
Deployed d7022b1 to main with MkDocs 1.2.3 and mike 1.1.2

Docs, 4 years ago
Parent
Commit
ccc3a9e011

+ 14 - 2
main/provider-hashicorp-vault/index.html

@@ -1967,9 +1967,9 @@ in a <code>Kind=Secret</code> referenced by the <code>secretRef</code>.</p>
 </code></pre></div>
 <strong>NOTE:</strong> In case of a <code>ClusterSecretStore</code>, Be sure to provide <code>namespace</code> in <code>secretRef</code> with the namespace where the secret resides.</p>
 <h4 id="jwtoidc-authentication">JWT/OIDC authentication</h4>
-<p><a href="https://www.vaultproject.io/docs/auth/jwt">JWT/OIDC</a> uses a
+<p><a href="https://www.vaultproject.io/docs/auth/jwt">JWT/OIDC</a> uses either a
 <a href="https://jwt.io/">JWT</a> token stored in a <code>Kind=Secret</code> and referenced by the
-<code>secretRef</code>. Optionally a <code>role</code> field can be defined in a <code>Kind=SecretStore</code>
+<code>secretRef</code> or a temporary Kubernetes service account token retrieved via the <code>TokenRequest</code> API. Optionally a <code>role</code> field can be defined in a <code>Kind=SecretStore</code>
 or <code>Kind=ClusterSecretStore</code> resource.</p>
 <p><div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span><span class="w"></span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span><span class="w"></span>
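Review bot: the rewritten sentence at the `+` lines presents `secretRef` and a `TokenRequest`-issued service account token as two alternatives, but it does not say what the provider does when both, or neither, are configured. Add one sentence here stating either that the two fields are mutually exclusive or which one takes precedence when both are present, since this paragraph is the first place a reader meets the new option.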
@@ -1990,9 +1990,21 @@ or <code>Kind=ClusterSecretStore</code> resource.</p>
 <span class="w">          </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;jwt&quot;</span><span class="w"></span>
 <span class="w">          </span><span class="c1"># JWT role configured in a Vault server, optional.</span><span class="w"></span>
 <span class="w">          </span><span class="nt">role</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;vault-jwt-role&quot;</span><span class="w"></span>
+
+<span class="w">          </span><span class="c1"># Retrieve JWT token from a Kubernetes secret</span><span class="w"></span>
 <span class="w">          </span><span class="nt">secretRef</span><span class="p">:</span><span class="w"></span>
 <span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;my-secret&quot;</span><span class="w"></span>
 <span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;jwt-token&quot;</span><span class="w"></span>
+
+<span class="w">          </span><span class="c1"># ... or retrieve a Kubernetes service account token via the `TokenRequest` API</span><span class="w"></span>
+<span class="w">          </span><span class="nt">kubernetesServiceAccountToken</span><span class="p">:</span><span class="w"></span>
+<span class="w">            </span><span class="nt">serviceAccountRef</span><span class="p">:</span><span class="w"></span>
+<span class="w">              </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;my-sa&quot;</span><span class="w"></span>
+<span class="w">            </span><span class="c1"># `audiences` defaults to `[&quot;vault&quot;]` it not supplied</span><span class="w"></span>
+<span class="w">            </span><span class="nt">audiences</span><span class="p">:</span><span class="w"></span>
+<span class="w">            </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">vault</span><span class="w"></span>
+<span class="w">            </span><span class="c1"># `expirationSeconds` defaults to 10 minutes if not supplied</span><span class="w"></span>
+<span class="w">            </span><span class="nt">expirationSeconds</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">600</span><span class="w"></span>
 </code></pre></div>
 <strong>NOTE:</strong> In case of a <code>ClusterSecretStore</code>, Be sure to provide <code>namespace</code> in <code>secretRef</code> with the namespace where the secret resides.</p>
 <h3 id="vault-enterprise-and-eventual-consistency">Vault Enterprise and Eventual Consistency</h3>
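Review bot: the rendered example now sets `secretRef` and `kubernetesServiceAccountToken` side by side under the same `jwt` auth block, separated only by a "# ... or" comment, so a reader who copies it configures both token sources at once; comment out one alternative (or split the block into two snippets) so the example is valid for either mode on its own. The added comment "`audiences` defaults to `[\"vault\"]` it not supplied" should read "if not supplied"; this HTML appears to be rendered from `main/snippets/vault-jwt-store.yaml`, so fix the wording there and rebuild. The unchanged NOTE after the block still only talks about `namespace` in `secretRef`; with `serviceAccountRef` now part of the example, a `ClusterSecretStore` reader also needs to know in which namespace the service account is looked up.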

File diff suppressed because it is too large
+ 0 - 0
main/search/search_index.json


BIN
main/sitemap.xml.gz


+ 12 - 0
main/snippets/vault-jwt-store.yaml

@@ -17,6 +17,18 @@ spec:
           path: "jwt"
           # JWT role configured in a Vault server, optional.
           role: "vault-jwt-role"
+
+          # Retrieve JWT token from a Kubernetes secret
           secretRef:
             name: "my-secret"
             key: "jwt-token"
+
+          # ... or retrieve a Kubernetes service account token via the `TokenRequest` API
+          kubernetesServiceAccountToken:
+            serviceAccountRef:
+              name: "my-sa"
+            # `audiences` defaults to `["vault"]` it not supplied
+            audiences:
+            - vault
+            # `expirationSeconds` defaults to 10 minutes if not supplied
+            expirationSeconds: 600
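Review bot: typo in the added `audiences` comment: "`audiences` defaults to `["vault"]` it not supplied" should be "if not supplied", matching the wording of the `expirationSeconds` comment three lines below. Note that `expirationSeconds: 600` merely restates the documented 10-minute default, so the example does not show the knob doing anything; either drop the line or pick a non-default value that illustrates the trade-off between token lifetime and re-request frequency.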

+ 80 - 3
main/spec/index.html

@@ -4716,7 +4716,8 @@ authenticate with Vault using the Cert authentication method</p>
 </p>
 <p>
 <p>VaultJwtAuth authenticates with Vault using the JWT/OIDC authentication
-method, with the role name and token stored in a Kubernetes Secret resource.</p>
+method, with the role name and a token stored in a Kubernetes Secret resource or
+a Kubernetes service account token retrieved via <code>TokenRequest</code>.</p>
 </p>
 <table>
 <thead>
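Review bot: "with the role name and a token stored in a Kubernetes Secret resource or a Kubernetes service account token" reads as if `role` were mandatory, while the provider documentation in this same commit describes `role` as optional; suggest "with an optional role name and either a token stored in a Kubernetes Secret resource or a Kubernetes service account token retrieved via `TokenRequest`", which also makes the either/or between the two token sources explicit.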
@@ -4759,8 +4760,24 @@ github.com/external-secrets/external-secrets/apis/meta/v1.SecretKeySelector
 </em>
 </td>
 <td>
-<p>SecretRef to a key in a Secret resource containing JWT token to
-authenticate with Vault using the JWT/OIDC authentication method</p>
+<em>(Optional)</em>
+<p>Optional SecretRef that refers to a key in a Secret resource containing JWT token to
+authenticate with Vault using the JWT/OIDC authentication method.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>kubernetesServiceAccountToken</code></br>
+<em>
+<a href="#external-secrets.io/v1alpha1.VaultKubernetesServiceAccountTokenAuth">
+VaultKubernetesServiceAccountTokenAuth
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Optional ServiceAccountToken specifies the Kubernetes service account for which to request
+a token for with the <code>TokenRequest</code> API.</p>
 </td>
 </tr>
 </tbody>
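Review bot: both `secretRef` and the new `kubernetesServiceAccountToken` are now marked `(Optional)`, but neither description says that at least one must be set or which one wins if both are; this generated reference is where users check field semantics, so the rule belongs in one of these two descriptions. Also, "the Kubernetes service account for which to request a token for with the `TokenRequest` API" has a stray trailing "for"; suggest "the Kubernetes service account for which to request a token via the `TokenRequest` API".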
@@ -4860,6 +4877,66 @@ Kubernetes ServiceAccount with a set of Vault policies.</p>
 </tr>
 </tbody>
 </table>
+<h3 id="external-secrets.io/v1alpha1.VaultKubernetesServiceAccountTokenAuth">VaultKubernetesServiceAccountTokenAuth
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#external-secrets.io/v1alpha1.VaultJwtAuth">VaultJwtAuth</a>)
+</p>
+<p>
+<p>VaultKubernetesServiceAccountTokenAuth authenticates with Vault using a temporary
+Kubernetes service account token retrieved by the <code>TokenRequest</code> API.</p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>serviceAccountRef</code></br>
+<em>
+github.com/external-secrets/external-secrets/apis/meta/v1.ServiceAccountSelector
+</em>
+</td>
+<td>
+<p>Service account field containing the name of a kubernetes ServiceAccount.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>audiences</code></br>
+<em>
+[]string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Optional audiences field that will be used to request a temporary Kubernetes service
+account token for the service account referenced by <code>serviceAccountRef</code>.
+Defaults to a single audience <code>vault</code> it not specified.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>expirationSeconds</code></br>
+<em>
+int64
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Optional expiration time in seconds that will be used to request a temporary
+Kubernetes service account token for the service account referenced by
+<code>serviceAccountRef</code>.
+Defaults to 10 minutes.</p>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="external-secrets.io/v1alpha1.VaultLdapAuth">VaultLdapAuth
 </h3>
 <p>
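Review bot: the `audiences` description repeats the snippet's typo: "Defaults to a single audience `vault` it not specified" should be "if not specified", and "name of a kubernetes ServiceAccount" in the `serviceAccountRef` row should capitalize Kubernetes as the rest of the hunk does. The `expirationSeconds` row gives the default but not the lifecycle of the issued token: state whether the provider requests a fresh token on every reconcile or reuses it until expiry, because that determines what a sensible value is for an operator tuning this field.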

Some files were not shown because too many files have changed in this diff