DeepCopy() *VaultProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(VaultProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WebhookCAProvider) DeepCopyInto(out *WebhookCAProvider) {
+	*out = *in
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookCAProvider.
+func (in *WebhookCAProvider) DeepCopy() *WebhookCAProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(WebhookCAProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WebhookProvider) DeepCopyInto(out *WebhookProvider) {
+	*out = *in
+	if in.Headers != nil {
+		in, out := &in.Headers, &out.Headers
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = new(v1.Duration)
+		**out = **in
+	}
+	out.Result = in.Result
+	if in.Secrets != nil {
+		in, out := &in.Secrets, &out.Secrets
+		*out = make([]WebhookSecret, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CABundle != nil {
+		in, out := &in.CABundle, &out.CABundle
+		*out = make([]byte, len(*in))
+		copy(*out, *in)
+	}
+	if in.CAProvider != nil {
+		in, out := &in.CAProvider, &out.CAProvider
+		*out = new(WebhookCAProvider)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookProvider.
+func (in *WebhookProvider) DeepCopy() *WebhookProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(WebhookProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WebhookResult) DeepCopyInto(out *WebhookResult) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookResult.
+func (in *WebhookResult) DeepCopy() *WebhookResult {
+	if in == nil {
+		return nil
+	}
+	out := new(WebhookResult)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *WebhookSecret) DeepCopyInto(out *WebhookSecret) {
+	*out = *in
+	in.SecretRef.DeepCopyInto(&out.SecretRef)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookSecret.
+func (in *WebhookSecret) DeepCopy() *WebhookSecret {
+	if in == nil {
+		return nil
+	}
+	out := new(WebhookSecret)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *YandexLockboxAuth) DeepCopyInto(out *YandexLockboxAuth) {
+	*out = *in
+	in.AuthorizedKey.DeepCopyInto(&out.AuthorizedKey)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new YandexLockboxAuth.
+func (in *YandexLockboxAuth) DeepCopy() *YandexLockboxAuth {
+	if in == nil {
+		return nil
+	}
+	out := new(YandexLockboxAuth)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *YandexLockboxCAProvider) DeepCopyInto(out *YandexLockboxCAProvider) {
+	*out = *in
+	in.Certificate.DeepCopyInto(&out.Certificate)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new YandexLockboxCAProvider.
+func (in *YandexLockboxCAProvider) DeepCopy() *YandexLockboxCAProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(YandexLockboxCAProvider)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *YandexLockboxProvider) DeepCopyInto(out *YandexLockboxProvider) {
+	*out = *in
+	in.Auth.DeepCopyInto(&out.Auth)
+	if in.CAProvider != nil {
+		in, out := &in.CAProvider, &out.CAProvider
+		*out = new(YandexLockboxCAProvider)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new YandexLockboxProvider.
+func (in *YandexLockboxProvider) DeepCopy() *YandexLockboxProvider {
+	if in == nil {
+		return nil
+	}
+	out := new(YandexLockboxProvider)
+	in.DeepCopyInto(out)
+	return out
+}

+ 108 - 0
cmd/certcontroller.go

@@ -0,0 +1,108 @@
+/*
+Copyright © 2022 ESO Maintainer team
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package cmd
+
+import (
+	"os"
+	"time"
+
+	"github.com/spf13/cobra"
+	"go.uber.org/zap/zapcore"
+	v1 "k8s.io/api/core/v1"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+
+	"github.com/external-secrets/external-secrets/pkg/controllers/crds"
+)
+
+var certcontrollerCmd = &cobra.Command{
+	Use:   "certcontroller",
+	Short: "Controller to manage certificates for external secrets CRDs",
+	Long: `Controller to manage certificates for external secrets CRDs.
+	For more information visit https://external-secrets.io`,
+	Run: func(cmd *cobra.Command, args []string) {
+		var lvl zapcore.Level
+		err := lvl.UnmarshalText([]byte(loglevel))
+		if err != nil {
+			setupLog.Error(err, "error unmarshalling loglevel")
+			os.Exit(1)
+		}
+		logger := zap.New(zap.Level(lvl))
+		ctrl.SetLogger(logger)
+
+		mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
+			Scheme:             scheme,
+			MetricsBindAddress: metricsAddr,
+			Port:               9443,
+			LeaderElection:     enableLeaderElection,
+			LeaderElectionID:   "crd-certs-controller",
+			ClientDisableCacheFor: []client.Object{
+				// the client creates a ListWatch for all resource kinds that
+				// are requested with .Get().
+				// We want to avoid to cache all secrets or configmaps in memory.
+				// The ES controller uses v1.PartialObjectMetadata for the secrets
+				// that he owns.
+				// see #721
+				&v1.Secret{},
+			}})
+		if err != nil {
+			setupLog.Error(err, "unable to start manager")
+			os.Exit(1)
+		}
+		crds := &crds.Reconciler{
+			Client:                 mgr.GetClient(),
+			Log:                    ctrl.Log.WithName("controllers").WithName("webhook-certs-updater"),
+			Scheme:                 mgr.GetScheme(),
+			SvcName:                serviceName,
+			SvcNamespace:           serviceNamespace,
+			SecretName:             secretName,
+			SecretNamespace:        secretNamespace,
+			RequeueInterval:        crdRequeueInterval,
+			CrdResources:           []string{"externalsecrets.external-secrets.io", "clustersecretstores.external-secrets.io", "secretstores.external-secrets.io"},
+			CAName:                 "external-secrets",
+			CAOrganization:         "external-secrets",
+			RestartOnSecretRefresh: false,
+		}
+		if err := crds.SetupWithManager(mgr, controller.Options{
+			MaxConcurrentReconciles: concurrent,
+		}); err != nil {
+			setupLog.Error(err, errCreateController, "controller", "CustomResourceDefinition")
+			os.Exit(1)
+		}
+		setupLog.Info("starting manager")
+		if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+			setupLog.Error(err, "problem running manager")
+			os.Exit(1)
+		}
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(certcontrollerCmd)
+
+	certcontrollerCmd.Flags().StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
+	certcontrollerCmd.Flags().StringVar(&serviceName, "service-name", "external-secrets-webhook", "Webhook service name")
+	certcontrollerCmd.Flags().StringVar(&serviceNamespace, "service-namespace", "default", "Webhook service namespace")
+	certcontrollerCmd.Flags().StringVar(&secretName, "secret-name", "external-secrets-webhook", "Secret to store certs for webhook")
+	certcontrollerCmd.Flags().StringVar(&secretNamespace, "secret-namespace", "default", "namespace of the secret to store certs")
+	certcontrollerCmd.Flags().BoolVar(&enableLeaderElection, "enable-leader-election", false,
+		"Enable leader election for controller manager. "+
+			"Enabling this will ensure there is only one active controller manager.")
+	certcontrollerCmd.Flags().StringVar(&loglevel, "loglevel", "info", "loglevel to use, one of: debug, info, warn, error, dpanic, panic, fatal")
+	certcontrollerCmd.Flags().DurationVar(&crdRequeueInterval, "crd-requeue-interval", time.Minute*5, "Time duration between reconciling CRDs for new certs")
+}
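Review bot: Running this subcommand with more than one replica would have both instances rotate the same webhook Secret and rewrite the CRD caBundles, because `--enable-leader-election` defaults to false in the flag block at the end of this hunk while the reconciler it wires up is write-heavy; consider defaulting it to true here, or document that it must be set whenever the Deployment is scaled. The defaults `--service-namespace=default` and `--secret-namespace=default` also mean a deployment that omits the flags writes the webhook CA private key into the `default` namespace, where RBAC is usually loosest; presumably the Helm chart sets these, but reading the pod's own namespace from the downward API would be a safer default than `default`. Finally, `crds := &crds.Reconciler{` shadows the imported `crds` package with a local variable, which only compiles because the new name is not in scope until after the statement; rename it, e.g. `certReconciler := &crds.Reconciler{` and `certReconciler.SetupWithManager(mgr, ...)`.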

+ 160 - 0
cmd/root.go

@@ -0,0 +1,160 @@
+/*
+Copyright © 2022 ESO Maintainer Team
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package cmd
+
+import (
+	"os"
+	"time"
+
+	"github.com/spf13/cobra"
+	"go.uber.org/zap/zapcore"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+
+	// To allow using gcp auth.
+	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+
+	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+	"github.com/external-secrets/external-secrets/pkg/controllers/externalsecret"
+	"github.com/external-secrets/external-secrets/pkg/controllers/secretstore"
+)
+
+var (
+	scheme                        = runtime.NewScheme()
+	setupLog                      = ctrl.Log.WithName("setup")
+	dnsName                       string
+	certDir                       string
+	metricsAddr                   string
+	controllerClass               string
+	enableLeaderElection          bool
+	concurrent                    int
+	loglevel                      string
+	namespace                     string
+	storeRequeueInterval          time.Duration
+	serviceName, serviceNamespace string
+	secretName, secretNamespace   string
+	crdRequeueInterval            time.Duration
+	certCheckInterval             time.Duration
+)
+
+const (
+	errCreateController = "unable to create controller"
+)
+
+func init() {
+	_ = clientgoscheme.AddToScheme(scheme)
+	_ = esv1beta1.AddToScheme(scheme)
+	_ = esv1alpha1.AddToScheme(scheme)
+}
+
+var rootCmd = &cobra.Command{
+	Use:   "external-secrets",
+	Short: "operator that reconciles ExternalSecrets and SecretStores",
+	Long:  `For more information visit https://external-secrets.io`,
+	Run: func(cmd *cobra.Command, args []string) {
+		var lvl zapcore.Level
+		err := lvl.UnmarshalText([]byte(loglevel))
+		if err != nil {
+			setupLog.Error(err, "error unmarshalling loglevel")
+			os.Exit(1)
+		}
+		logger := zap.New(zap.Level(lvl))
+		ctrl.SetLogger(logger)
+
+		mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
+			Scheme:             scheme,
+			MetricsBindAddress: metricsAddr,
+			Port:               9443,
+			LeaderElection:     enableLeaderElection,
+			LeaderElectionID:   "external-secrets-controller",
+			ClientDisableCacheFor: []client.Object{
+				// the client creates a ListWatch for all resource kinds that
+				// are requested with .Get().
+				// We want to avoid to cache all secrets or configmaps in memory.
+				// The ES controller uses v1.PartialObjectMetadata for the secrets
+				// that he owns.
+				// see #721
+				&v1.Secret{},
+				&v1.ConfigMap{},
+			},
+			Namespace: namespace,
+		})
+		if err != nil {
+			setupLog.Error(err, "unable to start manager")
+			os.Exit(1)
+		}
+		if err = (&secretstore.StoreReconciler{
+			Client:          mgr.GetClient(),
+			Log:             ctrl.Log.WithName("controllers").WithName("SecretStore"),
+			Scheme:          mgr.GetScheme(),
+			ControllerClass: controllerClass,
+			RequeueInterval: storeRequeueInterval,
+		}).SetupWithManager(mgr); err != nil {
+			setupLog.Error(err, errCreateController, "controller", "SecretStore")
+			os.Exit(1)
+		}
+		if err = (&secretstore.ClusterStoreReconciler{
+			Client:          mgr.GetClient(),
+			Log:             ctrl.Log.WithName("controllers").WithName("ClusterSecretStore"),
+			Scheme:          mgr.GetScheme(),
+			ControllerClass: controllerClass,
+			RequeueInterval: storeRequeueInterval,
+		}).SetupWithManager(mgr); err != nil {
+			setupLog.Error(err, errCreateController, "controller", "ClusterSecretStore")
+			os.Exit(1)
+		}
+		if err = (&externalsecret.Reconciler{
+			Client:          mgr.GetClient(),
+			Log:             ctrl.Log.WithName("controllers").WithName("ExternalSecret"),
+			Scheme:          mgr.GetScheme(),
+			ControllerClass: controllerClass,
+			RequeueInterval: time.Hour,
+		}).SetupWithManager(mgr, controller.Options{
+			MaxConcurrentReconciles: concurrent,
+		}); err != nil {
+			setupLog.Error(err, errCreateController, "controller", "ExternalSecret")
+			os.Exit(1)
+		}
+		setupLog.Info("starting manager")
+		if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+			setupLog.Error(err, "problem running manager")
+			os.Exit(1)
+		}
+
+	},
+}
+
+func Execute() {
+	cobra.CheckErr(rootCmd.Execute())
+}
+
+func init() {
+	rootCmd.Flags().StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
+	rootCmd.Flags().StringVar(&controllerClass, "controller-class", "default", "the controller is instantiated with a specific controller name and filters ES based on this property")
+	rootCmd.Flags().BoolVar(&enableLeaderElection, "enable-leader-election", false,
+		"Enable leader election for controller manager. "+
+			"Enabling this will ensure there is only one active controller manager.")
+	rootCmd.Flags().IntVar(&concurrent, "concurrent", 1, "The number of concurrent ExternalSecret reconciles.")
+	rootCmd.Flags().StringVar(&loglevel, "loglevel", "info", "loglevel to use, one of: debug, info, warn, error, dpanic, panic, fatal")
+	rootCmd.Flags().StringVar(&namespace, "namespace", "", "watch external secrets scoped in the provided namespace only. ClusterSecretStore can be used but only work if it doesn't reference resources from other namespaces")
+	rootCmd.Flags().DurationVar(&storeRequeueInterval, "store-requeue-interval", time.Minute*5, "Time duration between reconciling (Cluster)SecretStores")
+}
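Review bot: The `init()` near the top of this file registers the CRD types into the package-level `scheme`, and cmd/webhook.go in this same PR has an identical `init()` doing the same registration into the same variable, so every process registers the types twice; keep it in one place (root.go, since `scheme` is declared here) and drop the copy from the webhook command. The `ExternalSecret` reconciler's `RequeueInterval: time.Hour` is the only interval hard-coded in this hunk while the store interval is exposed as `--store-requeue-interval`; a matching flag would make the two reconcilers consistent. The blank import of `k8s.io/client-go/plugin/pkg/client/auth/gcp` pulls in the in-tree GCP auth plugin, which, if I recall correctly, upstream has deprecated in favour of exec credential plugins; it deserves a comment explaining why it is still needed, e.g. `// In-tree GCP auth plugin; deprecated upstream, kept until exec-plugin kubeconfigs are required.`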

+ 143 - 0
cmd/webhook.go

@@ -0,0 +1,143 @@
+/*
+Copyright © 2022 NAME HERE <EMAIL ADDRESS>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package cmd
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+	"time"
+
+	"github.com/spf13/cobra"
+	"go.uber.org/zap/zapcore"
+	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+
+	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+	"github.com/external-secrets/external-secrets/pkg/controllers/crds"
+)
+
+const (
+	errCreateWebhook = "unable to create webhook"
+)
+
+func init() {
+	_ = clientgoscheme.AddToScheme(scheme)
+	_ = esv1beta1.AddToScheme(scheme)
+	_ = esv1alpha1.AddToScheme(scheme)
+}
+
+var webhookCmd = &cobra.Command{
+	Use:   "webhook",
+	Short: "Webhook implementation for ExternalSecrets and SecretStores.",
+	Long: `Webhook implementation for ExternalSecrets and SecretStores.
+	For more information visit https://external-secrets.io`,
+	Run: func(cmd *cobra.Command, args []string) {
+		var lvl zapcore.Level
+		err := lvl.UnmarshalText([]byte(loglevel))
+		if err != nil {
+			setupLog.Error(err, "error unmarshalling loglevel")
+			os.Exit(1)
+		}
+		c := crds.CertInfo{
+			CertDir:  certDir,
+			CertName: "tls.crt",
+			KeyName:  "tls.key",
+			CAName:   "ca.crt",
+		}
+
+		logger := zap.New(zap.Level(lvl))
+		ctrl.SetLogger(logger)
+
+		setupLog.Info("validating certs")
+		err = crds.CheckCerts(c, dnsName, time.Now().Add(time.Hour))
+		if err != nil {
+			setupLog.Error(err, "error checking certs")
+			os.Exit(1)
+		}
+		ctx, cancel := context.WithCancel(context.Background())
+		go func(c crds.CertInfo, dnsName string, every time.Duration) {
+			sigs := make(chan os.Signal, 1)
+			signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM)
+			ticker := time.NewTicker(every)
+			for {
+				select {
+				case <-sigs:
+					cancel()
+				case <-ticker.C:
+					setupLog.Info("validating certs")
+					err = crds.CheckCerts(c, dnsName, time.Now().Add(crds.LookaheadInterval+time.Minute))
+					if err != nil {
+						cancel()
+					}
+					setupLog.Info("certs are valid")
+				}
+			}
+		}(c, dnsName, certCheckInterval)
+
+		mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
+			Scheme:             scheme,
+			MetricsBindAddress: metricsAddr,
+			Port:               9443,
+			CertDir:            certDir,
+		})
+		if err != nil {
+			setupLog.Error(err, "unable to start manager")
+			os.Exit(1)
+		}
+		if err = (&esv1beta1.ExternalSecret{}).SetupWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, errCreateWebhook, "webhook", "ExternalSecret-v1beta1")
+			os.Exit(1)
+		}
+		if err = (&esv1beta1.SecretStore{}).SetupWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, errCreateWebhook, "webhook", "SecretStore-v1beta1")
+			os.Exit(1)
+		}
+		if err = (&esv1beta1.ClusterSecretStore{}).SetupWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, errCreateWebhook, "webhook", "ClusterSecretStore-v1beta1")
+			os.Exit(1)
+		}
+		if err = (&esv1alpha1.ExternalSecret{}).SetupWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, errCreateWebhook, "webhook", "ExternalSecret-v1alpha1")
+			os.Exit(1)
+		}
+		if err = (&esv1alpha1.SecretStore{}).SetupWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, errCreateWebhook, "webhook", "SecretStore-v1alpha1")
+			os.Exit(1)
+		}
+		if err = (&esv1alpha1.ClusterSecretStore{}).SetupWebhookWithManager(mgr); err != nil {
+			setupLog.Error(err, errCreateWebhook, "webhook", "ClusterSecretStore-v1alpha1")
+			os.Exit(1)
+		}
+		setupLog.Info("starting manager")
+		if err := mgr.Start(ctx); err != nil {
+			setupLog.Error(err, "problem running manager")
+			os.Exit(1)
+		}
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(webhookCmd)
+	webhookCmd.Flags().StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
+	webhookCmd.Flags().StringVar(&dnsName, "dns-name", "localhost", "DNS name to validate certificates with")
+	webhookCmd.Flags().StringVar(&certDir, "cert-dir", "/tmp/k8s-webhook-server/serving-certs", "path to check for certs")
+	webhookCmd.Flags().StringVar(&loglevel, "loglevel", "info", "loglevel to use, one of: debug, info, warn, error, dpanic, panic, fatal")
+	webhookCmd.Flags().DurationVar(&certCheckInterval, "check-interval", 5*time.Minute, "certificate check interval")
+}
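Review bot: The certificate-watching goroutine assigns to the captured outer `err` (the `err = crds.CheckCerts(...)` inside the ticker case) while the main goroutine is still writing the same variable from `ctrl.NewManager` and the `SetupWebhookWithManager` calls, which is a data race, and on a failed check it calls `cancel()` without logging the failure and then still prints `certs are valid`. After `cancel()` the loop also keeps running and the ticker is never stopped. Use a goroutine-local error, log it before shutting the manager down, and return from the loop once the context is cancelled; the rewritten goroutine is below. Separately, the `Copyright © 2022 NAME HERE <EMAIL ADDRESS>` header is the cobra template placeholder and should match the ESO maintainer header used by the other cmd files in this PR.
```go
go func(c crds.CertInfo, dnsName string, every time.Duration) {
	sigs := make(chan os.Signal, 1)
	signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM)
	ticker := time.NewTicker(every)
	defer ticker.Stop()
	for {
		select {
		case <-sigs:
			cancel()
			return
		case <-ticker.C:
			setupLog.Info("validating certs")
			// goroutine-local error: the outer err is also written by the main goroutine
			if checkErr := crds.CheckCerts(c, dnsName, time.Now().Add(crds.LookaheadInterval+time.Minute)); checkErr != nil {
				setupLog.Error(checkErr, "certs are invalid or about to expire, shutting down")
				cancel()
				return
			}
			setupLog.Info("certs are valid")
		}
	}
}(c, dnsName, certCheckInterval)
// … unchanged: manager creation and webhook registration …
```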

+ 1303 - 0
deploy/crds/external-secrets.io_clustersecretstores.yaml → config/crds/bases/external-secrets.io_clustersecretstores.yaml

@@ -1321,6 +1321,1309 @@ spec:
             type: object
         type: object
     served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: AGE
+      type: date
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: ClusterSecretStore represents a secure external location for
+          storing secrets, which can be referenced as part of `storeRef` fields.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: SecretStoreSpec defines the desired state of SecretStore.
+            properties:
+              controller:
+                description: 'Used to select the correct KES controller (think: ingress.ingressClassName)
+                  The KES controller is instantiated with a specific controller name
+                  and filters ES based on this property'
+                type: string
+              provider:
+                description: Used to configure the provider. Only one provider may
+                  be set
+                maxProperties: 1
+                minProperties: 1
+                properties:
+                  akeyless:
+                    description: Akeyless configures this store to sync secrets using
+                      Akeyless Vault provider
+                    properties:
+                      akeylessGWApiURL:
+                        description: Akeyless GW API Url from which the secrets to
+                          be fetched from.
+                        type: string
+                      authSecretRef:
+                        description: Auth configures how the operator authenticates
+                          with Akeyless.
+                        properties:
+                          secretRef:
+                            description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM:
+                              AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
+                            properties:
+                              accessID:
+                                description: The SecretAccessID is used for authentication
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                              accessType:
+                                description: A reference to a specific 'key' within
+                                  a Secret resource, In some instances, `key` is a
+                                  required field.
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                              accessTypeParam:
+                                description: A reference to a specific 'key' within
+                                  a Secret resource, In some instances, `key` is a
+                                  required field.
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                            type: object
+                        required:
+                        - secretRef
+                        type: object
+                    required:
+                    - akeylessGWApiURL
+                    - authSecretRef
+                    type: object
+                  alibaba:
+                    description: Alibaba configures this store to sync secrets using
+                      Alibaba Cloud provider
+                    properties:
+                      auth:
+                        description: AlibabaAuth contains a secretRef for credentials.
+                        properties:
+                          secretRef:
+                            description: AlibabaAuthSecretRef holds secret references
+                              for Alibaba credentials.
+                            properties:
+                              accessKeyIDSecretRef:
+                                description: The AccessKeyID is used for authentication
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                              accessKeySecretSecretRef:
+                                description: The AccessKeySecret is used for authentication
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                            required:
+                            - accessKeyIDSecretRef
+                            - accessKeySecretSecretRef
+                            type: object
+                        required:
+                        - secretRef
+                        type: object
+                      endpoint:
+                        type: string
+                      regionID:
+                        description: Alibaba Region to be used for the provider
+                        type: string
+                    required:
+                    - auth
+                    - regionID
+                    type: object
+                  aws:
+                    description: AWS configures this store to sync secrets using AWS
+                      Secret Manager provider
+                    properties:
+                      auth:
+                        description: 'Auth defines the information necessary to authenticate
+                          against AWS if not set aws sdk will infer credentials from
+                          your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                        properties:
+                          jwt:
+                            description: Authenticate against AWS using service account
+                              tokens.
+                            properties:
+                              serviceAccountRef:
+                                description: A reference to a ServiceAccount resource.
+                                properties:
+                                  name:
+                                    description: The name of the ServiceAccount resource
+                                      being referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                required:
+                                - name
+                                type: object
+                            type: object
+                          secretRef:
+                            description: AWSAuthSecretRef holds secret references
+                              for AWS credentials both AccessKeyID and SecretAccessKey
+                              must be defined in order to properly authenticate.
+                            properties:
+                              accessKeyIDSecretRef:
+                                description: The AccessKeyID is used for authentication
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                              secretAccessKeySecretRef:
+                                description: The SecretAccessKey is used for authentication
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                            type: object
+                        type: object
+                      region:
+                        description: AWS Region to be used for the provider
+                        type: string
+                      role:
+                        description: Role is a Role ARN which the SecretManager provider
+                          will assume
+                        type: string
+                      service:
+                        description: Service defines which service should be used
+                          to fetch the secrets
+                        enum:
+                        - SecretsManager
+                        - ParameterStore
+                        type: string
+                    required:
+                    - region
+                    - service
+                    type: object
+                  azurekv:
+                    description: AzureKV configures this store to sync secrets using
+                      Azure Key Vault provider
+                    properties:
+                      authSecretRef:
+                        description: Auth configures how the operator authenticates
+                          with Azure. Required for ServicePrincipal auth type.
+                        properties:
+                          clientId:
+                            description: The Azure clientId of the service principle
+                              used for authentication.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: The name of the Secret resource being
+                                  referred to.
+                                type: string
+                              namespace:
+                                description: Namespace of the resource being referred
+                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
+                                  defaults to the namespace of the referent.
+                                type: string
+                            type: object
+                          clientSecret:
+                            description: The Azure ClientSecret of the service principle
+                              used for authentication.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: The name of the Secret resource being
+                                  referred to.
+                                type: string
+                              namespace:
+                                description: Namespace of the resource being referred
+                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
+                                  defaults to the namespace of the referent.
+                                type: string
+                            type: object
+                        required:
+                        - clientId
+                        - clientSecret
+                        type: object
+                      authType:
+                        default: ServicePrincipal
+                        description: 'Auth type defines how to authenticate to the
+                          keyvault service. Valid values are: - "ServicePrincipal"
+                          (default): Using a service principal (tenantId, clientId,
+                          clientSecret) - "ManagedIdentity": Using Managed Identity
+                          assigned to the pod (see aad-pod-identity)'
+                        enum:
+                        - ServicePrincipal
+                        - ManagedIdentity
+                        type: string
+                      identityId:
+                        description: If multiple Managed Identity is assigned to the
+                          pod, you can select the one to be used
+                        type: string
+                      tenantId:
+                        description: TenantID configures the Azure Tenant to send
+                          requests to. Required for ServicePrincipal auth type.
+                        type: string
+                      vaultUrl:
+                        description: Vault Url from which the secrets to be fetched
+                          from.
+                        type: string
+                    required:
+                    - vaultUrl
+                    type: object
+                  fake:
+                    description: Fake configures a store with static key/value pairs
+                    properties:
+                      data:
+                        items:
+                          properties:
+                            key:
+                              type: string
+                            value:
+                              type: string
+                            valueMap:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            version:
+                              type: string
+                          required:
+                          - key
+                          type: object
+                        type: array
+                    required:
+                    - data
+                    type: object
+                  gcpsm:
+                    description: GCPSM configures this store to sync secrets using
+                      Google Cloud Platform Secret Manager provider
+                    properties:
+                      auth:
+                        description: Auth defines the information necessary to authenticate
+                          against GCP
+                        properties:
+                          secretRef:
+                            properties:
+                              secretAccessKeySecretRef:
+                                description: The SecretAccessKey is used for authentication
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                            type: object
+                          workloadIdentity:
+                            properties:
+                              clusterLocation:
+                                type: string
+                              clusterName:
+                                type: string
+                              serviceAccountRef:
+                                description: A reference to a ServiceAccount resource.
+                                properties:
+                                  name:
+                                    description: The name of the ServiceAccount resource
+                                      being referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                required:
+                                - name
+                                type: object
+                            required:
+                            - clusterLocation
+                            - clusterName
+                            - serviceAccountRef
+                            type: object
+                        type: object
+                      projectID:
+                        description: ProjectID project where secret is located
+                        type: string
+                    type: object
+                  gitlab:
+                    description: GItlab configures this store to sync secrets using
+                      Gitlab Variables provider
+                    properties:
+                      auth:
+                        description: Auth configures how secret-manager authenticates
+                          with a GitLab instance.
+                        properties:
+                          SecretRef:
+                            properties:
+                              accessToken:
+                                description: AccessToken is used for authentication.
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                            type: object
+                        required:
+                        - SecretRef
+                        type: object
+                      projectID:
+                        description: ProjectID specifies a project where secrets are
+                          located.
+                        type: string
+                      url:
+                        description: URL configures the GitLab instance URL. Defaults
+                          to https://gitlab.com/.
+                        type: string
+                    required:
+                    - auth
+                    type: object
+                  ibm:
+                    description: IBM configures this store to sync secrets using IBM
+                      Cloud provider
+                    properties:
+                      auth:
+                        description: Auth configures how secret-manager authenticates
+                          with the IBM secrets manager.
+                        properties:
+                          secretRef:
+                            properties:
+                              secretApiKeySecretRef:
+                                description: The SecretAccessKey is used for authentication
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                            type: object
+                        required:
+                        - secretRef
+                        type: object
+                      serviceUrl:
+                        description: ServiceURL is the Endpoint URL that is specific
+                          to the Secrets Manager service instance
+                        type: string
+                    required:
+                    - auth
+                    type: object
+                  kubernetes:
+                    description: Kubernetes configures this store to sync secrets
+                      using a Kubernetes cluster provider
+                    properties:
+                      auth:
+                        description: Auth configures how secret-manager authenticates
+                          with a Kubernetes instance.
+                        maxProperties: 1
+                        minProperties: 1
+                        properties:
+                          cert:
+                            description: has both clientCert and clientKey as secretKeySelector
+                            properties:
+                              clientCert:
+                                description: A reference to a specific 'key' within
+                                  a Secret resource, In some instances, `key` is a
+                                  required field.
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                              clientKey:
+                                description: A reference to a specific 'key' within
+                                  a Secret resource, In some instances, `key` is a
+                                  required field.
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                            type: object
+                          serviceAccount:
+                            description: points to a service account that should be
+                              used for authentication
+                            properties:
+                              serviceAccount:
+                                description: A reference to a ServiceAccount resource.
+                                properties:
+                                  name:
+                                    description: The name of the ServiceAccount resource
+                                      being referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                required:
+                                - name
+                                type: object
+                            type: object
+                          token:
+                            description: use static token to authenticate with
+                            properties:
+                              bearerToken:
+                                description: A reference to a specific 'key' within
+                                  a Secret resource, In some instances, `key` is a
+                                  required field.
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                            type: object
+                        type: object
+                      remoteNamespace:
+                        default: default
+                        description: Remote namespace to fetch the secrets from
+                        type: string
+                      server:
+                        description: configures the Kubernetes server Address.
+                        properties:
+                          caBundle:
+                            description: CABundle is a base64-encoded CA certificate
+                            format: byte
+                            type: string
+                          caProvider:
+                            description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
+                            properties:
+                              key:
+                                description: The key the value inside of the provider
+                                  type to use, only used with "Secret" type
+                                type: string
+                              name:
+                                description: The name of the object located at the
+                                  provider type.
+                                type: string
+                              namespace:
+                                description: The namespace the Provider type is in.
+                                type: string
+                              type:
+                                description: The type of provider to use such as "Secret",
+                                  or "ConfigMap".
+                                enum:
+                                - Secret
+                                - ConfigMap
+                                type: string
+                            required:
+                            - name
+                            - type
+                            type: object
+                          url:
+                            default: kubernetes.default
+                            description: configures the Kubernetes server Address.
+                            type: string
+                        type: object
+                    required:
+                    - auth
+                    type: object
+                  oracle:
+                    description: Oracle configures this store to sync secrets using
+                      Oracle Vault provider
+                    properties:
+                      auth:
+                        description: Auth configures how secret-manager authenticates
+                          with the Oracle Vault. If empty, use the instance principal,
+                          otherwise the user credentials specified in Auth.
+                        properties:
+                          secretRef:
+                            description: SecretRef to pass through sensitive information.
+                            properties:
+                              fingerprint:
+                                description: Fingerprint is the fingerprint of the
+                                  API private key.
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                              privatekey:
+                                description: PrivateKey is the user's API Signing
+                                  Key in PEM format, used for authentication.
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                            required:
+                            - fingerprint
+                            - privatekey
+                            type: object
+                          tenancy:
+                            description: Tenancy is the tenancy OCID where user is
+                              located.
+                            type: string
+                          user:
+                            description: User is an access OCID specific to the account.
+                            type: string
+                        required:
+                        - secretRef
+                        - tenancy
+                        - user
+                        type: object
+                      region:
+                        description: Region is the region where vault is located.
+                        type: string
+                      vault:
+                        description: Vault is the vault's OCID of the specific vault
+                          where secret is located.
+                        type: string
+                    required:
+                    - region
+                    - vault
+                    type: object
+                  vault:
+                    description: Vault configures this store to sync secrets using
+                      Hashi provider
+                    properties:
+                      auth:
+                        description: Auth configures how secret-manager authenticates
+                          with the Vault server.
+                        properties:
+                          appRole:
+                            description: AppRole authenticates with Vault using the
+                              App Role auth mechanism, with the role and secret stored
+                              in a Kubernetes Secret resource.
+                            properties:
+                              path:
+                                default: approle
+                                description: 'Path where the App Role authentication
+                                  backend is mounted in Vault, e.g: "approle"'
+                                type: string
+                              roleId:
+                                description: RoleID configured in the App Role authentication
+                                  backend when setting up the authentication backend
+                                  in Vault.
+                                type: string
+                              secretRef:
+                                description: Reference to a key in a Secret that contains
+                                  the App Role secret used to authenticate with Vault.
+                                  The `key` field must be specified and denotes which
+                                  entry within the Secret resource is used as the
+                                  app role secret.
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                            required:
+                            - path
+                            - roleId
+                            - secretRef
+                            type: object
+                          cert:
+                            description: Cert authenticates with TLS Certificates
+                              by passing client certificate, private key and ca certificate
+                              Cert authentication method
+                            properties:
+                              clientCert:
+                                description: ClientCert is a certificate to authenticate
+                                  using the Cert Vault authentication method
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                              secretRef:
+                                description: SecretRef to a key in a Secret resource
+                                  containing client private key to authenticate with
+                                  Vault using the Cert authentication method
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                            type: object
+                          jwt:
+                            description: Jwt authenticates with Vault by passing role
+                              and JWT token using the JWT/OIDC authentication method
+                            properties:
+                              path:
+                                default: jwt
+                                description: 'Path where the JWT authentication backend
+                                  is mounted in Vault, e.g: "jwt"'
+                                type: string
+                              role:
+                                description: Role is a JWT role to authenticate using
+                                  the JWT/OIDC Vault authentication method
+                                type: string
+                              secretRef:
+                                description: SecretRef to a key in a Secret resource
+                                  containing JWT token to authenticate with Vault
+                                  using the JWT/OIDC authentication method
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                            required:
+                            - path
+                            type: object
+                          kubernetes:
+                            description: Kubernetes authenticates with Vault by passing
+                              the ServiceAccount token stored in the named Secret
+                              resource to the Vault server.
+                            properties:
+                              mountPath:
+                                default: kubernetes
+                                description: 'Path where the Kubernetes authentication
+                                  backend is mounted in Vault, e.g: "kubernetes"'
+                                type: string
+                              role:
+                                description: A required field containing the Vault
+                                  Role to assume. A Role binds a Kubernetes ServiceAccount
+                                  with a set of Vault policies.
+                                type: string
+                              secretRef:
+                                description: Optional secret field containing a Kubernetes
+                                  ServiceAccount JWT used for authenticating with
+                                  Vault. If a name is specified without a key, `token`
+                                  is the default. If one is not specified, the one
+                                  bound to the controller will be used.
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                              serviceAccountRef:
+                                description: Optional service account field containing
+                                  the name of a kubernetes ServiceAccount. If the
+                                  service account is specified, the service account
+                                  secret token JWT will be used for authenticating
+                                  with Vault. If the service account selector is not
+                                  supplied, the secretRef will be used instead.
+                                properties:
+                                  name:
+                                    description: The name of the ServiceAccount resource
+                                      being referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                required:
+                                - name
+                                type: object
+                            required:
+                            - mountPath
+                            - role
+                            type: object
+                          ldap:
+                            description: Ldap authenticates with Vault by passing
+                              username/password pair using the LDAP authentication
+                              method
+                            properties:
+                              path:
+                                default: ldap
+                                description: 'Path where the LDAP authentication backend
+                                  is mounted in Vault, e.g: "ldap"'
+                                type: string
+                              secretRef:
+                                description: SecretRef to a key in a Secret resource
+                                  containing password for the LDAP user used to authenticate
+                                  with Vault using the LDAP authentication method
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                              username:
+                                description: Username is a LDAP user name used to
+                                  authenticate using the LDAP Vault authentication
+                                  method
+                                type: string
+                            required:
+                            - path
+                            - username
+                            type: object
+                          tokenSecretRef:
+                            description: TokenSecretRef authenticates with Vault by
+                              presenting a token.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: The name of the Secret resource being
+                                  referred to.
+                                type: string
+                              namespace:
+                                description: Namespace of the resource being referred
+                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
+                                  defaults to the namespace of the referent.
+                                type: string
+                            type: object
+                        type: object
+                      caBundle:
+                        description: PEM encoded CA bundle used to validate Vault
+                          server certificate. Only used if the Server URL is using
+                          HTTPS protocol. This parameter is ignored for plain HTTP
+                          protocol connection. If not set the system root certificates
+                          are used to validate the TLS connection.
+                        format: byte
+                        type: string
+                      caProvider:
+                        description: The provider for the CA bundle to use to validate
+                          Vault server certificate.
+                        properties:
+                          key:
+                            description: The key the value inside of the provider
+                              type to use, only used with "Secret" type
+                            type: string
+                          name:
+                            description: The name of the object located at the provider
+                              type.
+                            type: string
+                          namespace:
+                            description: The namespace the Provider type is in.
+                            type: string
+                          type:
+                            description: The type of provider to use such as "Secret",
+                              or "ConfigMap".
+                            enum:
+                            - Secret
+                            - ConfigMap
+                            type: string
+                        required:
+                        - name
+                        - type
+                        type: object
+                      forwardInconsistent:
+                        description: ForwardInconsistent tells Vault to forward read-after-write
+                          requests to the Vault leader instead of simply retrying
+                          within a loop. This can increase performance if the option
+                          is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+                        type: boolean
+                      namespace:
+                        description: 'Name of the vault namespace. Namespaces is a
+                          set of features within Vault Enterprise that allows Vault
+                          environments to support Secure Multi-tenancy. e.g: "ns1".
+                          More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
+                        type: string
+                      path:
+                        description: 'Path is the mount path of the Vault KV backend
+                          endpoint, e.g: "secret". The v2 KV secret engine version
+                          specific "/data" path suffix for fetching secrets from Vault
+                          is optional and will be appended if not present in specified
+                          path.'
+                        type: string
+                      readYourWrites:
+                        description: ReadYourWrites ensures isolated read-after-write
+                          semantics by providing discovered cluster replication states
+                          in each request. More information about eventual consistency
+                          in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
+                        type: boolean
+                      server:
+                        description: 'Server is the connection address for the Vault
+                          server, e.g: "https://vault.example.com:8200".'
+                        type: string
+                      version:
+                        default: v2
+                        description: Version is the Vault KV secret engine version.
+                          This can be either "v1" or "v2". Version defaults to "v2".
+                        enum:
+                        - v1
+                        - v2
+                        type: string
+                    required:
+                    - auth
+                    - server
+                    type: object
+                  webhook:
+                    description: Webhook configures this store to sync secrets using
+                      a generic templated webhook
+                    properties:
+                      body:
+                        description: Body
+                        type: string
+                      caBundle:
+                        description: PEM encoded CA bundle used to validate webhook
+                          server certificate. Only used if the Server URL is using
+                          HTTPS protocol. This parameter is ignored for plain HTTP
+                          protocol connection. If not set the system root certificates
+                          are used to validate the TLS connection.
+                        format: byte
+                        type: string
+                      caProvider:
+                        description: The provider for the CA bundle to use to validate
+                          webhook server certificate.
+                        properties:
+                          key:
+                            description: The key the value inside of the provider
+                              type to use, only used with "Secret" type
+                            type: string
+                          name:
+                            description: The name of the object located at the provider
+                              type.
+                            type: string
+                          namespace:
+                            description: The namespace the Provider type is in.
+                            type: string
+                          type:
+                            description: The type of provider to use such as "Secret",
+                              or "ConfigMap".
+                            enum:
+                            - Secret
+                            - ConfigMap
+                            type: string
+                        required:
+                        - name
+                        - type
+                        type: object
+                      headers:
+                        additionalProperties:
+                          type: string
+                        description: Headers
+                        type: object
+                      method:
+                        description: Webhook Method
+                        type: string
+                      result:
+                        description: Result formatting
+                        properties:
+                          jsonPath:
+                            description: Json path of return value
+                            type: string
+                        type: object
+                      secrets:
+                        description: Secrets to fill in templates These secrets will
+                          be passed to the templating function as key value pairs
+                          under the given name
+                        items:
+                          properties:
+                            name:
+                              description: Name of this secret in templates
+                              type: string
+                            secretRef:
+                              description: Secret ref to fill in credentials
+                              properties:
+                                key:
+                                  description: The key of the entry in the Secret
+                                    resource's `data` field to be used. Some instances
+                                    of this field may be defaulted, in others it may
+                                    be required.
+                                  type: string
+                                name:
+                                  description: The name of the Secret resource being
+                                    referred to.
+                                  type: string
+                                namespace:
+                                  description: Namespace of the resource being referred
+                                    to. Ignored if referent is not cluster-scoped.
+                                    cluster-scoped defaults to the namespace of the
+                                    referent.
+                                  type: string
+                              type: object
+                          required:
+                          - name
+                          - secretRef
+                          type: object
+                        type: array
+                      timeout:
+                        description: Timeout
+                        type: string
+                      url:
+                        description: Webhook url to call
+                        type: string
+                    required:
+                    - result
+                    - url
+                    type: object
+                  yandexlockbox:
+                    description: YandexLockbox configures this store to sync secrets
+                      using Yandex Lockbox provider
+                    properties:
+                      apiEndpoint:
+                        description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
+                        type: string
+                      auth:
+                        description: Auth defines the information necessary to authenticate
+                          against Yandex Lockbox
+                        properties:
+                          authorizedKeySecretRef:
+                            description: The authorized key used for authentication
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: The name of the Secret resource being
+                                  referred to.
+                                type: string
+                              namespace:
+                                description: Namespace of the resource being referred
+                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
+                                  defaults to the namespace of the referent.
+                                type: string
+                            type: object
+                        type: object
+                      caProvider:
+                        description: The provider for the CA bundle to use to validate
+                          Yandex.Cloud server certificate.
+                        properties:
+                          certSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource, In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: The name of the Secret resource being
+                                  referred to.
+                                type: string
+                              namespace:
+                                description: Namespace of the resource being referred
+                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
+                                  defaults to the namespace of the referent.
+                                type: string
+                            type: object
+                        type: object
+                    required:
+                    - auth
+                    type: object
+                type: object
+              retrySettings:
+                description: Used to configure http retries if failed
+                properties:
+                  maxRetries:
+                    format: int32
+                    type: integer
+                  retryInterval:
+                    type: string
+                type: object
+            required:
+            - provider
+            type: object
+          status:
+            description: SecretStoreStatus defines the observed state of the SecretStore.
+            properties:
+              conditions:
+                items:
+                  properties:
+                    lastTransitionTime:
+                      format: date-time
+                      type: string
+                    message:
+                      type: string
+                    reason:
+                      type: string
+                    status:
+                      type: string
+                    type:
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
     storage: true
     subresources:
       status: {}

+ 518 - 0
config/crds/bases/external-secrets.io_externalsecrets.yaml

@@ -0,0 +1,518 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: externalsecrets.external-secrets.io
+spec:
+  group: external-secrets.io
+  names:
+    categories:
+    - externalsecrets
+    kind: ExternalSecret
+    listKind: ExternalSecretList
+    plural: externalsecrets
+    shortNames:
+    - es
+    singular: externalsecret
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.secretStoreRef.name
+      name: Store
+      type: string
+    - jsonPath: .spec.refreshInterval
+      name: Refresh Interval
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].reason
+      name: Status
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: ExternalSecret is the Schema for the external-secrets API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ExternalSecretSpec defines the desired state of ExternalSecret.
+            properties:
+              data:
+                description: Data defines the connection between the Kubernetes Secret
+                  keys and the Provider data
+                items:
+                  description: ExternalSecretData defines the connection between the
+                    Kubernetes Secret key (spec.data.<key>) and the Provider data.
+                  properties:
+                    remoteRef:
+                      description: ExternalSecretDataRemoteRef defines Provider data
+                        location.
+                      properties:
+                        key:
+                          description: Key is the key used in the Provider, mandatory
+                          type: string
+                        property:
+                          description: Used to select a specific property of the Provider
+                            value (if a map), if supported
+                          type: string
+                        version:
+                          description: Used to select a specific version of the Provider
+                            value, if supported
+                          type: string
+                      required:
+                      - key
+                      type: object
+                    secretKey:
+                      type: string
+                  required:
+                  - remoteRef
+                  - secretKey
+                  type: object
+                type: array
+              dataFrom:
+                description: DataFrom is used to fetch all properties from a specific
+                  Provider data If multiple entries are specified, the Secret keys
+                  are merged in the specified order
+                items:
+                  description: ExternalSecretDataRemoteRef defines Provider data location.
+                  properties:
+                    key:
+                      description: Key is the key used in the Provider, mandatory
+                      type: string
+                    property:
+                      description: Used to select a specific property of the Provider
+                        value (if a map), if supported
+                      type: string
+                    version:
+                      description: Used to select a specific version of the Provider
+                        value, if supported
+                      type: string
+                  required:
+                  - key
+                  type: object
+                type: array
+              refreshInterval:
+                default: 1h
+                description: RefreshInterval is the amount of time before the values
+                  are read again from the SecretStore provider Valid time units are
+                  "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to
+                  fetch and create it once. Defaults to 1h.
+                type: string
+              secretStoreRef:
+                description: SecretStoreRef defines which SecretStore to fetch the
+                  ExternalSecret data.
+                properties:
+                  kind:
+                    description: Kind of the SecretStore resource (SecretStore or
+                      ClusterSecretStore) Defaults to `SecretStore`
+                    type: string
+                  name:
+                    description: Name of the SecretStore resource
+                    type: string
+                required:
+                - name
+                type: object
+              target:
+                description: ExternalSecretTarget defines the Kubernetes Secret to
+                  be created There can be only one target per ExternalSecret.
+                properties:
+                  creationPolicy:
+                    default: Owner
+                    description: CreationPolicy defines rules on how to create the
+                      resulting Secret Defaults to 'Owner'
+                    type: string
+                  immutable:
+                    description: Immutable defines if the final secret will be immutable
+                    type: boolean
+                  name:
+                    description: Name defines the name of the Secret resource to be
+                      managed This field is immutable Defaults to the .metadata.name
+                      of the ExternalSecret resource
+                    type: string
+                  template:
+                    description: Template defines a blueprint for the created Secret
+                      resource.
+                    properties:
+                      data:
+                        additionalProperties:
+                          type: string
+                        type: object
+                      engineVersion:
+                        default: v1
+                        description: EngineVersion specifies the template engine version
+                          that should be used to compile/execute the template specified
+                          in .data and .templateFrom[].
+                        type: string
+                      metadata:
+                        description: ExternalSecretTemplateMetadata defines metadata
+                          fields for the Secret blueprint.
+                        properties:
+                          annotations:
+                            additionalProperties:
+                              type: string
+                            type: object
+                          labels:
+                            additionalProperties:
+                              type: string
+                            type: object
+                        type: object
+                      templateFrom:
+                        items:
+                          maxProperties: 1
+                          minProperties: 1
+                          properties:
+                            configMap:
+                              properties:
+                                items:
+                                  items:
+                                    properties:
+                                      key:
+                                        type: string
+                                    required:
+                                    - key
+                                    type: object
+                                  type: array
+                                name:
+                                  type: string
+                              required:
+                              - items
+                              - name
+                              type: object
+                            secret:
+                              properties:
+                                items:
+                                  items:
+                                    properties:
+                                      key:
+                                        type: string
+                                    required:
+                                    - key
+                                    type: object
+                                  type: array
+                                name:
+                                  type: string
+                              required:
+                              - items
+                              - name
+                              type: object
+                          type: object
+                        type: array
+                      type:
+                        type: string
+                    type: object
+                type: object
+            required:
+            - secretStoreRef
+            - target
+            type: object
+          status:
+            properties:
+              conditions:
+                items:
+                  properties:
+                    lastTransitionTime:
+                      format: date-time
+                      type: string
+                    message:
+                      type: string
+                    reason:
+                      type: string
+                    status:
+                      type: string
+                    type:
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              refreshTime:
+                description: refreshTime is the time and date the external secret
+                  was fetched and the target secret updated
+                format: date-time
+                nullable: true
+                type: string
+              syncedResourceVersion:
+                description: SyncedResourceVersion keeps track of the last synced
+                  version
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .spec.secretStoreRef.name
+      name: Store
+      type: string
+    - jsonPath: .spec.refreshInterval
+      name: Refresh Interval
+      type: string
+    - jsonPath: .status.conditions[?(@.type=="Ready")].reason
+      name: Status
+      type: string
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: ExternalSecret is the Schema for the external-secrets API.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ExternalSecretSpec defines the desired state of ExternalSecret.
+            properties:
+              data:
+                description: Data defines the connection between the Kubernetes Secret
+                  keys and the Provider data
+                items:
+                  description: ExternalSecretData defines the connection between the
+                    Kubernetes Secret key (spec.data.<key>) and the Provider data.
+                  properties:
+                    remoteRef:
+                      description: ExternalSecretDataRemoteRef defines Provider data
+                        location.
+                      properties:
+                        key:
+                          description: Key is the key used in the Provider, mandatory
+                          type: string
+                        property:
+                          description: Used to select a specific property of the Provider
+                            value (if a map), if supported
+                          type: string
+                        version:
+                          description: Used to select a specific version of the Provider
+                            value, if supported
+                          type: string
+                      required:
+                      - key
+                      type: object
+                    secretKey:
+                      type: string
+                  required:
+                  - remoteRef
+                  - secretKey
+                  type: object
+                type: array
+              dataFrom:
+                description: DataFrom is used to fetch all properties from a specific
+                  Provider data If multiple entries are specified, the Secret keys
+                  are merged in the specified order
+                items:
+                  properties:
+                    extract:
+                      description: Used to extract multiple key/value pairs from one
+                        secret
+                      properties:
+                        key:
+                          description: Key is the key used in the Provider, mandatory
+                          type: string
+                        property:
+                          description: Used to select a specific property of the Provider
+                            value (if a map), if supported
+                          type: string
+                        version:
+                          description: Used to select a specific version of the Provider
+                            value, if supported
+                          type: string
+                      required:
+                      - key
+                      type: object
+                    find:
+                      description: Used to find secrets based on tags or regular expressions
+                      properties:
+                        name:
+                          description: Finds secrets based on the name.
+                          properties:
+                            regexp:
+                              description: Finds secrets base
+                              type: string
+                          type: object
+                        tags:
+                          additionalProperties:
+                            type: string
+                          description: Find secrets based on tags.
+                          type: object
+                      type: object
+                  type: object
+                type: array
+              refreshInterval:
+                default: 1h
+                description: RefreshInterval is the amount of time before the values
+                  are read again from the SecretStore provider Valid time units are
+                  "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to
+                  fetch and create it once. Defaults to 1h.
+                type: string
+              secretStoreRef:
+                description: SecretStoreRef defines which SecretStore to fetch the
+                  ExternalSecret data.
+                properties:
+                  kind:
+                    description: Kind of the SecretStore resource (SecretStore or
+                      ClusterSecretStore) Defaults to `SecretStore`
+                    type: string
+                  name:
+                    description: Name of the SecretStore resource
+                    type: string
+                required:
+                - name
+                type: object
+              target:
+                description: ExternalSecretTarget defines the Kubernetes Secret to
+                  be created There can be only one target per ExternalSecret.
+                properties:
+                  creationPolicy:
+                    default: Owner
+                    description: CreationPolicy defines rules on how to create the
+                      resulting Secret Defaults to 'Owner'
+                    type: string
+                  deletionPolicy:
+                    default: None
+                    description: DeletionPolicy defines rules on how to delete the
+                      resulting Secret Defaults to 'None'
+                    type: string
+                  immutable:
+                    description: Immutable defines if the final secret will be immutable
+                    type: boolean
+                  name:
+                    description: Name defines the name of the Secret resource to be
+                      managed This field is immutable Defaults to the .metadata.name
+                      of the ExternalSecret resource
+                    type: string
+                  template:
+                    description: Template defines a blueprint for the created Secret
+                      resource.
+                    properties:
+                      data:
+                        additionalProperties:
+                          type: string
+                        type: object
+                      engineVersion:
+                        default: v2
+                        type: string
+                      metadata:
+                        description: ExternalSecretTemplateMetadata defines metadata
+                          fields for the Secret blueprint.
+                        properties:
+                          annotations:
+                            additionalProperties:
+                              type: string
+                            type: object
+                          labels:
+                            additionalProperties:
+                              type: string
+                            type: object
+                        type: object
+                      templateFrom:
+                        items:
+                          maxProperties: 1
+                          minProperties: 1
+                          properties:
+                            configMap:
+                              properties:
+                                items:
+                                  items:
+                                    properties:
+                                      key:
+                                        type: string
+                                    required:
+                                    - key
+                                    type: object
+                                  type: array
+                                name:
+                                  type: string
+                              required:
+                              - items
+                              - name
+                              type: object
+                            secret:
+                              properties:
+                                items:
+                                  items:
+                                    properties:
+                                      key:
+                                        type: string
+                                    required:
+                                    - key
+                                    type: object
+                                  type: array
+                                name:
+                                  type: string
+                              required:
+                              - items
+                              - name
+                              type: object
+                          type: object
+                        type: array
+                      type:
+                        type: string
+                    type: object
+                type: object
+            required:
+            - secretStoreRef
+            - target
+            type: object
+          status:
+            properties:
+              conditions:
+                items:
+                  properties:
+                    lastTransitionTime:
+                      format: date-time
+                      type: string
+                    message:
+                      type: string
+                    reason:
+                      type: string
+                    status:
+                      type: string
+                    type:
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+              refreshTime:
+                description: refreshTime is the time and date the external secret
+                  was fetched and the target secret updated
+                format: date-time
+                nullable: true
+                type: string
+              syncedResourceVersion:
+                description: SyncedResourceVersion keeps track of the last synced
+                  version
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

+ 1306 - 0
deploy/crds/external-secrets.io_secretstores.yaml → config/crds/bases/external-secrets.io_secretstores.yaml

@@ -1321,6 +1321,1312 @@ spec:
             type: object
         type: object
     served: true
+    storage: false
+    subresources:
+      status: {}
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: AGE
+      type: date
+    - jsonPath: .status.conditions[?(@.type=="Ready")].reason
+      name: Status
+      type: string
+    name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: SecretStore represents a secure external location for storing
+          secrets, which can be referenced as part of `storeRef` fields.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: SecretStoreSpec defines the desired state of SecretStore.
+            properties:
+              controller:
+                description: 'Used to select the correct KES controller (think: ingress.ingressClassName)
+                  The KES controller is instantiated with a specific controller name
+                  and filters ES based on this property'
+                type: string
+              provider:
+                description: Used to configure the provider. Only one provider may
+                  be set
+                maxProperties: 1
+                minProperties: 1
+                properties:
+                  akeyless:
+                    description: Akeyless configures this store to sync secrets using
+                      Akeyless Vault provider
+                    properties:
+                      akeylessGWApiURL:
+                        description: Akeyless GW API Url from which the secrets to
+                          be fetched from.
+                        type: string
+                      authSecretRef:
+                        description: Auth configures how the operator authenticates
+                          with Akeyless.
+                        properties:
+                          secretRef:
+                            description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM:
+                              AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
+                            properties:
+                              accessID:
+                                description: The SecretAccessID is used for authentication
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                              accessType:
+                                description: A reference to a specific 'key' within
+                                  a Secret resource, In some instances, `key` is a
+                                  required field.
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                              accessTypeParam:
+                                description: A reference to a specific 'key' within
+                                  a Secret resource, In some instances, `key` is a
+                                  required field.
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                            type: object
+                        required:
+                        - secretRef
+                        type: object
+                    required:
+                    - akeylessGWApiURL
+                    - authSecretRef
+                    type: object
+                  alibaba:
+                    description: Alibaba configures this store to sync secrets using
+                      Alibaba Cloud provider
+                    properties:
+                      auth:
+                        description: AlibabaAuth contains a secretRef for credentials.
+                        properties:
+                          secretRef:
+                            description: AlibabaAuthSecretRef holds secret references
+                              for Alibaba credentials.
+                            properties:
+                              accessKeyIDSecretRef:
+                                description: The AccessKeyID is used for authentication
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                              accessKeySecretSecretRef:
+                                description: The AccessKeySecret is used for authentication
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                            required:
+                            - accessKeyIDSecretRef
+                            - accessKeySecretSecretRef
+                            type: object
+                        required:
+                        - secretRef
+                        type: object
+                      endpoint:
+                        type: string
+                      regionID:
+                        description: Alibaba Region to be used for the provider
+                        type: string
+                    required:
+                    - auth
+                    - regionID
+                    type: object
+                  aws:
+                    description: AWS configures this store to sync secrets using AWS
+                      Secret Manager provider
+                    properties:
+                      auth:
+                        description: 'Auth defines the information necessary to authenticate
+                          against AWS if not set aws sdk will infer credentials from
+                          your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                        properties:
+                          jwt:
+                            description: Authenticate against AWS using service account
+                              tokens.
+                            properties:
+                              serviceAccountRef:
+                                description: A reference to a ServiceAccount resource.
+                                properties:
+                                  name:
+                                    description: The name of the ServiceAccount resource
+                                      being referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                required:
+                                - name
+                                type: object
+                            type: object
+                          secretRef:
+                            description: AWSAuthSecretRef holds secret references
+                              for AWS credentials both AccessKeyID and SecretAccessKey
+                              must be defined in order to properly authenticate.
+                            properties:
+                              accessKeyIDSecretRef:
+                                description: The AccessKeyID is used for authentication
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                              secretAccessKeySecretRef:
+                                description: The SecretAccessKey is used for authentication
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                            type: object
+                        type: object
+                      region:
+                        description: AWS Region to be used for the provider
+                        type: string
+                      role:
+                        description: Role is a Role ARN which the SecretManager provider
+                          will assume
+                        type: string
+                      service:
+                        description: Service defines which service should be used
+                          to fetch the secrets
+                        enum:
+                        - SecretsManager
+                        - ParameterStore
+                        type: string
+                    required:
+                    - region
+                    - service
+                    type: object
+                  azurekv:
+                    description: AzureKV configures this store to sync secrets using
+                      Azure Key Vault provider
+                    properties:
+                      authSecretRef:
+                        description: Auth configures how the operator authenticates
+                          with Azure. Required for ServicePrincipal auth type.
+                        properties:
+                          clientId:
+                            description: The Azure clientId of the service principle
+                              used for authentication.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: The name of the Secret resource being
+                                  referred to.
+                                type: string
+                              namespace:
+                                description: Namespace of the resource being referred
+                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
+                                  defaults to the namespace of the referent.
+                                type: string
+                            type: object
+                          clientSecret:
+                            description: The Azure ClientSecret of the service principle
+                              used for authentication.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: The name of the Secret resource being
+                                  referred to.
+                                type: string
+                              namespace:
+                                description: Namespace of the resource being referred
+                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
+                                  defaults to the namespace of the referent.
+                                type: string
+                            type: object
+                        required:
+                        - clientId
+                        - clientSecret
+                        type: object
+                      authType:
+                        default: ServicePrincipal
+                        description: 'Auth type defines how to authenticate to the
+                          keyvault service. Valid values are: - "ServicePrincipal"
+                          (default): Using a service principal (tenantId, clientId,
+                          clientSecret) - "ManagedIdentity": Using Managed Identity
+                          assigned to the pod (see aad-pod-identity)'
+                        enum:
+                        - ServicePrincipal
+                        - ManagedIdentity
+                        type: string
+                      identityId:
+                        description: If multiple Managed Identity is assigned to the
+                          pod, you can select the one to be used
+                        type: string
+                      tenantId:
+                        description: TenantID configures the Azure Tenant to send
+                          requests to. Required for ServicePrincipal auth type.
+                        type: string
+                      vaultUrl:
+                        description: Vault Url from which the secrets to be fetched
+                          from.
+                        type: string
+                    required:
+                    - vaultUrl
+                    type: object
+                  fake:
+                    description: Fake configures a store with static key/value pairs
+                    properties:
+                      data:
+                        items:
+                          properties:
+                            key:
+                              type: string
+                            value:
+                              type: string
+                            valueMap:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            version:
+                              type: string
+                          required:
+                          - key
+                          type: object
+                        type: array
+                    required:
+                    - data
+                    type: object
+                  gcpsm:
+                    description: GCPSM configures this store to sync secrets using
+                      Google Cloud Platform Secret Manager provider
+                    properties:
+                      auth:
+                        description: Auth defines the information necessary to authenticate
+                          against GCP
+                        properties:
+                          secretRef:
+                            properties:
+                              secretAccessKeySecretRef:
+                                description: The SecretAccessKey is used for authentication
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                            type: object
+                          workloadIdentity:
+                            properties:
+                              clusterLocation:
+                                type: string
+                              clusterName:
+                                type: string
+                              serviceAccountRef:
+                                description: A reference to a ServiceAccount resource.
+                                properties:
+                                  name:
+                                    description: The name of the ServiceAccount resource
+                                      being referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                required:
+                                - name
+                                type: object
+                            required:
+                            - clusterLocation
+                            - clusterName
+                            - serviceAccountRef
+                            type: object
+                        type: object
+                      projectID:
+                        description: ProjectID project where secret is located
+                        type: string
+                    type: object
+                  gitlab:
+                    description: GItlab configures this store to sync secrets using
+                      Gitlab Variables provider
+                    properties:
+                      auth:
+                        description: Auth configures how secret-manager authenticates
+                          with a GitLab instance.
+                        properties:
+                          SecretRef:
+                            properties:
+                              accessToken:
+                                description: AccessToken is used for authentication.
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                            type: object
+                        required:
+                        - SecretRef
+                        type: object
+                      projectID:
+                        description: ProjectID specifies a project where secrets are
+                          located.
+                        type: string
+                      url:
+                        description: URL configures the GitLab instance URL. Defaults
+                          to https://gitlab.com/.
+                        type: string
+                    required:
+                    - auth
+                    type: object
+                  ibm:
+                    description: IBM configures this store to sync secrets using IBM
+                      Cloud provider
+                    properties:
+                      auth:
+                        description: Auth configures how secret-manager authenticates
+                          with the IBM secrets manager.
+                        properties:
+                          secretRef:
+                            properties:
+                              secretApiKeySecretRef:
+                                description: The SecretAccessKey is used for authentication
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                            type: object
+                        required:
+                        - secretRef
+                        type: object
+                      serviceUrl:
+                        description: ServiceURL is the Endpoint URL that is specific
+                          to the Secrets Manager service instance
+                        type: string
+                    required:
+                    - auth
+                    type: object
+                  kubernetes:
+                    description: Kubernetes configures this store to sync secrets
+                      using a Kubernetes cluster provider
+                    properties:
+                      auth:
+                        description: Auth configures how secret-manager authenticates
+                          with a Kubernetes instance.
+                        maxProperties: 1
+                        minProperties: 1
+                        properties:
+                          cert:
+                            description: has both clientCert and clientKey as secretKeySelector
+                            properties:
+                              clientCert:
+                                description: A reference to a specific 'key' within
+                                  a Secret resource, In some instances, `key` is a
+                                  required field.
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                              clientKey:
+                                description: A reference to a specific 'key' within
+                                  a Secret resource, In some instances, `key` is a
+                                  required field.
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                            type: object
+                          serviceAccount:
+                            description: points to a service account that should be
+                              used for authentication
+                            properties:
+                              serviceAccount:
+                                description: A reference to a ServiceAccount resource.
+                                properties:
+                                  name:
+                                    description: The name of the ServiceAccount resource
+                                      being referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                required:
+                                - name
+                                type: object
+                            type: object
+                          token:
+                            description: use static token to authenticate with
+                            properties:
+                              bearerToken:
+                                description: A reference to a specific 'key' within
+                                  a Secret resource, In some instances, `key` is a
+                                  required field.
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                            type: object
+                        type: object
+                      remoteNamespace:
+                        default: default
+                        description: Remote namespace to fetch the secrets from
+                        type: string
+                      server:
+                        description: configures the Kubernetes server Address.
+                        properties:
+                          caBundle:
+                            description: CABundle is a base64-encoded CA certificate
+                            format: byte
+                            type: string
+                          caProvider:
+                            description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
+                            properties:
+                              key:
+                                description: The key the value inside of the provider
+                                  type to use, only used with "Secret" type
+                                type: string
+                              name:
+                                description: The name of the object located at the
+                                  provider type.
+                                type: string
+                              namespace:
+                                description: The namespace the Provider type is in.
+                                type: string
+                              type:
+                                description: The type of provider to use such as "Secret",
+                                  or "ConfigMap".
+                                enum:
+                                - Secret
+                                - ConfigMap
+                                type: string
+                            required:
+                            - name
+                            - type
+                            type: object
+                          url:
+                            default: kubernetes.default
+                            description: configures the Kubernetes server Address.
+                            type: string
+                        type: object
+                    required:
+                    - auth
+                    type: object
+                  oracle:
+                    description: Oracle configures this store to sync secrets using
+                      Oracle Vault provider
+                    properties:
+                      auth:
+                        description: Auth configures how secret-manager authenticates
+                          with the Oracle Vault. If empty, use the instance principal,
+                          otherwise the user credentials specified in Auth.
+                        properties:
+                          secretRef:
+                            description: SecretRef to pass through sensitive information.
+                            properties:
+                              fingerprint:
+                                description: Fingerprint is the fingerprint of the
+                                  API private key.
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                              privatekey:
+                                description: PrivateKey is the user's API Signing
+                                  Key in PEM format, used for authentication.
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                            required:
+                            - fingerprint
+                            - privatekey
+                            type: object
+                          tenancy:
+                            description: Tenancy is the tenancy OCID where user is
+                              located.
+                            type: string
+                          user:
+                            description: User is an access OCID specific to the account.
+                            type: string
+                        required:
+                        - secretRef
+                        - tenancy
+                        - user
+                        type: object
+                      region:
+                        description: Region is the region where vault is located.
+                        type: string
+                      vault:
+                        description: Vault is the vault's OCID of the specific vault
+                          where secret is located.
+                        type: string
+                    required:
+                    - region
+                    - vault
+                    type: object
+                  vault:
+                    description: Vault configures this store to sync secrets using
+                      Hashi provider
+                    properties:
+                      auth:
+                        description: Auth configures how secret-manager authenticates
+                          with the Vault server.
+                        properties:
+                          appRole:
+                            description: AppRole authenticates with Vault using the
+                              App Role auth mechanism, with the role and secret stored
+                              in a Kubernetes Secret resource.
+                            properties:
+                              path:
+                                default: approle
+                                description: 'Path where the App Role authentication
+                                  backend is mounted in Vault, e.g: "approle"'
+                                type: string
+                              roleId:
+                                description: RoleID configured in the App Role authentication
+                                  backend when setting up the authentication backend
+                                  in Vault.
+                                type: string
+                              secretRef:
+                                description: Reference to a key in a Secret that contains
+                                  the App Role secret used to authenticate with Vault.
+                                  The `key` field must be specified and denotes which
+                                  entry within the Secret resource is used as the
+                                  app role secret.
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                            required:
+                            - path
+                            - roleId
+                            - secretRef
+                            type: object
+                          cert:
+                            description: Cert authenticates with TLS Certificates
+                              by passing client certificate, private key and ca certificate
+                              Cert authentication method
+                            properties:
+                              clientCert:
+                                description: ClientCert is a certificate to authenticate
+                                  using the Cert Vault authentication method
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                              secretRef:
+                                description: SecretRef to a key in a Secret resource
+                                  containing client private key to authenticate with
+                                  Vault using the Cert authentication method
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                            type: object
+                          jwt:
+                            description: Jwt authenticates with Vault by passing role
+                              and JWT token using the JWT/OIDC authentication method
+                            properties:
+                              path:
+                                default: jwt
+                                description: 'Path where the JWT authentication backend
+                                  is mounted in Vault, e.g: "jwt"'
+                                type: string
+                              role:
+                                description: Role is a JWT role to authenticate using
+                                  the JWT/OIDC Vault authentication method
+                                type: string
+                              secretRef:
+                                description: SecretRef to a key in a Secret resource
+                                  containing JWT token to authenticate with Vault
+                                  using the JWT/OIDC authentication method
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                            required:
+                            - path
+                            type: object
+                          kubernetes:
+                            description: Kubernetes authenticates with Vault by passing
+                              the ServiceAccount token stored in the named Secret
+                              resource to the Vault server.
+                            properties:
+                              mountPath:
+                                default: kubernetes
+                                description: 'Path where the Kubernetes authentication
+                                  backend is mounted in Vault, e.g: "kubernetes"'
+                                type: string
+                              role:
+                                description: A required field containing the Vault
+                                  Role to assume. A Role binds a Kubernetes ServiceAccount
+                                  with a set of Vault policies.
+                                type: string
+                              secretRef:
+                                description: Optional secret field containing a Kubernetes
+                                  ServiceAccount JWT used for authenticating with
+                                  Vault. If a name is specified without a key, `token`
+                                  is the default. If one is not specified, the one
+                                  bound to the controller will be used.
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                              serviceAccountRef:
+                                description: Optional service account field containing
+                                  the name of a kubernetes ServiceAccount. If the
+                                  service account is specified, the service account
+                                  secret token JWT will be used for authenticating
+                                  with Vault. If the service account selector is not
+                                  supplied, the secretRef will be used instead.
+                                properties:
+                                  name:
+                                    description: The name of the ServiceAccount resource
+                                      being referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                required:
+                                - name
+                                type: object
+                            required:
+                            - mountPath
+                            - role
+                            type: object
+                          ldap:
+                            description: Ldap authenticates with Vault by passing
+                              username/password pair using the LDAP authentication
+                              method
+                            properties:
+                              path:
+                                default: ldap
+                                description: 'Path where the LDAP authentication backend
+                                  is mounted in Vault, e.g: "ldap"'
+                                type: string
+                              secretRef:
+                                description: SecretRef to a key in a Secret resource
+                                  containing password for the LDAP user used to authenticate
+                                  with Vault using the LDAP authentication method
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret
+                                      resource's `data` field to be used. Some instances
+                                      of this field may be defaulted, in others it
+                                      may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being
+                                      referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred
+                                      to. Ignored if referent is not cluster-scoped.
+                                      cluster-scoped defaults to the namespace of
+                                      the referent.
+                                    type: string
+                                type: object
+                              username:
+                                description: Username is a LDAP user name used to
+                                  authenticate using the LDAP Vault authentication
+                                  method
+                                type: string
+                            required:
+                            - path
+                            - username
+                            type: object
+                          tokenSecretRef:
+                            description: TokenSecretRef authenticates with Vault by
+                              presenting a token.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: The name of the Secret resource being
+                                  referred to.
+                                type: string
+                              namespace:
+                                description: Namespace of the resource being referred
+                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
+                                  defaults to the namespace of the referent.
+                                type: string
+                            type: object
+                        type: object
+                      caBundle:
+                        description: PEM encoded CA bundle used to validate Vault
+                          server certificate. Only used if the Server URL is using
+                          HTTPS protocol. This parameter is ignored for plain HTTP
+                          protocol connection. If not set the system root certificates
+                          are used to validate the TLS connection.
+                        format: byte
+                        type: string
+                      caProvider:
+                        description: The provider for the CA bundle to use to validate
+                          Vault server certificate.
+                        properties:
+                          key:
+                            description: The key the value inside of the provider
+                              type to use, only used with "Secret" type
+                            type: string
+                          name:
+                            description: The name of the object located at the provider
+                              type.
+                            type: string
+                          namespace:
+                            description: The namespace the Provider type is in.
+                            type: string
+                          type:
+                            description: The type of provider to use such as "Secret",
+                              or "ConfigMap".
+                            enum:
+                            - Secret
+                            - ConfigMap
+                            type: string
+                        required:
+                        - name
+                        - type
+                        type: object
+                      forwardInconsistent:
+                        description: ForwardInconsistent tells Vault to forward read-after-write
+                          requests to the Vault leader instead of simply retrying
+                          within a loop. This can increase performance if the option
+                          is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+                        type: boolean
+                      namespace:
+                        description: 'Name of the vault namespace. Namespaces is a
+                          set of features within Vault Enterprise that allows Vault
+                          environments to support Secure Multi-tenancy. e.g: "ns1".
+                          More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
+                        type: string
+                      path:
+                        description: 'Path is the mount path of the Vault KV backend
+                          endpoint, e.g: "secret". The v2 KV secret engine version
+                          specific "/data" path suffix for fetching secrets from Vault
+                          is optional and will be appended if not present in specified
+                          path.'
+                        type: string
+                      readYourWrites:
+                        description: ReadYourWrites ensures isolated read-after-write
+                          semantics by providing discovered cluster replication states
+                          in each request. More information about eventual consistency
+                          in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
+                        type: boolean
+                      server:
+                        description: 'Server is the connection address for the Vault
+                          server, e.g: "https://vault.example.com:8200".'
+                        type: string
+                      version:
+                        default: v2
+                        description: Version is the Vault KV secret engine version.
+                          This can be either "v1" or "v2". Version defaults to "v2".
+                        enum:
+                        - v1
+                        - v2
+                        type: string
+                    required:
+                    - auth
+                    - server
+                    type: object
+                  webhook:
+                    description: Webhook configures this store to sync secrets using
+                      a generic templated webhook
+                    properties:
+                      body:
+                        description: Body
+                        type: string
+                      caBundle:
+                        description: PEM encoded CA bundle used to validate webhook
+                          server certificate. Only used if the Server URL is using
+                          HTTPS protocol. This parameter is ignored for plain HTTP
+                          protocol connection. If not set the system root certificates
+                          are used to validate the TLS connection.
+                        format: byte
+                        type: string
+                      caProvider:
+                        description: The provider for the CA bundle to use to validate
+                          webhook server certificate.
+                        properties:
+                          key:
+                            description: The key the value inside of the provider
+                              type to use, only used with "Secret" type
+                            type: string
+                          name:
+                            description: The name of the object located at the provider
+                              type.
+                            type: string
+                          namespace:
+                            description: The namespace the Provider type is in.
+                            type: string
+                          type:
+                            description: The type of provider to use such as "Secret",
+                              or "ConfigMap".
+                            enum:
+                            - Secret
+                            - ConfigMap
+                            type: string
+                        required:
+                        - name
+                        - type
+                        type: object
+                      headers:
+                        additionalProperties:
+                          type: string
+                        description: Headers
+                        type: object
+                      method:
+                        description: Webhook Method
+                        type: string
+                      result:
+                        description: Result formatting
+                        properties:
+                          jsonPath:
+                            description: Json path of return value
+                            type: string
+                        type: object
+                      secrets:
+                        description: Secrets to fill in templates These secrets will
+                          be passed to the templating function as key value pairs
+                          under the given name
+                        items:
+                          properties:
+                            name:
+                              description: Name of this secret in templates
+                              type: string
+                            secretRef:
+                              description: Secret ref to fill in credentials
+                              properties:
+                                key:
+                                  description: The key of the entry in the Secret
+                                    resource's `data` field to be used. Some instances
+                                    of this field may be defaulted, in others it may
+                                    be required.
+                                  type: string
+                                name:
+                                  description: The name of the Secret resource being
+                                    referred to.
+                                  type: string
+                                namespace:
+                                  description: Namespace of the resource being referred
+                                    to. Ignored if referent is not cluster-scoped.
+                                    cluster-scoped defaults to the namespace of the
+                                    referent.
+                                  type: string
+                              type: object
+                          required:
+                          - name
+                          - secretRef
+                          type: object
+                        type: array
+                      timeout:
+                        description: Timeout
+                        type: string
+                      url:
+                        description: Webhook url to call
+                        type: string
+                    required:
+                    - result
+                    - url
+                    type: object
+                  yandexlockbox:
+                    description: YandexLockbox configures this store to sync secrets
+                      using Yandex Lockbox provider
+                    properties:
+                      apiEndpoint:
+                        description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
+                        type: string
+                      auth:
+                        description: Auth defines the information necessary to authenticate
+                          against Yandex Lockbox
+                        properties:
+                          authorizedKeySecretRef:
+                            description: The authorized key used for authentication
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: The name of the Secret resource being
+                                  referred to.
+                                type: string
+                              namespace:
+                                description: Namespace of the resource being referred
+                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
+                                  defaults to the namespace of the referent.
+                                type: string
+                            type: object
+                        type: object
+                      caProvider:
+                        description: The provider for the CA bundle to use to validate
+                          Yandex.Cloud server certificate.
+                        properties:
+                          certSecretRef:
+                            description: A reference to a specific 'key' within a
+                              Secret resource, In some instances, `key` is a required
+                              field.
+                            properties:
+                              key:
+                                description: The key of the entry in the Secret resource's
+                                  `data` field to be used. Some instances of this
+                                  field may be defaulted, in others it may be required.
+                                type: string
+                              name:
+                                description: The name of the Secret resource being
+                                  referred to.
+                                type: string
+                              namespace:
+                                description: Namespace of the resource being referred
+                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
+                                  defaults to the namespace of the referent.
+                                type: string
+                            type: object
+                        type: object
+                    required:
+                    - auth
+                    type: object
+                type: object
+              retrySettings:
+                description: Used to configure http retries if failed
+                properties:
+                  maxRetries:
+                    format: int32
+                    type: integer
+                  retryInterval:
+                    type: string
+                type: object
+            required:
+            - provider
+            type: object
+          status:
+            description: SecretStoreStatus defines the observed state of the SecretStore.
+            properties:
+              conditions:
+                items:
+                  properties:
+                    lastTransitionTime:
+                      format: date-time
+                      type: string
+                    message:
+                      type: string
+                    reason:
+                      type: string
+                    status:
+                      type: string
+                    type:
+                      type: string
+                  required:
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
     storage: true
     subresources:
       status: {}

+ 52 - 0
deploy/charts/external-secrets/README.md

@@ -35,6 +35,31 @@ The command removes all the Kubernetes components associated with the chart and
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | affinity | object | `{}` |  |
+| certController.affinity | object | `{}` |  |
+| certController.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
+| certController.extraArgs | object | `{}` |  |
+| certController.extraEnv | list | `[]` |  |
+| certController.fullnameOverride | string | `""` |  |
+| certController.image.pullPolicy | string | `"IfNotPresent"` |  |
+| certController.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` |  |
+| certController.image.tag | string | `""` |  |
+| certController.imagePullSecrets | list | `[]` |  |
+| certController.nameOverride | string | `""` |  |
+| certController.nodeSelector | object | `{}` |  |
+| certController.podAnnotations | object | `{}` | Annotations to add to Pod |
+| certController.podLabels | object | `{}` |  |
+| certController.podSecurityContext | object | `{}` |  |
+| certController.priorityClassName | string | `""` | Pod priority class name. |
+| certController.prometheus.enabled | bool | `false` | Specifies whether to expose Service resource for collecting Prometheus metrics |
+| certController.prometheus.service.port | int | `8080` |  |
+| certController.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
+| certController.requeueInterval | string | `"5m"` |  |
+| certController.resources | object | `{}` |  |
+| certController.securityContext | object | `{}` |  |
+| certController.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
+| certController.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
+| certController.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
+| certController.tolerations | list | `[]` |  |
 | concurrent | int | `1` | Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at a time. |
 | controllerClass | string | `""` | If set external secrets will filter matching Secret Stores with the appropriate controller values. |
 | deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
@@ -64,3 +89,30 @@ The command removes all the Kubernetes components associated with the chart and
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
 | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
 | tolerations | list | `[]` |  |
+| webhook.affinity | object | `{}` |  |
+| webhook.certCheckInterval | string | `"5m"` |  |
+| webhook.certDir | string | `"/tmp/certs"` |  |
+| webhook.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
+| webhook.extraArgs | object | `{}` |  |
+| webhook.extraEnv | list | `[]` |  |
+| webhook.fullnameOverride | string | `""` |  |
+| webhook.image.pullPolicy | string | `"IfNotPresent"` |  |
+| webhook.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` |  |
+| webhook.image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
+| webhook.imagePullSecrets | list | `[]` |  |
+| webhook.nameOverride | string | `""` |  |
+| webhook.nodeSelector | object | `{}` |  |
+| webhook.podAnnotations | object | `{}` | Annotations to add to Pod |
+| webhook.podLabels | object | `{}` |  |
+| webhook.podSecurityContext | object | `{}` |  |
+| webhook.priorityClassName | string | `""` | Pod priority class name. |
+| webhook.prometheus.enabled | bool | `false` | Specifies whether to expose Service resource for collecting Prometheus metrics |
+| webhook.prometheus.service.port | int | `8080` |  |
+| webhook.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
+| webhook.replicaCount | int | `1` |  |
+| webhook.resources | object | `{}` |  |
+| webhook.securityContext | object | `{}` |  |
+| webhook.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
+| webhook.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
+| webhook.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
+| webhook.tolerations | list | `[]` |  |

+ 49 - 1
deploy/charts/external-secrets/templates/_helpers.tpl

@@ -42,6 +42,24 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 
+{{- define "external-secrets-webhook.labels" -}}
+helm.sh/chart: {{ include "external-secrets.chart" . }}
+{{ include "external-secrets-webhook.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{- define "external-secrets-cert-controller.labels" -}}
+helm.sh/chart: {{ include "external-secrets.chart" . }}
+{{ include "external-secrets-cert-controller.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
 {{/*
 Selector labels
 */}}
@@ -49,7 +67,14 @@ Selector labels
 app.kubernetes.io/name: {{ include "external-secrets.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
-
+{{- define "external-secrets-webhook.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "external-secrets.name" . }}-webhook
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+{{- define "external-secrets-cert-controller.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "external-secrets.name" . }}-cert-controller
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
 {{/*
 Create the name of the service account to use
 */}}
@@ -60,3 +85,26 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "external-secrets-webhook.serviceAccountName" -}}
+{{- if .Values.webhook.serviceAccount.create }}
+{{- default "external-secrets-webhook" .Values.webhook.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.webhook.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "external-secrets-cert-controller.serviceAccountName" -}}
+{{- if .Values.certController.serviceAccount.create }}
+{{- default "external-secrets-cert-controller" .Values.certController.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.certController.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
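Review bot: The two new `serviceAccountName` helpers in the last hunk reuse the comment header `Create the name of the service account to use` verbatim from the existing helper, so the three blocks read as copies of each other. Name the component in each header, e.g. `Create the name of the webhook service account to use` and `Create the name of the cert-controller service account to use`. In the second hunk the blank line that separated `external-secrets.selectorLabels` from the following comment block is removed while the new `selectorLabels` defines are run together without separation; keeping one blank line between defines would match the first hunk.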

+ 86 - 0
deploy/charts/external-secrets/templates/cert-controller-deployment.yaml

@@ -0,0 +1,86 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "external-secrets.fullname" . }}-cert-controller
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
+  {{- with .Values.certController.deploymentAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "external-secrets-cert-controller.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.certController.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "external-secrets-cert-controller.selectorLabels" . | nindent 8 }}
+        {{- with .Values.certController.podLabels }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.certController.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "external-secrets-cert-controller.serviceAccountName" . }}
+      {{- with .Values.certController.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: cert-controller
+          {{- with .Values.certController.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          image: "{{ .Values.certController.image.repository }}:{{ .Values.certController.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.certController.image.pullPolicy }}
+          args:
+          - certcontroller
+          - --crd-requeue-interval={{ .Values.certController.requeueInterval }}
+          - --service-name={{ include "external-secrets.fullname" . }}-webhook
+          - --service-namespace={{ .Release.Namespace }}
+          - --secret-name={{ include "external-secrets.fullname" . }}-webhook
+          - --secret-namespace={{ .Release.Namespace }}
+          {{- range $key, $value := .Values.certController.extraArgs }}
+            {{- if $value }}
+          - --{{ $key }}={{ $value }}
+            {{- else }}
+          - --{{ $key }}
+            {{- end }}
+          {{- end }}
+          ports:
+            - containerPort: {{ .Values.certController.prometheus.service.port }}
+              protocol: TCP
+              name: metrics
+          {{- with .Values.certController.extraEnv }}
+          env:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.certController.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+      {{- with .Values.certController.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.certController.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.certController.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.certController.priorityClassName }}
+      priorityClassName: {{ .Values.certController.priorityClassName }}
+      {{- end }}
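Review bot: `replicas: 1` is hard-coded at the top of the spec while the webhook deployment in this PR reads `.Values.webhook.replicaCount`. If a single replica is deliberate, which looks likely since this controller is pointed at one Secret via `--secret-name`/`--secret-namespace` and concurrent writers would race on it, say so inline, e.g. `replicas: 1 # single writer of the webhook serving Secret; intentionally not exposed in values`; otherwise expose it the same way as the webhook. The metrics `containerPort` is always declared even when `certController.prometheus.enabled` is false, which is harmless but differs from the Service, which is guarded.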

+ 44 - 0
deploy/charts/external-secrets/templates/cert-controller-rbac.yaml

@@ -0,0 +1,44 @@
+{{- if .Values.certController.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "external-secrets.fullname" . }}-cert-controller
+  labels:
+    {{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+    - "apiextensions.k8s.io"
+    resources:
+    - "customresourcedefinitions"
+    verbs:
+    - "get"
+    - "list"
+    - "watch"
+    - "update"
+    - "patch"
+  - apiGroups:
+    - ""
+    resources:
+    - "secrets"
+    verbs:
+    - "get"
+    - "list"
+    - "watch"
+    - "update"
+    - "patch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "external-secrets.fullname" . }}-cert-controller
+  labels:
+    {{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "external-secrets.fullname" . }}-cert-controller
+subjects:
+  - name: {{ include "external-secrets-cert-controller.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace | quote }}
+    kind: ServiceAccount
+{{- end }}
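Review bot: The second rule of the ClusterRole grants get/list/watch/update/patch on every Secret in every namespace, while cert-controller-deployment.yaml only points the controller at one Secret in `.Release.Namespace`. Keeping only the cluster-scoped `customresourcedefinitions` rule in the ClusterRole and moving the `secrets` rule into a namespaced Role/RoleBinding in the release namespace confines what a compromised cert-controller pod can read or rewrite; narrowing further with `resourceNames` is possible for get/update/patch but would break list/watch if the controller uses an informer, so confirm that against the controller code first. Whether the controller also needs `create` is not visible here; the chart pre-creates the Secret in webhook-secret.yaml, so it probably does not.
```yaml
# … unchanged: ClusterRole with only the customresourcedefinitions rule …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "external-secrets.fullname" . }}-cert-controller
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
rules:
  - apiGroups:
    - ""
    resources:
    - "secrets"
    verbs:
    - "get"
    - "list"
    - "watch"
    - "update"
    - "patch"
# … unchanged: ClusterRoleBinding for the ClusterRole …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "external-secrets.fullname" . }}-cert-controller
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "external-secrets.fullname" . }}-cert-controller
subjects:
  - name: {{ include "external-secrets-cert-controller.serviceAccountName" . }}
    namespace: {{ .Release.Namespace | quote }}
    kind: ServiceAccount
```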

+ 20 - 0
deploy/charts/external-secrets/templates/cert-controller-service.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.certController.prometheus.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "external-secrets.fullname" . }}-cert-controller-metrics
+  labels:
+    {{- include "external-secrets.labels" . | nindent 4 }}
+  annotations:
+    prometheus.io/path: "/metrics"
+    prometheus.io/scrape: "true"
+    prometheus.io/port: {{ .Values.certController.prometheus.service.port | quote }}
+spec:
+  type: ClusterIP
+  ports:
+  - port: {{ .Values.certController.prometheus.service.port }}
+    protocol: TCP
+    name: metrics
+  selector:
+    {{- include "external-secrets-cert-controller.selectorLabels" . | nindent 4 }}
+{{- end }}
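Review bot: The metrics Service's `labels` are rendered from `external-secrets.labels`, i.e. the main controller's label set, while its `selector` and every other cert-controller manifest in this PR (deployment, RBAC, service account) use the `external-secrets-cert-controller.*` helpers. Anything that selects or groups objects by `app.kubernetes.io/name` will file this Service under the wrong component. Use `{{- include "external-secrets-cert-controller.labels" . | nindent 4 }}` here, matching how webhook-service.yaml uses its own component's labels.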

+ 13 - 0
deploy/charts/external-secrets/templates/cert-controller-serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.certController.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "external-secrets-cert-controller.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
+  {{- with .Values.certController.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

+ 100 - 0
deploy/charts/external-secrets/templates/webhook-deployment.yaml

@@ -0,0 +1,100 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "external-secrets.fullname" . }}-webhook
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "external-secrets-webhook.labels" . | nindent 4 }}
+  {{- with .Values.webhook.deploymentAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: {{ .Values.webhook.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "external-secrets-webhook.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.webhook.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "external-secrets-webhook.selectorLabels" . | nindent 8 }}
+        {{- with .Values.webhook.podLabels }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.webhook.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "external-secrets-webhook.serviceAccountName" . }}
+      {{- with .Values.webhook.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: webhook
+          {{- with .Values.webhook.securityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          image: "{{ .Values.webhook.image.repository }}:{{ .Values.webhook.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
+          args:
+          - webhook
+          - --dns-name={{ include "external-secrets.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
+          - --cert-dir={{ .Values.webhook.certDir }}
+          - --check-interval={{ .Values.webhook.certCheckInterval }}
+          {{- range $key, $value := .Values.webhook.extraArgs }}
+            {{- if $value }}
+          - --{{ $key }}={{ $value }}
+            {{- else }}
+          - --{{ $key }}
+            {{- end }}
+          {{- end }}
+          ports:
+            - containerPort: {{ .Values.webhook.prometheus.service.port }}
+              protocol: TCP
+              name: metrics
+            - containerPort: 9443
+              protocol: TCP
+              name: webhook
+          readinessProbe:
+            tcpSocket:
+              port: 9443
+            initialDelaySeconds: 20
+            periodSeconds: 5
+          {{- with .Values.webhook.extraEnv }}
+          env:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.webhook.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+          - name: certs
+            mountPath: {{ .Values.webhook.certDir }}
+            readOnly: true
+      volumes:
+      - name: certs
+        secret:
+          secretName: {{ include "external-secrets.fullname" . }}-webhook
+      {{- with .Values.webhook.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.webhook.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.webhook.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.webhook.priorityClassName }}
+      priorityClassName: {{ .Values.webhook.priorityClassName }}
+      {{- end }}
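Review bot: The webhook listen port 9443 is hard-coded twice here (the `webhook` container port and the `readinessProbe`) and a third time as `targetPort` in webhook-service.yaml, with nothing tying them together; a single chart value, or at least a comment at the first occurrence such as `# must match the port the webhook binary listens on; keep in sync with webhook-service.yaml`, would stop them drifting apart. The readiness probe is a bare TCP check, so a pod is marked ready as soon as something listens on 9443; whether the binary only binds after it has loaded the certificate from `--cert-dir` is not visible in this PR and is worth confirming, since otherwise the API server may route conversion requests to a pod that cannot yet complete a TLS handshake. Mounting the certificate Secret `readOnly: true` is the right choice.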

+ 7 - 0
deploy/charts/external-secrets/templates/webhook-secret.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "external-secrets.fullname" . }}-webhook
+  labels:
+    {{- include "external-secrets-webhook.labels" . | nindent 4 }}
+    external-secrets.io/component : webhook
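Review bot: This Secret is rendered with no `data` and no `type`, and nothing in the file says who populates it; from cert-controller-deployment.yaml it is the target of `--secret-name`/`--secret-namespace`, so a comment above `apiVersion:` such as `# Placeholder owned by Helm; the cert-controller writes the webhook serving certificate into this Secret` would explain the empty object to anyone reading the chart or a rendered diff. The label line `external-secrets.io/component : webhook` carries a space before the colon (repeated in webhook-service.yaml); YAML accepts it, but `external-secrets.io/component: webhook` matches the rest of the chart.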

+ 28 - 0
deploy/charts/external-secrets/templates/webhook-service.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "external-secrets.fullname" . }}-webhook
+  labels:
+    {{- include "external-secrets-webhook.labels" . | nindent 4 }}
+    external-secrets.io/component : webhook
+  {{- if .Values.webhook.prometheus.enabled}}
+  annotations:
+    prometheus.io/path: "/metrics"
+    prometheus.io/scrape: "true"
+    prometheus.io/port: {{ .Values.prometheus.service.port | quote }}
+  {{- end }}
+spec:
+  type: ClusterIP
+  ports:
+  - port: 443
+    targetPort: 9443
+    protocol: TCP
+    name: webhook
+  {{- if .Values.webhook.prometheus.enabled}}
+  - port: {{ .Values.webhook.prometheus.service.port}}
+    targetPort: {{ .Values.webhook.prometheus.service.port}}
+    protocol: TCP
+    name: metrics
+  {{- end }}
+  selector:
+    {{- include "external-secrets-webhook.selectorLabels" . | nindent 4 }}
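Review bot: The `prometheus.io/port` annotation reads `.Values.prometheus.service.port`, while the `enabled` guard around it and the metrics port declared a few lines below read `.Values.webhook.prometheus.service.port`; whenever the two values differ, the scrape annotation names a port this Service does not expose. Change it to `prometheus.io/port: {{ .Values.webhook.prometheus.service.port | quote }}`. The cert-controller-service.yaml hunk in this PR already uses its own component's value consistently.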

+ 13 - 0
deploy/charts/external-secrets/templates/webhook-serviceaccount.yaml

@@ -0,0 +1,13 @@
+{{- if .Values.webhook.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "external-secrets-webhook.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "external-secrets-webhook.labels" . | nindent 4 }}
+  {{- with .Values.webhook.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

+ 129 - 0
deploy/charts/external-secrets/values.yaml

@@ -86,3 +86,132 @@ affinity: {}
 
 # -- Pod priority class name.
 priorityClassName: ""
+
+webhook:
+  certCheckInterval: "5m"
+  replicaCount: 1
+  certDir: /tmp/certs
+  image:
+    repository: ghcr.io/external-secrets/external-secrets
+    pullPolicy: IfNotPresent
+  # -- The image tag to use. The default is the chart appVersion.
+    tag: ""
+  imagePullSecrets: []
+  nameOverride: ""
+  fullnameOverride: ""
+  rbac:
+  # -- Specifies whether role and rolebinding resources should be created.
+    create: true
+  serviceAccount:
+    # -- Specifies whether a service account should be created.
+    create: true
+    # -- Annotations to add to the service account.
+    annotations: {}
+    # -- The name of the service account to use.
+    # If not set and create is true, a name is generated using the fullname template.
+    name: ""
+  nodeSelector: {}
+
+  tolerations: []
+
+  affinity: {}
+
+    # -- Pod priority class name.
+  priorityClassName: ""
+  prometheus:
+      # -- Specifies whether to expose Service resource for collecting Prometheus metrics
+    enabled: false
+    service:
+      port: 8080
+    ## -- Extra environment variables to add to container.
+  extraEnv: []
+
+    ## -- Map of extra arguments to pass to container.
+  extraArgs: {}
+
+    # -- Annotations to add to Deployment
+  deploymentAnnotations: {}
+
+    # -- Annotations to add to Pod
+  podAnnotations: {}
+
+  podLabels: {}
+
+  podSecurityContext: {}
+      # fsGroup: 2000
+
+  securityContext: {}
+      # capabilities:
+      #   drop:
+      #   - ALL
+      # readOnlyRootFilesystem: true
+      # runAsNonRoot: true
+      # runAsUser: 1000
+
+  resources: {}
+      # requests:
+      #   cpu: 10m
+      #   memory: 32Mi
+
+certController:
+  requeueInterval: "5m"
+  image:
+    repository: ghcr.io/external-secrets/external-secrets
+    pullPolicy: IfNotPresent
+    tag: ""
+  imagePullSecrets: []
+  nameOverride: ""
+  fullnameOverride: ""
+  rbac:
+  # -- Specifies whether role and rolebinding resources should be created.
+    create: true
+  serviceAccount:
+    # -- Specifies whether a service account should be created.
+    create: true
+    # -- Annotations to add to the service account.
+    annotations: {}
+    # -- The name of the service account to use.
+    # If not set and create is true, a name is generated using the fullname template.
+    name: ""
+  nodeSelector: {}
+
+  tolerations: []
+
+  affinity: {}
+
+    # -- Pod priority class name.
+  priorityClassName: ""
+  prometheus:
+      # -- Specifies whether to expose Service resource for collecting Prometheus metrics
+    enabled: false
+    service:
+      port: 8080
+    ## -- Extra environment variables to add to container.
+  extraEnv: []
+
+    ## -- Map of extra arguments to pass to container.
+  extraArgs: {}
+
+    # -- Annotations to add to Deployment
+  deploymentAnnotations: {}
+
+    # -- Annotations to add to Pod
+  podAnnotations: {}
+
+  podLabels: {}
+
+  podSecurityContext: {}
+      # fsGroup: 2000
+
+  securityContext: {}
+      # capabilities:
+      #   drop:
+      #   - ALL
+      # readOnlyRootFilesystem: true
+      # runAsNonRoot: true
+      # runAsUser: 1000
+
+  resources: {}
+      # requests:
+      #   cpu: 10m
+      #   memory: 32Mi
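Review bot: Several helm-docs `# --` comments in the new `webhook:` and `certController:` blocks are indented at a different depth from the key they describe (`# -- The image tag to use.` sits at two spaces above `tag:` at four; the `rbac.create`, `priorityClassName`, `prometheus.enabled`, `extraEnv`, `extraArgs`, `deploymentAnnotations` and `podAnnotations` comments likewise), which reads as if they belong to a sibling key; align each `# --` line with the key directly below it. `certController.image.tag` has no comment at all while `webhook.image.tag` does, and the README table in this PR shows exactly that gap, so copying the comment over keeps the two blocks parallel. The commented-out `runAsNonRoot`, `readOnlyRootFilesystem` and `drop: [ALL]` settings are left disabled for both new components; enabling them by default, at least for the webhook pod that the API server connects to, is worth considering.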

+ 4402 - 0
deploy/crds/bundle.yaml

@@ -0,0 +1,4402 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: clustersecretstores.external-secrets.io
+spec:
+  group: external-secrets.io
+  names:
+    categories:
+      - externalsecrets
+    kind: ClusterSecretStore
+    listKind: ClusterSecretStoreList
+    plural: clustersecretstores
+    shortNames:
+      - css
+    singular: clustersecretstore
+  scope: Cluster
+  versions:
+    - additionalPrinterColumns:
+        - jsonPath: .metadata.creationTimestamp
+          name: AGE
+          type: date
+        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
+          name: Status
+          type: string
+      name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+          properties:
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: SecretStoreSpec defines the desired state of SecretStore.
+              properties:
+                controller:
+                  description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
+                  type: string
+                provider:
+                  description: Used to configure the provider. Only one provider may be set
+                  maxProperties: 1
+                  minProperties: 1
+                  properties:
+                    akeyless:
+                      description: Akeyless configures this store to sync secrets using Akeyless Vault provider
+                      properties:
+                        akeylessGWApiURL:
+                          description: Akeyless GW API Url from which the secrets to be fetched from.
+                          type: string
+                        authSecretRef:
+                          description: Auth configures how the operator authenticates with Akeyless.
+                          properties:
+                            secretRef:
+                              description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
+                              properties:
+                                accessID:
+                                  description: The SecretAccessID is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                accessType:
+                                  description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                accessTypeParam:
+                                  description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                          required:
+                            - secretRef
+                          type: object
+                      required:
+                        - akeylessGWApiURL
+                        - authSecretRef
+                      type: object
+                    alibaba:
+                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
+                      properties:
+                        auth:
+                          description: AlibabaAuth contains a secretRef for credentials.
+                          properties:
+                            secretRef:
+                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
+                              properties:
+                                accessKeyIDSecretRef:
+                                  description: The AccessKeyID is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                accessKeySecretSecretRef:
+                                  description: The AccessKeySecret is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              required:
+                                - accessKeyIDSecretRef
+                                - accessKeySecretSecretRef
+                              type: object
+                          required:
+                            - secretRef
+                          type: object
+                        endpoint:
+                          type: string
+                        regionID:
+                          description: Alibaba Region to be used for the provider
+                          type: string
+                      required:
+                        - auth
+                        - regionID
+                      type: object
+                    aws:
+                      description: AWS configures this store to sync secrets using AWS Secret Manager provider
+                      properties:
+                        auth:
+                          description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                          properties:
+                            jwt:
+                              description: Authenticate against AWS using service account tokens.
+                              properties:
+                                serviceAccountRef:
+                                  description: A reference to a ServiceAccount resource.
+                                  properties:
+                                    name:
+                                      description: The name of the ServiceAccount resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  required:
+                                    - name
+                                  type: object
+                              type: object
+                            secretRef:
+                              description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
+                              properties:
+                                accessKeyIDSecretRef:
+                                  description: The AccessKeyID is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                secretAccessKeySecretRef:
+                                  description: The SecretAccessKey is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                          type: object
+                        region:
+                          description: AWS Region to be used for the provider
+                          type: string
+                        role:
+                          description: Role is a Role ARN which the SecretManager provider will assume
+                          type: string
+                        service:
+                          description: Service defines which service should be used to fetch the secrets
+                          enum:
+                            - SecretsManager
+                            - ParameterStore
+                          type: string
+                      required:
+                        - region
+                        - service
+                      type: object
+                    azurekv:
+                      description: AzureKV configures this store to sync secrets using Azure Key Vault provider
+                      properties:
+                        authSecretRef:
+                          description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
+                          properties:
+                            clientId:
+                              description: The Azure clientId of the service principle used for authentication.
+                              properties:
+                                key:
+                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                  type: string
+                                name:
+                                  description: The name of the Secret resource being referred to.
+                                  type: string
+                                namespace:
+                                  description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                  type: string
+                              type: object
+                            clientSecret:
+                              description: The Azure ClientSecret of the service principle used for authentication.
+                              properties:
+                                key:
+                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                  type: string
+                                name:
+                                  description: The name of the Secret resource being referred to.
+                                  type: string
+                                namespace:
+                                  description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                  type: string
+                              type: object
+                          required:
+                            - clientId
+                            - clientSecret
+                          type: object
+                        authType:
+                          default: ServicePrincipal
+                          description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
+                          enum:
+                            - ServicePrincipal
+                            - ManagedIdentity
+                          type: string
+                        identityId:
+                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
+                          type: string
+                        tenantId:
+                          description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
+                          type: string
+                        vaultUrl:
+                          description: Vault Url from which the secrets to be fetched from.
+                          type: string
+                      required:
+                        - vaultUrl
+                      type: object
+                    fake:
+                      description: Fake configures a store with static key/value pairs
+                      properties:
+                        data:
+                          items:
+                            properties:
+                              key:
+                                type: string
+                              value:
+                                type: string
+                              valueMap:
+                                additionalProperties:
+                                  type: string
+                                type: object
+                              version:
+                                type: string
+                            required:
+                              - key
+                            type: object
+                          type: array
+                      required:
+                        - data
+                      type: object
+                    gcpsm:
+                      description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
+                      properties:
+                        auth:
+                          description: Auth defines the information necessary to authenticate against GCP
+                          properties:
+                            secretRef:
+                              properties:
+                                secretAccessKeySecretRef:
+                                  description: The SecretAccessKey is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                            workloadIdentity:
+                              properties:
+                                clusterLocation:
+                                  type: string
+                                clusterName:
+                                  type: string
+                                serviceAccountRef:
+                                  description: A reference to a ServiceAccount resource.
+                                  properties:
+                                    name:
+                                      description: The name of the ServiceAccount resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  required:
+                                    - name
+                                  type: object
+                              required:
+                                - clusterLocation
+                                - clusterName
+                                - serviceAccountRef
+                              type: object
+                          type: object
+                        projectID:
+                          description: ProjectID project where secret is located
+                          type: string
+                      type: object
+                    gitlab:
+                      description: GItlab configures this store to sync secrets using Gitlab Variables provider
+                      properties:
+                        auth:
+                          description: Auth configures how secret-manager authenticates with a GitLab instance.
+                          properties:
+                            SecretRef:
+                              properties:
+                                accessToken:
+                                  description: AccessToken is used for authentication.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                          required:
+                            - SecretRef
+                          type: object
+                        projectID:
+                          description: ProjectID specifies a project where secrets are located.
+                          type: string
+                        url:
+                          description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
+                          type: string
+                      required:
+                        - auth
+                      type: object
+                    ibm:
+                      description: IBM configures this store to sync secrets using IBM Cloud provider
+                      properties:
+                        auth:
+                          description: Auth configures how secret-manager authenticates with the IBM secrets manager.
+                          properties:
+                            secretRef:
+                              properties:
+                                secretApiKeySecretRef:
+                                  description: The SecretAccessKey is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                          required:
+                            - secretRef
+                          type: object
+                        serviceUrl:
+                          description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
+                          type: string
+                      required:
+                        - auth
+                      type: object
+                    kubernetes:
+                      description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
+                      properties:
+                        auth:
+                          description: Auth configures how secret-manager authenticates with a Kubernetes instance.
+                          maxProperties: 1
+                          minProperties: 1
+                          properties:
+                            cert:
+                              description: has both clientCert and clientKey as secretKeySelector
+                              properties:
+                                clientCert:
+                                  description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                clientKey:
+                                  description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                            serviceAccount:
+                              description: points to a service account that should be used for authentication
+                              properties:
+                                serviceAccount:
+                                  description: A reference to a ServiceAccount resource.
+                                  properties:
+                                    name:
+                                      description: The name of the ServiceAccount resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  required:
+                                    - name
+                                  type: object
+                              type: object
+                            token:
+                              description: use static token to authenticate with
+                              properties:
+                                bearerToken:
+                                  description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                          type: object
+                        remoteNamespace:
+                          default: default
+                          description: Remote namespace to fetch the secrets from
+                          type: string
+                        server:
+                          description: configures the Kubernetes server Address.
+                          properties:
+                            caBundle:
+                              description: CABundle is a base64-encoded CA certificate
+                              format: byte
+                              type: string
+                            caProvider:
+                              description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
+                              properties:
+                                key:
+                                  description: The key the value inside of the provider type to use, only used with "Secret" type
+                                  type: string
+                                name:
+                                  description: The name of the object located at the provider type.
+                                  type: string
+                                namespace:
+                                  description: The namespace the Provider type is in.
+                                  type: string
+                                type:
+                                  description: The type of provider to use such as "Secret", or "ConfigMap".
+                                  enum:
+                                    - Secret
+                                    - ConfigMap
+                                  type: string
+                              required:
+                                - name
+                                - type
+                              type: object
+                            url:
+                              default: kubernetes.default
+                              description: configures the Kubernetes server Address.
+                              type: string
+                          type: object
+                      required:
+                        - auth
+                      type: object
+                    oracle:
+                      description: Oracle configures this store to sync secrets using Oracle Vault provider
+                      properties:
+                        auth:
+                          description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
+                          properties:
+                            secretRef:
+                              description: SecretRef to pass through sensitive information.
+                              properties:
+                                fingerprint:
+                                  description: Fingerprint is the fingerprint of the API private key.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                privatekey:
+                                  description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              required:
+                                - fingerprint
+                                - privatekey
+                              type: object
+                            tenancy:
+                              description: Tenancy is the tenancy OCID where user is located.
+                              type: string
+                            user:
+                              description: User is an access OCID specific to the account.
+                              type: string
+                          required:
+                            - secretRef
+                            - tenancy
+                            - user
+                          type: object
+                        region:
+                          description: Region is the region where vault is located.
+                          type: string
+                        vault:
+                          description: Vault is the vault's OCID of the specific vault where secret is located.
+                          type: string
+                      required:
+                        - region
+                        - vault
+                      type: object
+                    vault:
+                      description: Vault configures this store to sync secrets using Hashi provider
+                      properties:
+                        auth:
+                          description: Auth configures how secret-manager authenticates with the Vault server.
+                          properties:
+                            appRole:
+                              description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
+                              properties:
+                                path:
+                                  default: approle
+                                  description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
+                                  type: string
+                                roleId:
+                                  description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
+                                  type: string
+                                secretRef:
+                                  description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              required:
+                                - path
+                                - roleId
+                                - secretRef
+                              type: object
+                            cert:
+                              description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
+                              properties:
+                                clientCert:
+                                  description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                secretRef:
+                                  description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                            jwt:
+                              description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
+                              properties:
+                                path:
+                                  default: jwt
+                                  description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
+                                  type: string
+                                role:
+                                  description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
+                                  type: string
+                                secretRef:
+                                  description: SecretRef to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              required:
+                                - path
+                              type: object
+                            kubernetes:
+                              description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
+                              properties:
+                                mountPath:
+                                  default: kubernetes
+                                  description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
+                                  type: string
+                                role:
+                                  description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
+                                  type: string
+                                secretRef:
+                                  description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                serviceAccountRef:
+                                  description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
+                                  properties:
+                                    name:
+                                      description: The name of the ServiceAccount resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  required:
+                                    - name
+                                  type: object
+                              required:
+                                - mountPath
+                                - role
+                              type: object
+                            ldap:
+                              description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
+                              properties:
+                                path:
+                                  default: ldap
+                                  description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
+                                  type: string
+                                secretRef:
+                                  description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                username:
+                                  description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
+                                  type: string
+                              required:
+                                - path
+                                - username
+                              type: object
+                            tokenSecretRef:
+                              description: TokenSecretRef authenticates with Vault by presenting a token.
+                              properties:
+                                key:
+                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                  type: string
+                                name:
+                                  description: The name of the Secret resource being referred to.
+                                  type: string
+                                namespace:
+                                  description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                  type: string
+                              type: object
+                          type: object
+                        caBundle:
+                          description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
+                          format: byte
+                          type: string
+                        caProvider:
+                          description: The provider for the CA bundle to use to validate Vault server certificate.
+                          properties:
+                            key:
+                              description: The key the value inside of the provider type to use, only used with "Secret" type
+                              type: string
+                            name:
+                              description: The name of the object located at the provider type.
+                              type: string
+                            namespace:
+                              description: The namespace the Provider type is in.
+                              type: string
+                            type:
+                              description: The type of provider to use such as "Secret", or "ConfigMap".
+                              enum:
+                                - Secret
+                                - ConfigMap
+                              type: string
+                          required:
+                            - name
+                            - type
+                          type: object
+                        forwardInconsistent:
+                          description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+                          type: boolean
+                        namespace:
+                          description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
+                          type: string
+                        path:
+                          description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
+                          type: string
+                        readYourWrites:
+                          description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
+                          type: boolean
+                        server:
+                          description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
+                          type: string
+                        version:
+                          default: v2
+                          description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
+                          enum:
+                            - v1
+                            - v2
+                          type: string
+                      required:
+                        - auth
+                        - server
+                      type: object
+                    webhook:
+                      description: Webhook configures this store to sync secrets using a generic templated webhook
+                      properties:
+                        body:
+                          description: Body
+                          type: string
+                        caBundle:
+                          description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
+                          format: byte
+                          type: string
+                        caProvider:
+                          description: The provider for the CA bundle to use to validate webhook server certificate.
+                          properties:
+                            key:
+                              description: The key the value inside of the provider type to use, only used with "Secret" type
+                              type: string
+                            name:
+                              description: The name of the object located at the provider type.
+                              type: string
+                            namespace:
+                              description: The namespace the Provider type is in.
+                              type: string
+                            type:
+                              description: The type of provider to use such as "Secret", or "ConfigMap".
+                              enum:
+                                - Secret
+                                - ConfigMap
+                              type: string
+                          required:
+                            - name
+                            - type
+                          type: object
+                        headers:
+                          additionalProperties:
+                            type: string
+                          description: Headers
+                          type: object
+                        method:
+                          description: Webhook Method
+                          type: string
+                        result:
+                          description: Result formatting
+                          properties:
+                            jsonPath:
+                              description: Json path of return value
+                              type: string
+                          type: object
+                        secrets:
+                          description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
+                          items:
+                            properties:
+                              name:
+                                description: Name of this secret in templates
+                                type: string
+                              secretRef:
+                                description: Secret ref to fill in credentials
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                    type: string
+                                type: object
+                            required:
+                              - name
+                              - secretRef
+                            type: object
+                          type: array
+                        timeout:
+                          description: Timeout
+                          type: string
+                        url:
+                          description: Webhook url to call
+                          type: string
+                      required:
+                        - result
+                        - url
+                      type: object
+                    yandexlockbox:
+                      description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
+                      properties:
+                        apiEndpoint:
+                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
+                          type: string
+                        auth:
+                          description: Auth defines the information necessary to authenticate against Yandex Lockbox
+                          properties:
+                            authorizedKeySecretRef:
+                              description: The authorized key used for authentication
+                              properties:
+                                key:
+                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                  type: string
+                                name:
+                                  description: The name of the Secret resource being referred to.
+                                  type: string
+                                namespace:
+                                  description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                  type: string
+                              type: object
+                          type: object
+                        caProvider:
+                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
+                          properties:
+                            certSecretRef:
+                              description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+                              properties:
+                                key:
+                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                  type: string
+                                name:
+                                  description: The name of the Secret resource being referred to.
+                                  type: string
+                                namespace:
+                                  description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                  type: string
+                              type: object
+                          type: object
+                      required:
+                        - auth
+                      type: object
+                  type: object
+                retrySettings:
+                  description: Used to configure http retries if failed
+                  properties:
+                    maxRetries:
+                      format: int32
+                      type: integer
+                    retryInterval:
+                      type: string
+                  type: object
+              required:
+                - provider
+              type: object
+            status:
+              description: SecretStoreStatus defines the observed state of the SecretStore.
+              properties:
+                conditions:
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        format: date-time
+                        type: string
+                      message:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    required:
+                      - status
+                      - type
+                    type: object
+                  type: array
+              type: object
+          type: object
+      served: true
+      storage: false
+      subresources:
+        status: {}
+    - additionalPrinterColumns:
+        - jsonPath: .metadata.creationTimestamp
+          name: AGE
+          type: date
+      name: v1beta1
+      schema:
+        openAPIV3Schema:
+          description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+          properties:
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: SecretStoreSpec defines the desired state of SecretStore.
+              properties:
+                controller:
+                  description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
+                  type: string
+                provider:
+                  description: Used to configure the provider. Only one provider may be set
+                  maxProperties: 1
+                  minProperties: 1
+                  properties:
+                    akeyless:
+                      description: Akeyless configures this store to sync secrets using Akeyless Vault provider
+                      properties:
+                        akeylessGWApiURL:
+                          description: Akeyless GW API Url from which the secrets to be fetched from.
+                          type: string
+                        authSecretRef:
+                          description: Auth configures how the operator authenticates with Akeyless.
+                          properties:
+                            secretRef:
+                              description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
+                              properties:
+                                accessID:
+                                  description: The SecretAccessID is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                accessType:
+                                  description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                accessTypeParam:
+                                  description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                          required:
+                            - secretRef
+                          type: object
+                      required:
+                        - akeylessGWApiURL
+                        - authSecretRef
+                      type: object
+                    alibaba:
+                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
+                      properties:
+                        auth:
+                          description: AlibabaAuth contains a secretRef for credentials.
+                          properties:
+                            secretRef:
+                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
+                              properties:
+                                accessKeyIDSecretRef:
+                                  description: The AccessKeyID is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                accessKeySecretSecretRef:
+                                  description: The AccessKeySecret is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              required:
+                                - accessKeyIDSecretRef
+                                - accessKeySecretSecretRef
+                              type: object
+                          required:
+                            - secretRef
+                          type: object
+                        endpoint:
+                          type: string
+                        regionID:
+                          description: Alibaba Region to be used for the provider
+                          type: string
+                      required:
+                        - auth
+                        - regionID
+                      type: object
+                    aws:
+                      description: AWS configures this store to sync secrets using AWS Secret Manager provider
+                      properties:
+                        auth:
+                          description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                          properties:
+                            jwt:
+                              description: Authenticate against AWS using service account tokens.
+                              properties:
+                                serviceAccountRef:
+                                  description: A reference to a ServiceAccount resource.
+                                  properties:
+                                    name:
+                                      description: The name of the ServiceAccount resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  required:
+                                    - name
+                                  type: object
+                              type: object
+                            secretRef:
+                              description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
+                              properties:
+                                accessKeyIDSecretRef:
+                                  description: The AccessKeyID is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                secretAccessKeySecretRef:
+                                  description: The SecretAccessKey is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                          type: object
+                        region:
+                          description: AWS Region to be used for the provider
+                          type: string
+                        role:
+                          description: Role is a Role ARN which the SecretManager provider will assume
+                          type: string
+                        service:
+                          description: Service defines which service should be used to fetch the secrets
+                          enum:
+                            - SecretsManager
+                            - ParameterStore
+                          type: string
+                      required:
+                        - region
+                        - service
+                      type: object
+                    azurekv:
+                      description: AzureKV configures this store to sync secrets using Azure Key Vault provider
+                      properties:
+                        authSecretRef:
+                          description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
+                          properties:
+                            clientId:
+                              description: The Azure clientId of the service principle used for authentication.
+                              properties:
+                                key:
+                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                  type: string
+                                name:
+                                  description: The name of the Secret resource being referred to.
+                                  type: string
+                                namespace:
+                                  description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                  type: string
+                              type: object
+                            clientSecret:
+                              description: The Azure ClientSecret of the service principle used for authentication.
+                              properties:
+                                key:
+                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                  type: string
+                                name:
+                                  description: The name of the Secret resource being referred to.
+                                  type: string
+                                namespace:
+                                  description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                  type: string
+                              type: object
+                          required:
+                            - clientId
+                            - clientSecret
+                          type: object
+                        authType:
+                          default: ServicePrincipal
+                          description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
+                          enum:
+                            - ServicePrincipal
+                            - ManagedIdentity
+                          type: string
+                        identityId:
+                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
+                          type: string
+                        tenantId:
+                          description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
+                          type: string
+                        vaultUrl:
+                          description: Vault Url from which the secrets to be fetched from.
+                          type: string
+                      required:
+                        - vaultUrl
+                      type: object
+                    fake:
+                      description: Fake configures a store with static key/value pairs
+                      properties:
+                        data:
+                          items:
+                            properties:
+                              key:
+                                type: string
+                              value:
+                                type: string
+                              valueMap:
+                                additionalProperties:
+                                  type: string
+                                type: object
+                              version:
+                                type: string
+                            required:
+                              - key
+                            type: object
+                          type: array
+                      required:
+                        - data
+                      type: object
+                    gcpsm:
+                      description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
+                      properties:
+                        auth:
+                          description: Auth defines the information necessary to authenticate against GCP
+                          properties:
+                            secretRef:
+                              properties:
+                                secretAccessKeySecretRef:
+                                  description: The SecretAccessKey is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                            workloadIdentity:
+                              properties:
+                                clusterLocation:
+                                  type: string
+                                clusterName:
+                                  type: string
+                                serviceAccountRef:
+                                  description: A reference to a ServiceAccount resource.
+                                  properties:
+                                    name:
+                                      description: The name of the ServiceAccount resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  required:
+                                    - name
+                                  type: object
+                              required:
+                                - clusterLocation
+                                - clusterName
+                                - serviceAccountRef
+                              type: object
+                          type: object
+                        projectID:
+                          description: ProjectID project where secret is located
+                          type: string
+                      type: object
+                    gitlab:
+                      description: GItlab configures this store to sync secrets using Gitlab Variables provider
+                      properties:
+                        auth:
+                          description: Auth configures how secret-manager authenticates with a GitLab instance.
+                          properties:
+                            SecretRef:
+                              properties:
+                                accessToken:
+                                  description: AccessToken is used for authentication.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                          required:
+                            - SecretRef
+                          type: object
+                        projectID:
+                          description: ProjectID specifies a project where secrets are located.
+                          type: string
+                        url:
+                          description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
+                          type: string
+                      required:
+                        - auth
+                      type: object
+                    ibm:
+                      description: IBM configures this store to sync secrets using IBM Cloud provider
+                      properties:
+                        auth:
+                          description: Auth configures how secret-manager authenticates with the IBM secrets manager.
+                          properties:
+                            secretRef:
+                              properties:
+                                secretApiKeySecretRef:
+                                  description: The SecretAccessKey is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                          required:
+                            - secretRef
+                          type: object
+                        serviceUrl:
+                          description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
+                          type: string
+                      required:
+                        - auth
+                      type: object
+                    kubernetes:
+                      description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
+                      properties:
+                        auth:
+                          description: Auth configures how secret-manager authenticates with a Kubernetes instance.
+                          maxProperties: 1
+                          minProperties: 1
+                          properties:
+                            cert:
+                              description: has both clientCert and clientKey as secretKeySelector
+                              properties:
+                                clientCert:
+                                  description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                clientKey:
+                                  description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                            serviceAccount:
+                              description: points to a service account that should be used for authentication
+                              properties:
+                                serviceAccount:
+                                  description: A reference to a ServiceAccount resource.
+                                  properties:
+                                    name:
+                                      description: The name of the ServiceAccount resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  required:
+                                    - name
+                                  type: object
+                              type: object
+                            token:
+                              description: use static token to authenticate with
+                              properties:
+                                bearerToken:
+                                  description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                          type: object
+                        remoteNamespace:
+                          default: default
+                          description: Remote namespace to fetch the secrets from
+                          type: string
+                        server:
+                          description: configures the Kubernetes server Address.
+                          properties:
+                            caBundle:
+                              description: CABundle is a base64-encoded CA certificate
+                              format: byte
+                              type: string
+                            caProvider:
+                              description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
+                              properties:
+                                key:
+                                  description: The key the value inside of the provider type to use, only used with "Secret" type
+                                  type: string
+                                name:
+                                  description: The name of the object located at the provider type.
+                                  type: string
+                                namespace:
+                                  description: The namespace the Provider type is in.
+                                  type: string
+                                type:
+                                  description: The type of provider to use such as "Secret", or "ConfigMap".
+                                  enum:
+                                    - Secret
+                                    - ConfigMap
+                                  type: string
+                              required:
+                                - name
+                                - type
+                              type: object
+                            url:
+                              default: kubernetes.default
+                              description: configures the Kubernetes server Address.
+                              type: string
+                          type: object
+                      required:
+                        - auth
+                      type: object
+                    oracle:
+                      description: Oracle configures this store to sync secrets using Oracle Vault provider
+                      properties:
+                        auth:
+                          description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
+                          properties:
+                            secretRef:
+                              description: SecretRef to pass through sensitive information.
+                              properties:
+                                fingerprint:
+                                  description: Fingerprint is the fingerprint of the API private key.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                privatekey:
+                                  description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              required:
+                                - fingerprint
+                                - privatekey
+                              type: object
+                            tenancy:
+                              description: Tenancy is the tenancy OCID where user is located.
+                              type: string
+                            user:
+                              description: User is an access OCID specific to the account.
+                              type: string
+                          required:
+                            - secretRef
+                            - tenancy
+                            - user
+                          type: object
+                        region:
+                          description: Region is the region where vault is located.
+                          type: string
+                        vault:
+                          description: Vault is the vault's OCID of the specific vault where secret is located.
+                          type: string
+                      required:
+                        - region
+                        - vault
+                      type: object
+                    vault:
+                      description: Vault configures this store to sync secrets using Hashi provider
+                      properties:
+                        auth:
+                          description: Auth configures how secret-manager authenticates with the Vault server.
+                          properties:
+                            appRole:
+                              description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
+                              properties:
+                                path:
+                                  default: approle
+                                  description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
+                                  type: string
+                                roleId:
+                                  description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
+                                  type: string
+                                secretRef:
+                                  description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              required:
+                                - path
+                                - roleId
+                                - secretRef
+                              type: object
+                            cert:
+                              description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
+                              properties:
+                                clientCert:
+                                  description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                secretRef:
+                                  description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                            jwt:
+                              description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
+                              properties:
+                                path:
+                                  default: jwt
+                                  description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
+                                  type: string
+                                role:
+                                  description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
+                                  type: string
+                                secretRef:
+                                  description: SecretRef to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              required:
+                                - path
+                              type: object
+                            kubernetes:
+                              description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
+                              properties:
+                                mountPath:
+                                  default: kubernetes
+                                  description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
+                                  type: string
+                                role:
+                                  description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
+                                  type: string
+                                secretRef:
+                                  description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                serviceAccountRef:
+                                  description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
+                                  properties:
+                                    name:
+                                      description: The name of the ServiceAccount resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  required:
+                                    - name
+                                  type: object
+                              required:
+                                - mountPath
+                                - role
+                              type: object
+                            ldap:
+                              description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
+                              properties:
+                                path:
+                                  default: ldap
+                                  description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
+                                  type: string
+                                secretRef:
+                                  description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                username:
+                                  description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
+                                  type: string
+                              required:
+                                - path
+                                - username
+                              type: object
+                            tokenSecretRef:
+                              description: TokenSecretRef authenticates with Vault by presenting a token.
+                              properties:
+                                key:
+                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                  type: string
+                                name:
+                                  description: The name of the Secret resource being referred to.
+                                  type: string
+                                namespace:
+                                  description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                  type: string
+                              type: object
+                          type: object
+                        caBundle:
+                          description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
+                          format: byte
+                          type: string
+                        caProvider:
+                          description: The provider for the CA bundle to use to validate Vault server certificate.
+                          properties:
+                            key:
+                              description: The key the value inside of the provider type to use, only used with "Secret" type
+                              type: string
+                            name:
+                              description: The name of the object located at the provider type.
+                              type: string
+                            namespace:
+                              description: The namespace the Provider type is in.
+                              type: string
+                            type:
+                              description: The type of provider to use such as "Secret", or "ConfigMap".
+                              enum:
+                                - Secret
+                                - ConfigMap
+                              type: string
+                          required:
+                            - name
+                            - type
+                          type: object
+                        forwardInconsistent:
+                          description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+                          type: boolean
+                        namespace:
+                          description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
+                          type: string
+                        path:
+                          description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
+                          type: string
+                        readYourWrites:
+                          description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
+                          type: boolean
+                        server:
+                          description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
+                          type: string
+                        version:
+                          default: v2
+                          description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
+                          enum:
+                            - v1
+                            - v2
+                          type: string
+                      required:
+                        - auth
+                        - server
+                      type: object
+                    webhook:
+                      description: Webhook configures this store to sync secrets using a generic templated webhook
+                      properties:
+                        body:
+                          description: Body
+                          type: string
+                        caBundle:
+                          description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
+                          format: byte
+                          type: string
+                        caProvider:
+                          description: The provider for the CA bundle to use to validate webhook server certificate.
+                          properties:
+                            key:
+                              description: The key the value inside of the provider type to use, only used with "Secret" type
+                              type: string
+                            name:
+                              description: The name of the object located at the provider type.
+                              type: string
+                            namespace:
+                              description: The namespace the Provider type is in.
+                              type: string
+                            type:
+                              description: The type of provider to use such as "Secret", or "ConfigMap".
+                              enum:
+                                - Secret
+                                - ConfigMap
+                              type: string
+                          required:
+                            - name
+                            - type
+                          type: object
+                        headers:
+                          additionalProperties:
+                            type: string
+                          description: Headers
+                          type: object
+                        method:
+                          description: Webhook Method
+                          type: string
+                        result:
+                          description: Result formatting
+                          properties:
+                            jsonPath:
+                              description: Json path of return value
+                              type: string
+                          type: object
+                        secrets:
+                          description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
+                          items:
+                            properties:
+                              name:
+                                description: Name of this secret in templates
+                                type: string
+                              secretRef:
+                                description: Secret ref to fill in credentials
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                    type: string
+                                type: object
+                            required:
+                              - name
+                              - secretRef
+                            type: object
+                          type: array
+                        timeout:
+                          description: Timeout
+                          type: string
+                        url:
+                          description: Webhook url to call
+                          type: string
+                      required:
+                        - result
+                        - url
+                      type: object
+                    yandexlockbox:
+                      description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
+                      properties:
+                        apiEndpoint:
+                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
+                          type: string
+                        auth:
+                          description: Auth defines the information necessary to authenticate against Yandex Lockbox
+                          properties:
+                            authorizedKeySecretRef:
+                              description: The authorized key used for authentication
+                              properties:
+                                key:
+                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                  type: string
+                                name:
+                                  description: The name of the Secret resource being referred to.
+                                  type: string
+                                namespace:
+                                  description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                  type: string
+                              type: object
+                          type: object
+                        caProvider:
+                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
+                          properties:
+                            certSecretRef:
+                              description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+                              properties:
+                                key:
+                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                  type: string
+                                name:
+                                  description: The name of the Secret resource being referred to.
+                                  type: string
+                                namespace:
+                                  description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                  type: string
+                              type: object
+                          type: object
+                      required:
+                        - auth
+                      type: object
+                  type: object
+                retrySettings:
+                  description: Used to configure http retries if failed
+                  properties:
+                    maxRetries:
+                      format: int32
+                      type: integer
+                    retryInterval:
+                      type: string
+                  type: object
+              required:
+                - provider
+              type: object
+            status:
+              description: SecretStoreStatus defines the observed state of the SecretStore.
+              properties:
+                conditions:
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        format: date-time
+                        type: string
+                      message:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    required:
+                      - status
+                      - type
+                    type: object
+                  type: array
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+  conversion:
+    strategy: Webhook
+    webhook:
+      conversionReviewVersions:
+        - v1
+      clientConfig:
+        caBundle: Cg==
+        service:
+          name: kubernetes
+          namespace: default
+          path: /convert
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: externalsecrets.external-secrets.io
+spec:
+  group: external-secrets.io
+  names:
+    categories:
+      - externalsecrets
+    kind: ExternalSecret
+    listKind: ExternalSecretList
+    plural: externalsecrets
+    shortNames:
+      - es
+    singular: externalsecret
+  scope: Namespaced
+  versions:
+    - additionalPrinterColumns:
+        - jsonPath: .spec.secretStoreRef.name
+          name: Store
+          type: string
+        - jsonPath: .spec.refreshInterval
+          name: Refresh Interval
+          type: string
+        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
+          name: Status
+          type: string
+      name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          description: ExternalSecret is the Schema for the external-secrets API.
+          properties:
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: ExternalSecretSpec defines the desired state of ExternalSecret.
+              properties:
+                data:
+                  description: Data defines the connection between the Kubernetes Secret keys and the Provider data
+                  items:
+                    description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
+                    properties:
+                      remoteRef:
+                        description: ExternalSecretDataRemoteRef defines Provider data location.
+                        properties:
+                          key:
+                            description: Key is the key used in the Provider, mandatory
+                            type: string
+                          property:
+                            description: Used to select a specific property of the Provider value (if a map), if supported
+                            type: string
+                          version:
+                            description: Used to select a specific version of the Provider value, if supported
+                            type: string
+                        required:
+                          - key
+                        type: object
+                      secretKey:
+                        type: string
+                    required:
+                      - remoteRef
+                      - secretKey
+                    type: object
+                  type: array
+                dataFrom:
+                  description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
+                  items:
+                    description: ExternalSecretDataRemoteRef defines Provider data location.
+                    properties:
+                      key:
+                        description: Key is the key used in the Provider, mandatory
+                        type: string
+                      property:
+                        description: Used to select a specific property of the Provider value (if a map), if supported
+                        type: string
+                      version:
+                        description: Used to select a specific version of the Provider value, if supported
+                        type: string
+                    required:
+                      - key
+                    type: object
+                  type: array
+                refreshInterval:
+                  default: 1h
+                  description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
+                  type: string
+                secretStoreRef:
+                  description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
+                  properties:
+                    kind:
+                      description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
+                      type: string
+                    name:
+                      description: Name of the SecretStore resource
+                      type: string
+                  required:
+                    - name
+                  type: object
+                target:
+                  description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
+                  properties:
+                    creationPolicy:
+                      default: Owner
+                      description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
+                      type: string
+                    immutable:
+                      description: Immutable defines if the final secret will be immutable
+                      type: boolean
+                    name:
+                      description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
+                      type: string
+                    template:
+                      description: Template defines a blueprint for the created Secret resource.
+                      properties:
+                        data:
+                          additionalProperties:
+                            type: string
+                          type: object
+                        engineVersion:
+                          default: v1
+                          description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
+                          type: string
+                        metadata:
+                          description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
+                          properties:
+                            annotations:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            labels:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                        templateFrom:
+                          items:
+                            maxProperties: 1
+                            minProperties: 1
+                            properties:
+                              configMap:
+                                properties:
+                                  items:
+                                    items:
+                                      properties:
+                                        key:
+                                          type: string
+                                      required:
+                                        - key
+                                      type: object
+                                    type: array
+                                  name:
+                                    type: string
+                                required:
+                                  - items
+                                  - name
+                                type: object
+                              secret:
+                                properties:
+                                  items:
+                                    items:
+                                      properties:
+                                        key:
+                                          type: string
+                                      required:
+                                        - key
+                                      type: object
+                                    type: array
+                                  name:
+                                    type: string
+                                required:
+                                  - items
+                                  - name
+                                type: object
+                            type: object
+                          type: array
+                        type:
+                          type: string
+                      type: object
+                  type: object
+              required:
+                - secretStoreRef
+                - target
+              type: object
+            status:
+              properties:
+                conditions:
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        format: date-time
+                        type: string
+                      message:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    required:
+                      - status
+                      - type
+                    type: object
+                  type: array
+                refreshTime:
+                  description: refreshTime is the time and date the external secret was fetched and the target secret updated
+                  format: date-time
+                  nullable: true
+                  type: string
+                syncedResourceVersion:
+                  description: SyncedResourceVersion keeps track of the last synced version
+                  type: string
+              type: object
+          type: object
+      served: true
+      storage: false
+      subresources:
+        status: {}
+    - additionalPrinterColumns:
+        - jsonPath: .spec.secretStoreRef.name
+          name: Store
+          type: string
+        - jsonPath: .spec.refreshInterval
+          name: Refresh Interval
+          type: string
+        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
+          name: Status
+          type: string
+      name: v1beta1
+      schema:
+        openAPIV3Schema:
+          description: ExternalSecret is the Schema for the external-secrets API.
+          properties:
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: ExternalSecretSpec defines the desired state of ExternalSecret.
+              properties:
+                data:
+                  description: Data defines the connection between the Kubernetes Secret keys and the Provider data
+                  items:
+                    description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
+                    properties:
+                      remoteRef:
+                        description: ExternalSecretDataRemoteRef defines Provider data location.
+                        properties:
+                          key:
+                            description: Key is the key used in the Provider, mandatory
+                            type: string
+                          property:
+                            description: Used to select a specific property of the Provider value (if a map), if supported
+                            type: string
+                          version:
+                            description: Used to select a specific version of the Provider value, if supported
+                            type: string
+                        required:
+                          - key
+                        type: object
+                      secretKey:
+                        type: string
+                    required:
+                      - remoteRef
+                      - secretKey
+                    type: object
+                  type: array
+                dataFrom:
+                  description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
+                  items:
+                    properties:
+                      extract:
+                        description: Used to extract multiple key/value pairs from one secret
+                        properties:
+                          key:
+                            description: Key is the key used in the Provider, mandatory
+                            type: string
+                          property:
+                            description: Used to select a specific property of the Provider value (if a map), if supported
+                            type: string
+                          version:
+                            description: Used to select a specific version of the Provider value, if supported
+                            type: string
+                        required:
+                          - key
+                        type: object
+                      find:
+                        description: Used to find secrets based on tags or regular expressions
+                        properties:
+                          name:
+                            description: Finds secrets based on the name.
+                            properties:
+                              regexp:
+                                description: Finds secrets base
+                                type: string
+                            type: object
+                          tags:
+                            additionalProperties:
+                              type: string
+                            description: Find secrets based on tags.
+                            type: object
+                        type: object
+                    type: object
+                  type: array
+                refreshInterval:
+                  default: 1h
+                  description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
+                  type: string
+                secretStoreRef:
+                  description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
+                  properties:
+                    kind:
+                      description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
+                      type: string
+                    name:
+                      description: Name of the SecretStore resource
+                      type: string
+                  required:
+                    - name
+                  type: object
+                target:
+                  description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
+                  properties:
+                    creationPolicy:
+                      default: Owner
+                      description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
+                      type: string
+                    deletionPolicy:
+                      default: None
+                      description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'None'
+                      type: string
+                    immutable:
+                      description: Immutable defines if the final secret will be immutable
+                      type: boolean
+                    name:
+                      description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
+                      type: string
+                    template:
+                      description: Template defines a blueprint for the created Secret resource.
+                      properties:
+                        data:
+                          additionalProperties:
+                            type: string
+                          type: object
+                        engineVersion:
+                          default: v2
+                          type: string
+                        metadata:
+                          description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
+                          properties:
+                            annotations:
+                              additionalProperties:
+                                type: string
+                              type: object
+                            labels:
+                              additionalProperties:
+                                type: string
+                              type: object
+                          type: object
+                        templateFrom:
+                          items:
+                            maxProperties: 1
+                            minProperties: 1
+                            properties:
+                              configMap:
+                                properties:
+                                  items:
+                                    items:
+                                      properties:
+                                        key:
+                                          type: string
+                                      required:
+                                        - key
+                                      type: object
+                                    type: array
+                                  name:
+                                    type: string
+                                required:
+                                  - items
+                                  - name
+                                type: object
+                              secret:
+                                properties:
+                                  items:
+                                    items:
+                                      properties:
+                                        key:
+                                          type: string
+                                      required:
+                                        - key
+                                      type: object
+                                    type: array
+                                  name:
+                                    type: string
+                                required:
+                                  - items
+                                  - name
+                                type: object
+                            type: object
+                          type: array
+                        type:
+                          type: string
+                      type: object
+                  type: object
+              required:
+                - secretStoreRef
+                - target
+              type: object
+            status:
+              properties:
+                conditions:
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        format: date-time
+                        type: string
+                      message:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    required:
+                      - status
+                      - type
+                    type: object
+                  type: array
+                refreshTime:
+                  description: refreshTime is the time and date the external secret was fetched and the target secret updated
+                  format: date-time
+                  nullable: true
+                  type: string
+                syncedResourceVersion:
+                  description: SyncedResourceVersion keeps track of the last synced version
+                  type: string
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+  conversion:
+    strategy: Webhook
+    webhook:
+      conversionReviewVersions:
+        - v1
+      clientConfig:
+        caBundle: Cg==
+        service:
+          name: kubernetes
+          namespace: default
+          path: /convert
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.8.0
+  creationTimestamp: null
+  name: secretstores.external-secrets.io
+spec:
+  group: external-secrets.io
+  names:
+    categories:
+      - externalsecrets
+    kind: SecretStore
+    listKind: SecretStoreList
+    plural: secretstores
+    shortNames:
+      - ss
+    singular: secretstore
+  scope: Namespaced
+  versions:
+    - additionalPrinterColumns:
+        - jsonPath: .metadata.creationTimestamp
+          name: AGE
+          type: date
+        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
+          name: Status
+          type: string
+      name: v1alpha1
+      schema:
+        openAPIV3Schema:
+          description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+          properties:
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: SecretStoreSpec defines the desired state of SecretStore.
+              properties:
+                controller:
+                  description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
+                  type: string
+                provider:
+                  description: Used to configure the provider. Only one provider may be set
+                  maxProperties: 1
+                  minProperties: 1
+                  properties:
+                    akeyless:
+                      description: Akeyless configures this store to sync secrets using Akeyless Vault provider
+                      properties:
+                        akeylessGWApiURL:
+                          description: Akeyless GW API Url from which the secrets to be fetched from.
+                          type: string
+                        authSecretRef:
+                          description: Auth configures how the operator authenticates with Akeyless.
+                          properties:
+                            secretRef:
+                              description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
+                              properties:
+                                accessID:
+                                  description: The SecretAccessID is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                accessType:
+                                  description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                accessTypeParam:
+                                  description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                          required:
+                            - secretRef
+                          type: object
+                      required:
+                        - akeylessGWApiURL
+                        - authSecretRef
+                      type: object
+                    alibaba:
+                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
+                      properties:
+                        auth:
+                          description: AlibabaAuth contains a secretRef for credentials.
+                          properties:
+                            secretRef:
+                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
+                              properties:
+                                accessKeyIDSecretRef:
+                                  description: The AccessKeyID is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                accessKeySecretSecretRef:
+                                  description: The AccessKeySecret is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              required:
+                                - accessKeyIDSecretRef
+                                - accessKeySecretSecretRef
+                              type: object
+                          required:
+                            - secretRef
+                          type: object
+                        endpoint:
+                          type: string
+                        regionID:
+                          description: Alibaba Region to be used for the provider
+                          type: string
+                      required:
+                        - auth
+                        - regionID
+                      type: object
+                    aws:
+                      description: AWS configures this store to sync secrets using AWS Secret Manager provider
+                      properties:
+                        auth:
+                          description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                          properties:
+                            jwt:
+                              description: Authenticate against AWS using service account tokens.
+                              properties:
+                                serviceAccountRef:
+                                  description: A reference to a ServiceAccount resource.
+                                  properties:
+                                    name:
+                                      description: The name of the ServiceAccount resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  required:
+                                    - name
+                                  type: object
+                              type: object
+                            secretRef:
+                              description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
+                              properties:
+                                accessKeyIDSecretRef:
+                                  description: The AccessKeyID is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                secretAccessKeySecretRef:
+                                  description: The SecretAccessKey is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                          type: object
+                        region:
+                          description: AWS Region to be used for the provider
+                          type: string
+                        role:
+                          description: Role is a Role ARN which the SecretManager provider will assume
+                          type: string
+                        service:
+                          description: Service defines which service should be used to fetch the secrets
+                          enum:
+                            - SecretsManager
+                            - ParameterStore
+                          type: string
+                      required:
+                        - region
+                        - service
+                      type: object
+                    azurekv:
+                      description: AzureKV configures this store to sync secrets using Azure Key Vault provider
+                      properties:
+                        authSecretRef:
+                          description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
+                          properties:
+                            clientId:
+                              description: The Azure clientId of the service principle used for authentication.
+                              properties:
+                                key:
+                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                  type: string
+                                name:
+                                  description: The name of the Secret resource being referred to.
+                                  type: string
+                                namespace:
+                                  description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                  type: string
+                              type: object
+                            clientSecret:
+                              description: The Azure ClientSecret of the service principle used for authentication.
+                              properties:
+                                key:
+                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                  type: string
+                                name:
+                                  description: The name of the Secret resource being referred to.
+                                  type: string
+                                namespace:
+                                  description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                  type: string
+                              type: object
+                          required:
+                            - clientId
+                            - clientSecret
+                          type: object
+                        authType:
+                          default: ServicePrincipal
+                          description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
+                          enum:
+                            - ServicePrincipal
+                            - ManagedIdentity
+                          type: string
+                        identityId:
+                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
+                          type: string
+                        tenantId:
+                          description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
+                          type: string
+                        vaultUrl:
+                          description: Vault Url from which the secrets to be fetched from.
+                          type: string
+                      required:
+                        - vaultUrl
+                      type: object
+                    fake:
+                      description: Fake configures a store with static key/value pairs
+                      properties:
+                        data:
+                          items:
+                            properties:
+                              key:
+                                type: string
+                              value:
+                                type: string
+                              valueMap:
+                                additionalProperties:
+                                  type: string
+                                type: object
+                              version:
+                                type: string
+                            required:
+                              - key
+                            type: object
+                          type: array
+                      required:
+                        - data
+                      type: object
+                    gcpsm:
+                      description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
+                      properties:
+                        auth:
+                          description: Auth defines the information necessary to authenticate against GCP
+                          properties:
+                            secretRef:
+                              properties:
+                                secretAccessKeySecretRef:
+                                  description: The SecretAccessKey is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                            workloadIdentity:
+                              properties:
+                                clusterLocation:
+                                  type: string
+                                clusterName:
+                                  type: string
+                                serviceAccountRef:
+                                  description: A reference to a ServiceAccount resource.
+                                  properties:
+                                    name:
+                                      description: The name of the ServiceAccount resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  required:
+                                    - name
+                                  type: object
+                              required:
+                                - clusterLocation
+                                - clusterName
+                                - serviceAccountRef
+                              type: object
+                          type: object
+                        projectID:
+                          description: ProjectID project where secret is located
+                          type: string
+                      type: object
+                    gitlab:
+                      description: GItlab configures this store to sync secrets using Gitlab Variables provider
+                      properties:
+                        auth:
+                          description: Auth configures how secret-manager authenticates with a GitLab instance.
+                          properties:
+                            SecretRef:
+                              properties:
+                                accessToken:
+                                  description: AccessToken is used for authentication.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                          required:
+                            - SecretRef
+                          type: object
+                        projectID:
+                          description: ProjectID specifies a project where secrets are located.
+                          type: string
+                        url:
+                          description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
+                          type: string
+                      required:
+                        - auth
+                      type: object
+                    ibm:
+                      description: IBM configures this store to sync secrets using IBM Cloud provider
+                      properties:
+                        auth:
+                          description: Auth configures how secret-manager authenticates with the IBM secrets manager.
+                          properties:
+                            secretRef:
+                              properties:
+                                secretApiKeySecretRef:
+                                  description: The SecretAccessKey is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                          required:
+                            - secretRef
+                          type: object
+                        serviceUrl:
+                          description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
+                          type: string
+                      required:
+                        - auth
+                      type: object
+                    kubernetes:
+                      description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
+                      properties:
+                        auth:
+                          description: Auth configures how secret-manager authenticates with a Kubernetes instance.
+                          maxProperties: 1
+                          minProperties: 1
+                          properties:
+                            cert:
+                              description: has both clientCert and clientKey as secretKeySelector
+                              properties:
+                                clientCert:
+                                  description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                clientKey:
+                                  description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                            serviceAccount:
+                              description: points to a service account that should be used for authentication
+                              properties:
+                                serviceAccount:
+                                  description: A reference to a ServiceAccount resource.
+                                  properties:
+                                    name:
+                                      description: The name of the ServiceAccount resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  required:
+                                    - name
+                                  type: object
+                              type: object
+                            token:
+                              description: use static token to authenticate with
+                              properties:
+                                bearerToken:
+                                  description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                          type: object
+                        remoteNamespace:
+                          default: default
+                          description: Remote namespace to fetch the secrets from
+                          type: string
+                        server:
+                          description: configures the Kubernetes server Address.
+                          properties:
+                            caBundle:
+                              description: CABundle is a base64-encoded CA certificate
+                              format: byte
+                              type: string
+                            caProvider:
+                              description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
+                              properties:
+                                key:
+                                  description: The key the value inside of the provider type to use, only used with "Secret" type
+                                  type: string
+                                name:
+                                  description: The name of the object located at the provider type.
+                                  type: string
+                                namespace:
+                                  description: The namespace the Provider type is in.
+                                  type: string
+                                type:
+                                  description: The type of provider to use such as "Secret", or "ConfigMap".
+                                  enum:
+                                    - Secret
+                                    - ConfigMap
+                                  type: string
+                              required:
+                                - name
+                                - type
+                              type: object
+                            url:
+                              default: kubernetes.default
+                              description: configures the Kubernetes server Address.
+                              type: string
+                          type: object
+                      required:
+                        - auth
+                      type: object
+                    oracle:
+                      description: Oracle configures this store to sync secrets using Oracle Vault provider
+                      properties:
+                        auth:
+                          description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
+                          properties:
+                            secretRef:
+                              description: SecretRef to pass through sensitive information.
+                              properties:
+                                fingerprint:
+                                  description: Fingerprint is the fingerprint of the API private key.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                privatekey:
+                                  description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              required:
+                                - fingerprint
+                                - privatekey
+                              type: object
+                            tenancy:
+                              description: Tenancy is the tenancy OCID where user is located.
+                              type: string
+                            user:
+                              description: User is an access OCID specific to the account.
+                              type: string
+                          required:
+                            - secretRef
+                            - tenancy
+                            - user
+                          type: object
+                        region:
+                          description: Region is the region where vault is located.
+                          type: string
+                        vault:
+                          description: Vault is the vault's OCID of the specific vault where secret is located.
+                          type: string
+                      required:
+                        - region
+                        - vault
+                      type: object
+                    vault:
+                      description: Vault configures this store to sync secrets using Hashi provider
+                      properties:
+                        auth:
+                          description: Auth configures how secret-manager authenticates with the Vault server.
+                          properties:
+                            appRole:
+                              description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
+                              properties:
+                                path:
+                                  default: approle
+                                  description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
+                                  type: string
+                                roleId:
+                                  description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
+                                  type: string
+                                secretRef:
+                                  description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              required:
+                                - path
+                                - roleId
+                                - secretRef
+                              type: object
+                            cert:
+                              description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
+                              properties:
+                                clientCert:
+                                  description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                secretRef:
+                                  description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                            jwt:
+                              description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
+                              properties:
+                                path:
+                                  default: jwt
+                                  description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
+                                  type: string
+                                role:
+                                  description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
+                                  type: string
+                                secretRef:
+                                  description: SecretRef to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              required:
+                                - path
+                              type: object
+                            kubernetes:
+                              description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
+                              properties:
+                                mountPath:
+                                  default: kubernetes
+                                  description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
+                                  type: string
+                                role:
+                                  description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
+                                  type: string
+                                secretRef:
+                                  description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                serviceAccountRef:
+                                  description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
+                                  properties:
+                                    name:
+                                      description: The name of the ServiceAccount resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  required:
+                                    - name
+                                  type: object
+                              required:
+                                - mountPath
+                                - role
+                              type: object
+                            ldap:
+                              description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
+                              properties:
+                                path:
+                                  default: ldap
+                                  description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
+                                  type: string
+                                secretRef:
+                                  description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                username:
+                                  description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
+                                  type: string
+                              required:
+                                - path
+                                - username
+                              type: object
+                            tokenSecretRef:
+                              description: TokenSecretRef authenticates with Vault by presenting a token.
+                              properties:
+                                key:
+                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                  type: string
+                                name:
+                                  description: The name of the Secret resource being referred to.
+                                  type: string
+                                namespace:
+                                  description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                  type: string
+                              type: object
+                          type: object
+                        caBundle:
+                          description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
+                          format: byte
+                          type: string
+                        caProvider:
+                          description: The provider for the CA bundle to use to validate Vault server certificate.
+                          properties:
+                            key:
+                              description: The key the value inside of the provider type to use, only used with "Secret" type
+                              type: string
+                            name:
+                              description: The name of the object located at the provider type.
+                              type: string
+                            namespace:
+                              description: The namespace the Provider type is in.
+                              type: string
+                            type:
+                              description: The type of provider to use such as "Secret", or "ConfigMap".
+                              enum:
+                                - Secret
+                                - ConfigMap
+                              type: string
+                          required:
+                            - name
+                            - type
+                          type: object
+                        forwardInconsistent:
+                          description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+                          type: boolean
+                        namespace:
+                          description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
+                          type: string
+                        path:
+                          description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
+                          type: string
+                        readYourWrites:
+                          description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
+                          type: boolean
+                        server:
+                          description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
+                          type: string
+                        version:
+                          default: v2
+                          description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
+                          enum:
+                            - v1
+                            - v2
+                          type: string
+                      required:
+                        - auth
+                        - server
+                      type: object
+                    webhook:
+                      description: Webhook configures this store to sync secrets using a generic templated webhook
+                      properties:
+                        body:
+                          description: Body
+                          type: string
+                        caBundle:
+                          description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
+                          format: byte
+                          type: string
+                        caProvider:
+                          description: The provider for the CA bundle to use to validate webhook server certificate.
+                          properties:
+                            key:
+                              description: The key the value inside of the provider type to use, only used with "Secret" type
+                              type: string
+                            name:
+                              description: The name of the object located at the provider type.
+                              type: string
+                            namespace:
+                              description: The namespace the Provider type is in.
+                              type: string
+                            type:
+                              description: The type of provider to use such as "Secret", or "ConfigMap".
+                              enum:
+                                - Secret
+                                - ConfigMap
+                              type: string
+                          required:
+                            - name
+                            - type
+                          type: object
+                        headers:
+                          additionalProperties:
+                            type: string
+                          description: Headers
+                          type: object
+                        method:
+                          description: Webhook Method
+                          type: string
+                        result:
+                          description: Result formatting
+                          properties:
+                            jsonPath:
+                              description: Json path of return value
+                              type: string
+                          type: object
+                        secrets:
+                          description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
+                          items:
+                            properties:
+                              name:
+                                description: Name of this secret in templates
+                                type: string
+                              secretRef:
+                                description: Secret ref to fill in credentials
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                    type: string
+                                type: object
+                            required:
+                              - name
+                              - secretRef
+                            type: object
+                          type: array
+                        timeout:
+                          description: Timeout
+                          type: string
+                        url:
+                          description: Webhook url to call
+                          type: string
+                      required:
+                        - result
+                        - url
+                      type: object
+                    yandexlockbox:
+                      description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
+                      properties:
+                        apiEndpoint:
+                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
+                          type: string
+                        auth:
+                          description: Auth defines the information necessary to authenticate against Yandex Lockbox
+                          properties:
+                            authorizedKeySecretRef:
+                              description: The authorized key used for authentication
+                              properties:
+                                key:
+                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                  type: string
+                                name:
+                                  description: The name of the Secret resource being referred to.
+                                  type: string
+                                namespace:
+                                  description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                  type: string
+                              type: object
+                          type: object
+                        caProvider:
+                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
+                          properties:
+                            certSecretRef:
+                              description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+                              properties:
+                                key:
+                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                  type: string
+                                name:
+                                  description: The name of the Secret resource being referred to.
+                                  type: string
+                                namespace:
+                                  description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                  type: string
+                              type: object
+                          type: object
+                      required:
+                        - auth
+                      type: object
+                  type: object
+                retrySettings:
+                  description: Used to configure http retries if failed
+                  properties:
+                    maxRetries:
+                      format: int32
+                      type: integer
+                    retryInterval:
+                      type: string
+                  type: object
+              required:
+                - provider
+              type: object
+            status:
+              description: SecretStoreStatus defines the observed state of the SecretStore.
+              properties:
+                conditions:
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        format: date-time
+                        type: string
+                      message:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    required:
+                      - status
+                      - type
+                    type: object
+                  type: array
+              type: object
+          type: object
+      served: true
+      storage: false
+      subresources:
+        status: {}
+    - additionalPrinterColumns:
+        - jsonPath: .metadata.creationTimestamp
+          name: AGE
+          type: date
+        - jsonPath: .status.conditions[?(@.type=="Ready")].reason
+          name: Status
+          type: string
+      name: v1beta1
+      schema:
+        openAPIV3Schema:
+          description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+          properties:
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: SecretStoreSpec defines the desired state of SecretStore.
+              properties:
+                controller:
+                  description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
+                  type: string
+                provider:
+                  description: Used to configure the provider. Only one provider may be set
+                  maxProperties: 1
+                  minProperties: 1
+                  properties:
+                    akeyless:
+                      description: Akeyless configures this store to sync secrets using Akeyless Vault provider
+                      properties:
+                        akeylessGWApiURL:
+                          description: Akeyless GW API Url from which the secrets to be fetched from.
+                          type: string
+                        authSecretRef:
+                          description: Auth configures how the operator authenticates with Akeyless.
+                          properties:
+                            secretRef:
+                              description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
+                              properties:
+                                accessID:
+                                  description: The SecretAccessID is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                accessType:
+                                  description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                accessTypeParam:
+                                  description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                          required:
+                            - secretRef
+                          type: object
+                      required:
+                        - akeylessGWApiURL
+                        - authSecretRef
+                      type: object
+                    alibaba:
+                      description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
+                      properties:
+                        auth:
+                          description: AlibabaAuth contains a secretRef for credentials.
+                          properties:
+                            secretRef:
+                              description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
+                              properties:
+                                accessKeyIDSecretRef:
+                                  description: The AccessKeyID is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                accessKeySecretSecretRef:
+                                  description: The AccessKeySecret is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              required:
+                                - accessKeyIDSecretRef
+                                - accessKeySecretSecretRef
+                              type: object
+                          required:
+                            - secretRef
+                          type: object
+                        endpoint:
+                          type: string
+                        regionID:
+                          description: Alibaba Region to be used for the provider
+                          type: string
+                      required:
+                        - auth
+                        - regionID
+                      type: object
+                    aws:
+                      description: AWS configures this store to sync secrets using AWS Secret Manager provider
+                      properties:
+                        auth:
+                          description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
+                          properties:
+                            jwt:
+                              description: Authenticate against AWS using service account tokens.
+                              properties:
+                                serviceAccountRef:
+                                  description: A reference to a ServiceAccount resource.
+                                  properties:
+                                    name:
+                                      description: The name of the ServiceAccount resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  required:
+                                    - name
+                                  type: object
+                              type: object
+                            secretRef:
+                              description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
+                              properties:
+                                accessKeyIDSecretRef:
+                                  description: The AccessKeyID is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                secretAccessKeySecretRef:
+                                  description: The SecretAccessKey is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                          type: object
+                        region:
+                          description: AWS Region to be used for the provider
+                          type: string
+                        role:
+                          description: Role is a Role ARN which the SecretManager provider will assume
+                          type: string
+                        service:
+                          description: Service defines which service should be used to fetch the secrets
+                          enum:
+                            - SecretsManager
+                            - ParameterStore
+                          type: string
+                      required:
+                        - region
+                        - service
+                      type: object
+                    azurekv:
+                      description: AzureKV configures this store to sync secrets using Azure Key Vault provider
+                      properties:
+                        authSecretRef:
+                          description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
+                          properties:
+                            clientId:
+                              description: The Azure clientId of the service principle used for authentication.
+                              properties:
+                                key:
+                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                  type: string
+                                name:
+                                  description: The name of the Secret resource being referred to.
+                                  type: string
+                                namespace:
+                                  description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                  type: string
+                              type: object
+                            clientSecret:
+                              description: The Azure ClientSecret of the service principle used for authentication.
+                              properties:
+                                key:
+                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                  type: string
+                                name:
+                                  description: The name of the Secret resource being referred to.
+                                  type: string
+                                namespace:
+                                  description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                  type: string
+                              type: object
+                          required:
+                            - clientId
+                            - clientSecret
+                          type: object
+                        authType:
+                          default: ServicePrincipal
+                          description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
+                          enum:
+                            - ServicePrincipal
+                            - ManagedIdentity
+                          type: string
+                        identityId:
+                          description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
+                          type: string
+                        tenantId:
+                          description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
+                          type: string
+                        vaultUrl:
+                          description: Vault Url from which the secrets to be fetched from.
+                          type: string
+                      required:
+                        - vaultUrl
+                      type: object
+                    fake:
+                      description: Fake configures a store with static key/value pairs
+                      properties:
+                        data:
+                          items:
+                            properties:
+                              key:
+                                type: string
+                              value:
+                                type: string
+                              valueMap:
+                                additionalProperties:
+                                  type: string
+                                type: object
+                              version:
+                                type: string
+                            required:
+                              - key
+                            type: object
+                          type: array
+                      required:
+                        - data
+                      type: object
+                    gcpsm:
+                      description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
+                      properties:
+                        auth:
+                          description: Auth defines the information necessary to authenticate against GCP
+                          properties:
+                            secretRef:
+                              properties:
+                                secretAccessKeySecretRef:
+                                  description: The SecretAccessKey is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                            workloadIdentity:
+                              properties:
+                                clusterLocation:
+                                  type: string
+                                clusterName:
+                                  type: string
+                                serviceAccountRef:
+                                  description: A reference to a ServiceAccount resource.
+                                  properties:
+                                    name:
+                                      description: The name of the ServiceAccount resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  required:
+                                    - name
+                                  type: object
+                              required:
+                                - clusterLocation
+                                - clusterName
+                                - serviceAccountRef
+                              type: object
+                          type: object
+                        projectID:
+                          description: ProjectID project where secret is located
+                          type: string
+                      type: object
+                    gitlab:
+                      description: GItlab configures this store to sync secrets using Gitlab Variables provider
+                      properties:
+                        auth:
+                          description: Auth configures how secret-manager authenticates with a GitLab instance.
+                          properties:
+                            SecretRef:
+                              properties:
+                                accessToken:
+                                  description: AccessToken is used for authentication.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                          required:
+                            - SecretRef
+                          type: object
+                        projectID:
+                          description: ProjectID specifies a project where secrets are located.
+                          type: string
+                        url:
+                          description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
+                          type: string
+                      required:
+                        - auth
+                      type: object
+                    ibm:
+                      description: IBM configures this store to sync secrets using IBM Cloud provider
+                      properties:
+                        auth:
+                          description: Auth configures how secret-manager authenticates with the IBM secrets manager.
+                          properties:
+                            secretRef:
+                              properties:
+                                secretApiKeySecretRef:
+                                  description: The SecretAccessKey is used for authentication
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                          required:
+                            - secretRef
+                          type: object
+                        serviceUrl:
+                          description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
+                          type: string
+                      required:
+                        - auth
+                      type: object
+                    kubernetes:
+                      description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
+                      properties:
+                        auth:
+                          description: Auth configures how secret-manager authenticates with a Kubernetes instance.
+                          maxProperties: 1
+                          minProperties: 1
+                          properties:
+                            cert:
+                              description: has both clientCert and clientKey as secretKeySelector
+                              properties:
+                                clientCert:
+                                  description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                clientKey:
+                                  description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                            serviceAccount:
+                              description: points to a service account that should be used for authentication
+                              properties:
+                                serviceAccount:
+                                  description: A reference to a ServiceAccount resource.
+                                  properties:
+                                    name:
+                                      description: The name of the ServiceAccount resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  required:
+                                    - name
+                                  type: object
+                              type: object
+                            token:
+                              description: use static token to authenticate with
+                              properties:
+                                bearerToken:
+                                  description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                          type: object
+                        remoteNamespace:
+                          default: default
+                          description: Remote namespace to fetch the secrets from
+                          type: string
+                        server:
+                          description: configures the Kubernetes server Address.
+                          properties:
+                            caBundle:
+                              description: CABundle is a base64-encoded CA certificate
+                              format: byte
+                              type: string
+                            caProvider:
+                              description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
+                              properties:
+                                key:
+                                  description: The key the value inside of the provider type to use, only used with "Secret" type
+                                  type: string
+                                name:
+                                  description: The name of the object located at the provider type.
+                                  type: string
+                                namespace:
+                                  description: The namespace the Provider type is in.
+                                  type: string
+                                type:
+                                  description: The type of provider to use such as "Secret", or "ConfigMap".
+                                  enum:
+                                    - Secret
+                                    - ConfigMap
+                                  type: string
+                              required:
+                                - name
+                                - type
+                              type: object
+                            url:
+                              default: kubernetes.default
+                              description: configures the Kubernetes server Address.
+                              type: string
+                          type: object
+                      required:
+                        - auth
+                      type: object
+                    oracle:
+                      description: Oracle configures this store to sync secrets using Oracle Vault provider
+                      properties:
+                        auth:
+                          description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
+                          properties:
+                            secretRef:
+                              description: SecretRef to pass through sensitive information.
+                              properties:
+                                fingerprint:
+                                  description: Fingerprint is the fingerprint of the API private key.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                privatekey:
+                                  description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              required:
+                                - fingerprint
+                                - privatekey
+                              type: object
+                            tenancy:
+                              description: Tenancy is the tenancy OCID where user is located.
+                              type: string
+                            user:
+                              description: User is an access OCID specific to the account.
+                              type: string
+                          required:
+                            - secretRef
+                            - tenancy
+                            - user
+                          type: object
+                        region:
+                          description: Region is the region where vault is located.
+                          type: string
+                        vault:
+                          description: Vault is the vault's OCID of the specific vault where secret is located.
+                          type: string
+                      required:
+                        - region
+                        - vault
+                      type: object
+                    vault:
+                      description: Vault configures this store to sync secrets using Hashi provider
+                      properties:
+                        auth:
+                          description: Auth configures how secret-manager authenticates with the Vault server.
+                          properties:
+                            appRole:
+                              description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
+                              properties:
+                                path:
+                                  default: approle
+                                  description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
+                                  type: string
+                                roleId:
+                                  description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
+                                  type: string
+                                secretRef:
+                                  description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              required:
+                                - path
+                                - roleId
+                                - secretRef
+                              type: object
+                            cert:
+                              description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
+                              properties:
+                                clientCert:
+                                  description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                secretRef:
+                                  description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              type: object
+                            jwt:
+                              description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
+                              properties:
+                                path:
+                                  default: jwt
+                                  description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
+                                  type: string
+                                role:
+                                  description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
+                                  type: string
+                                secretRef:
+                                  description: SecretRef to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                              required:
+                                - path
+                              type: object
+                            kubernetes:
+                              description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
+                              properties:
+                                mountPath:
+                                  default: kubernetes
+                                  description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
+                                  type: string
+                                role:
+                                  description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
+                                  type: string
+                                secretRef:
+                                  description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                serviceAccountRef:
+                                  description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
+                                  properties:
+                                    name:
+                                      description: The name of the ServiceAccount resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  required:
+                                    - name
+                                  type: object
+                              required:
+                                - mountPath
+                                - role
+                              type: object
+                            ldap:
+                              description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
+                              properties:
+                                path:
+                                  default: ldap
+                                  description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
+                                  type: string
+                                secretRef:
+                                  description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
+                                  properties:
+                                    key:
+                                      description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                      type: string
+                                    name:
+                                      description: The name of the Secret resource being referred to.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                      type: string
+                                  type: object
+                                username:
+                                  description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
+                                  type: string
+                              required:
+                                - path
+                                - username
+                              type: object
+                            tokenSecretRef:
+                              description: TokenSecretRef authenticates with Vault by presenting a token.
+                              properties:
+                                key:
+                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                  type: string
+                                name:
+                                  description: The name of the Secret resource being referred to.
+                                  type: string
+                                namespace:
+                                  description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                  type: string
+                              type: object
+                          type: object
+                        caBundle:
+                          description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
+                          format: byte
+                          type: string
+                        caProvider:
+                          description: The provider for the CA bundle to use to validate Vault server certificate.
+                          properties:
+                            key:
+                              description: The key the value inside of the provider type to use, only used with "Secret" type
+                              type: string
+                            name:
+                              description: The name of the object located at the provider type.
+                              type: string
+                            namespace:
+                              description: The namespace the Provider type is in.
+                              type: string
+                            type:
+                              description: The type of provider to use such as "Secret", or "ConfigMap".
+                              enum:
+                                - Secret
+                                - ConfigMap
+                              type: string
+                          required:
+                            - name
+                            - type
+                          type: object
+                        forwardInconsistent:
+                          description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+                          type: boolean
+                        namespace:
+                          description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
+                          type: string
+                        path:
+                          description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
+                          type: string
+                        readYourWrites:
+                          description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
+                          type: boolean
+                        server:
+                          description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
+                          type: string
+                        version:
+                          default: v2
+                          description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
+                          enum:
+                            - v1
+                            - v2
+                          type: string
+                      required:
+                        - auth
+                        - server
+                      type: object
+                    webhook:
+                      description: Webhook configures this store to sync secrets using a generic templated webhook
+                      properties:
+                        body:
+                          description: Body
+                          type: string
+                        caBundle:
+                          description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
+                          format: byte
+                          type: string
+                        caProvider:
+                          description: The provider for the CA bundle to use to validate webhook server certificate.
+                          properties:
+                            key:
+                              description: The key the value inside of the provider type to use, only used with "Secret" type
+                              type: string
+                            name:
+                              description: The name of the object located at the provider type.
+                              type: string
+                            namespace:
+                              description: The namespace the Provider type is in.
+                              type: string
+                            type:
+                              description: The type of provider to use such as "Secret", or "ConfigMap".
+                              enum:
+                                - Secret
+                                - ConfigMap
+                              type: string
+                          required:
+                            - name
+                            - type
+                          type: object
+                        headers:
+                          additionalProperties:
+                            type: string
+                          description: Headers
+                          type: object
+                        method:
+                          description: Webhook Method
+                          type: string
+                        result:
+                          description: Result formatting
+                          properties:
+                            jsonPath:
+                              description: Json path of return value
+                              type: string
+                          type: object
+                        secrets:
+                          description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
+                          items:
+                            properties:
+                              name:
+                                description: Name of this secret in templates
+                                type: string
+                              secretRef:
+                                description: Secret ref to fill in credentials
+                                properties:
+                                  key:
+                                    description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                    type: string
+                                  name:
+                                    description: The name of the Secret resource being referred to.
+                                    type: string
+                                  namespace:
+                                    description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                    type: string
+                                type: object
+                            required:
+                              - name
+                              - secretRef
+                            type: object
+                          type: array
+                        timeout:
+                          description: Timeout
+                          type: string
+                        url:
+                          description: Webhook url to call
+                          type: string
+                      required:
+                        - result
+                        - url
+                      type: object
+                    yandexlockbox:
+                      description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
+                      properties:
+                        apiEndpoint:
+                          description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
+                          type: string
+                        auth:
+                          description: Auth defines the information necessary to authenticate against Yandex Lockbox
+                          properties:
+                            authorizedKeySecretRef:
+                              description: The authorized key used for authentication
+                              properties:
+                                key:
+                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                  type: string
+                                name:
+                                  description: The name of the Secret resource being referred to.
+                                  type: string
+                                namespace:
+                                  description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                  type: string
+                              type: object
+                          type: object
+                        caProvider:
+                          description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
+                          properties:
+                            certSecretRef:
+                              description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+                              properties:
+                                key:
+                                  description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+                                  type: string
+                                name:
+                                  description: The name of the Secret resource being referred to.
+                                  type: string
+                                namespace:
+                                  description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+                                  type: string
+                              type: object
+                          type: object
+                      required:
+                        - auth
+                      type: object
+                  type: object
+                retrySettings:
+                  description: Used to configure http retries if failed
+                  properties:
+                    maxRetries:
+                      format: int32
+                      type: integer
+                    retryInterval:
+                      type: string
+                  type: object
+              required:
+                - provider
+              type: object
+            status:
+              description: SecretStoreStatus defines the observed state of the SecretStore.
+              properties:
+                conditions:
+                  items:
+                    properties:
+                      lastTransitionTime:
+                        format: date-time
+                        type: string
+                      message:
+                        type: string
+                      reason:
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        type: string
+                    required:
+                      - status
+                      - type
+                    type: object
+                  type: array
+              type: object
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+  conversion:
+    strategy: Webhook
+    webhook:
+      conversionReviewVersions:
+        - v1
+      clientConfig:
+        caBundle: Cg==
+        service:
+          name: kubernetes
+          namespace: default
+          path: /convert
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

+ 0 - 261
deploy/crds/external-secrets.io_externalsecrets.yaml

@@ -1,261 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  annotations:
-    controller-gen.kubebuilder.io/version: v0.8.0
-  creationTimestamp: null
-  name: externalsecrets.external-secrets.io
-spec:
-  group: external-secrets.io
-  names:
-    categories:
-    - externalsecrets
-    kind: ExternalSecret
-    listKind: ExternalSecretList
-    plural: externalsecrets
-    shortNames:
-    - es
-    singular: externalsecret
-  scope: Namespaced
-  versions:
-  - additionalPrinterColumns:
-    - jsonPath: .spec.secretStoreRef.name
-      name: Store
-      type: string
-    - jsonPath: .spec.refreshInterval
-      name: Refresh Interval
-      type: string
-    - jsonPath: .status.conditions[?(@.type=="Ready")].reason
-      name: Status
-      type: string
-    name: v1alpha1
-    schema:
-      openAPIV3Schema:
-        description: ExternalSecret is the Schema for the external-secrets API.
-        properties:
-          apiVersion:
-            description: 'APIVersion defines the versioned schema of this representation
-              of an object. Servers should convert recognized schemas to the latest
-              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
-            type: string
-          kind:
-            description: 'Kind is a string value representing the REST resource this
-              object represents. Servers may infer this from the endpoint the client
-              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
-            type: string
-          metadata:
-            type: object
-          spec:
-            description: ExternalSecretSpec defines the desired state of ExternalSecret.
-            properties:
-              data:
-                description: Data defines the connection between the Kubernetes Secret
-                  keys and the Provider data
-                items:
-                  description: ExternalSecretData defines the connection between the
-                    Kubernetes Secret key (spec.data.<key>) and the Provider data.
-                  properties:
-                    remoteRef:
-                      description: ExternalSecretDataRemoteRef defines Provider data
-                        location.
-                      properties:
-                        key:
-                          description: Key is the key used in the Provider, mandatory
-                          type: string
-                        property:
-                          description: Used to select a specific property of the Provider
-                            value (if a map), if supported
-                          type: string
-                        version:
-                          description: Used to select a specific version of the Provider
-                            value, if supported
-                          type: string
-                      required:
-                      - key
-                      type: object
-                    secretKey:
-                      type: string
-                  required:
-                  - remoteRef
-                  - secretKey
-                  type: object
-                type: array
-              dataFrom:
-                description: DataFrom is used to fetch all properties from a specific
-                  Provider data If multiple entries are specified, the Secret keys
-                  are merged in the specified order
-                items:
-                  description: ExternalSecretDataRemoteRef defines Provider data location.
-                  properties:
-                    key:
-                      description: Key is the key used in the Provider, mandatory
-                      type: string
-                    property:
-                      description: Used to select a specific property of the Provider
-                        value (if a map), if supported
-                      type: string
-                    version:
-                      description: Used to select a specific version of the Provider
-                        value, if supported
-                      type: string
-                  required:
-                  - key
-                  type: object
-                type: array
-              refreshInterval:
-                default: 1h
-                description: RefreshInterval is the amount of time before the values
-                  are read again from the SecretStore provider Valid time units are
-                  "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to
-                  fetch and create it once. Defaults to 1h.
-                type: string
-              secretStoreRef:
-                description: SecretStoreRef defines which SecretStore to fetch the
-                  ExternalSecret data.
-                properties:
-                  kind:
-                    description: Kind of the SecretStore resource (SecretStore or
-                      ClusterSecretStore) Defaults to `SecretStore`
-                    type: string
-                  name:
-                    description: Name of the SecretStore resource
-                    type: string
-                required:
-                - name
-                type: object
-              target:
-                description: ExternalSecretTarget defines the Kubernetes Secret to
-                  be created There can be only one target per ExternalSecret.
-                properties:
-                  creationPolicy:
-                    default: Owner
-                    description: CreationPolicy defines rules on how to create the
-                      resulting Secret Defaults to 'Owner'
-                    type: string
-                  immutable:
-                    description: Immutable defines if the final secret will be immutable
-                    type: boolean
-                  name:
-                    description: Name defines the name of the Secret resource to be
-                      managed This field is immutable Defaults to the .metadata.name
-                      of the ExternalSecret resource
-                    type: string
-                  template:
-                    description: Template defines a blueprint for the created Secret
-                      resource.
-                    properties:
-                      data:
-                        additionalProperties:
-                          type: string
-                        type: object
-                      engineVersion:
-                        default: v1
-                        description: EngineVersion specifies the template engine version
-                          that should be used to compile/execute the template specified
-                          in .data and .templateFrom[].
-                        type: string
-                      metadata:
-                        description: ExternalSecretTemplateMetadata defines metadata
-                          fields for the Secret blueprint.
-                        properties:
-                          annotations:
-                            additionalProperties:
-                              type: string
-                            type: object
-                          labels:
-                            additionalProperties:
-                              type: string
-                            type: object
-                        type: object
-                      templateFrom:
-                        items:
-                          maxProperties: 1
-                          minProperties: 1
-                          properties:
-                            configMap:
-                              properties:
-                                items:
-                                  items:
-                                    properties:
-                                      key:
-                                        type: string
-                                    required:
-                                    - key
-                                    type: object
-                                  type: array
-                                name:
-                                  type: string
-                              required:
-                              - items
-                              - name
-                              type: object
-                            secret:
-                              properties:
-                                items:
-                                  items:
-                                    properties:
-                                      key:
-                                        type: string
-                                    required:
-                                    - key
-                                    type: object
-                                  type: array
-                                name:
-                                  type: string
-                              required:
-                              - items
-                              - name
-                              type: object
-                          type: object
-                        type: array
-                      type:
-                        type: string
-                    type: object
-                type: object
-            required:
-            - secretStoreRef
-            - target
-            type: object
-          status:
-            properties:
-              conditions:
-                items:
-                  properties:
-                    lastTransitionTime:
-                      format: date-time
-                      type: string
-                    message:
-                      type: string
-                    reason:
-                      type: string
-                    status:
-                      type: string
-                    type:
-                      type: string
-                  required:
-                  - status
-                  - type
-                  type: object
-                type: array
-              refreshTime:
-                description: refreshTime is the time and date the external secret
-                  was fetched and the target secret updated
-                format: date-time
-                nullable: true
-                type: string
-              syncedResourceVersion:
-                description: SyncedResourceVersion keeps track of the last synced
-                  version
-                type: string
-            type: object
-        type: object
-    served: true
-    storage: true
-    subresources:
-      status: {}
-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: []
-  storedVersions: []

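--- a/e2e/framework/addon/eso.go
+++ b/e2e/framework/addon/eso.go
@@ -35,6 +35,22 @@ func NewESO(mutators ...MutationFunc) *ESO {
 					Key:   "image.repository",
 					Value: os.Getenv("IMAGE_REGISTRY"),
 				},
+				{
+					Key:   "webhook.image.repository",
+					Value: os.Getenv("IMAGE_REGISTRY"),
+				},
+				{
+					Key:   "certController.image.repository",
+					Value: os.Getenv("IMAGE_REGISTRY"),
+				},
+				{
+					Key:   "webhook.image.tag",
+					Value: os.Getenv("VERSION"),
+				},
+				{
+					Key:   "certController.image.tag",
+					Value: os.Getenv("VERSION"),
+				},
 				{
 					Key:   "image.tag",
 					Value: os.Getenv("VERSION"),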
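Review bot: The four new values read `os.Getenv("IMAGE_REGISTRY")` and `os.Getenv("VERSION")` without checking for an empty result, so an unset variable silently turns `webhook.image.repository`, `certController.image.repository` or the two `.tag` values into `""`, which overrides the chart defaults and surfaces later as an image pull failure rather than a clear setup error. The pre-existing `image.repository` and `image.tag` entries have the same pattern, but the new lines double the number of places it can bite and repeat the lookups. I would hoist the two lookups above the list, `registry := os.Getenv("IMAGE_REGISTRY")` and `version := os.Getenv("VERSION")`, reuse them in all six entries, and fail fast with an explicit message when either is empty (presumably a panic is acceptable in e2e setup, since the signature returns only `*ESO`). `NewESO` starts and ends outside the hunk.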

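--- a/go.mod
+++ b/go.mod
@@ -34,6 +34,7 @@ replace (
 
 require (
 	cloud.google.com/go v0.100.2 // indirect
+	cloud.google.com/go/iam v0.2.0
 	cloud.google.com/go/secretmanager v1.2.0
 	github.com/Azure/azure-sdk-for-go v61.5.0+incompatible
 	github.com/Azure/go-autorest/autorest/azure/auth v0.5.11
@@ -61,6 +62,7 @@ require (
 	github.com/oracle/oci-go-sdk/v56 v56.1.0
 	github.com/prometheus/client_golang v1.12.1
 	github.com/prometheus/client_model v0.2.0
+	github.com/spf13/cobra v1.3.0
 	github.com/stretchr/testify v1.7.0
 	github.com/tidwall/gjson v1.14.0
 	github.com/xanzy/go-gitlab v0.54.3
@@ -76,6 +78,7 @@ require (
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
 	grpc.go4.org v0.0.0-20170609214715-11d0a25b4919
 	k8s.io/api v0.23.0
+	k8s.io/apiextensions-apiserver v0.23.0
 	k8s.io/apimachinery v0.23.0
 	k8s.io/client-go v0.23.0
 	k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b
@@ -84,8 +87,6 @@ require (
 	software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78
 )
 
-require cloud.google.com/go/iam v0.2.0
-
 require (
 	cloud.google.com/go/compute v1.2.0 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
@@ -177,13 +178,11 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/common v0.32.1 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
-	github.com/russross/blackfriday/v2 v2.0.1 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/shopspring/decimal v1.2.0 // indirect
-	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
 	github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b // indirect
-	github.com/spf13/cast v1.3.1 // indirect
-	github.com/spf13/cobra v1.2.1 // indirect
+	github.com/spf13/cast v1.4.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stretchr/objx v0.2.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
@@ -192,7 +191,7 @@ require (
 	go.opencensus.io v0.23.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
-	golang.org/x/mod v0.4.2 // indirect
+	golang.org/x/mod v0.5.0 // indirect
 	golang.org/x/net v0.0.0-20220114011407-0dd24b26b47d // indirect
 	golang.org/x/sys v0.0.0-20220204135822-1c1b9b1eba6a // indirect
 	golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b // indirect
@@ -208,7 +207,6 @@ require (
 	gopkg.in/ini.v1 v1.66.2 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/apiextensions-apiserver v0.23.0 // indirect
 	k8s.io/component-base v0.23.0 // indirect
 	k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c // indirect
 	k8s.io/klog v0.3.0 // indirect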

+ 62 - 5
go.sum

@@ -25,6 +25,7 @@ cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aD
 cloud.google.com/go v0.93.3/go.mod h1:8utlLll2EF5XMAV15woO4lSbWQlk8rer9aLOfLh7+YI=
 cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW4=
 cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc=
+cloud.google.com/go v0.98.0/go.mod h1:ua6Ush4NALrHk5QXDWnjvZHN93OuF0HfuEPq9I1X0cM=
 cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA=
 cloud.google.com/go v0.100.1/go.mod h1:fs4QogzfH5n2pBXBP9vRiU+eCny7lD2vmFZy79Iuw1U=
 cloud.google.com/go v0.100.2 h1:t9Iw5QH5v4XtlEQaCtUY7x6sCABps8sW0acw7e2WQ6Y=
@@ -41,6 +42,7 @@ cloud.google.com/go/compute v1.2.0/go.mod h1:xlogom/6gr8RJGBe7nT2eGsQYAFUbbv8dbC
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
 cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
+cloud.google.com/go/firestore v1.6.1/go.mod h1:asNXNOzBdyVQmEU+ggO8UPodTkEVFW5Qx+rwHnAz+EY=
 cloud.google.com/go/iam v0.1.0/go.mod h1:vcUNEa0pEm0qRVpmWepWaFMIAI8/hjB9mO8rNCJtF6c=
 cloud.google.com/go/iam v0.2.0 h1:Ouq6qif4mZdXkb3SiFMpxvu0JQJB1Yid9TsZ23N6hg8=
 cloud.google.com/go/iam v0.2.0/go.mod h1:BCK88+tmjAwnZYfOSizmKCTSFjJHCa18t3DpdGEY13Y=
@@ -158,6 +160,7 @@ github.com/cenkalti/backoff/v3 v3.0.0/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4r
 github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M=
 github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/certifi/gocertifi v0.0.0-20191021191039-0944d244cd40/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA=
 github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054/go.mod h1:sGbDF6GwGcLpkNXPUTkMRoywsNa/ol15pxFe6ERfguA=
 github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
@@ -179,7 +182,9 @@ github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XP
 github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20211130200136-a8f946100490/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo=
 github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA=
 github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI=
@@ -195,6 +200,7 @@ github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSV
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/crossplane/crossplane-runtime v0.15.1 h1:4l3iTMyrQRkt9U0P1oJ6M71JMFGcIq95agFu7OPrwRE=
@@ -225,13 +231,16 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.m
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
 github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
+github.com/envoyproxy/go-control-plane v0.10.1/go.mod h1:AY7fTTXNdv/aJ2O5jwpxAPOWUZ7hQAEvzN5Pf27BkQQ=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/envoyproxy/protoc-gen-validate v0.6.2/go.mod h1:2t7qjJNvHPx8IjnBOzl9E9/baC+qXE/TeeyBRzgJDws=
 github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
 github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84=
 github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.5.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
 github.com/fatih/color v1.12.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
 github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w=
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
@@ -441,7 +450,9 @@ github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgf
 github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
+github.com/hashicorp/consul/api v1.11.0/go.mod h1:XjsvQN+RJGWI2TWy1/kqaE16HrR2J/FWgkYjdZQsX9M=
 github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
+github.com/hashicorp/consul/sdk v0.8.0/go.mod h1:GBvyrGALthsZObzUGsfgHZQDXjg4lOjagTIwIR1vPms=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -451,8 +462,10 @@ github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9n
 github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
 github.com/hashicorp/go-getter v1.4.0/go.mod h1:7qxyCd8rBfcShwsvxgIguu4KbS3l8bUCwg2Umn7RjeY=
 github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
+github.com/hashicorp/go-hclog v0.12.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
 github.com/hashicorp/go-hclog v0.14.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
 github.com/hashicorp/go-hclog v0.16.2/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
+github.com/hashicorp/go-hclog v1.0.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
 github.com/hashicorp/go-hclog v1.1.0 h1:QsGcniKx5/LuX2eYoeL+Np3UKYPNaN7YKpTh29h8rbw=
 github.com/hashicorp/go-hclog v1.1.0/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
@@ -461,6 +474,7 @@ github.com/hashicorp/go-immutable-radix v1.3.1/go.mod h1:0y9vanUI8NX6FsYoO3zeMjh
 github.com/hashicorp/go-kms-wrapping/entropy v0.1.0/go.mod h1:d1g9WGtAunDNpek8jUIEJnBlbgKS1N2Q61QkHiZyR1g=
 github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
+github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/go-plugin v1.4.3 h1:DXmvivbWD5qdiBts9TpBC7BYL1Aia5sxbRgQB+v6UZM=
@@ -508,8 +522,14 @@ github.com/hashicorp/hcl v1.0.1-vault-3 h1:V95v5KSTu6DB5huDSKiq4uAfILEuNigK/+qPE
 github.com/hashicorp/hcl v1.0.1-vault-3/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
 github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64=
 github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
+github.com/hashicorp/mdns v1.0.1/go.mod h1:4gW7WsVCke5TE7EPeYliwHlRUyBtfCwuFwuMg2DmyNY=
+github.com/hashicorp/mdns v1.0.4/go.mod h1:mtBihi+LeNXGtG8L9dX59gAEa12BDtBQSp4v/YAJqrc=
 github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
+github.com/hashicorp/memberlist v0.2.2/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE=
+github.com/hashicorp/memberlist v0.3.0/go.mod h1:MS2lj3INKhZjWNqd3N0m3J+Jxf3DAOnAH9VT3Sh9MUE=
 github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
+github.com/hashicorp/serf v0.9.5/go.mod h1:UWDWwZeL5cuWDJdl0C6wrvrUwEqtQ4ZKBKKENpqIUyk=
+github.com/hashicorp/serf v0.9.6/go.mod h1:TXZNMjZQijwlDvp+r0b63xZ45H7JmCmgg4gpTwn9UV4=
 github.com/hashicorp/vault/api v1.3.1 h1:pkDkcgTh47PRjY1NEFeofqR4W/HkNUi9qIakESO2aRM=
 github.com/hashicorp/vault/api v1.3.1/go.mod h1:QeJoWxMFt+MsuWcYhmwRLwKEXrjwAFFywzhptMsTIUw=
 github.com/hashicorp/vault/sdk v0.3.0 h1:kR3dpxNkhh/wr6ycaJYqp6AFT/i2xaftbfnwZduTKEY=
@@ -521,6 +541,7 @@ github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpO
 github.com/huandu/xstrings v1.3.1/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/huandu/xstrings v1.3.2 h1:L18LIDzqlW6xN2rEkpdV8+oL/IXWJ1APd+vsdYy4Wdw=
 github.com/huandu/xstrings v1.3.2/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
+github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
@@ -595,6 +616,7 @@ github.com/lestrrat-go/option v1.0.0 h1:WqAWL8kh8VcSoD6xjSH34/1m8yxluXQbDeKNfvFe
 github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lestrrat-go/pdebug/v3 v3.0.1 h1:3G5sX/aw/TbMTtVc9U7IHBWRZtMvwvBziF1e4HoQtv8=
 github.com/lestrrat-go/pdebug/v3 v3.0.1/go.mod h1:za+m+Ve24yCxTEhR59N7UlnJomWwCiIqbJRmKeiADU4=
+github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc87/1qhoTACD8w=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
@@ -615,6 +637,7 @@ github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNx
 github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84=
+github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
@@ -623,7 +646,10 @@ github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI=
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
+github.com/miekg/dns v1.1.26/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso=
+github.com/miekg/dns v1.1.41/go.mod h1:p6aan82bvRIyn+zDIv9xYNUpwa73JcSh9BKwknJysuI=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
+github.com/mitchellh/cli v1.1.0/go.mod h1:xcISNoH86gajksDmfB23e/pu+B+GeFRMYmoHXxx3xhI=
 github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
@@ -705,6 +731,7 @@ github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144T
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE=
 github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
+github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pierrec/lz4 v2.5.2+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY=
 github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM=
@@ -717,6 +744,7 @@ github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZ
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
+github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s=
 github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
@@ -756,16 +784,17 @@ github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/russross/blackfriday v1.5.2 h1:HyvC0ARfnZBqnXwABFeSZHpKvJHJJfPz81GNueLj0oo=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
-github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
+github.com/sagikazarmark/crypt v0.3.0/go.mod h1:uD/D+6UF4SrIR1uGEv7bBNkNqLGqUr43MRiaGWX1Nig=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
 github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ=
 github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
-github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
@@ -783,15 +812,18 @@ github.com/sony/gobreaker v0.4.2-0.20210216022020-dd874f9dd33b/go.mod h1:ZKptC7F
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
+github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=
 github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
-github.com/spf13/cast v1.3.1 h1:nFm6S0SMdyzrzcmThSipiEubIDy8WEXKNZ0UOgiRpng=
 github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
+github.com/spf13/cast v1.4.1 h1:s0hze+J0196ZfEMTs80N7UlFt0BDuQ7Q+JDnHiMWKdA=
+github.com/spf13/cast v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
 github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
 github.com/spf13/cobra v1.1.3/go.mod h1:pGADOWyqRD/YMrPZigI/zbliZ2wVD/23d+is3pSWzOo=
-github.com/spf13/cobra v1.2.1 h1:+KmjbUw1hriSNMF55oPrkZcb27aECyrj8V2ytv7kWDw=
 github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk=
+github.com/spf13/cobra v1.3.0 h1:R7cSvGu+Vv+qX0gW5R/85dx2kmmJT5z5NM8ifdYjdn0=
+github.com/spf13/cobra v1.3.0/go.mod h1:BrRVncBjOJa/eUcVVm9CE+oC6as8k+VYr4NY7WCi9V4=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
@@ -800,6 +832,7 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
 github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
 github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
 github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns=
+github.com/spf13/viper v1.10.0/go.mod h1:SoyBPwAtKDzypXNDFKN5kzH7ppppbGZtls1UpIy5AsM=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -848,8 +881,11 @@ github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
 go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
+go.etcd.io/etcd/api/v3 v3.5.1/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
 go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
+go.etcd.io/etcd/client/pkg/v3 v3.5.1/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
 go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ=
+go.etcd.io/etcd/client/v2 v2.305.1/go.mod h1:pMEacxZW7o8pg4CrFE7pquyCJJzZvkvdD2RibOCCCGs=
 go.etcd.io/etcd/client/v3 v3.5.0/go.mod h1:AIKXXVX/DQXtfTEqBryiLTUXwON+GuvO6Z7lLS/oTh0=
 go.etcd.io/etcd/pkg/v3 v3.5.0/go.mod h1:UzJGatBQ1lXChBkQF0AuAtkRQMYnHubxAEYIrC3MSsE=
 go.etcd.io/etcd/raft/v3 v3.5.0/go.mod h1:UFOHSIvO/nKwd4lhkwabrTD3cqW5yVyYYf/KlD00Szc=
@@ -903,6 +939,7 @@ golang.org/x/crypto v0.0.0-20190422162423-af44ce270edf/go.mod h1:WFFai1msRO1wXaE
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -950,8 +987,9 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.2 h1:Gz96sIWK3OalVv/I/qNygP42zyoKp3xptRVCWRFEBvo=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.5.0 h1:UG21uOlmZabA4fW5i7ZX6bjw1xELEGg/ZLgZq9auk/Q=
+golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/net v0.0.0-20180530234432-1e491301e022/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -972,6 +1010,7 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -997,10 +1036,12 @@ golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8=
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
 golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220114011407-0dd24b26b47d h1:1n1fc535VhN8SYtD4cDUyNlfpAF2ROMM9+11equK3hs=
@@ -1023,6 +1064,7 @@ golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 h1:RerP+noqYHUQ8CMRcPlC2nvTa4dcBIjegkuWdcUDuqg=
 golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1059,6 +1101,8 @@ golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1070,6 +1114,7 @@ golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200124204421-9fbb57f87de9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1095,6 +1140,7 @@ golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1111,12 +1157,15 @@ golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210816183151-1e6c022a8912/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211029165221-6e7872819dc8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -1167,6 +1216,7 @@ golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgw
 golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20190907020128-2ca718005c18/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@@ -1254,7 +1304,9 @@ google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6
 google.golang.org/api v0.55.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE=
 google.golang.org/api v0.56.0/go.mod h1:38yMfeP1kfjsl8isn0tliTjIb1rJXcQi4UXlbqivdVE=
 google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdrMgI=
+google.golang.org/api v0.59.0/go.mod h1:sT2boj7M9YJxZzgeZqXogmhfmRWDtPzT31xkieUbuZU=
 google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I=
+google.golang.org/api v0.62.0/go.mod h1:dKmwPCydfsad4qCH08MSdgWjfHOyfpd4VtDGgRFdavw=
 google.golang.org/api v0.63.0/go.mod h1:gs4ij2ffTRXwuzzgJl/56BdwJaA194ijkfn++9tDuPo=
 google.golang.org/api v0.66.0/go.mod h1:I1dmXYpX7HGwz/ejRxwQp2qj5bFAz93HiCU1C1oYd9M=
 google.golang.org/api v0.67.0/go.mod h1:ShHKP8E60yPsKNw/w8w+VYaj9H6buA5UqDp8dhbQZ6g=
@@ -1331,7 +1383,11 @@ google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEc
 google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
 google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
 google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
+google.golang.org/genproto v0.0.0-20211008145708-270636b82663/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
+google.golang.org/genproto v0.0.0-20211028162531-8db9c33dc351/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
 google.golang.org/genproto v0.0.0-20211118181313-81c1377c94b1/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
+google.golang.org/genproto v0.0.0-20211129164237-f09f9a12af12/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
+google.golang.org/genproto v0.0.0-20211203200212-54befc351ae9/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
 google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
 google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
 google.golang.org/genproto v0.0.0-20211221195035-429b39de9b1c/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
@@ -1369,6 +1425,7 @@ google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.40.1/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k=
+google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
 google.golang.org/grpc v1.44.0 h1:weqSxi/TMs1SqFRMHCtBgXRs8k3X39QIDEZ0pRcttUg=
 google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=

+ 4 - 120
main.go

@@ -1,4 +1,6 @@
 /*
+Copyright © 2022 ESO Maintainer Team
+
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
@@ -11,128 +13,10 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-
 package main
 
-import (
-	"flag"
-	"os"
-	"time"
-
-	"go.uber.org/zap/zapcore"
-	v1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
-	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/controller"
-	"sigs.k8s.io/controller-runtime/pkg/log/zap"
-
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
-	"github.com/external-secrets/external-secrets/pkg/controllers/externalsecret"
-	"github.com/external-secrets/external-secrets/pkg/controllers/secretstore"
-)
-
-var (
-	scheme   = runtime.NewScheme()
-	setupLog = ctrl.Log.WithName("setup")
-)
-
-const errCreateController = "unable to create controller"
-
-func init() {
-	_ = clientgoscheme.AddToScheme(scheme)
-	_ = esv1alpha1.AddToScheme(scheme)
-}
+import "github.com/external-secrets/external-secrets/cmd"
 
 func main() {
-	var metricsAddr string
-	var controllerClass string
-	var enableLeaderElection bool
-	var concurrent int
-	var loglevel string
-	var namespace string
-	var storeRequeueInterval time.Duration
-	flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
-	flag.StringVar(&controllerClass, "controller-class", "default", "the controller is instantiated with a specific controller name and filters ES based on this property")
-	flag.BoolVar(&enableLeaderElection, "enable-leader-election", false,
-		"Enable leader election for controller manager. "+
-			"Enabling this will ensure there is only one active controller manager.")
-	flag.IntVar(&concurrent, "concurrent", 1, "The number of concurrent ExternalSecret reconciles.")
-	flag.StringVar(&loglevel, "loglevel", "info", "loglevel to use, one of: debug, info, warn, error, dpanic, panic, fatal")
-	flag.StringVar(&namespace, "namespace", "", "watch external secrets scoped in the provided namespace only. ClusterSecretStore can be used but only work if it doesn't reference resources from other namespaces")
-	flag.DurationVar(&storeRequeueInterval, "store-requeue-interval", time.Minute*5, "Time duration between reconciling (Cluster)SecretStores")
-	flag.Parse()
-
-	var lvl zapcore.Level
-	err := lvl.UnmarshalText([]byte(loglevel))
-	if err != nil {
-		setupLog.Error(err, "error unmarshalling loglevel")
-		os.Exit(1)
-	}
-	logger := zap.New(zap.Level(lvl))
-	ctrl.SetLogger(logger)
-
-	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
-		Scheme:             scheme,
-		MetricsBindAddress: metricsAddr,
-		Port:               9443,
-		LeaderElection:     enableLeaderElection,
-		LeaderElectionID:   "external-secrets-controller",
-		ClientDisableCacheFor: []client.Object{
-			// the client creates a ListWatch for all resource kinds that
-			// are requested with .Get().
-			// We want to avoid to cache all secrets or configmaps in memory.
-			// The ES controller uses v1.PartialObjectMetadata for the secrets
-			// that he owns.
-			// see #721
-			&v1.Secret{},
-			&v1.ConfigMap{},
-		},
-		Namespace: namespace,
-	})
-	if err != nil {
-		setupLog.Error(err, "unable to start manager")
-		os.Exit(1)
-	}
-
-	if err = (&secretstore.StoreReconciler{
-		Client:          mgr.GetClient(),
-		Log:             ctrl.Log.WithName("controllers").WithName("SecretStore"),
-		Scheme:          mgr.GetScheme(),
-		ControllerClass: controllerClass,
-		RequeueInterval: storeRequeueInterval,
-	}).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, errCreateController, "controller", "SecretStore")
-		os.Exit(1)
-	}
-	if err = (&secretstore.ClusterStoreReconciler{
-		Client:          mgr.GetClient(),
-		Log:             ctrl.Log.WithName("controllers").WithName("ClusterSecretStore"),
-		Scheme:          mgr.GetScheme(),
-		ControllerClass: controllerClass,
-		RequeueInterval: storeRequeueInterval,
-	}).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, errCreateController, "controller", "ClusterSecretStore")
-		os.Exit(1)
-	}
-	if err = (&externalsecret.Reconciler{
-		Client:          mgr.GetClient(),
-		Log:             ctrl.Log.WithName("controllers").WithName("ExternalSecret"),
-		Scheme:          mgr.GetScheme(),
-		ControllerClass: controllerClass,
-		RequeueInterval: time.Hour,
-	}).SetupWithManager(mgr, controller.Options{
-		MaxConcurrentReconciles: concurrent,
-	}); err != nil {
-		setupLog.Error(err, errCreateController, "controller", "ExternalSecret")
-		os.Exit(1)
-	}
-
-	setupLog.Info("starting manager")
-	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
-		setupLog.Error(err, "problem running manager")
-		os.Exit(1)
-	}
+	cmd.Execute()
 }
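Review bot: With main reduced to `cmd.Execute()`, the manager options that used to be reviewable here are now out of sight — in particular `ClientDisableCacheFor: []client.Object{&v1.Secret{}, &v1.ConfigMap{}}`, which kept the controller from holding every Secret and ConfigMap in the cluster in its informer cache (the removed comment cites #721). The cmd package is not part of this hunk, so I cannot confirm that setting is carried over; please verify it is, since silently re-enabling the cache would widen the controller's in-memory exposure of secret material. A one-line comment above the call, `// flag parsing and manager setup live in the cmd package`, would also help readers who land in main.go first.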

+ 225 - 0
pkg/controllers/crds/common_test.go

@@ -0,0 +1,225 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package crds
+
+import (
+	"context"
+	"encoding/json"
+	"time"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	corev1 "k8s.io/api/core/v1"
+	apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+)
+
+const (
+	crdGroup   = "apiextensions.k8s.io"
+	crdKind    = "CustomResourceDefinition"
+	crdVersion = "v1"
+)
+
+type testCase struct {
+	crd     unstructured.Unstructured
+	crd2    unstructured.Unstructured
+	service corev1.Service
+	secret  corev1.Secret
+	assert  func()
+}
+
+var _ = Describe("CRD reconcile", func() {
+	var test *testCase
+
+	BeforeEach(func() {
+		test = makeDefaultTestcase()
+	})
+
+	AfterEach(func() {
+		// To improve later on with proper clean up.
+	})
+
+	// a invalid provider config should be reflected
+	// in the store status condition
+	PatchesCRD := func(tc *testCase) {
+		tc.assert = func() {
+			Consistently(func() bool {
+				ss := unstructured.Unstructured{}
+				ss.SetGroupVersionKind(schema.GroupVersionKind{Kind: crdKind, Version: crdVersion, Group: crdGroup})
+				err := k8sClient.Get(context.Background(), types.NamespacedName{
+					Name: "secretstores.test.io",
+				}, &ss)
+				if err != nil {
+					return false
+				}
+				val, ok, err := unstructured.NestedString(ss.Object, "spec", "conversion", "webhook", "clientConfig", "service", "name")
+				if err != nil || !ok {
+					return false
+				}
+				want, ok, err := unstructured.NestedString(tc.crd.Object, "spec", "conversion", "webhook", "clientConfig", "service", "name")
+				if err != nil || !ok {
+					return false
+				}
+				return want != val
+			}).
+				WithTimeout(time.Second * 10).
+				WithPolling(time.Second).
+				Should(BeTrue())
+		}
+	}
+
+	// if controllerClass does not match the controller
+	// should not touch this store
+	ignoreNonTargetCRDs := func(tc *testCase) {
+		tc.assert = func() {
+			Consistently(func() bool {
+				ss := unstructured.Unstructured{}
+				ss.SetGroupVersionKind(schema.GroupVersionKind{Kind: crdKind, Version: crdVersion, Group: crdGroup})
+				err := k8sClient.Get(context.Background(), types.NamespacedName{
+					Name: "some-other.test.io",
+				}, &ss)
+				if err != nil {
+					return false
+				}
+				got, ok, err := unstructured.NestedString(ss.Object, "spec", "conversion", "webhook", "clientConfig", "service", "name")
+				if !ok || err != nil {
+					return false
+				}
+				want, ok, err := unstructured.NestedString(tc.crd2.Object, "spec", "conversion", "webhook", "clientConfig", "service", "name")
+				if !ok || err != nil {
+					return false
+				}
+				return got == want
+			}).
+				WithTimeout(time.Second * 3).
+				WithPolling(time.Millisecond * 500).
+				Should(BeTrue())
+		}
+	}
+
+	DescribeTable("Controller Reconcile logic", func(muts ...func(tc *testCase)) {
+		for _, mut := range muts {
+			mut(test)
+		}
+		ctx := context.Background()
+		k8sClient.Create(ctx, &test.secret)
+		k8sClient.Create(ctx, &test.service)
+		k8sClient.Create(ctx, &test.crd)
+		k8sClient.Create(ctx, &test.crd2)
+		test.assert()
+	},
+
+		Entry("[namespace] Ignore non Target CRDs", ignoreNonTargetCRDs),
+		Entry("[namespace] Patch target CRDs", PatchesCRD),
+	)
+
+})
+
+func makeUnstructuredCRD(plural, group string) unstructured.Unstructured {
+	crd := apiextensions.CustomResourceDefinition{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: plural + "." + group,
+		},
+		Spec: apiextensions.CustomResourceDefinitionSpec{
+			Versions: []apiextensions.CustomResourceDefinitionVersion{
+				{
+					Name:    "v1",
+					Served:  true,
+					Storage: true,
+					Schema: &apiextensions.CustomResourceValidation{
+						OpenAPIV3Schema: &apiextensions.JSONSchemaProps{
+							Type: "object",
+						},
+					},
+				},
+			},
+			Group: group,
+			Scope: apiextensions.NamespaceScoped,
+			Names: apiextensions.CustomResourceDefinitionNames{
+				Plural:   plural,
+				Singular: "idc",
+				Kind:     "IDC",
+				ListKind: "IDCList",
+			},
+			Conversion: &apiextensions.CustomResourceConversion{
+				Strategy: "Webhook",
+				Webhook: &apiextensions.WebhookConversion{
+					ConversionReviewVersions: []string{"v1"},
+					ClientConfig: &apiextensions.WebhookClientConfig{
+						CABundle: []byte("foobar"),
+						Service: &apiextensions.ServiceReference{
+							Name:      "webhook",
+							Namespace: "default",
+						},
+					},
+				},
+			},
+		},
+	}
+	marshal, _ := json.Marshal(crd)
+	unmarshal := make(map[string]interface{})
+	json.Unmarshal(marshal, &unmarshal)
+	u := unstructured.Unstructured{
+		Object: unmarshal,
+	}
+	u.SetGroupVersionKind(schema.GroupVersionKind{Kind: crdKind, Version: "v1", Group: crdGroup})
+	return u
+}
+
+func makeSecret() corev1.Secret {
+	return corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "foo",
+			Namespace: "default",
+			Labels: map[string]string{
+				"foo": "bar",
+			},
+		},
+	}
+}
+
+func makeService() corev1.Service {
+	return corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "foo",
+			Namespace: "default",
+			Labels: map[string]string{
+				"foo": "bar",
+			},
+		},
+		Spec: corev1.ServiceSpec{
+			Ports: []corev1.ServicePort{
+				{
+					Name: "http",
+					Port: 80,
+				},
+			},
+		},
+	}
+}
+
+func makeDefaultTestcase() *testCase {
+	return &testCase{
+		assert: func() {
+			// this is a noop by default
+		},
+		crd:     makeUnstructuredCRD("secretstores", "test.io"),
+		crd2:    makeUnstructuredCRD("some-other", "test.io"),
+		secret:  makeSecret(),
+		service: makeService(),
+	}
+}
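Review bot: `PatchesCRD` wraps its check in `Consistently`, which fails as soon as the first sample is false, so the test only passes if the reconciler has already patched `secretstores.test.io` before the assertion starts — that is a race against the controller rather than a test of it; use `Eventually(...).WithTimeout(time.Second * 10).WithPolling(time.Second).Should(BeTrue())` there and keep `Consistently` for the negative case in `ignoreNonTargetCRDs`. The four `k8sClient.Create` calls in the `DescribeTable` body and the `json.Unmarshal` in `makeUnstructuredCRD` discard their errors, so a setup failure surfaces as a confusing timeout instead of a clear failure; wrap them as `Expect(k8sClient.Create(ctx, &test.secret)).To(Succeed())`. The comment above `PatchesCRD` ("a invalid provider config should be reflected in the store status condition") is copied from another suite and does not describe this case; replace it with `// target CRDs get the conversion webhook service name patched in`.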

+ 479 - 0
pkg/controllers/crds/crds_controller.go

@@ -0,0 +1,479 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package crds
+
+import (
+	"bytes"
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/base64"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"math/big"
+	"os"
+	"time"
+
+	"github.com/go-logr/logr"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/tools/record"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+)
+
+const (
+	certName             = "tls.crt"
+	keyName              = "tls.key"
+	caCertName           = "ca.crt"
+	caKeyName            = "ca.key"
+	certValidityDuration = 10 * 365 * 24 * time.Hour
+	LookaheadInterval    = 90 * 24 * time.Hour
+)
+
+type WebhookType int
+
+const (
+	Validating WebhookType = iota
+	Mutating
+	CRDConversion
+)
+
+type Reconciler struct {
+	client.Client
+	Log                    logr.Logger
+	Scheme                 *runtime.Scheme
+	recorder               record.EventRecorder
+	SvcName                string
+	SvcNamespace           string
+	SecretName             string
+	SecretNamespace        string
+	CrdResources           []string
+	dnsName                string
+	CAName                 string
+	CAOrganization         string
+	RestartOnSecretRefresh bool
+	RequeueInterval        time.Duration
+}
+
+type CertInfo struct {
+	CertDir  string
+	CertName string
+	KeyName  string
+	CAName   string
+}
+type WebhookInfo struct {
+	Name string
+	Type WebhookType
+}
+
+func contains(s []string, e string) bool {
+	for _, a := range s {
+		if a == e {
+			return true
+		}
+	}
+	return false
+}
+func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
+	log := r.Log.WithValues("CustomResourceDefinition", req.NamespacedName)
+	if contains(r.CrdResources, req.NamespacedName.Name) {
+		err := r.updateCRD(ctx, req)
+		if err != nil {
+			log.Error(err, "failed to inject conversion webhook")
+			return ctrl.Result{}, err
+		}
+	}
+	return ctrl.Result{RequeueAfter: r.RequeueInterval}, nil
+}
+
+func (r *Reconciler) ConvertToWebhookInfo() []WebhookInfo {
+	info := make([]WebhookInfo, len(r.CrdResources))
+	for p, v := range r.CrdResources {
+		r := WebhookInfo{
+			Name: v,
+			Type: CRDConversion,
+		}
+		info[p] = r
+	}
+	return info
+}
+
+func (r *Reconciler) SetupWithManager(mgr ctrl.Manager, opts controller.Options) error {
+	crdGVK := schema.GroupVersionKind{Group: "apiextensions.k8s.io", Version: "v1", Kind: "CustomResourceDefinition"}
+	res := &unstructured.Unstructured{}
+	res.SetGroupVersionKind(crdGVK)
+	r.recorder = mgr.GetEventRecorderFor("custom-resource-definition")
+	return ctrl.NewControllerManagedBy(mgr).
+		WithOptions(opts).
+		For(res).
+		Complete(r)
+}
+
+func (r *Reconciler) updateCRD(ctx context.Context, req ctrl.Request) error {
+	crdGVK := schema.GroupVersionKind{Group: "apiextensions.k8s.io", Version: "v1", Kind: "CustomResourceDefinition"}
+
+	secret := corev1.Secret{}
+	secretName := types.NamespacedName{
+		Name:      r.SecretName,
+		Namespace: r.SecretNamespace,
+	}
+	err := r.Get(context.Background(), secretName, &secret)
+	if err != nil {
+		return err
+	}
+	updatedResource := &unstructured.Unstructured{}
+	updatedResource.SetGroupVersionKind(crdGVK)
+	if err := r.Get(ctx, req.NamespacedName, updatedResource); err != nil {
+		return err
+	}
+	svc := types.NamespacedName{
+		Name:      r.SvcName,
+		Namespace: r.SvcNamespace,
+	}
+	if err := injectSvcToConversionWebhook(updatedResource, svc); err != nil {
+		return err
+	}
+	r.dnsName = fmt.Sprintf("%v.%v.svc", r.SvcName, r.SvcNamespace)
+	need, err := r.refreshCertIfNeeded(&secret)
+	if err != nil {
+		return err
+	}
+	if need {
+		artifacts, err := buildArtifactsFromSecret(&secret)
+		if err != nil {
+			return err
+		}
+		if err := injectCertToConversionWebhook(updatedResource, artifacts.CertPEM); err != nil {
+			return err
+		}
+	}
+	if err := r.Update(ctx, updatedResource); err != nil {
+		return err
+	}
+	return nil
+}
+
+func injectSvcToConversionWebhook(crd *unstructured.Unstructured, svc types.NamespacedName) error {
+	_, found, err := unstructured.NestedMap(crd.Object, "spec", "conversion", "webhook", "clientConfig")
+	if err != nil {
+		return err
+	}
+	if !found {
+		return errors.New("`conversion.webhook.clientConfig` field not found in CustomResourceDefinition")
+	}
+	if err := unstructured.SetNestedField(crd.Object, svc.Name, "spec", "conversion", "webhook", "clientConfig", "service", "name"); err != nil {
+		return err
+	}
+	if err := unstructured.SetNestedField(crd.Object, svc.Namespace, "spec", "conversion", "webhook", "clientConfig", "service", "namespace"); err != nil {
+		return err
+	}
+	return nil
+}
+
+func injectCertToConversionWebhook(crd *unstructured.Unstructured, certPem []byte) error {
+	_, found, err := unstructured.NestedMap(crd.Object, "spec", "conversion", "webhook", "clientConfig")
+	if err != nil {
+		return err
+	}
+	if !found {
+		return errors.New("`conversion.webhook.clientConfig` field not found in CustomResourceDefinition")
+	}
+	if err := unstructured.SetNestedField(crd.Object, base64.StdEncoding.EncodeToString(certPem), "spec", "conversion", "webhook", "clientConfig", "caBundle"); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+type KeyPairArtifacts struct {
+	Cert    *x509.Certificate
+	Key     *rsa.PrivateKey
+	CertPEM []byte
+	KeyPEM  []byte
+}
+
+func populateSecret(cert, key []byte, caArtifacts *KeyPairArtifacts, secret *corev1.Secret) {
+	if secret.Data == nil {
+		secret.Data = make(map[string][]byte)
+	}
+	secret.Data[caCertName] = caArtifacts.CertPEM
+	secret.Data[caKeyName] = caArtifacts.KeyPEM
+	secret.Data[certName] = cert
+	secret.Data[keyName] = key
+}
+
+func ValidCert(caCert, cert, key []byte, dnsName string, at time.Time) (bool, error) {
+	if len(caCert) == 0 || len(cert) == 0 || len(key) == 0 {
+		return false, errors.New("empty cert")
+	}
+
+	pool := x509.NewCertPool()
+	caDer, _ := pem.Decode(caCert)
+	if caDer == nil {
+		return false, errors.New("bad CA cert")
+	}
+	cac, err := x509.ParseCertificate(caDer.Bytes)
+	if err != nil {
+		return false, err
+	}
+	pool.AddCert(cac)
+
+	_, err = tls.X509KeyPair(cert, key)
+	if err != nil {
+		return false, err
+	}
+
+	b, _ := pem.Decode(cert)
+	if b == nil {
+		return false, err
+	}
+
+	crt, err := x509.ParseCertificate(b.Bytes)
+	if err != nil {
+		return false, err
+	}
+	_, err = crt.Verify(x509.VerifyOptions{
+		DNSName:     dnsName,
+		Roots:       pool,
+		CurrentTime: at,
+	})
+	if err != nil {
+		return false, err
+	}
+	return true, nil
+}
+
+func lookaheadTime() time.Time {
+	return time.Now().Add(LookaheadInterval)
+}
+
+func (r *Reconciler) validServerCert(caCert, cert, key []byte) bool {
+	valid, err := ValidCert(caCert, cert, key, r.dnsName, lookaheadTime())
+	if err != nil {
+		return false
+	}
+	return valid
+}
+
+func (r *Reconciler) validCACert(cert, key []byte) bool {
+	valid, err := ValidCert(cert, cert, key, r.CAName, lookaheadTime())
+	if err != nil {
+		return false
+	}
+	return valid
+}
+
+func (r *Reconciler) refreshCertIfNeeded(secret *corev1.Secret) (bool, error) {
+	if secret.Data == nil || !r.validCACert(secret.Data[caCertName], secret.Data[caKeyName]) {
+		if err := r.refreshCerts(true, secret); err != nil {
+			return false, err
+		}
+		if r.RestartOnSecretRefresh {
+			os.Exit(0)
+		}
+		return true, nil
+	}
+	if !r.validServerCert(secret.Data[caCertName], secret.Data[certName], secret.Data[keyName]) {
+		if err := r.refreshCerts(false, secret); err != nil {
+			return false, err
+		}
+		if r.RestartOnSecretRefresh {
+			os.Exit(0)
+		}
+		return true, nil
+	}
+	return true, nil
+}
+
+func (r *Reconciler) refreshCerts(refreshCA bool, secret *corev1.Secret) error {
+	var caArtifacts *KeyPairArtifacts
+	now := time.Now()
+	begin := now.Add(-1 * time.Hour)
+	end := now.Add(certValidityDuration)
+	if refreshCA {
+		var err error
+		caArtifacts, err = r.CreateCACert(begin, end)
+		if err != nil {
+			return err
+		}
+	} else {
+		var err error
+		caArtifacts, err = buildArtifactsFromSecret(secret)
+		if err != nil {
+			return err
+		}
+	}
+	cert, key, err := r.CreateCertPEM(caArtifacts, begin, end)
+	if err != nil {
+		return err
+	}
+	if err := r.writeSecret(cert, key, caArtifacts, secret); err != nil {
+		return err
+	}
+	return nil
+}
+
+func buildArtifactsFromSecret(secret *corev1.Secret) (*KeyPairArtifacts, error) {
+	caPem, ok := secret.Data[caCertName]
+	if !ok {
+		return nil, fmt.Errorf("cert secret is not well-formed, missing %s", caCertName)
+	}
+	keyPem, ok := secret.Data[caKeyName]
+	if !ok {
+		return nil, fmt.Errorf("cert secret is not well-formed, missing %s", caKeyName)
+	}
+	caDer, _ := pem.Decode(caPem)
+	if caDer == nil {
+		return nil, errors.New("bad CA cert")
+	}
+	caCert, err := x509.ParseCertificate(caDer.Bytes)
+	if err != nil {
+		return nil, err
+	}
+	keyDer, _ := pem.Decode(keyPem)
+	if keyDer == nil {
+		return nil, err
+	}
+	key, err := x509.ParsePKCS1PrivateKey(keyDer.Bytes)
+	if err != nil {
+		return nil, err
+	}
+	return &KeyPairArtifacts{
+		Cert:    caCert,
+		CertPEM: caPem,
+		KeyPEM:  keyPem,
+		Key:     key,
+	}, nil
+}
+
+func (r *Reconciler) CreateCACert(begin, end time.Time) (*KeyPairArtifacts, error) {
+	templ := &x509.Certificate{
+		SerialNumber: big.NewInt(0),
+		Subject: pkix.Name{
+			CommonName:   r.CAName,
+			Organization: []string{r.CAOrganization},
+		},
+		DNSNames: []string{
+			r.CAName,
+		},
+		NotBefore:             begin,
+		NotAfter:              end,
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign,
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+	}
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, err
+	}
+	der, err := x509.CreateCertificate(rand.Reader, templ, templ, key.Public(), key)
+	if err != nil {
+		return nil, err
+	}
+	certPEM, keyPEM, err := pemEncode(der, key)
+	if err != nil {
+		return nil, err
+	}
+	cert, err := x509.ParseCertificate(der)
+	if err != nil {
+		return nil, err
+	}
+
+	return &KeyPairArtifacts{Cert: cert, Key: key, CertPEM: certPEM, KeyPEM: keyPEM}, nil
+}
+
+func (r *Reconciler) CreateCertPEM(ca *KeyPairArtifacts, begin, end time.Time) ([]byte, []byte, error) {
+	templ := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			CommonName: r.dnsName,
+		},
+		DNSNames: []string{
+			r.dnsName,
+		},
+		NotBefore:             begin,
+		NotAfter:              end,
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, nil, err
+	}
+	der, err := x509.CreateCertificate(rand.Reader, templ, ca.Cert, key.Public(), ca.Key)
+	if err != nil {
+		return nil, nil, err
+	}
+	certPEM, keyPEM, err := pemEncode(der, key)
+	if err != nil {
+		return nil, nil, err
+	}
+	return certPEM, keyPEM, nil
+}
+
+func pemEncode(certificateDER []byte, key *rsa.PrivateKey) ([]byte, []byte, error) {
+	certBuf := &bytes.Buffer{}
+	if err := pem.Encode(certBuf, &pem.Block{Type: "CERTIFICATE", Bytes: certificateDER}); err != nil {
+		return nil, nil, err
+	}
+	keyBuf := &bytes.Buffer{}
+	if err := pem.Encode(keyBuf, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}); err != nil {
+		return nil, nil, err
+	}
+	return certBuf.Bytes(), keyBuf.Bytes(), nil
+}
+
+func (r *Reconciler) writeSecret(cert, key []byte, caArtifacts *KeyPairArtifacts, secret *corev1.Secret) error {
+	populateSecret(cert, key, caArtifacts, secret)
+	return r.Update(context.Background(), secret)
+}
+
+func CheckCerts(c CertInfo, dnsName string, at time.Time) error {
+	certFile := c.CertDir + "/" + c.CertName
+	_, err := os.Stat(certFile)
+	if err != nil {
+		return err
+	}
+	ca, err := os.ReadFile(c.CertDir + "/" + c.CAName)
+	if err != nil {
+		return err
+	}
+	cert, err := os.ReadFile(c.CertDir + "/" + c.CertName)
+	if err != nil {
+		return err
+	}
+	key, err := os.ReadFile(c.CertDir + "/" + c.KeyName)
+	if err != nil {
+		return err
+	}
+	ok, err := ValidCert(ca, cert, key, dnsName, at)
+	if err != nil {
+		return err
+	}
+	if !ok {
+		return errors.New("certificate is not valid")
+	}
+	return nil
+}
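Review bot: `buildArtifactsFromSecret` returns `nil, err` when `pem.Decode(keyPem)` yields nil, but `err` is still nil from the successful `x509.ParseCertificate` just above, so a malformed `ca.key` in the secret produces `(nil, nil)` and both callers then dereference it (`artifacts.CertPEM` in `updateCRD`, `ca.Cert`/`ca.Key` in `CreateCertPEM`) and panic the manager; return an explicit error, `return nil, errors.New("bad CA key")`, mirroring the `bad CA cert` branch. `ValidCert` has the same shape at its `pem.Decode(cert)` check, where `return false, err` actually returns `(false, nil)` and should be `return false, errors.New("bad cert")`. Separately, `CreateCACert` and `CreateCertPEM` hard-code serial numbers 0 and 1, so every leaf certificate re-issued under an unchanged CA (the `refreshCerts(false, …)` path) shares serial 1 with its predecessor, and RFC 5280 requires serials to be positive and unique per issuer; draw them with `serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))` instead. Note also that `refreshCertIfNeeded` returns `true, nil` on all three non-error paths, so the `need` flag in `updateCRD` never gates anything — either drop it or return `false` when no refresh happened, and document on the function that a return of `true` means "certificate material is valid", not "was refreshed".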

+ 344 - 0
pkg/controllers/crds/crds_controller_test.go

@@ -0,0 +1,344 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package crds
+
+import (
+	"context"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/json"
+	"os"
+	"testing"
+	"time"
+
+	corev1 "k8s.io/api/core/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/types"
+	ctrl "sigs.k8s.io/controller-runtime"
+	client "sigs.k8s.io/controller-runtime/pkg/client/fake"
+)
+
+const (
+	setupError              = "Could not setup test"
+	errorSearchingField     = "Error when searching for field"
+	failedCreateCaCerts     = "could not create ca certificates:%v"
+	failedCreateServerCerts = "could not create server certificates:%v"
+	invalidCerts            = "generated certificates are invalid:%v,%v"
+	dnsName                 = "foobar"
+)
+
+func newReconciler() Reconciler {
+	return Reconciler{
+		CrdResources:    []string{"one", "two", "three"},
+		SvcName:         "foo",
+		SvcNamespace:    "default",
+		SecretName:      "foo",
+		SecretNamespace: "default",
+	}
+}
+
+func newService() corev1.Service {
+	return corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "foo",
+			Namespace: "default",
+			Labels:    map[string]string{"foo": "bar"},
+		},
+	}
+}
+func newSecret() corev1.Secret {
+	return corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "foo",
+			Namespace: "default",
+			Labels:    map[string]string{"foo": "bar"},
+		},
+	}
+}
+
+func newCRD() apiextensionsv1.CustomResourceDefinition {
+	return apiextensionsv1.CustomResourceDefinition{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "one",
+		},
+		Spec: apiextensionsv1.CustomResourceDefinitionSpec{
+			Conversion: &apiextensionsv1.CustomResourceConversion{
+				Strategy: "Webhook",
+				Webhook: &apiextensionsv1.WebhookConversion{
+					ConversionReviewVersions: []string{"v1"},
+					ClientConfig: &apiextensionsv1.WebhookClientConfig{
+						CABundle: []byte("test"),
+						Service: &apiextensionsv1.ServiceReference{
+							Name:      "wrong",
+							Namespace: "wrong",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+func TestConvertToWebhookInfo(t *testing.T) {
+	rec := newReconciler()
+	info := rec.ConvertToWebhookInfo()
+	if len(info) != 3 {
+		t.Errorf("Convert to WebhookInfo failed. Total resources:%d", len(info))
+	}
+	for _, v := range info {
+		if v.Type != CRDConversion {
+			t.Errorf("Convert to WebhookInfo failed. wrong type:%v", v.Type)
+		}
+		if v.Name != "one" && v.Name != "two" && v.Name != "three" {
+			t.Errorf("Convert to WebhookInfo failed. wrong name:%v", v.Name)
+		}
+	}
+}
+
+func TestUpdateCRD(t *testing.T) {
+	rec := newReconciler()
+	svc := newService()
+	secret := newSecret()
+	crd := newCRD()
+	c := client.NewClientBuilder().WithObjects(&svc, &secret, &crd).Build()
+	rec.Client = c
+	ctx := context.Background()
+	req := ctrl.Request{
+		NamespacedName: types.NamespacedName{
+			Name: "one",
+		},
+	}
+	err := rec.updateCRD(ctx, req)
+	if err != nil {
+		t.Errorf("Failed updating CRD:%v", err)
+	}
+}
+
+func TestInjectSvcToConversionWebhook(t *testing.T) {
+	svc := newService()
+	crd := newCRD()
+	crdunmarshalled := make(map[string]interface{})
+	crdJSON, err := json.Marshal(crd)
+	if err != nil {
+		t.Fatal(setupError)
+	}
+	err = json.Unmarshal(crdJSON, &crdunmarshalled)
+	if err != nil {
+		t.Fatal(setupError)
+	}
+	u := unstructured.Unstructured{
+		Object: crdunmarshalled,
+	}
+	name := types.NamespacedName{
+		Name:      svc.Name,
+		Namespace: svc.Namespace,
+	}
+	err = injectSvcToConversionWebhook(&u, name)
+	if err != nil {
+		t.Errorf("Failed: error when injecting: %v", err)
+	}
+	val, found, err := unstructured.NestedString(u.Object, "spec", "conversion", "webhook", "clientConfig", "service", "name")
+	if err != nil {
+		t.Error(errorSearchingField)
+	}
+	if !found {
+		t.Error("fieldNotFound")
+	}
+	if val != "foo" {
+		t.Errorf("Wrong service name injected: %v", val)
+	}
+
+	val, found, err = unstructured.NestedString(u.Object, "spec", "conversion", "webhook", "clientConfig", "service", "namespace")
+	if err != nil {
+		t.Error(errorSearchingField)
+	}
+	if !found {
+		t.Error("fieldNotFound")
+	}
+	if val != "default" {
+		t.Errorf("Wrong service namespace injected: %v", val)
+	}
+}
+
+func TestInjectCertToConversionWebhook(t *testing.T) {
+	certPEM := []byte("foobar")
+	crd := newCRD()
+	crdunmarshalled := make(map[string]interface{})
+	crdJSON, err := json.Marshal(crd)
+	if err != nil {
+		t.Fatal(setupError)
+	}
+	err = json.Unmarshal(crdJSON, &crdunmarshalled)
+	if err != nil {
+		t.Fatal(setupError)
+	}
+	u := unstructured.Unstructured{
+		Object: crdunmarshalled,
+	}
+	err = injectCertToConversionWebhook(&u, certPEM)
+	if err != nil {
+		t.Errorf("Failed: error when injecting: %v", err)
+	}
+	val, found, err := unstructured.NestedString(u.Object, "spec", "conversion", "webhook", "clientConfig", "caBundle")
+	if err != nil {
+		t.Error(errorSearchingField)
+	}
+	if !found {
+		t.Error("fieldNotFound")
+	}
+	if val != "Zm9vYmFy" {
+		t.Errorf("Wrong certificate name injected: %v", val)
+	}
+}
+func TestPopulateSecret(t *testing.T) {
+	secret := newSecret()
+	caArtifacts := KeyPairArtifacts{
+		Cert:    &x509.Certificate{},
+		Key:     &rsa.PrivateKey{},
+		CertPEM: []byte("foobarca"),
+		KeyPEM:  []byte("foobarcakey"),
+	}
+	cert := []byte("foobarcert")
+	key := []byte("foobarkey")
+	populateSecret(cert, key, &caArtifacts, &secret)
+	if string(secret.Data["tls.crt"]) != string(cert) {
+		t.Errorf("secret value for tls.crt is wrong:%v", cert)
+	}
+	if string(secret.Data["tls.key"]) != string(key) {
+		t.Errorf("secret value for tls.key is wrong:%v", cert)
+	}
+	if string(secret.Data["ca.crt"]) != string(caArtifacts.CertPEM) {
+		t.Errorf("secret value for ca.crt is wrong:%v", cert)
+	}
+	if string(secret.Data["ca.key"]) != string(caArtifacts.KeyPEM) {
+		t.Errorf("secret value for ca.key is wrong:%v", cert)
+	}
+}
+
+func TestCreateCACert(t *testing.T) {
+	rec := newReconciler()
+	caArtifacts, err := rec.CreateCACert(time.Now(), time.Now().AddDate(1, 0, 0))
+	if err != nil {
+		t.Errorf(failedCreateCaCerts, err)
+	}
+	if !rec.validCACert(caArtifacts.CertPEM, caArtifacts.KeyPEM) {
+		t.Errorf(invalidCerts, caArtifacts.CertPEM, caArtifacts.KeyPEM)
+	}
+}
+
+func TestCreateCertPEM(t *testing.T) {
+	rec := newReconciler()
+	caArtifacts, err := rec.CreateCACert(time.Now(), time.Now().AddDate(1, 0, 0))
+	if err != nil {
+		t.Fatalf(failedCreateCaCerts, err)
+	}
+	certPEM, keyPEM, err := rec.CreateCertPEM(caArtifacts, time.Now(), time.Now().AddDate(1, 0, 0))
+	if err != nil {
+		t.Errorf(failedCreateServerCerts, err)
+	}
+	if !rec.validServerCert(caArtifacts.CertPEM, certPEM, keyPEM) {
+		t.Errorf(invalidCerts, certPEM, keyPEM)
+	}
+}
+func TestValidCert(t *testing.T) {
+	rec := newReconciler()
+	rec.dnsName = dnsName
+	caArtifacts, err := rec.CreateCACert(time.Now(), time.Now().AddDate(1, 0, 0))
+	if err != nil {
+		t.Fatalf(failedCreateCaCerts, err)
+	}
+	certPEM, keyPEM, err := rec.CreateCertPEM(caArtifacts, time.Now(), time.Now().AddDate(1, 0, 0))
+	if err != nil {
+		t.Errorf(failedCreateServerCerts, err)
+	}
+	ok, err := ValidCert(caArtifacts.CertPEM, certPEM, keyPEM, dnsName, time.Now())
+	if err != nil {
+		t.Errorf("error validating cert: %v", err)
+	}
+	if !ok {
+		t.Errorf("certificate is invalid")
+	}
+}
+
+func TestRefreshCertIfNeeded(t *testing.T) {
+	rec := newReconciler()
+	secret := newSecret()
+	c := client.NewClientBuilder().WithObjects(&secret).Build()
+	rec.Client = c
+	rec.dnsName = dnsName
+	caArtifacts, err := rec.CreateCACert(time.Now().AddDate(-1, 0, 0), time.Now().AddDate(0, -1, 0))
+	if err != nil {
+		t.Fatalf(failedCreateCaCerts, err)
+	}
+	certPEM, keyPEM, err := rec.CreateCertPEM(caArtifacts, time.Now(), time.Now().AddDate(1, 0, 0))
+	if err != nil {
+		t.Errorf(failedCreateServerCerts, err)
+	}
+	populateSecret(certPEM, keyPEM, caArtifacts, &secret)
+	ok, err := rec.refreshCertIfNeeded(&secret)
+	if err != nil {
+		t.Errorf("could not verify refresh need: %v", err)
+	}
+	if !ok {
+		t.Error("expected refresh true. got false")
+	}
+	ok, err = rec.refreshCertIfNeeded(&secret)
+	if err != nil {
+		t.Errorf("could not verify refresh need: %v", err)
+	}
+	if !ok {
+		t.Error("expected refresh false. got true")
+	}
+}
+
+func TestCheckCerts(t *testing.T) {
+	rec := newReconciler()
+	rec.dnsName = dnsName
+	caArtifacts, err := rec.CreateCACert(time.Now().AddDate(0, 0, -1), time.Now().AddDate(0, 0, 2))
+	if err != nil {
+		t.Fatalf(failedCreateCaCerts, err)
+	}
+	certPEM, keyPEM, err := rec.CreateCertPEM(caArtifacts, time.Now(), time.Now().AddDate(0, 0, 1))
+	if err != nil {
+		t.Errorf(failedCreateServerCerts, err)
+	}
+	os.WriteFile("/tmp/ca", caArtifacts.CertPEM, 0644)
+	os.WriteFile("/tmp/tls", certPEM, 0644)
+	os.WriteFile("/tmp/key", keyPEM, 0644)
+	cert := CertInfo{
+		CertDir:  "/tmp",
+		CertName: "tls",
+		CAName:   "ca",
+		KeyName:  "key",
+	}
+	err = CheckCerts(cert, rec.dnsName, time.Now())
+	if err != nil {
+		t.Errorf("error checking valid cert: %v", err)
+	}
+	err = CheckCerts(cert, rec.dnsName, time.Now().AddDate(-1, 0, 0))
+	if err == nil {
+		t.Error("expected failure due to expired certificate, got success")
+	}
+	err = CheckCerts(cert, "wrong", time.Now())
+	if err == nil {
+		t.Error("expected failure due to dns name got, success")
+	}
+	cert.CAName = "wrong"
+	err = CheckCerts(cert, rec.dnsName, time.Now())
+	if err == nil {
+		t.Error("expected failure due to wrong certificate name, got success")
+	}
+}
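Review bot: The second assertion in TestRefreshCertIfNeeded contradicts its own message: it fails when `ok` is false yet reports "expected refresh false. got true", so the test only passes if the secret is refreshed twice in a row. If the intent is that a freshly rewritten secret needs no further refresh, the check should read `if ok { t.Error("expected refresh false. got true") }`. TestCheckCerts also writes the generated CA, certificate and private key to fixed paths under /tmp with every os.WriteFile error discarded and mode 0644; using `t.TempDir()` for CertDir and checking each write error keeps the key out of a shared world-readable directory and makes the test hermetic. The four failure messages in TestPopulateSecret all print `cert`, even for the tls.key, ca.crt and ca.key checks, so a failure there would show the wrong value.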

+ 102 - 0
pkg/controllers/crds/suite_test.go

@@ -0,0 +1,102 @@
+/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package crds
+
+import (
+	"context"
+	"path/filepath"
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/envtest"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/log/zap"
+
+	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
+)
+
+var cfg *rest.Config
+var k8sClient client.Client
+var testEnv *envtest.Environment
+var cancel context.CancelFunc
+
+func TestAPIs(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Controller Suite")
+}
+
+var _ = BeforeSuite(func() {
+	log := zap.New(zap.WriteTo(GinkgoWriter))
+	logf.SetLogger(log)
+
+	By("bootstrapping test environment")
+	testEnv = &envtest.Environment{
+		CRDDirectoryPaths: []string{filepath.Join("..", "..", "..", "deploy", "crds")},
+	}
+
+	var ctx context.Context
+	ctx, cancel = context.WithCancel(context.Background())
+
+	var err error
+	cfg, err = testEnv.Start()
+	Expect(err).ToNot(HaveOccurred())
+	Expect(cfg).ToNot(BeNil())
+
+	err = esapi.AddToScheme(scheme.Scheme)
+	Expect(err).NotTo(HaveOccurred())
+
+	k8sManager, err := ctrl.NewManager(cfg, ctrl.Options{
+		Scheme:             scheme.Scheme,
+		MetricsBindAddress: "0", // avoid port collision when testing
+	})
+	Expect(err).ToNot(HaveOccurred())
+
+	k8sClient, err = client.New(cfg, client.Options{Scheme: scheme.Scheme})
+	Expect(err).ToNot(HaveOccurred())
+	Expect(k8sClient).ToNot(BeNil())
+
+	err = (&Reconciler{
+		Client:                 k8sClient,
+		Scheme:                 k8sManager.GetScheme(),
+		Log:                    ctrl.Log.WithName("controllers").WithName("CustomResourceDefinition"),
+		SvcName:                "foo",
+		SvcNamespace:           "default",
+		SecretName:             "foo",
+		SecretNamespace:        "default",
+		CrdResources:           []string{"externalsecrets.test.io", "secretstores.test.io", "clustersecretstores.test.io"},
+		CAName:                 "external-secrets",
+		CAOrganization:         "external-secrets",
+		RestartOnSecretRefresh: false,
+	}).SetupWithManager(k8sManager, controller.Options{})
+	Expect(err).ToNot(HaveOccurred())
+
+	go func() {
+		defer GinkgoRecover()
+		Expect(k8sManager.Start(ctx)).ToNot(HaveOccurred())
+	}()
+})
+
+var _ = AfterSuite(func() {
+	By("tearing down the test environment")
+	cancel() // stop manager
+	err := testEnv.Stop()
+	Expect(err).ToNot(HaveOccurred())
+})

+ 39 - 30
pkg/controllers/externalsecret/externalsecret_controller.go

@@ -34,7 +34,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	"github.com/external-secrets/external-secrets/pkg/controllers/secretstore"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 
@@ -89,13 +89,13 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 
 	syncCallsMetricLabels := prometheus.Labels{"name": req.Name, "namespace": req.Namespace}
 
-	var externalSecret esv1alpha1.ExternalSecret
+	var externalSecret esv1beta1.ExternalSecret
 
 	err := r.Get(ctx, req.NamespacedName, &externalSecret)
 	if apierrors.IsNotFound(err) {
 		syncCallsTotal.With(syncCallsMetricLabels).Inc()
-		conditionSynced := NewExternalSecretCondition(esv1alpha1.ExternalSecretDeleted, v1.ConditionFalse, esv1alpha1.ConditionReasonSecretDeleted, "Secret was deleted")
-		SetExternalSecretCondition(&esv1alpha1.ExternalSecret{
+		conditionSynced := NewExternalSecretCondition(esv1beta1.ExternalSecretDeleted, v1.ConditionFalse, esv1beta1.ConditionReasonSecretDeleted, "Secret was deleted")
+		SetExternalSecretCondition(&esv1beta1.ExternalSecret{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      req.Name,
 				Namespace: req.Namespace,
@@ -120,8 +120,8 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 	store, err := r.getStore(ctx, &externalSecret)
 	if err != nil {
 		log.Error(err, errStoreRef)
-		r.recorder.Event(&externalSecret, v1.EventTypeWarning, esv1alpha1.ReasonInvalidStoreRef, err.Error())
-		conditionSynced := NewExternalSecretCondition(esv1alpha1.ExternalSecretReady, v1.ConditionFalse, esv1alpha1.ConditionReasonSecretSyncedError, errStoreRef)
+		r.recorder.Event(&externalSecret, v1.EventTypeWarning, esv1beta1.ReasonInvalidStoreRef, err.Error())
+		conditionSynced := NewExternalSecretCondition(esv1beta1.ExternalSecretReady, v1.ConditionFalse, esv1beta1.ConditionReasonSecretSyncedError, errStoreRef)
 		SetExternalSecretCondition(&externalSecret, *conditionSynced)
 		syncCallsError.With(syncCallsMetricLabels).Inc()
 		return ctrl.Result{RequeueAfter: requeueAfter}, nil
@@ -145,9 +145,9 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 	secretClient, err := storeProvider.NewClient(ctx, store, r.Client, req.Namespace)
 	if err != nil {
 		log.Error(err, errStoreClient)
-		conditionSynced := NewExternalSecretCondition(esv1alpha1.ExternalSecretReady, v1.ConditionFalse, esv1alpha1.ConditionReasonSecretSyncedError, errStoreClient)
+		conditionSynced := NewExternalSecretCondition(esv1beta1.ExternalSecretReady, v1.ConditionFalse, esv1beta1.ConditionReasonSecretSyncedError, errStoreClient)
 		SetExternalSecretCondition(&externalSecret, *conditionSynced)
-		r.recorder.Event(&externalSecret, v1.EventTypeWarning, esv1alpha1.ReasonProviderClientConfig, err.Error())
+		r.recorder.Event(&externalSecret, v1.EventTypeWarning, esv1beta1.ReasonProviderClientConfig, err.Error())
 		syncCallsError.With(syncCallsMetricLabels).Inc()
 		return ctrl.Result{RequeueAfter: requeueAfter}, nil
 	}
@@ -206,7 +206,7 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 	}
 
 	mutationFunc := func() error {
-		if externalSecret.Spec.Target.CreationPolicy == esv1alpha1.Owner {
+		if externalSecret.Spec.Target.CreationPolicy == esv1beta1.Owner {
 			err = controllerutil.SetControllerReference(&externalSecret, &secret.ObjectMeta, r.Scheme)
 			if err != nil {
 				return fmt.Errorf(errSetCtrlReference, err)
@@ -228,9 +228,9 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 
 	// nolint
 	switch externalSecret.Spec.Target.CreationPolicy {
-	case esv1alpha1.Merge:
+	case esv1beta1.Merge:
 		err = patchSecret(ctx, r.Client, r.Scheme, secret, mutationFunc)
-	case esv1alpha1.None:
+	case esv1beta1.None:
 		log.V(1).Info("secret creation skipped due to creationPolicy=None")
 		err = nil
 	default:
@@ -239,16 +239,16 @@ func (r *Reconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Resu
 
 	if err != nil {
 		log.Error(err, errUpdateSecret)
-		r.recorder.Event(&externalSecret, v1.EventTypeWarning, esv1alpha1.ReasonUpdateFailed, err.Error())
-		conditionSynced := NewExternalSecretCondition(esv1alpha1.ExternalSecretReady, v1.ConditionFalse, esv1alpha1.ConditionReasonSecretSyncedError, errUpdateSecret)
+		r.recorder.Event(&externalSecret, v1.EventTypeWarning, esv1beta1.ReasonUpdateFailed, err.Error())
+		conditionSynced := NewExternalSecretCondition(esv1beta1.ExternalSecretReady, v1.ConditionFalse, esv1beta1.ConditionReasonSecretSyncedError, errUpdateSecret)
 		SetExternalSecretCondition(&externalSecret, *conditionSynced)
 		syncCallsError.With(syncCallsMetricLabels).Inc()
 		return ctrl.Result{RequeueAfter: requeueAfter}, nil
 	}
 
-	r.recorder.Event(&externalSecret, v1.EventTypeNormal, esv1alpha1.ReasonUpdated, "Updated Secret")
-	conditionSynced := NewExternalSecretCondition(esv1alpha1.ExternalSecretReady, v1.ConditionTrue, esv1alpha1.ConditionReasonSecretSynced, "Secret was synced")
-	currCond := GetExternalSecretCondition(externalSecret.Status, esv1alpha1.ExternalSecretReady)
+	r.recorder.Event(&externalSecret, v1.EventTypeNormal, esv1beta1.ReasonUpdated, "Updated Secret")
+	conditionSynced := NewExternalSecretCondition(esv1beta1.ExternalSecretReady, v1.ConditionTrue, esv1beta1.ConditionReasonSecretSynced, "Secret was synced")
+	currCond := GetExternalSecretCondition(externalSecret.Status, esv1beta1.ExternalSecretReady)
 	SetExternalSecretCondition(&externalSecret, *conditionSynced)
 	externalSecret.Status.RefreshTime = metav1.NewTime(time.Now())
 	externalSecret.Status.SyncedResourceVersion = getResourceVersion(externalSecret)
@@ -305,7 +305,7 @@ func patchSecret(ctx context.Context, c client.Client, scheme *runtime.Scheme, s
 	return nil
 }
 
-func getResourceVersion(es esv1alpha1.ExternalSecret) string {
+func getResourceVersion(es esv1beta1.ExternalSecret) string {
 	return fmt.Sprintf("%d-%s", es.ObjectMeta.GetGeneration(), hashMeta(es.ObjectMeta))
 }
 
@@ -320,7 +320,7 @@ func hashMeta(m metav1.ObjectMeta) string {
 	})
 }
 
-func shouldRefresh(es esv1alpha1.ExternalSecret) bool {
+func shouldRefresh(es esv1beta1.ExternalSecret) bool {
 	// refresh if resource version changed
 	if es.Status.SyncedResourceVersion != getResourceVersion(es) {
 		return true
@@ -336,14 +336,14 @@ func shouldRefresh(es esv1alpha1.ExternalSecret) bool {
 	return !es.Status.RefreshTime.Add(es.Spec.RefreshInterval.Duration).After(time.Now())
 }
 
-func shouldReconcile(es esv1alpha1.ExternalSecret) bool {
+func shouldReconcile(es esv1beta1.ExternalSecret) bool {
 	if es.Spec.Target.Immutable && hasSyncedCondition(es) {
 		return false
 	}
 	return true
 }
 
-func hasSyncedCondition(es esv1alpha1.ExternalSecret) bool {
+func hasSyncedCondition(es esv1beta1.ExternalSecret) bool {
 	for _, condition := range es.Status.Conditions {
 		if condition.Reason == "SecretSynced" {
 			return true
@@ -360,20 +360,20 @@ func isSecretValid(existingSecret v1.Secret) bool {
 	}
 
 	// if the calculated hash is different from the calculation, then it's invalid
-	if existingSecret.Annotations[esv1alpha1.AnnotationDataHash] != utils.ObjectHash(existingSecret.Data) {
+	if existingSecret.Annotations[esv1beta1.AnnotationDataHash] != utils.ObjectHash(existingSecret.Data) {
 		return false
 	}
 	return true
 }
 
 // getStore returns the store with the provided ExternalSecret.
-func (r *Reconciler) getStore(ctx context.Context, externalSecret *esv1alpha1.ExternalSecret) (esv1alpha1.GenericStore, error) {
+func (r *Reconciler) getStore(ctx context.Context, externalSecret *esv1beta1.ExternalSecret) (esv1beta1.GenericStore, error) {
 	ref := types.NamespacedName{
 		Name: externalSecret.Spec.SecretStoreRef.Name,
 	}
 
-	if externalSecret.Spec.SecretStoreRef.Kind == esv1alpha1.ClusterSecretStoreKind {
-		var store esv1alpha1.ClusterSecretStore
+	if externalSecret.Spec.SecretStoreRef.Kind == esv1beta1.ClusterSecretStoreKind {
+		var store esv1beta1.ClusterSecretStore
 		err := r.Get(ctx, ref, &store)
 		if err != nil {
 			return nil, fmt.Errorf(errGetClusterSecretStore, ref.Name, err)
@@ -384,7 +384,7 @@ func (r *Reconciler) getStore(ctx context.Context, externalSecret *esv1alpha1.Ex
 
 	ref.Namespace = externalSecret.Namespace
 
-	var store esv1alpha1.SecretStore
+	var store esv1beta1.SecretStore
 	err := r.Get(ctx, ref, &store)
 	if err != nil {
 		return nil, fmt.Errorf(errGetSecretStore, ref.Name, err)
@@ -393,13 +393,22 @@ func (r *Reconciler) getStore(ctx context.Context, externalSecret *esv1alpha1.Ex
 }
 
 // getProviderSecretData returns the provider's secret data with the provided ExternalSecret.
-func (r *Reconciler) getProviderSecretData(ctx context.Context, providerClient provider.SecretsClient, externalSecret *esv1alpha1.ExternalSecret) (map[string][]byte, error) {
+func (r *Reconciler) getProviderSecretData(ctx context.Context, providerClient provider.SecretsClient, externalSecret *esv1beta1.ExternalSecret) (map[string][]byte, error) {
 	providerData := make(map[string][]byte)
 
 	for _, remoteRef := range externalSecret.Spec.DataFrom {
-		secretMap, err := providerClient.GetSecretMap(ctx, remoteRef)
-		if err != nil {
-			return nil, fmt.Errorf(errGetSecretKey, remoteRef.Key, externalSecret.Name, err)
+		var secretMap map[string][]byte
+		var err error
+		if len(remoteRef.Find.Tags) > 0 || remoteRef.Find.Name != nil {
+			secretMap, err = providerClient.GetAllSecrets(ctx, remoteRef.Find)
+			if err != nil {
+				return nil, fmt.Errorf(errGetSecretKey, remoteRef.Extract.Key, externalSecret.Name, err)
+			}
+		} else if remoteRef.Extract.Key != "" {
+			secretMap, err = providerClient.GetSecretMap(ctx, remoteRef.Extract)
+			if err != nil {
+				return nil, fmt.Errorf(errGetSecretKey, remoteRef.Extract.Key, externalSecret.Name, err)
+			}
 		}
 
 		providerData = utils.MergeByteMap(providerData, secretMap)
@@ -423,7 +432,7 @@ func (r *Reconciler) SetupWithManager(mgr ctrl.Manager, opts controller.Options)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		WithOptions(opts).
-		For(&esv1alpha1.ExternalSecret{}).
+		For(&esv1beta1.ExternalSecret{}).
 		Owns(&v1.Secret{}, builder.OnlyMetadata).
 		Complete(r)
 }
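Review bot: In getProviderSecretData a dataFrom entry that sets neither find nor extract falls through both new branches and merges a nil secretMap, so a misconfigured entry is silently ignored rather than surfacing as a sync error; an `else` branch such as `return nil, fmt.Errorf("dataFrom entry in ExternalSecret %q has neither find nor extract", externalSecret.Name)` would make that visible. The error returned from the find branch formats `remoteRef.Extract.Key`, which is empty in that branch, so a failing GetAllSecrets is reported without the name or tags it was searching for; wrap the error with the contents of `remoteRef.Find` instead. Whether Find and Extract are value or pointer fields is not visible here; if they are pointers, the `remoteRef.Find.Tags` condition would need nil checks first. The function's closing lines are outside the hunk.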

+ 8 - 8
pkg/controllers/externalsecret/externalsecret_controller_template.go

@@ -22,7 +22,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 
 	// Loading registered providers.
 	_ "github.com/external-secrets/external-secrets/pkg/provider/register"
@@ -34,13 +34,13 @@ import (
 // * template.Data (highest precedence)
 // * template.templateFrom
 // * secret via es.data or es.dataFrom.
-func (r *Reconciler) applyTemplate(ctx context.Context, es *esv1alpha1.ExternalSecret, secret *v1.Secret, dataMap map[string][]byte) error {
+func (r *Reconciler) applyTemplate(ctx context.Context, es *esv1beta1.ExternalSecret, secret *v1.Secret, dataMap map[string][]byte) error {
 	mergeMetadata(secret, es)
 
 	// no template: copy data and return
 	if es.Spec.Target.Template == nil {
 		secret.Data = dataMap
-		secret.Annotations[esv1alpha1.AnnotationDataHash] = utils.ObjectHash(secret.Data)
+		secret.Annotations[esv1beta1.AnnotationDataHash] = utils.ObjectHash(secret.Data)
 		return nil
 	}
 
@@ -70,14 +70,14 @@ func (r *Reconciler) applyTemplate(ctx context.Context, es *esv1alpha1.ExternalS
 	if len(es.Spec.Target.Template.Data) == 0 {
 		secret.Data = dataMap
 	}
-	secret.Annotations[esv1alpha1.AnnotationDataHash] = utils.ObjectHash(secret.Data)
+	secret.Annotations[esv1beta1.AnnotationDataHash] = utils.ObjectHash(secret.Data)
 
 	return nil
 }
 
 // we do not want to force-override the label/annotations
 // and only copy the necessary key/value pairs.
-func mergeMetadata(secret *v1.Secret, externalSecret *esv1alpha1.ExternalSecret) {
+func mergeMetadata(secret *v1.Secret, externalSecret *esv1beta1.ExternalSecret) {
 	if secret.ObjectMeta.Labels == nil {
 		secret.ObjectMeta.Labels = make(map[string]string)
 	}
@@ -95,7 +95,7 @@ func mergeMetadata(secret *v1.Secret, externalSecret *esv1alpha1.ExternalSecret)
 	utils.MergeStringMap(secret.ObjectMeta.Annotations, externalSecret.Spec.Target.Template.Metadata.Annotations)
 }
 
-func (r *Reconciler) getTemplateData(ctx context.Context, externalSecret *esv1alpha1.ExternalSecret) (map[string][]byte, error) {
+func (r *Reconciler) getTemplateData(ctx context.Context, externalSecret *esv1beta1.ExternalSecret) (map[string][]byte, error) {
 	out := make(map[string][]byte)
 	if externalSecret.Spec.Target.Template == nil {
 		return out, nil
@@ -113,7 +113,7 @@ func (r *Reconciler) getTemplateData(ctx context.Context, externalSecret *esv1al
 	return out, nil
 }
 
-func mergeConfigMap(ctx context.Context, k8sClient client.Client, es *esv1alpha1.ExternalSecret, tpl esv1alpha1.TemplateFrom, out map[string][]byte) error {
+func mergeConfigMap(ctx context.Context, k8sClient client.Client, es *esv1beta1.ExternalSecret, tpl esv1beta1.TemplateFrom, out map[string][]byte) error {
 	if tpl.ConfigMap == nil {
 		return nil
 	}
@@ -136,7 +136,7 @@ func mergeConfigMap(ctx context.Context, k8sClient client.Client, es *esv1alpha1
 	return nil
 }
 
-func mergeSecret(ctx context.Context, k8sClient client.Client, es *esv1alpha1.ExternalSecret, tpl esv1alpha1.TemplateFrom, out map[string][]byte) error {
+func mergeSecret(ctx context.Context, k8sClient client.Client, es *esv1beta1.ExternalSecret, tpl esv1beta1.TemplateFrom, out map[string][]byte) error {
 	if tpl.Secret == nil {
 		return nil
 	}

+ 192 - 159
pkg/controllers/externalsecret/externalsecret_controller_test.go

@@ -29,7 +29,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
 	"github.com/external-secrets/external-secrets/pkg/provider/testing/fake"
@@ -43,19 +43,19 @@ var (
 )
 
 type testCase struct {
-	secretStore    *esv1alpha1.SecretStore
-	externalSecret *esv1alpha1.ExternalSecret
+	secretStore    *esv1beta1.SecretStore
+	externalSecret *esv1beta1.ExternalSecret
 
 	// checkCondition should return true if the externalSecret
 	// has the expected condition
-	checkCondition func(*esv1alpha1.ExternalSecret) bool
+	checkCondition func(*esv1beta1.ExternalSecret) bool
 
 	// checkExternalSecret is called after the condition has been verified
 	// use this to verify the externalSecret
-	checkExternalSecret func(*esv1alpha1.ExternalSecret)
+	checkExternalSecret func(*esv1beta1.ExternalSecret)
 
 	// optional. use this to test the secret value
-	checkSecret func(*esv1alpha1.ExternalSecret, *v1.Secret)
+	checkSecret func(*esv1beta1.ExternalSecret, *v1.Secret)
 }
 
 type testTweaks func(*testCase)
@@ -98,7 +98,7 @@ var _ = Describe("Kind=secret existence logic", func() {
 				ObjectMeta: metav1.ObjectMeta{
 					UID: "xxx",
 					Annotations: map[string]string{
-						esv1alpha1.AnnotationDataHash: "xxxxxx",
+						esv1beta1.AnnotationDataHash: "xxxxxx",
 					},
 				},
 			},
@@ -110,7 +110,7 @@ var _ = Describe("Kind=secret existence logic", func() {
 				ObjectMeta: metav1.ObjectMeta{
 					UID: "xxx",
 					Annotations: map[string]string{
-						esv1alpha1.AnnotationDataHash: "caa0155759a6a9b3b6ada5a6883ee2bb",
+						esv1beta1.AnnotationDataHash: "caa0155759a6a9b3b6ada5a6883ee2bb",
 					},
 				},
 				Data: map[string][]byte{
@@ -165,7 +165,7 @@ var _ = Describe("ExternalSecret controller", func() {
 				Name: ExternalSecretNamespace,
 			},
 		}, client.PropagationPolicy(metav1.DeletePropagationBackground)), client.GracePeriodSeconds(0)).To(Succeed())
-		Expect(k8sClient.Delete(context.Background(), &esv1alpha1.SecretStore{
+		Expect(k8sClient.Delete(context.Background(), &esv1beta1.SecretStore{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      ExternalSecretStore,
 				Namespace: ExternalSecretNamespace,
@@ -180,43 +180,43 @@ var _ = Describe("ExternalSecret controller", func() {
 	makeDefaultTestcase := func() *testCase {
 		return &testCase{
 			// default condition: es should be ready
-			checkCondition: func(es *esv1alpha1.ExternalSecret) bool {
-				cond := GetExternalSecretCondition(es.Status, esv1alpha1.ExternalSecretReady)
+			checkCondition: func(es *esv1beta1.ExternalSecret) bool {
+				cond := GetExternalSecretCondition(es.Status, esv1beta1.ExternalSecretReady)
 				if cond == nil || cond.Status != v1.ConditionTrue {
 					return false
 				}
 				return true
 			},
-			checkExternalSecret: func(es *esv1alpha1.ExternalSecret) {},
-			secretStore: &esv1alpha1.SecretStore{
+			checkExternalSecret: func(es *esv1beta1.ExternalSecret) {},
+			secretStore: &esv1beta1.SecretStore{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      ExternalSecretStore,
 					Namespace: ExternalSecretNamespace,
 				},
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
-							Service: esv1alpha1.AWSServiceSecretsManager,
+				Spec: esv1beta1.SecretStoreSpec{
+					Provider: &esv1beta1.SecretStoreProvider{
+						AWS: &esv1beta1.AWSProvider{
+							Service: esv1beta1.AWSServiceSecretsManager,
 						},
 					},
 				},
 			},
-			externalSecret: &esv1alpha1.ExternalSecret{
+			externalSecret: &esv1beta1.ExternalSecret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      ExternalSecretName,
 					Namespace: ExternalSecretNamespace,
 				},
-				Spec: esv1alpha1.ExternalSecretSpec{
-					SecretStoreRef: esv1alpha1.SecretStoreRef{
+				Spec: esv1beta1.ExternalSecretSpec{
+					SecretStoreRef: esv1beta1.SecretStoreRef{
 						Name: ExternalSecretStore,
 					},
-					Target: esv1alpha1.ExternalSecretTarget{
+					Target: esv1beta1.ExternalSecretTarget{
 						Name: ExternalSecretTargetSecretName,
 					},
-					Data: []esv1alpha1.ExternalSecretData{
+					Data: []esv1beta1.ExternalSecretData{
 						{
 							SecretKey: targetProp,
-							RemoteRef: esv1alpha1.ExternalSecretDataRemoteRef{
+							RemoteRef: esv1beta1.ExternalSecretDataRemoteRef{
 								Key:      remoteKey,
 								Property: remoteProperty,
 							},
@@ -230,13 +230,12 @@ var _ = Describe("ExternalSecret controller", func() {
 	// if target Secret name is not specified it should use the ExternalSecret name.
 	syncWithoutTargetName := func(tc *testCase) {
 		tc.externalSecret.Spec.Target.Name = ""
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
 
 			// check secret name
 			Expect(secret.ObjectMeta.Name).To(Equal(ExternalSecretName))
 		}
 	}
-
 	// labels and annotations from the Kind=ExternalSecret
 	// should be copied over to the Kind=Secret
 	syncLabelsAnnotations := func(tc *testCase) {
@@ -248,7 +247,7 @@ var _ = Describe("ExternalSecret controller", func() {
 			"hihihih": "hehehe",
 		}
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
 			// check value
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 
@@ -265,9 +264,9 @@ var _ = Describe("ExternalSecret controller", func() {
 	checkPrometheusCounters := func(tc *testCase) {
 		const secretVal = "someValue"
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
-			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionFalse, 0.0)).To(BeTrue())
-			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionTrue, 1.0)).To(BeTrue())
+		tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
+			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1beta1.ExternalSecretReady, v1.ConditionFalse, 0.0)).To(BeTrue())
+			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1beta1.ExternalSecretReady, v1.ConditionTrue, 1.0)).To(BeTrue())
 			Eventually(func() bool {
 				Expect(syncCallsTotal.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				return metric.GetCounter().GetValue() == 1.0
@@ -282,7 +281,7 @@ var _ = Describe("ExternalSecret controller", func() {
 		const secretVal = "someValue"
 		const existingKey = "pre-existing-key"
 		existingVal := "pre-existing-value"
-		tc.externalSecret.Spec.Target.CreationPolicy = esv1alpha1.Merge
+		tc.externalSecret.Spec.Target.CreationPolicy = esv1beta1.Merge
 
 		// create secret beforehand
 		Expect(k8sClient.Create(context.Background(), &v1.Secret{
@@ -296,7 +295,7 @@ var _ = Describe("ExternalSecret controller", func() {
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
 			// check value
 			Expect(string(secret.Data[existingKey])).To(Equal(existingVal))
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
@@ -311,7 +310,7 @@ var _ = Describe("ExternalSecret controller", func() {
 			Expect(hasFieldOwnership(
 				secret.ObjectMeta,
 				"external-secrets",
-				fmt.Sprintf("{\"f:data\":{\"f:targetProperty\":{}},\"f:immutable\":{},\"f:metadata\":{\"f:annotations\":{\"f:%s\":{}}}}", esv1alpha1.AnnotationDataHash)),
+				fmt.Sprintf("{\"f:data\":{\"f:targetProperty\":{}},\"f:immutable\":{},\"f:metadata\":{\"f:annotations\":{\"f:%s\":{}}}}", esv1beta1.AnnotationDataHash)),
 			).To(BeTrue())
 			Expect(hasFieldOwnership(secret.ObjectMeta, FakeManager, "{\"f:data\":{\".\":{},\"f:pre-existing-key\":{}},\"f:type\":{}}")).To(BeTrue())
 		}
@@ -321,7 +320,7 @@ var _ = Describe("ExternalSecret controller", func() {
 	mergeWithSecretNoChange := func(tc *testCase) {
 		const existingKey = "pre-existing-key"
 		existingVal := "someValue"
-		tc.externalSecret.Spec.Target.CreationPolicy = esv1alpha1.Merge
+		tc.externalSecret.Spec.Target.CreationPolicy = esv1beta1.Merge
 
 		// create secret beforehand
 		Expect(k8sClient.Create(context.Background(), &v1.Secret{
@@ -334,7 +333,7 @@ var _ = Describe("ExternalSecret controller", func() {
 			},
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
 			oldResourceVersion := secret.ResourceVersion
 
 			cleanSecret := secret.DeepCopy()
@@ -361,23 +360,23 @@ var _ = Describe("ExternalSecret controller", func() {
 	// should not merge with secret if it doesn't exist
 	mergeWithSecretErr := func(tc *testCase) {
 		const secretVal = "someValue"
-		tc.externalSecret.Spec.Target.CreationPolicy = esv1alpha1.Merge
+		tc.externalSecret.Spec.Target.CreationPolicy = esv1beta1.Merge
 
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkCondition = func(es *esv1alpha1.ExternalSecret) bool {
-			cond := GetExternalSecretCondition(es.Status, esv1alpha1.ExternalSecretReady)
-			if cond == nil || cond.Status != v1.ConditionFalse || cond.Reason != esv1alpha1.ConditionReasonSecretSyncedError {
+		tc.checkCondition = func(es *esv1beta1.ExternalSecret) bool {
+			cond := GetExternalSecretCondition(es.Status, esv1beta1.ExternalSecretReady)
+			if cond == nil || cond.Status != v1.ConditionFalse || cond.Reason != esv1beta1.ConditionReasonSecretSyncedError {
 				return false
 			}
 			return true
 		}
-		tc.checkExternalSecret = func(es *esv1alpha1.ExternalSecret) {
+		tc.checkExternalSecret = func(es *esv1beta1.ExternalSecret) {
 			Eventually(func() bool {
 				Expect(syncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				return metric.GetCounter().GetValue() >= 2.0
 			}, timeout, interval).Should(BeTrue())
-			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionFalse, 1.0)).To(BeTrue())
-			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
+			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1beta1.ExternalSecretReady, v1.ConditionFalse, 1.0)).To(BeTrue())
+			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1beta1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
 		}
 	}
 
@@ -387,7 +386,7 @@ var _ = Describe("ExternalSecret controller", func() {
 		// this should confict
 		const existingKey = targetProp
 		existingVal := "pre-existing-value"
-		tc.externalSecret.Spec.Target.CreationPolicy = esv1alpha1.Merge
+		tc.externalSecret.Spec.Target.CreationPolicy = esv1beta1.Merge
 
 		// create secret beforehand
 		Expect(k8sClient.Create(context.Background(), &v1.Secret{
@@ -401,7 +400,7 @@ var _ = Describe("ExternalSecret controller", func() {
 		}, client.FieldOwner(FakeManager))).To(Succeed())
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
 			// check that value stays the same
 			Expect(string(secret.Data[existingKey])).To(Equal(secretVal))
 
@@ -424,8 +423,8 @@ var _ = Describe("ExternalSecret controller", func() {
 		tc.externalSecret.ObjectMeta.Annotations = map[string]string{
 			"hihihih": "hehehe",
 		}
-		tc.externalSecret.Spec.Target.Template = &esv1alpha1.ExternalSecretTemplate{
-			Metadata: esv1alpha1.ExternalSecretTemplateMetadata{
+		tc.externalSecret.Spec.Target.Template = &esv1beta1.ExternalSecretTemplate{
+			Metadata: esv1beta1.ExternalSecretTemplateMetadata{
 				Labels: map[string]string{
 					"foos": "ball",
 				},
@@ -433,17 +432,15 @@ var _ = Describe("ExternalSecret controller", func() {
 					"hihi": "ga",
 				},
 			},
-			// We do not specify the engine version
-			// it should default to v1 for alpha1
-			// EngineVersion: esv1alpha1.TemplateEngineV1,
-			Type: v1.SecretTypeOpaque,
+			Type:          v1.SecretTypeOpaque,
+			EngineVersion: esv1beta1.TemplateEngineV1,
 			Data: map[string]string{
 				targetProp:   targetPropObj,
 				tplStaticKey: tplStaticVal,
 			},
 		}
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data[targetProp])).To(Equal(expectedSecretVal))
 			Expect(string(secret.Data[tplStaticKey])).To(Equal(tplStaticVal))
@@ -459,15 +456,16 @@ var _ = Describe("ExternalSecret controller", func() {
 	// when using a v2 template it should use the v2 engine version
 	syncWithTemplateV2 := func(tc *testCase) {
 		const secretVal = "someValue"
-		tc.externalSecret.Spec.Target.Template = &esv1alpha1.ExternalSecretTemplate{
-			Type:          v1.SecretTypeOpaque,
-			EngineVersion: esv1alpha1.TemplateEngineV2,
+		tc.externalSecret.Spec.Target.Template = &esv1beta1.ExternalSecretTemplate{
+			Type: v1.SecretTypeOpaque,
+			// it should default to v2 for beta11
+			// EngineVersion: esv1beta1.TemplateEngineV2,
 			Data: map[string]string{
 				targetProp: "{{ .targetProperty | upper }} was templated",
 			},
 		}
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data[targetProp])).To(Equal(expectedSecretVal))
 		}
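Review bot: The comment at the EngineVersion line reads "it should default to v2 for beta11" — the version is beta1, so it should say `// EngineVersion is left unset: it should default to v2 for v1beta1`. Beyond the typo, the test only asserts the rendered value; nothing pins that the unset field was actually defaulted to the v2 engine, and if `upper` renders identically under both engines a defaulting regression would go unnoticed. Adding `Expect(es.Spec.Target.Template.EngineVersion).To(Equal(esv1beta1.TemplateEngineV2))` inside checkSecret would make the intent of the removed explicit EngineVersion verifiable. syncWithTemplateV2 continues past the end of this hunk.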
@@ -506,14 +504,14 @@ var _ = Describe("ExternalSecret controller", func() {
 				tplFromSecKey: []byte(tplFromSecVal),
 			},
 		})).To(Succeed())
-		tc.externalSecret.Spec.Target.Template = &esv1alpha1.ExternalSecretTemplate{
-			Metadata: esv1alpha1.ExternalSecretTemplateMetadata{},
+		tc.externalSecret.Spec.Target.Template = &esv1beta1.ExternalSecretTemplate{
+			Metadata: esv1beta1.ExternalSecretTemplateMetadata{},
 			Type:     v1.SecretTypeOpaque,
-			TemplateFrom: []esv1alpha1.TemplateFrom{
+			TemplateFrom: []esv1beta1.TemplateFrom{
 				{
-					ConfigMap: &esv1alpha1.TemplateRef{
+					ConfigMap: &esv1beta1.TemplateRef{
 						Name: tplFromCMName,
-						Items: []esv1alpha1.TemplateRefItem{
+						Items: []esv1beta1.TemplateRefItem{
 							{
 								Key: tplFromKey,
 							},
@@ -521,9 +519,9 @@ var _ = Describe("ExternalSecret controller", func() {
 					},
 				},
 				{
-					Secret: &esv1alpha1.TemplateRef{
+					Secret: &esv1beta1.TemplateRef{
 						Name: tplFromSecretName,
-						Items: []esv1alpha1.TemplateRefItem{
+						Items: []esv1beta1.TemplateRefItem{
 							{
 								Key: tplFromSecKey,
 							},
@@ -540,9 +538,11 @@ var _ = Describe("ExternalSecret controller", func() {
 				tplStaticKey: tplStaticVal,
 			},
 		}
-		tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataRemoteRef{
+		tc.externalSecret.Spec.DataFrom = []esv1beta1.ExternalSecretDataFromRemoteRef{
 			{
-				Key: "datamap",
+				Extract: esv1beta1.ExternalSecretDataRemoteRef{
+					Key: "datamap",
+				},
 			},
 		}
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
@@ -550,7 +550,7 @@ var _ = Describe("ExternalSecret controller", func() {
 			"targetProperty": []byte(FooValue),
 			"bar":            []byte(BarValue),
 		}, nil)
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data[targetProp])).To(Equal(expectedSecretVal))
 			Expect(string(secret.Data[tplStaticKey])).To(Equal(tplStaticVal))
@@ -565,8 +565,8 @@ var _ = Describe("ExternalSecret controller", func() {
 		const tplStaticKey = "tplstatickey"
 		const tplStaticVal = "tplstaticvalue"
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
-		tc.externalSecret.Spec.Target.Template = &esv1alpha1.ExternalSecretTemplate{
-			Metadata: esv1alpha1.ExternalSecretTemplateMetadata{
+		tc.externalSecret.Spec.Target.Template = &esv1beta1.ExternalSecretTemplate{
+			Metadata: esv1beta1.ExternalSecretTemplateMetadata{
 				Labels:      map[string]string{"foo": "bar"},
 				Annotations: map[string]string{"foo": "bar"},
 			},
@@ -577,7 +577,7 @@ var _ = Describe("ExternalSecret controller", func() {
 			},
 		}
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data[targetProp])).To(Equal(expectedSecretVal))
 			Expect(string(secret.Data[tplStaticKey])).To(Equal(tplStaticVal))
@@ -625,14 +625,14 @@ var _ = Describe("ExternalSecret controller", func() {
 	onlyMetadataFromTemplate := func(tc *testCase) {
 		const secretVal = "someValue"
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
-		tc.externalSecret.Spec.Target.Template = &esv1alpha1.ExternalSecretTemplate{
-			Metadata: esv1alpha1.ExternalSecretTemplateMetadata{
+		tc.externalSecret.Spec.Target.Template = &esv1beta1.ExternalSecretTemplate{
+			Metadata: esv1beta1.ExternalSecretTemplateMetadata{
 				Labels:      map[string]string{"foo": "bar"},
 				Annotations: map[string]string{"foo": "bar"},
 			},
 		}
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 
@@ -651,7 +651,7 @@ var _ = Describe("ExternalSecret controller", func() {
 		const secretVal = "someValue"
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 
@@ -681,14 +681,16 @@ var _ = Describe("ExternalSecret controller", func() {
 			"foo": []byte("1111"),
 			"bar": []byte("2222"),
 		}, nil)
-		tc.externalSecret.Spec.Data = []esv1alpha1.ExternalSecretData{}
-		tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataRemoteRef{
+		tc.externalSecret.Spec.Data = []esv1beta1.ExternalSecretData{}
+		tc.externalSecret.Spec.DataFrom = []esv1beta1.ExternalSecretDataFromRemoteRef{
 			{
-				Key: remoteKey,
+				Extract: esv1beta1.ExternalSecretDataRemoteRef{
+					Key: remoteKey,
+				},
 			},
 		}
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data["foo"])).To(Equal("1111"))
 			Expect(string(secret.Data["bar"])).To(Equal("2222"))
@@ -720,15 +722,17 @@ var _ = Describe("ExternalSecret controller", func() {
 			"foo": []byte("1111"),
 			"bar": []byte("2222"),
 		}, nil)
-		tc.externalSecret.Spec.Target.Template = &esv1alpha1.ExternalSecretTemplate{}
-		tc.externalSecret.Spec.Data = []esv1alpha1.ExternalSecretData{}
-		tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataRemoteRef{
+		tc.externalSecret.Spec.Target.Template = &esv1beta1.ExternalSecretTemplate{}
+		tc.externalSecret.Spec.Data = []esv1beta1.ExternalSecretData{}
+		tc.externalSecret.Spec.DataFrom = []esv1beta1.ExternalSecretDataFromRemoteRef{
 			{
-				Key: remoteKey,
+				Extract: esv1beta1.ExternalSecretDataRemoteRef{
+					Key: remoteKey,
+				},
 			},
 		}
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Second}
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data["foo"])).To(Equal("1111"))
 			Expect(string(secret.Data["bar"])).To(Equal("2222"))
@@ -758,7 +762,7 @@ var _ = Describe("ExternalSecret controller", func() {
 		const secretVal = "someValue"
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: 0}
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data[targetProp])).To(Equal(secretVal))
 
@@ -785,16 +789,42 @@ var _ = Describe("ExternalSecret controller", func() {
 	// should be put into the secret
 	syncWithDataFrom := func(tc *testCase) {
 		tc.externalSecret.Spec.Data = nil
-		tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataRemoteRef{
+		tc.externalSecret.Spec.DataFrom = []esv1beta1.ExternalSecretDataFromRemoteRef{
 			{
-				Key: remoteKey,
+				Extract: esv1beta1.ExternalSecretDataRemoteRef{
+					Key: remoteKey,
+				},
 			},
 		}
 		fakeProvider.WithGetSecretMap(map[string][]byte{
 			"foo": []byte(FooValue),
 			"bar": []byte(BarValue),
 		}, nil)
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
+			// check values
+			Expect(string(secret.Data["foo"])).To(Equal(FooValue))
+			Expect(string(secret.Data["bar"])).To(Equal(BarValue))
+		}
+	}
+
+	// with dataFrom.Find the change is on the called method GetAllSecrets
+	// all keys should be put into the secret
+	syncDataFromFind := func(tc *testCase) {
+		tc.externalSecret.Spec.Data = nil
+		tc.externalSecret.Spec.DataFrom = []esv1beta1.ExternalSecretDataFromRemoteRef{
+			{
+				Find: esv1beta1.ExternalSecretFind{
+					Name: &esv1beta1.FindName{
+						RegExp: "foobar",
+					},
+				},
+			},
+		}
+		fakeProvider.WithGetAllSecrets(map[string][]byte{
+			"foo": []byte(FooValue),
+			"bar": []byte(BarValue),
+		}, nil)
+		tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
 			// check values
 			Expect(string(secret.Data["foo"])).To(Equal(FooValue))
 			Expect(string(secret.Data["bar"])).To(Equal(BarValue))
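Review bot: The Find fixture in syncDataFromFind uses `RegExp: "foobar"`, which matches neither of the keys ("foo", "bar") the fake GetAllSecrets returns, so the test passes only because the fake appears to ignore the filter and cannot tell a working regexp filter from an absent one. Using a pattern that actually selects the expected keys, e.g. `RegExp: "^(foo|bar)$",`, keeps the assertion valid whether or not the fake starts honouring the name filter, and documents what the find is meant to match. The function's closing lines, and the fake's handling of the find reference, are outside this hunk, so whether filtering is applied is inferred rather than visible here.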
@@ -805,23 +835,25 @@ var _ = Describe("ExternalSecret controller", func() {
 	// should be put into the secret
 	syncWithDataFromTemplate := func(tc *testCase) {
 		tc.externalSecret.Spec.Data = nil
-		tc.externalSecret.Spec.Target = esv1alpha1.ExternalSecretTarget{
+		tc.externalSecret.Spec.Target = esv1beta1.ExternalSecretTarget{
 			Name: ExternalSecretTargetSecretName,
-			Template: &esv1alpha1.ExternalSecretTemplate{
+			Template: &esv1beta1.ExternalSecretTemplate{
 				Type: v1.SecretTypeTLS,
 			},
 		}
 
-		tc.externalSecret.Spec.DataFrom = []esv1alpha1.ExternalSecretDataRemoteRef{
+		tc.externalSecret.Spec.DataFrom = []esv1beta1.ExternalSecretDataFromRemoteRef{
 			{
-				Key: remoteKey,
+				Extract: esv1beta1.ExternalSecretDataRemoteRef{
+					Key: remoteKey,
+				},
 			},
 		}
 		fakeProvider.WithGetSecretMap(map[string][]byte{
 			"tls.crt": []byte(FooValue),
 			"tls.key": []byte(BarValue),
 		}, nil)
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
 			Expect(secret.Type).To(Equal(v1.SecretTypeTLS))
 			// check values
 			Expect(string(secret.Data["tls.crt"])).To(Equal(FooValue))
@@ -835,20 +867,20 @@ var _ = Describe("ExternalSecret controller", func() {
 		const secretVal = "foobar"
 		fakeProvider.WithGetSecret(nil, fmt.Errorf("boom"))
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Millisecond * 100}
-		tc.checkCondition = func(es *esv1alpha1.ExternalSecret) bool {
-			cond := GetExternalSecretCondition(es.Status, esv1alpha1.ExternalSecretReady)
-			if cond == nil || cond.Status != v1.ConditionFalse || cond.Reason != esv1alpha1.ConditionReasonSecretSyncedError {
+		tc.checkCondition = func(es *esv1beta1.ExternalSecret) bool {
+			cond := GetExternalSecretCondition(es.Status, esv1beta1.ExternalSecretReady)
+			if cond == nil || cond.Status != v1.ConditionFalse || cond.Reason != esv1beta1.ConditionReasonSecretSyncedError {
 				return false
 			}
 			return true
 		}
-		tc.checkExternalSecret = func(es *esv1alpha1.ExternalSecret) {
+		tc.checkExternalSecret = func(es *esv1beta1.ExternalSecret) {
 			Eventually(func() bool {
 				Expect(syncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				return metric.GetCounter().GetValue() >= 2.0
 			}, timeout, interval).Should(BeTrue())
-			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionFalse, 1.0)).To(BeTrue())
-			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
+			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1beta1.ExternalSecretReady, v1.ConditionFalse, 1.0)).To(BeTrue())
+			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1beta1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
 
 			// es condition should reflect recovered provider error
 			fakeProvider.WithGetSecret([]byte(secretVal), nil)
@@ -859,7 +891,7 @@ var _ = Describe("ExternalSecret controller", func() {
 					return false
 				}
 				// condition must now be true!
-				cond := GetExternalSecretCondition(es.Status, esv1alpha1.ExternalSecretReady)
+				cond := GetExternalSecretCondition(es.Status, esv1beta1.ExternalSecretReady)
 				if cond == nil && cond.Status != v1.ConditionTrue {
 					return false
 				}
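Review bot: The context line directly below the renamed GetExternalSecretCondition call still reads `if cond == nil && cond.Status != v1.ConditionTrue {`; with `&&`, a nil condition dereferences a nil pointer and a non-nil condition never enters the branch, so the "condition must now be true" check is effectively `return true` whenever cond is non-nil. It should be `if cond == nil || cond.Status != v1.ConditionTrue {`, matching the other checkCondition closures in this file. The enclosing Eventually closure and providerErrCondition start before this hunk, so this is the only visible line of that check.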
@@ -872,45 +904,45 @@ var _ = Describe("ExternalSecret controller", func() {
 	// a error condition must be set.
 	storeMissingErrCondition := func(tc *testCase) {
 		tc.externalSecret.Spec.SecretStoreRef.Name = "nonexistent"
-		tc.checkCondition = func(es *esv1alpha1.ExternalSecret) bool {
-			cond := GetExternalSecretCondition(es.Status, esv1alpha1.ExternalSecretReady)
-			if cond == nil || cond.Status != v1.ConditionFalse || cond.Reason != esv1alpha1.ConditionReasonSecretSyncedError {
+		tc.checkCondition = func(es *esv1beta1.ExternalSecret) bool {
+			cond := GetExternalSecretCondition(es.Status, esv1beta1.ExternalSecretReady)
+			if cond == nil || cond.Status != v1.ConditionFalse || cond.Reason != esv1beta1.ConditionReasonSecretSyncedError {
 				return false
 			}
 			return true
 		}
-		tc.checkExternalSecret = func(es *esv1alpha1.ExternalSecret) {
+		tc.checkExternalSecret = func(es *esv1beta1.ExternalSecret) {
 			Eventually(func() bool {
 				Expect(syncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				return metric.GetCounter().GetValue() >= 2.0
 			}, timeout, interval).Should(BeTrue())
-			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionFalse, 1.0)).To(BeTrue())
-			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
+			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1beta1.ExternalSecretReady, v1.ConditionFalse, 1.0)).To(BeTrue())
+			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1beta1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
 		}
 	}
 
 	// when the provider constructor errors (e.g. invalid configuration)
 	// a SecretSyncedError status condition must be set
 	storeConstructErrCondition := func(tc *testCase) {
-		fakeProvider.WithNew(func(context.Context, esv1alpha1.GenericStore, client.Client,
+		fakeProvider.WithNew(func(context.Context, esv1beta1.GenericStore, client.Client,
 			string) (provider.SecretsClient, error) {
 			return nil, fmt.Errorf("artificial constructor error")
 		})
-		tc.checkCondition = func(es *esv1alpha1.ExternalSecret) bool {
+		tc.checkCondition = func(es *esv1beta1.ExternalSecret) bool {
 			// condition must be false
-			cond := GetExternalSecretCondition(es.Status, esv1alpha1.ExternalSecretReady)
-			if cond == nil || cond.Status != v1.ConditionFalse || cond.Reason != esv1alpha1.ConditionReasonSecretSyncedError {
+			cond := GetExternalSecretCondition(es.Status, esv1beta1.ExternalSecretReady)
+			if cond == nil || cond.Status != v1.ConditionFalse || cond.Reason != esv1beta1.ConditionReasonSecretSyncedError {
 				return false
 			}
 			return true
 		}
-		tc.checkExternalSecret = func(es *esv1alpha1.ExternalSecret) {
+		tc.checkExternalSecret = func(es *esv1beta1.ExternalSecret) {
 			Eventually(func() bool {
 				Expect(syncCallsError.WithLabelValues(ExternalSecretName, ExternalSecretNamespace).Write(&metric)).To(Succeed())
 				return metric.GetCounter().GetValue() >= 2.0
 			}, timeout, interval).Should(BeTrue())
-			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionFalse, 1.0)).To(BeTrue())
-			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
+			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1beta1.ExternalSecretReady, v1.ConditionFalse, 1.0)).To(BeTrue())
+			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1beta1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
 		}
 	}
 
@@ -918,24 +950,24 @@ var _ = Describe("ExternalSecret controller", func() {
 	// the externalSecret must not be touched
 	ignoreMismatchController := func(tc *testCase) {
 		tc.secretStore.Spec.Controller = "nop"
-		tc.checkCondition = func(es *esv1alpha1.ExternalSecret) bool {
-			cond := GetExternalSecretCondition(es.Status, esv1alpha1.ExternalSecretReady)
+		tc.checkCondition = func(es *esv1beta1.ExternalSecret) bool {
+			cond := GetExternalSecretCondition(es.Status, esv1beta1.ExternalSecretReady)
 			return cond == nil
 		}
-		tc.checkExternalSecret = func(es *esv1alpha1.ExternalSecret) {
+		tc.checkExternalSecret = func(es *esv1beta1.ExternalSecret) {
 			// Condition True and False should be 0, since the Condition was not created
 			Eventually(func() float64 {
-				Expect(externalSecretCondition.WithLabelValues(ExternalSecretName, ExternalSecretNamespace, string(esv1alpha1.ExternalSecretReady), string(v1.ConditionTrue)).Write(&metric)).To(Succeed())
+				Expect(externalSecretCondition.WithLabelValues(ExternalSecretName, ExternalSecretNamespace, string(esv1beta1.ExternalSecretReady), string(v1.ConditionTrue)).Write(&metric)).To(Succeed())
 				return metric.GetGauge().GetValue()
 			}, timeout, interval).Should(Equal(0.0))
 
 			Eventually(func() float64 {
-				Expect(externalSecretCondition.WithLabelValues(ExternalSecretName, ExternalSecretNamespace, string(esv1alpha1.ExternalSecretReady), string(v1.ConditionFalse)).Write(&metric)).To(Succeed())
+				Expect(externalSecretCondition.WithLabelValues(ExternalSecretName, ExternalSecretNamespace, string(esv1beta1.ExternalSecretReady), string(v1.ConditionFalse)).Write(&metric)).To(Succeed())
 				return metric.GetGauge().GetValue()
 			}, timeout, interval).Should(Equal(0.0))
 
-			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionFalse, 0.0)).To(BeTrue())
-			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1alpha1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
+			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1beta1.ExternalSecretReady, v1.ConditionFalse, 0.0)).To(BeTrue())
+			Expect(externalSecretConditionShouldBe(ExternalSecretName, ExternalSecretNamespace, esv1beta1.ExternalSecretReady, v1.ConditionTrue, 0.0)).To(BeTrue())
 		}
 	}
 
@@ -945,7 +977,7 @@ var _ = Describe("ExternalSecret controller", func() {
 		const secretVal = "someValue"
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Minute * 10}
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
+		tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
 
 			// check values
 			oldUID := secret.UID
@@ -974,8 +1006,8 @@ var _ = Describe("ExternalSecret controller", func() {
 	checkSecretDataHashAnnotation := func(tc *testCase) {
 		const secretVal = "someValue"
 		fakeProvider.WithGetSecret([]byte(secretVal), nil)
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
-			Expect(secret.Annotations[esv1alpha1.AnnotationDataHash]).To(Equal("9d30b95ca81e156f9454b5ef3bfcc6ee"))
+		tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
+			Expect(secret.Annotations[esv1beta1.AnnotationDataHash]).To(Equal("9d30b95ca81e156f9454b5ef3bfcc6ee"))
 		}
 	}
 
@@ -986,14 +1018,14 @@ var _ = Describe("ExternalSecret controller", func() {
 		}
 		fakeProvider.WithGetSecretMap(fakeData, nil)
 		tc.externalSecret.Spec.RefreshInterval = &metav1.Duration{Duration: time.Minute * 10}
-		tc.checkSecret = func(es *esv1alpha1.ExternalSecret, secret *v1.Secret) {
-			oldHash := secret.Annotations[esv1alpha1.AnnotationDataHash]
+		tc.checkSecret = func(es *esv1beta1.ExternalSecret, secret *v1.Secret) {
+			oldHash := secret.Annotations[esv1beta1.AnnotationDataHash]
 			oldResourceVersion := secret.ResourceVersion
 			Expect(oldHash).NotTo(BeEmpty())
 
 			cleanSecret := secret.DeepCopy()
 			secret.Data["new"] = []byte("value")
-			secret.ObjectMeta.Annotations[esv1alpha1.AnnotationDataHash] = "thisiswronghash"
+			secret.ObjectMeta.Annotations[esv1beta1.AnnotationDataHash] = "thisiswronghash"
 			Expect(k8sClient.Patch(context.Background(), secret, client.MergeFrom(cleanSecret))).To(Succeed())
 
 			var refreshedSecret v1.Secret
@@ -1008,7 +1040,7 @@ var _ = Describe("ExternalSecret controller", func() {
 				}
 				// refreshed secret should have a different generation (sign that it was updated), but since
 				// the secret source is the same (not changed), the hash should be reverted to an old value
-				return refreshedSecret.ResourceVersion != oldResourceVersion && refreshedSecret.Annotations[esv1alpha1.AnnotationDataHash] == oldHash
+				return refreshedSecret.ResourceVersion != oldResourceVersion && refreshedSecret.Annotations[esv1beta1.AnnotationDataHash] == oldHash
 			}, timeout, interval).Should(BeTrue())
 		}
 	}
@@ -1024,7 +1056,7 @@ var _ = Describe("ExternalSecret controller", func() {
 			Expect(k8sClient.Create(ctx, tc.secretStore)).To(Succeed())
 			Expect(k8sClient.Create(ctx, tc.externalSecret)).Should(Succeed())
 			esKey := types.NamespacedName{Name: ExternalSecretName, Namespace: ExternalSecretNamespace}
-			createdES := &esv1alpha1.ExternalSecret{}
+			createdES := &esv1beta1.ExternalSecret{}
 			By("checking the es condition")
 			Eventually(func() bool {
 				err := k8sClient.Get(ctx, esKey, createdES)
@@ -1075,6 +1107,7 @@ var _ = Describe("ExternalSecret controller", func() {
 		Entry("should refresh secret map when provider secret changes when using a template", refreshSecretValueMapTemplate),
 		Entry("should not refresh secret value when provider secret changes but refreshInterval is zero", refreshintervalZero),
 		Entry("should fetch secret using dataFrom", syncWithDataFrom),
+		Entry("should fetch secret using dataFrom.find", syncDataFromFind),
 		Entry("should fetch secret using dataFrom and a template", syncWithDataFromTemplate),
 		Entry("should set error condition when provider errors", providerErrCondition),
 		Entry("should set an error condition when store does not exist", storeMissingErrCondition),
@@ -1086,24 +1119,24 @@ var _ = Describe("ExternalSecret controller", func() {
 var _ = Describe("ExternalSecret refresh logic", func() {
 	Context("secret refresh", func() {
 		It("should refresh when resource version does not match", func() {
-			Expect(shouldRefresh(esv1alpha1.ExternalSecret{
-				Status: esv1alpha1.ExternalSecretStatus{
+			Expect(shouldRefresh(esv1beta1.ExternalSecret{
+				Status: esv1beta1.ExternalSecretStatus{
 					SyncedResourceVersion: "some resource version",
 				},
 			})).To(BeTrue())
 		})
 		It("should refresh when labels change", func() {
-			es := esv1alpha1.ExternalSecret{
+			es := esv1beta1.ExternalSecret{
 				ObjectMeta: metav1.ObjectMeta{
 					Generation: 1,
 					Labels: map[string]string{
 						"foo": "bar",
 					},
 				},
-				Spec: esv1alpha1.ExternalSecretSpec{
+				Spec: esv1beta1.ExternalSecretSpec{
 					RefreshInterval: &metav1.Duration{Duration: time.Minute},
 				},
-				Status: esv1alpha1.ExternalSecretStatus{
+				Status: esv1beta1.ExternalSecretStatus{
 					RefreshTime: metav1.Now(),
 				},
 			}
@@ -1117,17 +1150,17 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 		})
 
 		It("should refresh when annotations change", func() {
-			es := esv1alpha1.ExternalSecret{
+			es := esv1beta1.ExternalSecret{
 				ObjectMeta: metav1.ObjectMeta{
 					Generation: 1,
 					Annotations: map[string]string{
 						"foo": "bar",
 					},
 				},
-				Spec: esv1alpha1.ExternalSecretSpec{
+				Spec: esv1beta1.ExternalSecretSpec{
 					RefreshInterval: &metav1.Duration{Duration: time.Minute},
 				},
-				Status: esv1alpha1.ExternalSecretStatus{
+				Status: esv1beta1.ExternalSecretStatus{
 					RefreshTime: metav1.Now(),
 				},
 			}
@@ -1141,14 +1174,14 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 		})
 
 		It("should refresh when generation has changed", func() {
-			es := esv1alpha1.ExternalSecret{
+			es := esv1beta1.ExternalSecret{
 				ObjectMeta: metav1.ObjectMeta{
 					Generation: 1,
 				},
-				Spec: esv1alpha1.ExternalSecretSpec{
+				Spec: esv1beta1.ExternalSecretSpec{
 					RefreshInterval: &metav1.Duration{Duration: 0},
 				},
-				Status: esv1alpha1.ExternalSecretStatus{
+				Status: esv1beta1.ExternalSecretStatus{
 					RefreshTime: metav1.Now(),
 				},
 			}
@@ -1161,14 +1194,14 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 		})
 
 		It("should skip refresh when refreshInterval is 0", func() {
-			es := esv1alpha1.ExternalSecret{
+			es := esv1beta1.ExternalSecret{
 				ObjectMeta: metav1.ObjectMeta{
 					Generation: 1,
 				},
-				Spec: esv1alpha1.ExternalSecretSpec{
+				Spec: esv1beta1.ExternalSecretSpec{
 					RefreshInterval: &metav1.Duration{Duration: 0},
 				},
-				Status: esv1alpha1.ExternalSecretStatus{},
+				Status: esv1beta1.ExternalSecretStatus{},
 			}
 			// resource version matches
 			es.Status.SyncedResourceVersion = getResourceVersion(es)
@@ -1176,14 +1209,14 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 		})
 
 		It("should refresh when refresh interval has passed", func() {
-			es := esv1alpha1.ExternalSecret{
+			es := esv1beta1.ExternalSecret{
 				ObjectMeta: metav1.ObjectMeta{
 					Generation: 1,
 				},
-				Spec: esv1alpha1.ExternalSecretSpec{
+				Spec: esv1beta1.ExternalSecretSpec{
 					RefreshInterval: &metav1.Duration{Duration: time.Second},
 				},
-				Status: esv1alpha1.ExternalSecretStatus{
+				Status: esv1beta1.ExternalSecretStatus{
 					RefreshTime: metav1.NewTime(metav1.Now().Add(-time.Second * 5)),
 				},
 			}
@@ -1193,14 +1226,14 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 		})
 
 		It("should refresh when no refresh time was set", func() {
-			es := esv1alpha1.ExternalSecret{
+			es := esv1beta1.ExternalSecret{
 				ObjectMeta: metav1.ObjectMeta{
 					Generation: 1,
 				},
-				Spec: esv1alpha1.ExternalSecretSpec{
+				Spec: esv1beta1.ExternalSecretSpec{
 					RefreshInterval: &metav1.Duration{Duration: time.Second},
 				},
-				Status: esv1alpha1.ExternalSecretStatus{},
+				Status: esv1beta1.ExternalSecretStatus{},
 			}
 			// resource version matches
 			es.Status.SyncedResourceVersion = getResourceVersion(es)
@@ -1276,18 +1309,18 @@ var _ = Describe("ExternalSecret refresh logic", func() {
 var _ = Describe("Controller Reconcile logic", func() {
 	Context("controller reconcile", func() {
 		It("should reconcile when resource is not synced", func() {
-			Expect(shouldReconcile(esv1alpha1.ExternalSecret{
-				Status: esv1alpha1.ExternalSecretStatus{
+			Expect(shouldReconcile(esv1beta1.ExternalSecret{
+				Status: esv1beta1.ExternalSecretStatus{
 					SyncedResourceVersion: "some resource version",
-					Conditions:            []esv1alpha1.ExternalSecretStatusCondition{{Reason: "NotASecretSynced"}},
+					Conditions:            []esv1beta1.ExternalSecretStatusCondition{{Reason: "NotASecretSynced"}},
 				},
 			})).To(BeTrue())
 		})
 
 		It("should reconcile when secret isn't immutable", func() {
-			Expect(shouldReconcile(esv1alpha1.ExternalSecret{
-				Spec: esv1alpha1.ExternalSecretSpec{
-					Target: esv1alpha1.ExternalSecretTarget{
+			Expect(shouldReconcile(esv1beta1.ExternalSecret{
+				Spec: esv1beta1.ExternalSecretSpec{
+					Target: esv1beta1.ExternalSecretTarget{
 						Immutable: false,
 					},
 				},
@@ -1295,15 +1328,15 @@ var _ = Describe("Controller Reconcile logic", func() {
 		})
 
 		It("should not reconcile if secret is immutable and has synced condition", func() {
-			Expect(shouldReconcile(esv1alpha1.ExternalSecret{
-				Spec: esv1alpha1.ExternalSecretSpec{
-					Target: esv1alpha1.ExternalSecretTarget{
+			Expect(shouldReconcile(esv1beta1.ExternalSecret{
+				Spec: esv1beta1.ExternalSecretSpec{
+					Target: esv1beta1.ExternalSecretTarget{
 						Immutable: true,
 					},
 				},
-				Status: esv1alpha1.ExternalSecretStatus{
+				Status: esv1beta1.ExternalSecretStatus{
 					SyncedResourceVersion: "some resource version",
-					Conditions:            []esv1alpha1.ExternalSecretStatusCondition{{Reason: "SecretSynced"}},
+					Conditions:            []esv1beta1.ExternalSecretStatusCondition{{Reason: "SecretSynced"}},
 				},
 			})).To(BeFalse())
 		})
@@ -1350,7 +1383,7 @@ func hasFieldOwnership(meta metav1.ObjectMeta, mgr, rawFields string) bool {
 	return false
 }
 
-func externalSecretConditionShouldBe(name, ns string, ct esv1alpha1.ExternalSecretConditionType, cs v1.ConditionStatus, v float64) bool {
+func externalSecretConditionShouldBe(name, ns string, ct esv1beta1.ExternalSecretConditionType, cs v1.ConditionStatus, v float64) bool {
 	return Eventually(func() float64 {
 		Expect(externalSecretCondition.WithLabelValues(name, ns, string(ct), string(cs)).Write(&metric)).To(Succeed())
 		return metric.GetGauge().GetValue()
@@ -1359,9 +1392,9 @@ func externalSecretConditionShouldBe(name, ns string, ct esv1alpha1.ExternalSecr
 
 func init() {
 	fakeProvider = fake.New()
-	schema.ForceRegister(fakeProvider, &esv1alpha1.SecretStoreProvider{
-		AWS: &esv1alpha1.AWSProvider{
-			Service: esv1alpha1.AWSServiceSecretsManager,
+	schema.ForceRegister(fakeProvider, &esv1beta1.SecretStoreProvider{
+		AWS: &esv1beta1.AWSProvider{
+			Service: esv1beta1.AWSServiceSecretsManager,
 		},
 	})
 }

+ 10 - 10
pkg/controllers/externalsecret/metrics.go

@@ -19,7 +19,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/metrics"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 )
 
 const (
@@ -50,35 +50,35 @@ var (
 )
 
 // updateExternalSecretCondition updates the ExternalSecret conditions.
-func updateExternalSecretCondition(es *esv1alpha1.ExternalSecret, condition *esv1alpha1.ExternalSecretStatusCondition, value float64) {
+func updateExternalSecretCondition(es *esv1beta1.ExternalSecret, condition *esv1beta1.ExternalSecretStatusCondition, value float64) {
 	switch condition.Type {
-	case esv1alpha1.ExternalSecretDeleted:
+	case esv1beta1.ExternalSecretDeleted:
 		// Remove condition=Ready metrics when the object gets deleted.
 		externalSecretCondition.Delete(prometheus.Labels{
 			"name":      es.Name,
 			"namespace": es.Namespace,
-			"condition": string(esv1alpha1.ExternalSecretReady),
+			"condition": string(esv1beta1.ExternalSecretReady),
 			"status":    string(v1.ConditionFalse),
 		})
 		externalSecretCondition.Delete(prometheus.Labels{
 			"name":      es.Name,
 			"namespace": es.Namespace,
-			"condition": string(esv1alpha1.ExternalSecretReady),
+			"condition": string(esv1beta1.ExternalSecretReady),
 			"status":    string(v1.ConditionTrue),
 		})
 
-	case esv1alpha1.ExternalSecretReady:
+	case esv1beta1.ExternalSecretReady:
 		// Remove condition=Deleted metrics when the object gets ready.
 		externalSecretCondition.Delete(prometheus.Labels{
 			"name":      es.Name,
 			"namespace": es.Namespace,
-			"condition": string(esv1alpha1.ExternalSecretDeleted),
+			"condition": string(esv1beta1.ExternalSecretDeleted),
 			"status":    string(v1.ConditionFalse),
 		})
 		externalSecretCondition.Delete(prometheus.Labels{
 			"name":      es.Name,
 			"namespace": es.Namespace,
-			"condition": string(esv1alpha1.ExternalSecretDeleted),
+			"condition": string(esv1beta1.ExternalSecretDeleted),
 			"status":    string(v1.ConditionTrue),
 		})
 		// Toggle opposite Status to 0
@@ -87,14 +87,14 @@ func updateExternalSecretCondition(es *esv1alpha1.ExternalSecret, condition *esv
 			externalSecretCondition.With(prometheus.Labels{
 				"name":      es.Name,
 				"namespace": es.Namespace,
-				"condition": string(esv1alpha1.ExternalSecretReady),
+				"condition": string(esv1beta1.ExternalSecretReady),
 				"status":    string(v1.ConditionTrue),
 			}).Set(0)
 		case v1.ConditionTrue:
 			externalSecretCondition.With(prometheus.Labels{
 				"name":      es.Name,
 				"namespace": es.Namespace,
-				"condition": string(esv1alpha1.ExternalSecretReady),
+				"condition": string(esv1beta1.ExternalSecretReady),
 				"status":    string(v1.ConditionFalse),
 			}).Set(0)
 		case v1.ConditionUnknown:

+ 2 - 2
pkg/controllers/externalsecret/suite_test.go

@@ -32,7 +32,7 @@ import (
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 )
 
 // These tests use Ginkgo (BDD-style Go testing framework). Refer to
@@ -66,7 +66,7 @@ var _ = BeforeSuite(func() {
 	Expect(err).ToNot(HaveOccurred())
 	Expect(cfg).ToNot(BeNil())
 
-	err = esv1alpha1.AddToScheme(scheme.Scheme)
+	err = esv1beta1.AddToScheme(scheme.Scheme)
 	Expect(err).NotTo(HaveOccurred())
 
 	k8sManager, err := ctrl.NewManager(cfg, ctrl.Options{

+ 7 - 7
pkg/controllers/externalsecret/util.go

@@ -17,12 +17,12 @@ import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 )
 
 // NewExternalSecretCondition a set of default options for creating an External Secret Condition.
-func NewExternalSecretCondition(condType esv1alpha1.ExternalSecretConditionType, status v1.ConditionStatus, reason, message string) *esv1alpha1.ExternalSecretStatusCondition {
-	return &esv1alpha1.ExternalSecretStatusCondition{
+func NewExternalSecretCondition(condType esv1beta1.ExternalSecretConditionType, status v1.ConditionStatus, reason, message string) *esv1beta1.ExternalSecretStatusCondition {
+	return &esv1beta1.ExternalSecretStatusCondition{
 		Type:               condType,
 		Status:             status,
 		LastTransitionTime: metav1.Now(),
@@ -32,7 +32,7 @@ func NewExternalSecretCondition(condType esv1alpha1.ExternalSecretConditionType,
 }
 
 // GetExternalSecretCondition returns the condition with the provided type.
-func GetExternalSecretCondition(status esv1alpha1.ExternalSecretStatus, condType esv1alpha1.ExternalSecretConditionType) *esv1alpha1.ExternalSecretStatusCondition {
+func GetExternalSecretCondition(status esv1beta1.ExternalSecretStatus, condType esv1beta1.ExternalSecretConditionType) *esv1beta1.ExternalSecretStatusCondition {
 	for i := range status.Conditions {
 		c := status.Conditions[i]
 		if c.Type == condType {
@@ -44,7 +44,7 @@ func GetExternalSecretCondition(status esv1alpha1.ExternalSecretStatus, condType
 
 // SetExternalSecretCondition updates the external secret to include the provided
 // condition.
-func SetExternalSecretCondition(es *esv1alpha1.ExternalSecret, condition esv1alpha1.ExternalSecretStatusCondition) {
+func SetExternalSecretCondition(es *esv1beta1.ExternalSecret, condition esv1beta1.ExternalSecretStatusCondition) {
 	currentCond := GetExternalSecretCondition(es.Status, condition.Type)
 
 	if currentCond != nil && currentCond.Status == condition.Status &&
@@ -68,8 +68,8 @@ func SetExternalSecretCondition(es *esv1alpha1.ExternalSecret, condition esv1alp
 }
 
 // filterOutCondition returns an empty set of conditions with the provided type.
-func filterOutCondition(conditions []esv1alpha1.ExternalSecretStatusCondition, condType esv1alpha1.ExternalSecretConditionType) []esv1alpha1.ExternalSecretStatusCondition {
-	newConditions := make([]esv1alpha1.ExternalSecretStatusCondition, 0, len(conditions))
+func filterOutCondition(conditions []esv1beta1.ExternalSecretStatusCondition, condType esv1beta1.ExternalSecretConditionType) []esv1beta1.ExternalSecretStatusCondition {
+	newConditions := make([]esv1beta1.ExternalSecretStatusCondition, 0, len(conditions))
 	for _, c := range conditions {
 		if c.Type == condType {
 			continue

+ 1 - 1
pkg/controllers/secretstore/clustersecretstore_controller.go

@@ -25,7 +25,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 
 	// Loading registered providers.
 	_ "github.com/external-secrets/external-secrets/pkg/provider/register"

+ 1 - 1
pkg/controllers/secretstore/common.go

@@ -24,7 +24,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
 )
 

+ 1 - 1
pkg/controllers/secretstore/common_test.go

@@ -23,7 +23,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 
-	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 )
 
 type testCase struct {

+ 1 - 1
pkg/controllers/secretstore/secretstore_controller.go

@@ -25,7 +25,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 
 	// Loading registered providers.
 	_ "github.com/external-secrets/external-secrets/pkg/provider/register"

+ 1 - 1
pkg/controllers/secretstore/suite_test.go

@@ -29,7 +29,7 @@ import (
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
-	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 )
 
 var cfg *rest.Config

+ 1 - 1
pkg/controllers/secretstore/util.go

@@ -18,7 +18,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 )
 
 // NewSecretStoreCondition a set of default options for creating an External Secret Condition.

+ 14 - 8
pkg/provider/akeyless/akeyless.go

@@ -23,7 +23,7 @@ import (
 	"github.com/akeylesslabs/akeyless-go/v2"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
 	"github.com/external-secrets/external-secrets/pkg/utils"
@@ -39,7 +39,7 @@ type Provider struct{}
 // akeylessBase satisfies the provider.SecretsClient interface.
 type akeylessBase struct {
 	kube      client.Client
-	store     esv1alpha1.GenericStore
+	store     esv1beta1.GenericStore
 	namespace string
 
 	akeylessGwAPIURL string
@@ -56,17 +56,17 @@ type akeylessVaultInterface interface {
 }
 
 func init() {
-	schema.Register(&Provider{}, &esv1alpha1.SecretStoreProvider{
-		Akeyless: &esv1alpha1.AkeylessProvider{},
+	schema.Register(&Provider{}, &esv1beta1.SecretStoreProvider{
+		Akeyless: &esv1beta1.AkeylessProvider{},
 	})
 }
 
 // NewClient constructs a new secrets client based on the provided store.
-func (p *Provider) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
+func (p *Provider) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
 	return newClient(ctx, store, kube, namespace)
 }
 
-func newClient(_ context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
+func newClient(_ context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
 	akl := &akeylessBase{
 		kube:      kube,
 		store:     store,
@@ -109,7 +109,7 @@ func (a *Akeyless) Validate() error {
 
 // Implements store.Client.GetSecret Interface.
 // Retrieves a secret with the secret name defined in ref.Name.
-func (a *Akeyless) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func (a *Akeyless) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if utils.IsNil(a.Client) {
 		return nil, fmt.Errorf(errUninitalizedAkeylessProvider)
 	}
@@ -132,9 +132,15 @@ func (a *Akeyless) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretD
 	return []byte(value), nil
 }
 
+// Empty GetAllSecrets.
+func (a *Akeyless) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
+	// TO be implemented
+	return nil, fmt.Errorf("GetAllSecrets not implemented")
+}
+
 // Implements store.Client.GetSecretMap Interface.
 // New version of GetSecretMap.
-func (a *Akeyless) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (a *Akeyless) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	if utils.IsNil(a.Client) {
 		return nil, fmt.Errorf(errUninitalizedAkeylessProvider)
 	}

+ 4 - 4
pkg/provider/akeyless/akeyless_test.go

@@ -20,7 +20,7 @@ import (
 	"strings"
 	"testing"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	fakeakeyless "github.com/external-secrets/external-secrets/pkg/provider/akeyless/fake"
 )
 
@@ -28,7 +28,7 @@ type akeylessTestCase struct {
 	mockClient     *fakeakeyless.AkeylessMockClient
 	apiInput       *fakeakeyless.Input
 	apiOutput      *fakeakeyless.Output
-	ref            *esv1alpha1.ExternalSecretDataRemoteRef
+	ref            *esv1beta1.ExternalSecretDataRemoteRef
 	expectError    string
 	expectedSecret string
 	// for testing secretmap
@@ -49,8 +49,8 @@ func makeValidAkeylessTestCase() *akeylessTestCase {
 	return &smtc
 }
 
-func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
-	return &esv1alpha1.ExternalSecretDataRemoteRef{
+func makeValidRef() *esv1beta1.ExternalSecretDataRemoteRef {
+	return &esv1beta1.ExternalSecretDataRemoteRef{
 		Key:     "test-secret",
 		Version: "1",
 	}

+ 4 - 4
pkg/provider/akeyless/auth.go

@@ -21,7 +21,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 )
 
 const (
@@ -44,7 +44,7 @@ func (a *akeylessBase) TokenFromSecretRef(ctx context.Context) (string, error) {
 		Namespace: a.namespace, // default to ExternalSecret namespace
 	}
 	// only ClusterStore is allowed to set namespace (and then it's required)
-	if a.store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
+	if a.store.GetObjectKind().GroupVersionKind().Kind == esv1beta1.ClusterSecretStoreKind {
 		if prov.Auth.SecretRef.AccessID.Namespace == nil {
 			return "", fmt.Errorf(errInvalidClusterStoreMissingAKIDNamespace)
 		}
@@ -60,7 +60,7 @@ func (a *akeylessBase) TokenFromSecretRef(ctx context.Context) (string, error) {
 		Namespace: a.namespace, // default to ExternalSecret namespace
 	}
 	// only ClusterStore is allowed to set namespace (and then it's required)
-	if a.store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
+	if a.store.GetObjectKind().GroupVersionKind().Kind == esv1beta1.ClusterSecretStoreKind {
 		if prov.Auth.SecretRef.AccessType.Namespace == nil {
 			return "", fmt.Errorf(errInvalidClusterStoreMissingSAKNamespace)
 		}
@@ -77,7 +77,7 @@ func (a *akeylessBase) TokenFromSecretRef(ctx context.Context) (string, error) {
 		Namespace: a.namespace, // default to ExternalSecret namespace
 	}
 	// only ClusterStore is allowed to set namespace (and then it's required)
-	if a.store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
+	if a.store.GetObjectKind().GroupVersionKind().Kind == esv1beta1.ClusterSecretStoreKind {
 		if prov.Auth.SecretRef.AccessType.Namespace == nil {
 			return "", fmt.Errorf(errInvalidClusterStoreMissingSAKNamespace)
 		}

+ 2 - 2
pkg/provider/akeyless/utils.go

@@ -21,7 +21,7 @@ import (
 	"strings"
 	"time"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 )
 
 const (
@@ -34,7 +34,7 @@ const (
 )
 
 // GetAKeylessProvider does the necessary nil checks and returns the akeyless provider or an error.
-func GetAKeylessProvider(store esv1alpha1.GenericStore) (*esv1alpha1.AkeylessProvider, error) {
+func GetAKeylessProvider(store esv1beta1.GenericStore) (*esv1beta1.AkeylessProvider, error) {
 	if store == nil {
 		return nil, fmt.Errorf(errNilStore)
 	}

+ 15 - 9
pkg/provider/alibaba/kms.go

@@ -25,7 +25,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
@@ -45,7 +45,7 @@ const (
 
 type Client struct {
 	kube      kclient.Client
-	store     *esv1alpha1.AlibabaProvider
+	store     *esv1beta1.AlibabaProvider
 	namespace string
 	storeKind string
 	regionID  string
@@ -74,7 +74,7 @@ func (c *Client) setAuth(ctx context.Context) error {
 	}
 
 	// only ClusterStore is allowed to set namespace (and then it's required)
-	if c.storeKind == esv1alpha1.ClusterSecretStoreKind {
+	if c.storeKind == esv1beta1.ClusterSecretStoreKind {
 		if c.store.Auth.SecretRef.AccessKeyID.Namespace == nil {
 			return fmt.Errorf(errInvalidClusterStoreMissingAKIDNamespace)
 		}
@@ -90,7 +90,7 @@ func (c *Client) setAuth(ctx context.Context) error {
 		Name:      c.store.Auth.SecretRef.AccessKeySecret.Name,
 		Namespace: c.namespace,
 	}
-	if c.storeKind == esv1alpha1.ClusterSecretStoreKind {
+	if c.storeKind == esv1beta1.ClusterSecretStoreKind {
 		if c.store.Auth.SecretRef.AccessKeySecret.Namespace == nil {
 			return fmt.Errorf(errInvalidClusterStoreMissingSKNamespace)
 		}
@@ -110,8 +110,14 @@ func (c *Client) setAuth(ctx context.Context) error {
 	return nil
 }
 
+// Empty GetAllSecrets.
+func (kms *KeyManagementService) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
+	// TO be implemented
+	return nil, fmt.Errorf("GetAllSecrets not implemented")
+}
+
 // GetSecret returns a single secret from the provider.
-func (kms *KeyManagementService) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func (kms *KeyManagementService) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if utils.IsNil(kms.Client) {
 		return nil, fmt.Errorf(errUninitalizedAlibabaProvider)
 	}
@@ -141,7 +147,7 @@ func (kms *KeyManagementService) GetSecret(ctx context.Context, ref esv1alpha1.E
 }
 
 // GetSecretMap returns multiple k/v pairs from the provider.
-func (kms *KeyManagementService) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (kms *KeyManagementService) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	data, err := kms.GetSecret(ctx, ref)
 	if err != nil {
 		return nil, err
@@ -159,7 +165,7 @@ func (kms *KeyManagementService) GetSecretMap(ctx context.Context, ref esv1alpha
 }
 
 // NewClient constructs a new secrets client based on the provided store.
-func (kms *KeyManagementService) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
+func (kms *KeyManagementService) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 	alibabaSpec := storeSpec.Provider.Alibaba
 	iStore := &Client{
@@ -191,7 +197,7 @@ func (kms *KeyManagementService) Validate() error {
 }
 
 func init() {
-	schema.Register(&KeyManagementService{}, &esv1alpha1.SecretStoreProvider{
-		Alibaba: &esv1alpha1.AlibabaProvider{},
+	schema.Register(&KeyManagementService{}, &esv1beta1.SecretStoreProvider{
+		Alibaba: &esv1beta1.AlibabaProvider{},
 	})
 }

+ 4 - 4
pkg/provider/alibaba/kms_test.go

@@ -24,7 +24,7 @@ import (
 	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/responses"
 	kmssdk "github.com/aliyun/alibaba-cloud-sdk-go/services/kms"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	fakesm "github.com/external-secrets/external-secrets/pkg/provider/alibaba/fake"
 )
 
@@ -37,7 +37,7 @@ type keyManagementServiceTestCase struct {
 	mockClient     *fakesm.AlibabaMockClient
 	apiInput       *kmssdk.GetSecretValueRequest
 	apiOutput      *kmssdk.GetSecretValueResponse
-	ref            *esv1alpha1.ExternalSecretDataRemoteRef
+	ref            *esv1beta1.ExternalSecretDataRemoteRef
 	apiErr         error
 	expectError    string
 	expectedSecret string
@@ -60,8 +60,8 @@ func makeValidKMSTestCase() *keyManagementServiceTestCase {
 	return &kmstc
 }
 
-func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
-	return &esv1alpha1.ExternalSecretDataRemoteRef{
+func makeValidRef() *esv1beta1.ExternalSecretDataRemoteRef {
+	return &esv1beta1.ExternalSecretDataRemoteRef{
 		Key: secretName,
 	}
 }

+ 7 - 7
pkg/provider/aws/auth/auth.go

@@ -33,7 +33,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	ctrlcfg "sigs.k8s.io/controller-runtime/pkg/client/config"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
 )
 
@@ -62,7 +62,7 @@ const (
 // * service-account token authentication via AssumeRoleWithWebIdentity
 // * static credentials from a Kind=Secret, optionally with doing a AssumeRole.
 // * sdk default provider chain, see: https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default
-func New(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string, assumeRoler STSProvider, jwtProvider jwtProviderFactory) (*session.Session, error) {
+func New(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string, assumeRoler STSProvider, jwtProvider jwtProviderFactory) (*session.Session, error) {
 	prov, err := util.GetAWSProvider(store)
 	if err != nil {
 		return nil, err
@@ -113,13 +113,13 @@ func New(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client,
 	return sess, nil
 }
 
-func sessionFromSecretRef(ctx context.Context, prov *esv1alpha1.AWSProvider, store esv1alpha1.GenericStore, kube client.Client, namespace string) (*credentials.Credentials, error) {
+func sessionFromSecretRef(ctx context.Context, prov *esv1beta1.AWSProvider, store esv1beta1.GenericStore, kube client.Client, namespace string) (*credentials.Credentials, error) {
 	ke := client.ObjectKey{
 		Name:      prov.Auth.SecretRef.AccessKeyID.Name,
 		Namespace: namespace, // default to ExternalSecret namespace
 	}
 	// only ClusterStore is allowed to set namespace (and then it's required)
-	if store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
+	if store.GetObjectKind().GroupVersionKind().Kind == esv1beta1.ClusterSecretStoreKind {
 		if prov.Auth.SecretRef.AccessKeyID.Namespace == nil {
 			return nil, fmt.Errorf(errInvalidClusterStoreMissingAKIDNamespace)
 		}
@@ -135,7 +135,7 @@ func sessionFromSecretRef(ctx context.Context, prov *esv1alpha1.AWSProvider, sto
 		Namespace: namespace, // default to ExternalSecret namespace
 	}
 	// only ClusterStore is allowed to set namespace (and then it's required)
-	if store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
+	if store.GetObjectKind().GroupVersionKind().Kind == esv1beta1.ClusterSecretStoreKind {
 		if prov.Auth.SecretRef.SecretAccessKey.Namespace == nil {
 			return nil, fmt.Errorf(errInvalidClusterStoreMissingSAKNamespace)
 		}
@@ -158,8 +158,8 @@ func sessionFromSecretRef(ctx context.Context, prov *esv1alpha1.AWSProvider, sto
 	return credentials.NewStaticCredentials(aks, sak, ""), err
 }
 
-func sessionFromServiceAccount(ctx context.Context, prov *esv1alpha1.AWSProvider, store esv1alpha1.GenericStore, kube client.Client, namespace string, jwtProvider jwtProviderFactory) (*credentials.Credentials, error) {
-	if store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
+func sessionFromServiceAccount(ctx context.Context, prov *esv1beta1.AWSProvider, store esv1beta1.GenericStore, kube client.Client, namespace string, jwtProvider jwtProviderFactory) (*credentials.Credentials, error) {
+	if store.GetObjectKind().GroupVersionKind().Kind == esv1beta1.ClusterSecretStoreKind {
 		if prov.Auth.JWTAuth.ServiceAccountRef.Namespace == nil {
 			return nil, fmt.Errorf("serviceAccountRef has no Namespace field (mandatory for ClusterSecretStore specs)")
 		}

+ 72 - 72
pkg/provider/aws/auth/auth_test.go

@@ -32,7 +32,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	fakesess "github.com/external-secrets/external-secrets/pkg/provider/aws/auth/fake"
 )
@@ -54,30 +54,30 @@ func TestNewSession(t *testing.T) {
 		{
 			name:      "not store spec",
 			expectErr: "storeSpec is missing provider",
-			store:     &esv1alpha1.SecretStore{},
+			store:     &esv1beta1.SecretStore{},
 		},
 		{
 			name:      "store spec has no provider",
 			expectErr: "storeSpec is missing provider",
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{},
+			store: &esv1beta1.SecretStore{
+				Spec: esv1beta1.SecretStoreSpec{},
 			},
 		},
 		{
 			name:      "spec has no awssm field",
 			expectErr: "Missing AWS field",
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{},
+			store: &esv1beta1.SecretStore{
+				Spec: esv1beta1.SecretStoreSpec{
+					Provider: &esv1beta1.SecretStoreProvider{},
 				},
 			},
 		},
 		{
 			name: "configure aws using environment variables",
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{},
+			store: &esv1beta1.SecretStore{
+				Spec: esv1beta1.SecretStoreSpec{
+					Provider: &esv1beta1.SecretStoreProvider{
+						AWS: &esv1beta1.AWSProvider{},
 					},
 				},
 			},
@@ -110,10 +110,10 @@ func TestNewSession(t *testing.T) {
 					},
 				}
 			},
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
+			store: &esv1beta1.SecretStore{
+				Spec: esv1beta1.SecretStoreSpec{
+					Provider: &esv1beta1.SecretStoreProvider{
+						AWS: &esv1beta1.AWSProvider{
 							Role: "foo-bar-baz",
 						},
 					},
@@ -130,12 +130,12 @@ func TestNewSession(t *testing.T) {
 		{
 			name:      "error out when secret with credentials does not exist",
 			namespace: "foo",
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
-							Auth: esv1alpha1.AWSAuth{
-								SecretRef: &esv1alpha1.AWSAuthSecretRef{
+			store: &esv1beta1.SecretStore{
+				Spec: esv1beta1.SecretStoreSpec{
+					Provider: &esv1beta1.SecretStoreProvider{
+						AWS: &esv1beta1.AWSProvider{
+							Auth: esv1beta1.AWSAuth{
+								SecretRef: &esv1beta1.AWSAuthSecretRef{
 									AccessKeyID: esmeta.SecretKeySelector{
 										Name: "othersecret",
 										Key:  "one",
@@ -155,12 +155,12 @@ func TestNewSession(t *testing.T) {
 		{
 			name:      "use credentials from secret to configure aws",
 			namespace: "foo",
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
-							Auth: esv1alpha1.AWSAuth{
-								SecretRef: &esv1alpha1.AWSAuthSecretRef{
+			store: &esv1beta1.SecretStore{
+				Spec: esv1beta1.SecretStoreSpec{
+					Provider: &esv1beta1.SecretStoreProvider{
+						AWS: &esv1beta1.AWSProvider{
+							Auth: esv1beta1.AWSAuth{
+								SecretRef: &esv1beta1.AWSAuthSecretRef{
 									AccessKeyID: esmeta.SecretKeySelector{
 										Name: "onesecret",
 										// Namespace is not set
@@ -196,12 +196,12 @@ func TestNewSession(t *testing.T) {
 		{
 			name:      "error out when secret key does not exist",
 			namespace: "foo",
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
-							Auth: esv1alpha1.AWSAuth{
-								SecretRef: &esv1alpha1.AWSAuthSecretRef{
+			store: &esv1beta1.SecretStore{
+				Spec: esv1beta1.SecretStoreSpec{
+					Provider: &esv1beta1.SecretStoreProvider{
+						AWS: &esv1beta1.AWSProvider{
+							Auth: esv1beta1.AWSAuth{
+								SecretRef: &esv1beta1.AWSAuthSecretRef{
 									AccessKeyID: esmeta.SecretKeySelector{
 										Name: "brokensecret",
 										Key:  "one",
@@ -230,12 +230,12 @@ func TestNewSession(t *testing.T) {
 		{
 			name:      "should not be able to access secrets from different namespace",
 			namespace: "foo",
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
-							Auth: esv1alpha1.AWSAuth{
-								SecretRef: &esv1alpha1.AWSAuthSecretRef{
+			store: &esv1beta1.SecretStore{
+				Spec: esv1beta1.SecretStoreSpec{
+					Provider: &esv1beta1.SecretStoreProvider{
+						AWS: &esv1beta1.AWSProvider{
+							Auth: esv1beta1.AWSAuth{
+								SecretRef: &esv1beta1.AWSAuthSecretRef{
 									AccessKeyID: esmeta.SecretKeySelector{
 										Name:      "onesecret",
 										Namespace: aws.String("evil"), // this should not be possible!
@@ -269,16 +269,16 @@ func TestNewSession(t *testing.T) {
 		{
 			name:      "ClusterStore should use credentials from a specific namespace",
 			namespace: esNamespaceKey,
-			store: &esv1alpha1.ClusterSecretStore{
+			store: &esv1beta1.ClusterSecretStore{
 				TypeMeta: metav1.TypeMeta{
-					APIVersion: esv1alpha1.ClusterSecretStoreKindAPIVersion,
-					Kind:       esv1alpha1.ClusterSecretStoreKind,
+					APIVersion: esv1beta1.ClusterSecretStoreKindAPIVersion,
+					Kind:       esv1beta1.ClusterSecretStoreKind,
 				},
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
-							Auth: esv1alpha1.AWSAuth{
-								SecretRef: &esv1alpha1.AWSAuthSecretRef{
+				Spec: esv1beta1.SecretStoreSpec{
+					Provider: &esv1beta1.SecretStoreProvider{
+						AWS: &esv1beta1.AWSProvider{
+							Auth: esv1beta1.AWSAuth{
+								SecretRef: &esv1beta1.AWSAuthSecretRef{
 									AccessKeyID: esmeta.SecretKeySelector{
 										Name:      "onesecret",
 										Namespace: aws.String(platformTeamNsKey),
@@ -314,16 +314,16 @@ func TestNewSession(t *testing.T) {
 		{
 			name:      "namespace is mandatory when using ClusterStore with SecretKeySelector",
 			namespace: esNamespaceKey,
-			store: &esv1alpha1.ClusterSecretStore{
+			store: &esv1beta1.ClusterSecretStore{
 				TypeMeta: metav1.TypeMeta{
-					APIVersion: esv1alpha1.ClusterSecretStoreKindAPIVersion,
-					Kind:       esv1alpha1.ClusterSecretStoreKind,
+					APIVersion: esv1beta1.ClusterSecretStoreKindAPIVersion,
+					Kind:       esv1beta1.ClusterSecretStoreKind,
 				},
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
-							Auth: esv1alpha1.AWSAuth{
-								SecretRef: &esv1alpha1.AWSAuthSecretRef{
+				Spec: esv1beta1.SecretStoreSpec{
+					Provider: &esv1beta1.SecretStoreProvider{
+						AWS: &esv1beta1.AWSProvider{
+							Auth: esv1beta1.AWSAuth{
+								SecretRef: &esv1beta1.AWSAuthSecretRef{
 									AccessKeyID: esmeta.SecretKeySelector{
 										Name: "onesecret",
 										Key:  "one",
@@ -368,16 +368,16 @@ func TestNewSession(t *testing.T) {
 					IsExpiredFunc: func() bool { return false },
 				}, nil
 			},
-			store: &esv1alpha1.ClusterSecretStore{
+			store: &esv1beta1.ClusterSecretStore{
 				TypeMeta: metav1.TypeMeta{
-					APIVersion: esv1alpha1.ClusterSecretStoreKindAPIVersion,
-					Kind:       esv1alpha1.ClusterSecretStoreKind,
+					APIVersion: esv1beta1.ClusterSecretStoreKindAPIVersion,
+					Kind:       esv1beta1.ClusterSecretStoreKind,
 				},
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
-							Auth: esv1alpha1.AWSAuth{
-								JWTAuth: &esv1alpha1.AWSJWTAuth{
+				Spec: esv1beta1.SecretStoreSpec{
+					Provider: &esv1beta1.SecretStoreProvider{
+						AWS: &esv1beta1.AWSProvider{
+							Auth: esv1beta1.AWSAuth{
+								JWTAuth: &esv1beta1.AWSJWTAuth{
 									ServiceAccountRef: &esmeta.ServiceAccountSelector{
 										Name:      myServiceAccountKey,
 										Namespace: aws.String(otherNsName),
@@ -403,7 +403,7 @@ func TestNewSession(t *testing.T) {
 
 type TestSessionRow struct {
 	name              string
-	store             esv1alpha1.GenericStore
+	store             esv1beta1.GenericStore
 	secrets           []v1.Secret
 	sa                *v1.ServiceAccount
 	jwtProvider       jwtProviderFactory
@@ -464,11 +464,11 @@ func TestSMEnvCredentials(t *testing.T) {
 	os.Setenv("AWS_ACCESS_KEY_ID", "2222")
 	defer os.Unsetenv("AWS_SECRET_ACCESS_KEY")
 	defer os.Unsetenv("AWS_ACCESS_KEY_ID")
-	s, err := New(context.Background(), &esv1alpha1.SecretStore{
-		Spec: esv1alpha1.SecretStoreSpec{
-			Provider: &esv1alpha1.SecretStoreProvider{
+	s, err := New(context.Background(), &esv1beta1.SecretStore{
+		Spec: esv1beta1.SecretStoreSpec{
+			Provider: &esv1beta1.SecretStoreProvider{
 				// defaults
-				AWS: &esv1alpha1.AWSProvider{},
+				AWS: &esv1beta1.AWSProvider{},
 			},
 		},
 	}, k8sClient, "example-ns", DefaultSTSProvider, nil)
@@ -504,11 +504,11 @@ func TestSMAssumeRole(t *testing.T) {
 	os.Setenv("AWS_ACCESS_KEY_ID", "2222")
 	defer os.Unsetenv("AWS_SECRET_ACCESS_KEY")
 	defer os.Unsetenv("AWS_ACCESS_KEY_ID")
-	s, err := New(context.Background(), &esv1alpha1.SecretStore{
-		Spec: esv1alpha1.SecretStoreSpec{
-			Provider: &esv1alpha1.SecretStoreProvider{
+	s, err := New(context.Background(), &esv1beta1.SecretStore{
+		Spec: esv1beta1.SecretStoreSpec{
+			Provider: &esv1beta1.SecretStoreProvider{
 				// do assume role!
-				AWS: &esv1alpha1.AWSProvider{
+				AWS: &esv1beta1.AWSProvider{
 					Role: "my-awesome-role",
 				},
 			},

+ 9 - 3
pkg/provider/aws/parameterstore/parameterstore.go

@@ -24,7 +24,7 @@ import (
 	"github.com/tidwall/gjson"
 	ctrl "sigs.k8s.io/controller-runtime"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
 )
 
@@ -50,8 +50,14 @@ func New(sess *session.Session) (*ParameterStore, error) {
 	}, nil
 }
 
+// Empty GetAllSecrets.
+func (pm *ParameterStore) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
+	// TO be implemented
+	return nil, fmt.Errorf("GetAllSecrets not implemented")
+}
+
 // GetSecret returns a single secret from the provider.
-func (pm *ParameterStore) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func (pm *ParameterStore) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	log.Info("fetching secret value", "key", ref.Key)
 	out, err := pm.client.GetParameter(&ssm.GetParameterInput{
 		Name:           &ref.Key,
@@ -74,7 +80,7 @@ func (pm *ParameterStore) GetSecret(ctx context.Context, ref esv1alpha1.External
 }
 
 // GetSecretMap returns multiple k/v pairs from the provider.
-func (pm *ParameterStore) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (pm *ParameterStore) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	log.Info("fetching secret map", "key", ref.Key)
 	data, err := pm.GetSecret(ctx, ref)
 	if err != nil {
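Review bot: The new GetAllSecrets stub in the hunk at @@ -50 builds its error with `fmt.Errorf` from a constant string that has no format verbs, and the same stub is repeated in secretsmanager.go and keyvault.go in this PR. Returning an error here is the right fail-closed behaviour for a lookup by ExternalSecretFind that the provider cannot honour, but as a plain formatted string the caller has no way to tell "unsupported by this provider" from a transient fetch failure, so a reconciler would likely keep retrying it. A package-level sentinel, `var errNotImplemented = errors.New("GetAllSecrets not implemented")` returned as `return nil, errNotImplemented`, lets callers match it with `errors.Is` (this assumes `errors` is, or can be, imported in these files — their import blocks are not fully visible). The doc comment should also start with the method name and state the contract, e.g. `// GetAllSecrets is not supported by this provider and always returns errNotImplemented.`, and the body comment `// TO be implemented` has a stray capital.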

+ 4 - 4
pkg/provider/aws/parameterstore/parameterstore_test.go

@@ -23,7 +23,7 @@ import (
 	"github.com/aws/aws-sdk-go/service/ssm"
 	"github.com/google/go-cmp/cmp"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	fake "github.com/external-secrets/external-secrets/pkg/provider/aws/parameterstore/fake"
 )
 
@@ -31,7 +31,7 @@ type parameterstoreTestCase struct {
 	fakeClient     *fake.Client
 	apiInput       *ssm.GetParameterInput
 	apiOutput      *ssm.GetParameterOutput
-	remoteRef      *esv1alpha1.ExternalSecretDataRemoteRef
+	remoteRef      *esv1beta1.ExternalSecretDataRemoteRef
 	apiErr         error
 	expectError    string
 	expectedSecret string
@@ -66,8 +66,8 @@ func makeValidAPIOutput() *ssm.GetParameterOutput {
 	}
 }
 
-func makeValidRemoteRef() *esv1alpha1.ExternalSecretDataRemoteRef {
-	return &esv1alpha1.ExternalSecretDataRemoteRef{
+func makeValidRemoteRef() *esv1beta1.ExternalSecretDataRemoteRef {
+	return &esv1beta1.ExternalSecretDataRemoteRef{
 		Key: "/baz",
 	}
 }

+ 7 - 7
pkg/provider/aws/provider.go

@@ -20,7 +20,7 @@ import (
 
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	awsauth "github.com/external-secrets/external-secrets/pkg/provider/aws/auth"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/parameterstore"
@@ -38,11 +38,11 @@ const (
 )
 
 // NewClient constructs a new secrets client based on the provided store.
-func (p *Provider) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
+func (p *Provider) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
 	return newClient(ctx, store, kube, namespace, awsauth.DefaultSTSProvider)
 }
 
-func newClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string, assumeRoler awsauth.STSProvider) (provider.SecretsClient, error) {
+func newClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string, assumeRoler awsauth.STSProvider) (provider.SecretsClient, error) {
 	prov, err := util.GetAWSProvider(store)
 	if err != nil {
 		return nil, err
@@ -54,16 +54,16 @@ func newClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.C
 	}
 
 	switch prov.Service {
-	case esv1alpha1.AWSServiceSecretsManager:
+	case esv1beta1.AWSServiceSecretsManager:
 		return secretsmanager.New(sess)
-	case esv1alpha1.AWSServiceParameterStore:
+	case esv1beta1.AWSServiceParameterStore:
 		return parameterstore.New(sess)
 	}
 	return nil, fmt.Errorf(errUnknownProviderService, prov.Service)
 }
 
 func init() {
-	schema.Register(&Provider{}, &esv1alpha1.SecretStoreProvider{
-		AWS: &esv1alpha1.AWSProvider{},
+	schema.Register(&Provider{}, &esv1beta1.SecretStoreProvider{
+		AWS: &esv1beta1.AWSProvider{},
 	})
 }

+ 28 - 28
pkg/provider/aws/provider_test.go

@@ -23,7 +23,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/parameterstore"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/secretsmanager"
@@ -43,7 +43,7 @@ func TestProvider(t *testing.T) {
 
 	tbl := []struct {
 		test    string
-		store   esv1alpha1.GenericStore
+		store   esv1beta1.GenericStore
 		expType interface{}
 		expErr  bool
 	}{
@@ -55,16 +55,16 @@ func TestProvider(t *testing.T) {
 		{
 			test:   "should not create provider due to missing provider",
 			expErr: true,
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{},
+			store: &esv1beta1.SecretStore{
+				Spec: esv1beta1.SecretStoreSpec{},
 			},
 		},
 		{
 			test:   "should not create provider due to missing provider field",
 			expErr: true,
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{},
+			store: &esv1beta1.SecretStore{
+				Spec: esv1beta1.SecretStoreSpec{
+					Provider: &esv1beta1.SecretStoreProvider{},
 				},
 			},
 		},
@@ -72,11 +72,11 @@ func TestProvider(t *testing.T) {
 			test:    "should create parameter store client",
 			expErr:  false,
 			expType: &parameterstore.ParameterStore{},
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
-							Service: esv1alpha1.AWSServiceParameterStore,
+			store: &esv1beta1.SecretStore{
+				Spec: esv1beta1.SecretStoreSpec{
+					Provider: &esv1beta1.SecretStoreProvider{
+						AWS: &esv1beta1.AWSProvider{
+							Service: esv1beta1.AWSServiceParameterStore,
 						},
 					},
 				},
@@ -86,11 +86,11 @@ func TestProvider(t *testing.T) {
 			test:    "should create secretsmanager client",
 			expErr:  false,
 			expType: &secretsmanager.SecretsManager{},
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
-							Service: esv1alpha1.AWSServiceSecretsManager,
+			store: &esv1beta1.SecretStore{
+				Spec: esv1beta1.SecretStoreSpec{
+					Provider: &esv1beta1.SecretStoreProvider{
+						AWS: &esv1beta1.AWSProvider{
+							Service: esv1beta1.AWSServiceSecretsManager,
 						},
 					},
 				},
@@ -99,10 +99,10 @@ func TestProvider(t *testing.T) {
 		{
 			test:   "invalid service should return an error",
 			expErr: true,
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
+			store: &esv1beta1.SecretStore{
+				Spec: esv1beta1.SecretStoreSpec{
+					Provider: &esv1beta1.SecretStoreProvider{
+						AWS: &esv1beta1.AWSProvider{
 							Service: "HIHIHIHHEHEHEHEHEHE",
 						},
 					},
@@ -112,13 +112,13 @@ func TestProvider(t *testing.T) {
 		{
 			test:   "newSession error should be returned",
 			expErr: true,
-			store: &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						AWS: &esv1alpha1.AWSProvider{
-							Service: esv1alpha1.AWSServiceParameterStore,
-							Auth: esv1alpha1.AWSAuth{
-								SecretRef: &esv1alpha1.AWSAuthSecretRef{
+			store: &esv1beta1.SecretStore{
+				Spec: esv1beta1.SecretStoreSpec{
+					Provider: &esv1beta1.SecretStoreProvider{
+						AWS: &esv1beta1.AWSProvider{
+							Service: esv1beta1.AWSServiceParameterStore,
+							Auth: esv1beta1.AWSAuth{
+								SecretRef: &esv1beta1.AWSAuthSecretRef{
 									AccessKeyID: esmeta.SecretKeySelector{
 										Name:      "foo",
 										Namespace: aws.String("NOOP"),

+ 10 - 4
pkg/provider/aws/secretsmanager/secretsmanager.go

@@ -24,7 +24,7 @@ import (
 	"github.com/tidwall/gjson"
 	ctrl "sigs.k8s.io/controller-runtime"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	"github.com/external-secrets/external-secrets/pkg/provider/aws/util"
 )
 
@@ -52,7 +52,7 @@ func New(sess *session.Session) (*SecretsManager, error) {
 	}, nil
 }
 
-func (sm *SecretsManager) fetch(_ context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (*awssm.GetSecretValueOutput, error) {
+func (sm *SecretsManager) fetch(_ context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (*awssm.GetSecretValueOutput, error) {
 	ver := "AWSCURRENT"
 	if ref.Version != "" {
 		ver = ref.Version
@@ -76,8 +76,14 @@ func (sm *SecretsManager) fetch(_ context.Context, ref esv1alpha1.ExternalSecret
 	return secretOut, nil
 }
 
+// Empty GetAllSecrets.
+func (sm *SecretsManager) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
+	// TO be implemented
+	return nil, fmt.Errorf("GetAllSecrets not implemented")
+}
+
 // GetSecret returns a single secret from the provider.
-func (sm *SecretsManager) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func (sm *SecretsManager) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	secretOut, err := sm.fetch(ctx, ref)
 	if err != nil {
 		return nil, util.SanitizeErr(err)
@@ -107,7 +113,7 @@ func (sm *SecretsManager) GetSecret(ctx context.Context, ref esv1alpha1.External
 }
 
 // GetSecretMap returns multiple k/v pairs from the provider.
-func (sm *SecretsManager) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (sm *SecretsManager) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	log.Info("fetching secret map", "key", ref.Key)
 	data, err := sm.GetSecret(ctx, ref)
 	if err != nil {

+ 4 - 4
pkg/provider/aws/secretsmanager/secretsmanager_test.go

@@ -24,7 +24,7 @@ import (
 	awssm "github.com/aws/aws-sdk-go/service/secretsmanager"
 	"github.com/google/go-cmp/cmp"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	fakesm "github.com/external-secrets/external-secrets/pkg/provider/aws/secretsmanager/fake"
 )
 
@@ -32,7 +32,7 @@ type secretsManagerTestCase struct {
 	fakeClient     *fakesm.Client
 	apiInput       *awssm.GetSecretValueInput
 	apiOutput      *awssm.GetSecretValueOutput
-	remoteRef      *esv1alpha1.ExternalSecretDataRemoteRef
+	remoteRef      *esv1beta1.ExternalSecretDataRemoteRef
 	apiErr         error
 	expectError    string
 	expectedSecret string
@@ -59,8 +59,8 @@ func makeValidSecretsManagerTestCase() *secretsManagerTestCase {
 	return &smtc
 }
 
-func makeValidRemoteRef() *esv1alpha1.ExternalSecretDataRemoteRef {
-	return &esv1alpha1.ExternalSecretDataRemoteRef{
+func makeValidRemoteRef() *esv1beta1.ExternalSecretDataRemoteRef {
+	return &esv1beta1.ExternalSecretDataRemoteRef{
 		Key:     "/baz",
 		Version: "AWSCURRENT",
 	}

+ 2 - 2
pkg/provider/aws/util/provider.go

@@ -16,7 +16,7 @@ package util
 import (
 	"fmt"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 )
 
 const (
@@ -28,7 +28,7 @@ const (
 
 // GetAWSProvider does the necessary nil checks on the generic store
 // it returns the aws provider or an error.
-func GetAWSProvider(store esv1alpha1.GenericStore) (*esv1alpha1.AWSProvider, error) {
+func GetAWSProvider(store esv1beta1.GenericStore) (*esv1beta1.AWSProvider, error) {
 	if store == nil {
 		return nil, fmt.Errorf(errNilStore)
 	}

+ 20 - 14
pkg/provider/azure/keyvault/keyvault.go

@@ -28,7 +28,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	smmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
@@ -64,24 +64,24 @@ type SecretClient interface {
 
 type Azure struct {
 	kube       client.Client
-	store      esv1alpha1.GenericStore
-	provider   *esv1alpha1.AzureKVProvider
+	store      esv1beta1.GenericStore
+	provider   *esv1beta1.AzureKVProvider
 	baseClient SecretClient
 	namespace  string
 }
 
 func init() {
-	schema.Register(&Azure{}, &esv1alpha1.SecretStoreProvider{
-		AzureKV: &esv1alpha1.AzureKVProvider{},
+	schema.Register(&Azure{}, &esv1beta1.SecretStoreProvider{
+		AzureKV: &esv1beta1.AzureKVProvider{},
 	})
 }
 
 // NewClient constructs a new secrets client based on the provided store.
-func (a *Azure) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
+func (a *Azure) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
 	return newClient(ctx, store, kube, namespace)
 }
 
-func newClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
+func newClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
 	provider, err := getProvider(store)
 	if err != nil {
 		return nil, err
@@ -106,7 +106,7 @@ func newClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.C
 	return nil, fmt.Errorf(errMissingAuthType)
 }
 
-func getProvider(store esv1alpha1.GenericStore) (*esv1alpha1.AzureKVProvider, error) {
+func getProvider(store esv1beta1.GenericStore) (*esv1beta1.AzureKVProvider, error) {
 	spc := store.GetSpec()
 	if spc == nil || spc.Provider.AzureKV == nil {
 		return nil, errors.New(errUnexpectedStoreSpec)
@@ -115,10 +115,16 @@ func getProvider(store esv1alpha1.GenericStore) (*esv1alpha1.AzureKVProvider, er
 	return spc.Provider.AzureKV, nil
 }
 
+// Empty GetAllSecrets.
+func (a *Azure) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
+	// TO be implemented
+	return nil, fmt.Errorf("GetAllSecrets not implemented")
+}
+
 // Implements store.Client.GetSecret Interface.
 // Retrieves a secret/Key/Certificate with the secret name defined in ref.Name
 // The Object Type is defined as a prefix in the ref.Name , if no prefix is defined , we assume a secret is required.
-func (a *Azure) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func (a *Azure) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	version := ""
 	objectType, secretName := getObjType(ref)
 
@@ -166,7 +172,7 @@ func (a *Azure) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretData
 
 // Implements store.Client.GetSecretMap Interface.
 // New version of GetSecretMap.
-func (a *Azure) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (a *Azure) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	objectType, secretName := getObjType(ref)
 
 	switch objectType {
@@ -198,7 +204,7 @@ func (a *Azure) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretD
 }
 
 func (a *Azure) setAzureClientWithManagedIdentity() (bool, error) {
-	if *a.provider.AuthType != esv1alpha1.ManagedIdentity {
+	if *a.provider.AuthType != esv1beta1.ManagedIdentity {
 		return false, nil
 	}
 
@@ -219,7 +225,7 @@ func (a *Azure) setAzureClientWithManagedIdentity() (bool, error) {
 }
 
 func (a *Azure) setAzureClientWithServicePrincipal(ctx context.Context) (bool, error) {
-	if *a.provider.AuthType != esv1alpha1.ServicePrincipal {
+	if *a.provider.AuthType != esv1beta1.ServicePrincipal {
 		return false, nil
 	}
 
@@ -233,7 +239,7 @@ func (a *Azure) setAzureClientWithServicePrincipal(ctx context.Context) (bool, e
 		return true, fmt.Errorf(errMissingClientIDSecret)
 	}
 	clusterScoped := false
-	if a.store.GetObjectKind().GroupVersionKind().Kind == esv1alpha1.ClusterSecretStoreKind {
+	if a.store.GetObjectKind().GroupVersionKind().Kind == esv1beta1.ClusterSecretStoreKind {
 		clusterScoped = true
 	}
 	cid, err := a.secretKeyRef(ctx, a.store.GetNamespace(), *a.provider.AuthSecretRef.ClientID, clusterScoped)
@@ -287,7 +293,7 @@ func (a *Azure) Validate() error {
 	return nil
 }
 
-func getObjType(ref esv1alpha1.ExternalSecretDataRemoteRef) (string, string) {
+func getObjType(ref esv1beta1.ExternalSecretDataRemoteRef) (string, string) {
 	objectType := defaultObjType
 
 	secretName := ref.Key

+ 15 - 15
pkg/provider/azure/keyvault/keyvault_test.go

@@ -27,7 +27,7 @@ import (
 	"k8s.io/utils/pointer"
 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
 	fake "github.com/external-secrets/external-secrets/pkg/provider/azure/keyvault/fake"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
@@ -39,7 +39,7 @@ type secretManagerTestCase struct {
 	secretName     string
 	secretVersion  string
 	serviceURL     string
-	ref            *esv1alpha1.ExternalSecretDataRemoteRef
+	ref            *esv1beta1.ExternalSecretDataRemoteRef
 	apiErr         error
 	secretOutput   keyvault.SecretBundle
 	keyOutput      keyvault.KeyBundle
@@ -87,12 +87,12 @@ func TestNewClientManagedIdentityNoNeedForCredentials(t *testing.T) {
 	namespace := "internal"
 	vaultURL := "https://local.vault.url"
 	identityID := "1234"
-	authType := esv1alpha1.ManagedIdentity
-	store := esv1alpha1.SecretStore{
+	authType := esv1beta1.ManagedIdentity
+	store := esv1beta1.SecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: namespace,
 		},
-		Spec: esv1alpha1.SecretStoreSpec{Provider: &esv1alpha1.SecretStoreProvider{AzureKV: &esv1alpha1.AzureKVProvider{
+		Spec: esv1beta1.SecretStoreSpec{Provider: &esv1beta1.SecretStoreProvider{AzureKV: &esv1beta1.AzureKVProvider{
 			AuthType:   &authType,
 			IdentityID: &identityID,
 			VaultURL:   &vaultURL,
@@ -116,12 +116,12 @@ func TestNewClientNoCreds(t *testing.T) {
 	namespace := "internal"
 	vaultURL := "https://local.vault.url"
 	tenantID := "1234"
-	authType := esv1alpha1.ServicePrincipal
-	store := esv1alpha1.SecretStore{
+	authType := esv1beta1.ServicePrincipal
+	store := esv1beta1.SecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: namespace,
 		},
-		Spec: esv1alpha1.SecretStoreSpec{Provider: &esv1alpha1.SecretStoreProvider{AzureKV: &esv1alpha1.AzureKVProvider{
+		Spec: esv1beta1.SecretStoreSpec{Provider: &esv1beta1.SecretStoreProvider{AzureKV: &esv1beta1.AzureKVProvider{
 			AuthType: &authType,
 			VaultURL: &vaultURL,
 			TenantID: &tenantID,
@@ -133,7 +133,7 @@ func TestNewClientNoCreds(t *testing.T) {
 	_, err = provider.NewClient(context.Background(), &store, k8sClient, namespace)
 	tassert.EqualError(t, err, "missing secretRef in provider config")
 
-	store.Spec.Provider.AzureKV.AuthSecretRef = &esv1alpha1.AzureKVAuth{}
+	store.Spec.Provider.AzureKV.AuthSecretRef = &esv1beta1.AzureKVAuth{}
 	_, err = provider.NewClient(context.Background(), &store, k8sClient, namespace)
 	tassert.EqualError(t, err, "missing accessKeyID/secretAccessKey in store config")
 
@@ -144,8 +144,8 @@ func TestNewClientNoCreds(t *testing.T) {
 	store.Spec.Provider.AzureKV.AuthSecretRef.ClientSecret = &v1.SecretKeySelector{Name: "password"}
 	_, err = provider.NewClient(context.Background(), &store, k8sClient, namespace)
 	tassert.EqualError(t, err, "could not find secret internal/user: secrets \"user\" not found")
-	store.TypeMeta.Kind = esv1alpha1.ClusterSecretStoreKind
-	store.TypeMeta.APIVersion = esv1alpha1.ClusterSecretStoreKindAPIVersion
+	store.TypeMeta.Kind = esv1beta1.ClusterSecretStoreKind
+	store.TypeMeta.APIVersion = esv1beta1.ClusterSecretStoreKindAPIVersion
 	ns := "default"
 	store.Spec.Provider.AzureKV.AuthSecretRef.ClientID.Namespace = &ns
 	store.Spec.Provider.AzureKV.AuthSecretRef.ClientSecret.Namespace = &ns
@@ -265,7 +265,7 @@ func TestAzureKeyVaultSecretManagerGetSecret(t *testing.T) {
 	}
 
 	sm := Azure{
-		provider: &esv1alpha1.AzureKVProvider{VaultURL: pointer.StringPtr("noop")},
+		provider: &esv1beta1.AzureKVProvider{VaultURL: pointer.StringPtr("noop")},
 	}
 	for k, v := range successCases {
 		sm.baseClient = v.mockClient
@@ -361,7 +361,7 @@ func TestAzureKeyVaultSecretManagerGetSecretMap(t *testing.T) {
 	}
 
 	sm := Azure{
-		provider: &esv1alpha1.AzureKVProvider{VaultURL: pointer.StringPtr("noop")},
+		provider: &esv1beta1.AzureKVProvider{VaultURL: pointer.StringPtr("noop")},
 	}
 	for k, v := range successCases {
 		sm.baseClient = v.mockClient
@@ -375,8 +375,8 @@ func TestAzureKeyVaultSecretManagerGetSecretMap(t *testing.T) {
 	}
 }
 
-func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
-	return &esv1alpha1.ExternalSecretDataRemoteRef{
+func makeValidRef() *esv1beta1.ExternalSecretDataRemoteRef {
+	return &esv1beta1.ExternalSecretDataRemoteRef{
 		Key:     "test-secret",
 		Version: "default",
 	}

+ 14 - 8
pkg/provider/fake/fake.go

@@ -20,7 +20,7 @@ import (
 
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
 )
@@ -32,10 +32,10 @@ var (
 )
 
 type Provider struct {
-	config *esv1alpha1.FakeProvider
+	config *esv1beta1.FakeProvider
 }
 
-func (p *Provider) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
+func (p *Provider) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube client.Client, namespace string) (provider.SecretsClient, error) {
 	cfg, err := getProvider(store)
 	if err != nil {
 		return nil, err
@@ -45,7 +45,7 @@ func (p *Provider) NewClient(ctx context.Context, store esv1alpha1.GenericStore,
 	}, nil
 }
 
-func getProvider(store esv1alpha1.GenericStore) (*esv1alpha1.FakeProvider, error) {
+func getProvider(store esv1beta1.GenericStore) (*esv1beta1.FakeProvider, error) {
 	if store == nil {
 		return nil, errMissingStore
 	}
@@ -56,8 +56,14 @@ func getProvider(store esv1alpha1.GenericStore) (*esv1alpha1.FakeProvider, error
 	return spc.Provider.Fake, nil
 }
 
+// Empty GetAllSecrets.
+func (p *Provider) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
+	// TO be implemented
+	return nil, fmt.Errorf("GetAllSecrets not implemented")
+}
+
 // GetSecret returns a single secret from the provider.
-func (p *Provider) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func (p *Provider) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	for _, data := range p.config.Data {
 		if data.Key == ref.Key && data.Version == ref.Version {
 			return []byte(data.Value), nil
@@ -67,7 +73,7 @@ func (p *Provider) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretD
 }
 
 // GetSecretMap returns multiple k/v pairs from the provider.
-func (p *Provider) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (p *Provider) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	for _, data := range p.config.Data {
 		if data.Key != ref.Key || data.Version != ref.Version || data.ValueMap == nil {
 			continue
@@ -94,7 +100,7 @@ func (p *Provider) Validate() error {
 }
 
 func init() {
-	schema.Register(&Provider{}, &esv1alpha1.SecretStoreProvider{
-		Fake: &esv1alpha1.FakeProvider{},
+	schema.Register(&Provider{}, &esv1beta1.SecretStoreProvider{
+		Fake: &esv1beta1.FakeProvider{},
 	})
 }

+ 22 - 22
pkg/provider/fake/fake_test.go

@@ -19,7 +19,7 @@ import (
 
 	"github.com/onsi/gomega"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 )
 
 func TestNewClient(t *testing.T) {
@@ -31,7 +31,7 @@ func TestNewClient(t *testing.T) {
 	gomega.Expect(err).To(gomega.HaveOccurred())
 
 	// missing provider
-	_, err = p.NewClient(context.Background(), &esv1alpha1.SecretStore{}, nil, "")
+	_, err = p.NewClient(context.Background(), &esv1beta1.SecretStore{}, nil, "")
 	gomega.Expect(err).To(gomega.HaveOccurred())
 }
 
@@ -44,8 +44,8 @@ func TestClose(t *testing.T) {
 
 type testCase struct {
 	name     string
-	input    []esv1alpha1.FakeProviderData
-	request  esv1alpha1.ExternalSecretDataRemoteRef
+	input    []esv1beta1.FakeProviderData
+	request  esv1beta1.ExternalSecretDataRemoteRef
 	expValue string
 	expErr   string
 }
@@ -56,8 +56,8 @@ func TestGetSecret(t *testing.T) {
 	tbl := []testCase{
 		{
 			name:  "return err when not found",
-			input: []esv1alpha1.FakeProviderData{},
-			request: esv1alpha1.ExternalSecretDataRemoteRef{
+			input: []esv1beta1.FakeProviderData{},
+			request: esv1beta1.ExternalSecretDataRemoteRef{
 				Key:     "/foo",
 				Version: "v2",
 			},
@@ -65,7 +65,7 @@ func TestGetSecret(t *testing.T) {
 		},
 		{
 			name: "get correct value from multiple versions",
-			input: []esv1alpha1.FakeProviderData{
+			input: []esv1beta1.FakeProviderData{
 				{
 					Key:     "/foo",
 					Value:   "bar2",
@@ -81,7 +81,7 @@ func TestGetSecret(t *testing.T) {
 					Version: "v1",
 				},
 			},
-			request: esv1alpha1.ExternalSecretDataRemoteRef{
+			request: esv1beta1.ExternalSecretDataRemoteRef{
 				Key:     "/foo",
 				Version: "v2",
 			},
@@ -91,10 +91,10 @@ func TestGetSecret(t *testing.T) {
 
 	for _, row := range tbl {
 		t.Run(row.name, func(t *testing.T) {
-			cl, err := p.NewClient(context.Background(), &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						Fake: &esv1alpha1.FakeProvider{
+			cl, err := p.NewClient(context.Background(), &esv1beta1.SecretStore{
+				Spec: esv1beta1.SecretStoreSpec{
+					Provider: &esv1beta1.SecretStoreProvider{
+						Fake: &esv1beta1.FakeProvider{
 							Data: row.input,
 						},
 					},
@@ -114,8 +114,8 @@ func TestGetSecret(t *testing.T) {
 
 type testMapCase struct {
 	name     string
-	input    []esv1alpha1.FakeProviderData
-	request  esv1alpha1.ExternalSecretDataRemoteRef
+	input    []esv1beta1.FakeProviderData
+	request  esv1beta1.ExternalSecretDataRemoteRef
 	expValue map[string][]byte
 	expErr   string
 }
@@ -126,8 +126,8 @@ func TestGetSecretMap(t *testing.T) {
 	tbl := []testMapCase{
 		{
 			name:  "return err when not found",
-			input: []esv1alpha1.FakeProviderData{},
-			request: esv1alpha1.ExternalSecretDataRemoteRef{
+			input: []esv1beta1.FakeProviderData{},
+			request: esv1beta1.ExternalSecretDataRemoteRef{
 				Key:     "/foo",
 				Version: "v2",
 			},
@@ -135,7 +135,7 @@ func TestGetSecretMap(t *testing.T) {
 		},
 		{
 			name: "get correct value from multiple versions",
-			input: []esv1alpha1.FakeProviderData{
+			input: []esv1beta1.FakeProviderData{
 				{
 					Key: "junk",
 					ValueMap: map[string]string{
@@ -159,7 +159,7 @@ func TestGetSecretMap(t *testing.T) {
 					Version: "v2",
 				},
 			},
-			request: esv1alpha1.ExternalSecretDataRemoteRef{
+			request: esv1beta1.ExternalSecretDataRemoteRef{
 				Key:     "/foo",
 				Version: "v2",
 			},
@@ -172,10 +172,10 @@ func TestGetSecretMap(t *testing.T) {
 
 	for _, row := range tbl {
 		t.Run(row.name, func(t *testing.T) {
-			cl, err := p.NewClient(context.Background(), &esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						Fake: &esv1alpha1.FakeProvider{
+			cl, err := p.NewClient(context.Background(), &esv1beta1.SecretStore{
+				Spec: esv1beta1.SecretStoreSpec{
+					Provider: &esv1beta1.SecretStoreProvider{
+						Fake: &esv1beta1.FakeProvider{
 							Data: row.input,
 						},
 					},

+ 16 - 10
pkg/provider/gcp/secretmanager/secretsmanager.go

@@ -29,7 +29,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
 	"github.com/external-secrets/external-secrets/pkg/utils"
@@ -68,13 +68,13 @@ type ProviderGCP struct {
 
 type gClient struct {
 	kube             kclient.Client
-	store            *esv1alpha1.GCPSMProvider
+	store            *esv1beta1.GCPSMProvider
 	namespace        string
 	storeKind        string
 	workloadIdentity *workloadIdentity
 }
 
-func (c *gClient) getTokenSource(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (oauth2.TokenSource, error) {
+func (c *gClient) getTokenSource(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (oauth2.TokenSource, error) {
 	ts, err := serviceAccountTokenSource(ctx, store, kube, namespace)
 	if ts != nil || err != nil {
 		return ts, err
@@ -91,7 +91,7 @@ func (c *gClient) Close() error {
 	return c.workloadIdentity.Close()
 }
 
-func serviceAccountTokenSource(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (oauth2.TokenSource, error) {
+func serviceAccountTokenSource(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (oauth2.TokenSource, error) {
 	spec := store.GetSpec()
 	if spec == nil || spec.Provider.GCPSM == nil {
 		return nil, fmt.Errorf(errMissingStoreSpec)
@@ -109,7 +109,7 @@ func serviceAccountTokenSource(ctx context.Context, store esv1alpha1.GenericStor
 	}
 
 	// only ClusterStore is allowed to set namespace (and then it's required)
-	if storeKind == esv1alpha1.ClusterSecretStoreKind {
+	if storeKind == esv1beta1.ClusterSecretStoreKind {
 		if credentialsSecretName != "" && sr.SecretAccessKey.Namespace == nil {
 			return nil, fmt.Errorf(errInvalidClusterStoreMissingSAKNamespace)
 		} else if credentialsSecretName != "" {
@@ -132,7 +132,7 @@ func serviceAccountTokenSource(ctx context.Context, store esv1alpha1.GenericStor
 }
 
 // NewClient constructs a GCP Provider.
-func (sm *ProviderGCP) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
+func (sm *ProviderGCP) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.GCPSM == nil {
 		return nil, fmt.Errorf(errGCPSMStore)
@@ -180,8 +180,14 @@ func (sm *ProviderGCP) NewClient(ctx context.Context, store esv1alpha1.GenericSt
 	return sm, nil
 }
 
+// Empty GetAllSecrets.
+func (sm *ProviderGCP) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
+	// TO be implemented
+	return nil, fmt.Errorf("GetAllSecrets not implemented")
+}
+
 // GetSecret returns a single secret from the provider.
-func (sm *ProviderGCP) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func (sm *ProviderGCP) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if utils.IsNil(sm.SecretManagerClient) || sm.projectID == "" {
 		return nil, fmt.Errorf(errUninitalizedGCPProvider)
 	}
@@ -219,7 +225,7 @@ func (sm *ProviderGCP) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSec
 }
 
 // GetSecretMap returns multiple k/v pairs from the provider.
-func (sm *ProviderGCP) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (sm *ProviderGCP) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	if sm.SecretManagerClient == nil || sm.projectID == "" {
 		return nil, fmt.Errorf(errUninitalizedGCPProvider)
 	}
@@ -265,7 +271,7 @@ func (sm *ProviderGCP) Validate() error {
 }
 
 func init() {
-	schema.Register(&ProviderGCP{}, &esv1alpha1.SecretStoreProvider{
-		GCPSM: &esv1alpha1.GCPSMProvider{},
+	schema.Register(&ProviderGCP{}, &esv1beta1.SecretStoreProvider{
+		GCPSM: &esv1beta1.GCPSMProvider{},
 	})
 }

+ 5 - 5
pkg/provider/gcp/secretmanager/secretsmanager_test.go

@@ -22,7 +22,7 @@ import (
 
 	secretmanagerpb "google.golang.org/genproto/googleapis/cloud/secretmanager/v1"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	fakesm "github.com/external-secrets/external-secrets/pkg/provider/gcp/secretmanager/fake"
 )
 
@@ -30,7 +30,7 @@ type secretManagerTestCase struct {
 	mockClient     *fakesm.MockSMClient
 	apiInput       *secretmanagerpb.AccessSecretVersionRequest
 	apiOutput      *secretmanagerpb.AccessSecretVersionResponse
-	ref            *esv1alpha1.ExternalSecretDataRemoteRef
+	ref            *esv1beta1.ExternalSecretDataRemoteRef
 	projectID      string
 	apiErr         error
 	expectError    string
@@ -56,8 +56,8 @@ func makeValidSecretManagerTestCase() *secretManagerTestCase {
 	return &smtc
 }
 
-func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
-	return &esv1alpha1.ExternalSecretDataRemoteRef{
+func makeValidRef() *esv1beta1.ExternalSecretDataRemoteRef {
+	return &esv1beta1.ExternalSecretDataRemoteRef{
 		Key:     "/baz",
 		Version: "default",
 	}
@@ -110,7 +110,7 @@ func TestSecretManagerGetSecret(t *testing.T) {
 
 	// good case: ref with
 	setCustomRef := func(smtc *secretManagerTestCase) {
-		smtc.ref = &esv1alpha1.ExternalSecretDataRemoteRef{
+		smtc.ref = &esv1beta1.ExternalSecretDataRemoteRef{
 			Key:      "/baz",
 			Version:  "default",
 			Property: "name.first",

+ 3 - 3
pkg/provider/gcp/secretmanager/secretsmanager_workload_identity.go

@@ -40,7 +40,7 @@ import (
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 	ctrlcfg "sigs.k8s.io/controller-runtime/pkg/client/config"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 )
 
 const (
@@ -91,7 +91,7 @@ func newWorkloadIdentity(ctx context.Context) (*workloadIdentity, error) {
 	}, nil
 }
 
-func (w *workloadIdentity) TokenSource(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (oauth2.TokenSource, error) {
+func (w *workloadIdentity) TokenSource(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (oauth2.TokenSource, error) {
 	spec := store.GetSpec()
 	if spec == nil || spec.Provider == nil || spec.Provider.GCPSM == nil {
 		return nil, fmt.Errorf(errMissingStoreSpec)
@@ -107,7 +107,7 @@ func (w *workloadIdentity) TokenSource(ctx context.Context, store esv1alpha1.Gen
 	}
 
 	// only ClusterStore is allowed to set namespace (and then it's required)
-	if storeKind == esv1alpha1.ClusterSecretStoreKind {
+	if storeKind == esv1beta1.ClusterSecretStoreKind {
 		if wi.ServiceAccountRef.Namespace == nil {
 			return nil, fmt.Errorf(errInvalidClusterStoreMissingSANamespace)
 		}

+ 22 - 22
pkg/provider/gcp/secretmanager/secretsmanager_workload_identity_test.go

@@ -32,7 +32,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 )
 
@@ -44,7 +44,7 @@ type workloadIdentityTest struct {
 	genAccessToken func(context.Context, *credentialspb.GenerateAccessTokenRequest, ...gax.CallOption) (*credentialspb.GenerateAccessTokenResponse, error)
 	genIDBindToken func(ctx context.Context, client *http.Client, k8sToken, idPool, idProvider string) (*oauth2.Token, error)
 	genSAToken     func(c context.Context, s1, s2, s3 string) (*authv1.TokenRequest, error)
-	store          esv1alpha1.GenericStore
+	store          esv1beta1.GenericStore
 	kubeObjects    []client.Object
 }
 
@@ -54,14 +54,14 @@ func TestWorkloadIdentity(t *testing.T) {
 		composeTestcase(
 			defaultTestCase("missing store spec should result in error"),
 			withErr("invalid: missing store spec"),
-			withStore(&esv1alpha1.SecretStore{}),
+			withStore(&esv1beta1.SecretStore{}),
 		),
 		composeTestcase(
 			defaultTestCase("should skip when no workload identity is configured: TokenSource and error must be nil"),
-			withStore(&esv1alpha1.SecretStore{
-				Spec: esv1alpha1.SecretStoreSpec{
-					Provider: &esv1alpha1.SecretStoreProvider{
-						GCPSM: &esv1alpha1.GCPSMProvider{},
+			withStore(&esv1beta1.SecretStore{
+				Spec: esv1beta1.SecretStoreSpec{
+					Provider: &esv1beta1.SecretStoreProvider{
+						GCPSM: &esv1beta1.GCPSMProvider{},
 					},
 				},
 			}),
@@ -210,7 +210,7 @@ func withErr(err string) testCaseMutator {
 	}
 }
 
-func withStore(store esv1alpha1.GenericStore) testCaseMutator {
+func withStore(store esv1beta1.GenericStore) testCaseMutator {
 	return func(tc *workloadIdentityTest) {
 		tc.store = store
 	}
@@ -282,8 +282,8 @@ func defaultTestCase(name string) *workloadIdentityTest {
 	}
 }
 
-func defaultStore() *esv1alpha1.SecretStore {
-	return &esv1alpha1.SecretStore{
+func defaultStore() *esv1beta1.SecretStore {
+	return &esv1beta1.SecretStore{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "foobar",
 			Namespace: "default",
@@ -292,10 +292,10 @@ func defaultStore() *esv1alpha1.SecretStore {
 	}
 }
 
-func defaultClusterStore() *esv1alpha1.ClusterSecretStore {
-	return &esv1alpha1.ClusterSecretStore{
+func defaultClusterStore() *esv1beta1.ClusterSecretStore {
+	return &esv1beta1.ClusterSecretStore{
 		TypeMeta: metav1.TypeMeta{
-			Kind: esv1alpha1.ClusterSecretStoreKind,
+			Kind: esv1beta1.ClusterSecretStoreKind,
 		},
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "foobar",
@@ -304,12 +304,12 @@ func defaultClusterStore() *esv1alpha1.ClusterSecretStore {
 	}
 }
 
-func defaultStoreSpec() esv1alpha1.SecretStoreSpec {
-	return esv1alpha1.SecretStoreSpec{
-		Provider: &esv1alpha1.SecretStoreProvider{
-			GCPSM: &esv1alpha1.GCPSMProvider{
-				Auth: esv1alpha1.GCPSMAuth{
-					WorkloadIdentity: &esv1alpha1.GCPWorkloadIdentity{
+func defaultStoreSpec() esv1beta1.SecretStoreSpec {
+	return esv1beta1.SecretStoreSpec{
+		Provider: &esv1beta1.SecretStoreProvider{
+			GCPSM: &esv1beta1.GCPSMProvider{
+				Auth: esv1beta1.GCPSMAuth{
+					WorkloadIdentity: &esv1beta1.GCPWorkloadIdentity{
 						ServiceAccountRef: esmeta.ServiceAccountSelector{
 							Name: "example",
 						},
@@ -323,9 +323,9 @@ func defaultStoreSpec() esv1alpha1.SecretStoreSpec {
 	}
 }
 
-type storeMutator func(spc esv1alpha1.GenericStore)
+type storeMutator func(spc esv1beta1.GenericStore)
 
-func composeStore(store esv1alpha1.GenericStore, mutators ...storeMutator) esv1alpha1.GenericStore {
+func composeStore(store esv1beta1.GenericStore, mutators ...storeMutator) esv1beta1.GenericStore {
 	for _, m := range mutators {
 		m(store)
 	}
@@ -333,7 +333,7 @@ func composeStore(store esv1alpha1.GenericStore, mutators ...storeMutator) esv1a
 }
 
 func withSANamespace(namespace string) storeMutator {
-	return func(store esv1alpha1.GenericStore) {
+	return func(store esv1beta1.GenericStore) {
 		spc := store.GetSpec()
 		spc.Provider.GCPSM.Auth.WorkloadIdentity.ServiceAccountRef.Namespace = &namespace
 	}

+ 14 - 8
pkg/provider/gitlab/gitlab.go

@@ -25,7 +25,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	"github.com/external-secrets/external-secrets/e2e/framework/log"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
@@ -56,15 +56,15 @@ type Gitlab struct {
 // Client for interacting with kubernetes cluster...?
 type gClient struct {
 	kube        kclient.Client
-	store       *esv1alpha1.GitlabProvider
+	store       *esv1beta1.GitlabProvider
 	namespace   string
 	storeKind   string
 	credentials []byte
 }
 
 func init() {
-	schema.Register(&Gitlab{}, &esv1alpha1.SecretStoreProvider{
-		Gitlab: &esv1alpha1.GitlabProvider{},
+	schema.Register(&Gitlab{}, &esv1beta1.SecretStoreProvider{
+		Gitlab: &esv1beta1.GitlabProvider{},
 	})
 }
 
@@ -80,7 +80,7 @@ func (c *gClient) setAuth(ctx context.Context) error {
 		Namespace: c.namespace,
 	}
 	// only ClusterStore is allowed to set namespace (and then it's required)
-	if c.storeKind == esv1alpha1.ClusterSecretStoreKind {
+	if c.storeKind == esv1beta1.ClusterSecretStoreKind {
 		if c.store.Auth.SecretRef.AccessToken.Namespace == nil {
 			return fmt.Errorf(errInvalidClusterStoreMissingSAKNamespace)
 		}
@@ -108,7 +108,7 @@ func NewGitlabProvider() *Gitlab {
 }
 
 // Method on Gitlab Provider to set up client with credentials and populate projectID.
-func (g *Gitlab) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
+func (g *Gitlab) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Gitlab == nil {
 		return nil, fmt.Errorf("no store type or wrong store type")
@@ -148,7 +148,13 @@ func (g *Gitlab) NewClient(ctx context.Context, store esv1alpha1.GenericStore, k
 	return g, nil
 }
 
-func (g *Gitlab) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+// Empty GetAllSecrets.
+func (g *Gitlab) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
+	// TO be implemented
+	return nil, fmt.Errorf("GetAllSecrets not implemented")
+}
+
+func (g *Gitlab) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if utils.IsNil(g.client) {
 		return nil, fmt.Errorf(errUninitalizedGitlabProvider)
 	}
@@ -185,7 +191,7 @@ func (g *Gitlab) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDat
 	return []byte(val.String()), nil
 }
 
-func (g *Gitlab) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (g *Gitlab) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	// Gets a secret as normal, expecting secret value to be a json object
 	data, err := g.GetSecret(ctx, ref)
 	if err != nil {

+ 4 - 4
pkg/provider/gitlab/gitlab_test.go

@@ -22,7 +22,7 @@ import (
 
 	gitlab "github.com/xanzy/go-gitlab"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	fakegitlab "github.com/external-secrets/external-secrets/pkg/provider/gitlab/fake"
 )
 
@@ -31,7 +31,7 @@ type secretManagerTestCase struct {
 	apiInputProjectID string
 	apiInputKey       string
 	apiOutput         *gitlab.ProjectVariable
-	ref               *esv1alpha1.ExternalSecretDataRemoteRef
+	ref               *esv1beta1.ExternalSecretDataRemoteRef
 	projectID         *string
 	apiErr            error
 	expectError       string
@@ -57,8 +57,8 @@ func makeValidSecretManagerTestCase() *secretManagerTestCase {
 	return &smtc
 }
 
-func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
-	return &esv1alpha1.ExternalSecretDataRemoteRef{
+func makeValidRef() *esv1beta1.ExternalSecretDataRemoteRef {
+	return &esv1beta1.ExternalSecretDataRemoteRef{
 		Key:     "test-secret",
 		Version: "default",
 	}

+ 16 - 10
pkg/provider/ibm/provider.go

@@ -26,7 +26,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
 	"github.com/external-secrets/external-secrets/pkg/utils"
@@ -56,7 +56,7 @@ type providerIBM struct {
 
 type client struct {
 	kube        kclient.Client
-	store       *esv1alpha1.IBMProvider
+	store       *esv1beta1.IBMProvider
 	namespace   string
 	storeKind   string
 	credentials []byte
@@ -74,7 +74,7 @@ func (c *client) setAuth(ctx context.Context) error {
 	}
 
 	// only ClusterStore is allowed to set namespace (and then it's required)
-	if c.storeKind == esv1alpha1.ClusterSecretStoreKind {
+	if c.storeKind == esv1beta1.ClusterSecretStoreKind {
 		if c.store.Auth.SecretRef.SecretAPIKey.Namespace == nil {
 			return fmt.Errorf(errInvalidClusterStoreMissingSKNamespace)
 		}
@@ -93,7 +93,13 @@ func (c *client) setAuth(ctx context.Context) error {
 	return nil
 }
 
-func (ibm *providerIBM) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+// Empty GetAllSecrets.
+func (ibm *providerIBM) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
+	// TO be implemented
+	return nil, fmt.Errorf("GetAllSecrets not implemented")
+}
+
+func (ibm *providerIBM) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if utils.IsNil(ibm.IBMClient) {
 		return nil, fmt.Errorf(errUninitalizedIBMProvider)
 	}
@@ -151,7 +157,7 @@ func getArbitrarySecret(ibm *providerIBM, secretName *string) ([]byte, error) {
 	return []byte(arbitrarySecretPayload), nil
 }
 
-func getImportCertSecret(ibm *providerIBM, secretName *string, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func getImportCertSecret(ibm *providerIBM, secretName *string, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	response, _, err := ibm.IBMClient.GetSecret(
 		&sm.GetSecretOptions{
 			SecretType: core.StringPtr(sm.CreateSecretOptionsSecretTypeImportedCertConst),
@@ -186,7 +192,7 @@ func getIamCredentialsSecret(ibm *providerIBM, secretName *string) ([]byte, erro
 	return []byte(secretData), nil
 }
 
-func getUsernamePasswordSecret(ibm *providerIBM, secretName *string, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func getUsernamePasswordSecret(ibm *providerIBM, secretName *string, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	response, _, err := ibm.IBMClient.GetSecret(
 		&sm.GetSecretOptions{
 			SecretType: core.StringPtr(sm.CreateSecretOptionsSecretTypeUsernamePasswordConst),
@@ -205,7 +211,7 @@ func getUsernamePasswordSecret(ibm *providerIBM, secretName *string, ref esv1alp
 	return nil, fmt.Errorf("key %s does not exist in secret %s", ref.Property, ref.Key)
 }
 
-func (ibm *providerIBM) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (ibm *providerIBM) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	if utils.IsNil(ibm.IBMClient) {
 		return nil, fmt.Errorf(errUninitalizedIBMProvider)
 	}
@@ -317,7 +323,7 @@ func (ibm *providerIBM) Validate() error {
 	return nil
 }
 
-func (ibm *providerIBM) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
+func (ibm *providerIBM) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 	ibmSpec := storeSpec.Provider.IBM
 
@@ -370,7 +376,7 @@ func (ibm *providerIBM) NewClient(ctx context.Context, store esv1alpha1.GenericS
 }
 
 func init() {
-	schema.Register(&providerIBM{}, &esv1alpha1.SecretStoreProvider{
-		IBM: &esv1alpha1.IBMProvider{},
+	schema.Register(&providerIBM{}, &esv1beta1.SecretStoreProvider{
+		IBM: &esv1beta1.IBMProvider{},
 	})
 }

+ 11 - 11
pkg/provider/ibm/provider_test.go

@@ -27,7 +27,7 @@ import (
 	utilpointer "k8s.io/utils/pointer"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
 	fakesm "github.com/external-secrets/external-secrets/pkg/provider/ibm/fake"
 )
@@ -36,7 +36,7 @@ type secretManagerTestCase struct {
 	mockClient     *fakesm.IBMMockClient
 	apiInput       *sm.GetSecretOptions
 	apiOutput      *sm.GetSecret
-	ref            *esv1alpha1.ExternalSecretDataRemoteRef
+	ref            *esv1beta1.ExternalSecretDataRemoteRef
 	serviceURL     *string
 	apiErr         error
 	expectError    string
@@ -61,8 +61,8 @@ func makeValidSecretManagerTestCase() *secretManagerTestCase {
 	return &smtc
 }
 
-func makeValidRef() *esv1alpha1.ExternalSecretDataRemoteRef {
-	return &esv1alpha1.ExternalSecretDataRemoteRef{
+func makeValidRef() *esv1beta1.ExternalSecretDataRemoteRef {
+	return &esv1beta1.ExternalSecretDataRemoteRef{
 		Key:     "test-secret",
 		Version: "default",
 	}
@@ -382,12 +382,12 @@ func TestValidRetryInput(t *testing.T) {
 	invalid := "Invalid"
 	serviceURL := "http://fake-service-url.cool"
 
-	spec := &esv1alpha1.SecretStore{
-		Spec: esv1alpha1.SecretStoreSpec{
-			Provider: &esv1alpha1.SecretStoreProvider{
-				IBM: &esv1alpha1.IBMProvider{
-					Auth: esv1alpha1.IBMAuth{
-						SecretRef: esv1alpha1.IBMAuthSecretRef{
+	spec := &esv1beta1.SecretStore{
+		Spec: esv1beta1.SecretStoreSpec{
+			Provider: &esv1beta1.SecretStoreProvider{
+				IBM: &esv1beta1.IBMProvider{
+					Auth: esv1beta1.IBMAuth{
+						SecretRef: esv1beta1.IBMAuthSecretRef{
 							SecretAPIKey: v1.SecretKeySelector{
 								Name: "fake-secret",
 								Key:  "fake-key",
@@ -397,7 +397,7 @@ func TestValidRetryInput(t *testing.T) {
 					ServiceURL: &serviceURL,
 				},
 			},
-			RetrySettings: &esv1alpha1.SecretStoreRetrySettings{
+			RetrySettings: &esv1beta1.SecretStoreRetrySettings{
 				RetryInterval: &invalid,
 			},
 		},

+ 12 - 8
pkg/provider/kubernetes/kubernetes.go

@@ -25,7 +25,7 @@ import (
 	"k8s.io/client-go/rest"
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 
-	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
+	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/pkg/provider"
 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
@@ -55,7 +55,7 @@ var _ provider.SecretsClient = &ProviderKubernetes{}
 
 type BaseClient struct {
 	kube        kclient.Client
-	store       *esv1alpha1.KubernetesProvider
+	store       *esv1beta1.KubernetesProvider
 	namespace   string
 	storeKind   string
 	Certificate []byte
@@ -65,13 +65,13 @@ type BaseClient struct {
 }
 
 func init() {
-	schema.Register(&ProviderKubernetes{}, &esv1alpha1.SecretStoreProvider{
-		Kubernetes: &esv1alpha1.KubernetesProvider{},
+	schema.Register(&ProviderKubernetes{}, &esv1beta1.SecretStoreProvider{
+		Kubernetes: &esv1beta1.KubernetesProvider{},
 	})
 }
 
 // NewClient constructs a Kubernetes Provider.
-func (k *ProviderKubernetes) NewClient(ctx context.Context, store esv1alpha1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
+func (k *ProviderKubernetes) NewClient(ctx context.Context, store esv1beta1.GenericStore, kube kclient.Client, namespace string) (provider.SecretsClient, error) {
 	storeSpec := store.GetSpec()
 	if storeSpec == nil || storeSpec.Provider == nil || storeSpec.Provider.Kubernetes == nil {
 		return nil, fmt.Errorf("no store type or wrong store type")
@@ -114,7 +114,7 @@ func (k *ProviderKubernetes) Close(ctx context.Context) error {
 	return nil
 }
 
-func (k *ProviderKubernetes) GetSecret(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) ([]byte, error) {
+func (k *ProviderKubernetes) GetSecret(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) ([]byte, error) {
 	if ref.Property == "" {
 		return nil, fmt.Errorf(errPropertyNotFound)
 	}
@@ -132,7 +132,7 @@ func (k *ProviderKubernetes) GetSecret(ctx context.Context, ref esv1alpha1.Exter
 	return val, nil
 }
 
-func (k *ProviderKubernetes) GetSecretMap(ctx context.Context, ref esv1alpha1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
+func (k *ProviderKubernetes) GetSecretMap(ctx context.Context, ref esv1beta1.ExternalSecretDataRemoteRef) (map[string][]byte, error) {
 	if utils.IsNil(k.Client) {
 		return nil, fmt.Errorf(errUninitalizedKubernetesProvider)
 	}
@@ -151,6 +151,10 @@ func (k *ProviderKubernetes) GetSecretMap(ctx context.Context, ref esv1alpha1.Ex
 	return payload, nil
 }
 
+func (k *ProviderKubernetes) GetAllSecrets(ctx context.Context, ref esv1beta1.ExternalSecretFind) (map[string][]byte, error) {
+	return nil, fmt.Errorf("not implemented")
+}
+
 func (k *BaseClient) setAuth(ctx context.Context) error {
 	var err error
 	if len(k.store.Server.CABundle) > 0 {
@@ -203,7 +207,7 @@ func (k *BaseClient) fetchSecretKey(ctx context.Context, key esmeta.SecretKeySel
 		Namespace: k.namespace,
 	}
 	// only ClusterStore is allowed to set namespace (and then it's required)
-	if k.storeKind == esv1alpha1.ClusterSecretStoreKind {
+	if k.storeKind == esv1beta1.ClusterSecretStoreKind {
 		if key.Namespace == nil {
 			return nil, fmt.Errorf(errInvalidClusterStoreMissingNamespace)
 		}
