
Deployed c5fa8d81 to main with MkDocs 1.4.3 and mike 1.2.0.dev0

moolen 2 years ago
parent
commit
e370fbe900
100 changed files with 17287 additions and 703 deletions
  1. 64 0
      main/404.html
  2. 64 0
      main/api/clusterexternalsecret/index.html
  3. 66 0
      main/api/clustersecretstore/index.html
  4. 93 0
      main/api/components/index.html
  5. 65 1
      main/api/controller-options/index.html
  6. 73 6
      main/api/externalsecret/index.html
  7. 64 0
      main/api/generator/acr/index.html
  8. 64 0
      main/api/generator/ecr/index.html
  9. 64 0
      main/api/generator/fake/index.html
  10. 64 0
      main/api/generator/gcr/index.html
  11. 64 0
      main/api/generator/index.html
  12. 64 0
      main/api/generator/password/index.html
  13. 64 0
      main/api/generator/vault/index.html
  14. 132 112
      main/api/metrics/index.html
  15. 71 1
      main/api/pushsecret/index.html
  16. 67 2
      main/api/secretstore/index.html
  17. 665 73
      main/api/spec/index.html
  18. 64 0
      main/contributing/coc/index.html
  19. 88 28
      main/contributing/devguide/index.html
  20. 67 1
      main/contributing/process/index.html
  21. 70 3
      main/contributing/release/index.html
  22. 65 1
      main/contributing/roadmap/index.html
  23. 64 0
      main/eso-blogs/index.html
  24. 64 0
      main/eso-demos/index.html
  25. 113 1
      main/eso-talks/index.html
  26. 64 0
      main/examples/anchore-engine-credentials/index.html
  27. 86 1
      main/examples/bitwarden/index.html
  28. 66 2
      main/examples/gitops-using-fluxcd/index.html
  29. 64 0
      main/examples/jenkins-kubernetes-credentials/index.html
  30. 64 0
      main/guides/all-keys-one-secret/index.html
  31. 94 4
      main/guides/common-k8s-secret-types/index.html
  32. 64 0
      main/guides/controller-class/index.html
  33. 64 0
      main/guides/datafrom-rewrite/index.html
  34. 64 0
      main/guides/decoding-strategy/index.html
  35. 64 0
      main/guides/disable-cluster-features/index.html
  36. 64 0
      main/guides/generator/index.html
  37. 64 0
      main/guides/getallsecrets/index.html
  38. 64 0
      main/guides/introduction/index.html
  39. 64 0
      main/guides/multi-tenancy/index.html
  40. 65 3
      main/guides/ownership-deletion-policy/index.html
  41. 2256 0
      main/guides/pushsecrets/index.html
  42. 418 68
      main/guides/security-best-practices/index.html
  43. 64 0
      main/guides/templating-v1/index.html
  44. 105 1
      main/guides/templating/index.html
  45. 2693 0
      main/guides/threat-model/index.html
  46. 64 0
      main/guides/using-latest-image/index.html
  47. 65 1
      main/guides/v1beta1/index.html
  48. 65 1
      main/index.html
  49. 65 1
      main/introduction/deprecation-policy/index.html
  50. 94 10
      main/introduction/faq/index.html
  51. 72 0
      main/introduction/getting-started/index.html
  52. 64 0
      main/introduction/overview/index.html
  53. 105 5
      main/introduction/stability-support/index.html
  54. BIN
      main/pictures/cloak-provider-header.png
  55. BIN
      main/pictures/diagrams-pushsecret-backup.png
  56. BIN
      main/pictures/diagrams-pushsecret-basic.png
  57. 0 0
      main/pictures/diagrams.drawio
  58. BIN
      main/pictures/eso-threat-model-TLS Bootstrap.drawio.png
  59. BIN
      main/pictures/eso-threat-model-overview.drawio.png
  60. 209 0
      main/pictures/eso-threat-model.drawio
  61. 64 0
      main/provider/1password-automation/index.html
  62. 64 0
      main/provider/akeyless/index.html
  63. 64 0
      main/provider/alibaba/index.html
  64. 70 6
      main/provider/aws-parameter-store/index.html
  65. 171 0
      main/provider/aws-secrets-manager/index.html
  66. 66 2
      main/provider/azure-key-vault/index.html
  67. 2364 0
      main/provider/cloak/index.html
  68. 2617 0
      main/provider/conjur/index.html
  69. 194 18
      main/provider/delinea/index.html
  70. 65 0
      main/provider/doppler/index.html
  71. 64 0
      main/provider/fake/index.html
  72. 64 0
      main/provider/gitlab-variables/index.html
  73. 68 3
      main/provider/google-secrets-manager/index.html
  74. 126 11
      main/provider/hashicorp-vault/index.html
  75. 162 1
      main/provider/ibm-secrets-manager/index.html
  76. 65 1
      main/provider/keeper-security/index.html
  77. 64 0
      main/provider/kubernetes/index.html
  78. 112 2
      main/provider/oracle-vault/index.html
  79. 67 3
      main/provider/scaleway/index.html
  80. 64 0
      main/provider/senhasegura-dsm/index.html
  81. 64 0
      main/provider/webhook/index.html
  82. 64 0
      main/provider/yandex-certificate-manager/index.html
  83. 64 0
      main/provider/yandex-lockbox/index.html
  84. 0 0
      main/search/search_index.json
  85. BIN
      main/sitemap.xml.gz
  86. 16 0
      main/snippets/aws-sm-store-secretsmanager-config.yaml
  87. 1 1
      main/snippets/bitwarden-cli-deployment.yaml
  88. 11 0
      main/snippets/bitwarden-secret-store.yaml
  89. 9 0
      main/snippets/bitwarden-secret.yaml
  90. 19 0
      main/snippets/cloak-external-secret.yaml
  91. 28 0
      main/snippets/cloak-proxy-deployment.yaml
  92. 12 0
      main/snippets/cloak-proxy-service.yaml
  93. 15 0
      main/snippets/cloak-secret-store.yaml
  94. 20 0
      main/snippets/conjur-ca-bundle.yaml
  95. 14 0
      main/snippets/conjur-external-secret.yaml
  96. 21 0
      main/snippets/conjur-secret-store-apikey.yaml
  97. 19 0
      main/snippets/conjur-secret-store-jwt-secret-ref.yaml
  98. 21 0
      main/snippets/conjur-secret-store-jwt-service-account-ref.yaml
  99. 535 329
      main/snippets/dashboard.json
  100. 2 0
      main/snippets/full-cluster-secret-store.yaml

+ 64 - 0
main/404.html

@@ -1189,6 +1189,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1236,6 +1238,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="/guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="/guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1338,6 +1354,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1406,6 +1428,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="/provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="/provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1630,6 +1666,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="/provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="/provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1639,6 +1689,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="/provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 64 - 0
main/api/clusterexternalsecret/index.html

@@ -1237,6 +1237,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1284,6 +1286,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1386,6 +1402,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1454,6 +1476,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1678,6 +1714,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1687,6 +1737,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 66 - 0
main/api/clustersecretstore/index.html

@@ -1237,6 +1237,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1284,6 +1286,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1386,6 +1402,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1454,6 +1476,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1678,6 +1714,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1687,6 +1737,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2232,10 +2296,12 @@
 <span class="w">            </span><span class="c1"># The secret that contains your privatekey</span>
 <span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">oci-secret-name</span>
 <span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">privateKey</span>
+<span class="w">            </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example-namespace</span>
 <span class="w">          </span><span class="nt">fingerprint</span><span class="p">:</span>
 <span class="w">            </span><span class="c1"># The secret that contains your fingerprint</span>
 <span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">oci-secret-name</span>
 <span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">fingerprint</span>
+<span class="w">            </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example-namespace</span>
 
 <span class="w">    </span><span class="c1"># (TODO): add more provider examples here</span>
 

+ 93 - 0
main/api/components/index.html

@@ -558,6 +558,19 @@
     Overview
   </a>
   
+    <nav class="md-nav" aria-label="Overview">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#tls-bootstrap" class="md-nav__link">
+    TLS Bootstrap
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
 </li>
       
     </ul>
@@ -1243,6 +1256,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1290,6 +1305,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1392,6 +1421,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1460,6 +1495,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1684,6 +1733,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1693,6 +1756,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2082,6 +2159,19 @@
     Overview
   </a>
   
+    <nav class="md-nav" aria-label="Overview">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#tls-bootstrap" class="md-nav__link">
+    TLS Bootstrap
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
 </li>
       
     </ul>
@@ -2110,6 +2200,9 @@ to provide a ValidatingWebhook for the <code>ExternalSecret</code> and <code>Sec
 <p>These features are optional but highly recommended. You can disable them with helm chart values <code>certController.create=false</code> and <code>webhook.create=false</code>.</p>
 <p><br/>
 <img alt="Component Overview" src="../../pictures/diagrams-component-overview.png" /></p>
+<h3 id="tls-bootstrap">TLS Bootstrap</h3>
+<p>Cert-controller is responsible for (1) generating TLS credentials which will be used by the webhook component and (2) injecting the certificate as <code>caBundle</code> into <code>Kind=CustomResourceDefinition</code> for conversion webhooks and <code>Kind=ValidatingWebhookConfiguration</code> for validating admission webhook. The TLS credentials are stored in a <code>Kind=Secret</code> which is consumed by the webhook.</p>
+<p><img alt="" src="../../pictures/eso-threat-model-TLS%20Bootstrap.drawio.png" style="width:70%;" /></p>
 
 
   

+ 65 - 1
main/api/controller-options/index.html

@@ -1257,6 +1257,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1304,6 +1306,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1406,6 +1422,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1474,6 +1496,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1698,6 +1734,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1707,6 +1757,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2160,7 +2224,7 @@
 <td><code>--concurrent</code></td>
 <td>int</td>
 <td>1</td>
-<td>The number of concurrent ExternalSecret reconciles.</td>
+<td>The number of concurrent reconciles.</td>
 </tr>
 <tr>
 <td><code>--controller-class</code></td>

+ 73 - 6
main/api/externalsecret/index.html

@@ -1258,6 +1258,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1305,6 +1307,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1407,6 +1423,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1475,6 +1497,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1699,6 +1735,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1708,6 +1758,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2255,14 +2319,17 @@ be transformed and saved as a <code>Kind=Secret</code>:</p>
 <span class="w">          </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aws-secretstore</span>
 <span class="w">          </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ClusterSecretStore</span>
 
-<span class="w">        </span><span class="c1"># point to a generator resource that provides the secret value</span>
-<span class="w">        </span><span class="nt">generatorRef</span><span class="p">:</span>
-<span class="w">          </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">generators.external-secrets.io/v1alpha1</span>
-<span class="w">          </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Password</span>
-<span class="w">          </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">db-password</span>
-
 <span class="w">  </span><span class="c1"># Used to fetch all properties from the Provider key</span>
 <span class="w">  </span><span class="c1"># If multiple dataFrom are specified, secrets are merged in the specified order</span>
+<span class="w">  </span><span class="c1"># Can be defined using sourceRef.generatorRef or extract / find</span>
+<span class="w">  </span><span class="c1"># Both use cases are exemplified below</span>
+<span class="w">  </span><span class="nt">dataFrom</span><span class="p">:</span>
+<span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">sourceRef</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">generatorRef</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">generators.external-secrets.io/v1alpha1</span>
+<span class="w">        </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ECRAuthorizationToken</span>
+<span class="w">        </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;my-ecr&quot;</span>
+<span class="w">  </span><span class="c1">#Or</span>
 <span class="w">  </span><span class="nt">dataFrom</span><span class="p">:</span>
 <span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">extract</span><span class="p">:</span>
 <span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
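Review bot: The rendered example now has two `dataFrom:` keys in the same mapping, separated only by the `#Or` comment, so anyone who copies the block gets a duplicate key; many YAML parsers silently keep only the last one, which would drop the `sourceRef.generatorRef` entry, and stricter ones reject the manifest. Since the comment above says multiple `dataFrom` entries are merged in the specified order, both sources can be shown as items of one list: remove the `#Or` and second `dataFrom:` lines so `- extract:` follows the `- sourceRef:` item directly, or comment out the second alternative. This page is MkDocs output, so the fix presumably belongs in the snippet or Markdown source rather than in this HTML. The example continues outside the hunk.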

+ 64 - 0
main/api/generator/acr/index.html

@@ -1258,6 +1258,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1305,6 +1307,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1407,6 +1423,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1475,6 +1497,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1699,6 +1735,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1708,6 +1758,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 64 - 0
main/api/generator/ecr/index.html

@@ -1251,6 +1251,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1298,6 +1300,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1400,6 +1416,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1468,6 +1490,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1692,6 +1728,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1701,6 +1751,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 64 - 0
main/api/generator/fake/index.html

@@ -1237,6 +1237,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1284,6 +1286,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1386,6 +1402,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1454,6 +1476,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1678,6 +1714,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1687,6 +1737,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 64 - 0
main/api/generator/gcr/index.html

@@ -1271,6 +1271,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1318,6 +1320,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1420,6 +1436,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1488,6 +1510,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1712,6 +1748,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1721,6 +1771,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 64 - 0
main/api/generator/index.html

@@ -1195,6 +1195,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1242,6 +1244,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1344,6 +1360,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1412,6 +1434,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1636,6 +1672,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1645,6 +1695,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 64 - 0
main/api/generator/password/index.html

@@ -1251,6 +1251,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1298,6 +1300,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1400,6 +1416,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1468,6 +1490,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1692,6 +1728,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1701,6 +1751,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 64 - 0
main/api/generator/vault/index.html

@@ -1237,6 +1237,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1284,6 +1286,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1386,6 +1402,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1454,6 +1476,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1678,6 +1714,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1687,6 +1737,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 132 - 112
main/api/metrics/index.html

@@ -897,65 +897,24 @@
     <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
       
         <li class="md-nav__item">
-  <a href="#external-secret-metrics" class="md-nav__link">
-    External Secret Metrics
+  <a href="#cluster-external-secret-metrics" class="md-nav__link">
+    Cluster External Secret Metrics
   </a>
   
 </li>
       
         <li class="md-nav__item">
-  <a href="#dashboard" class="md-nav__link">
-    Dashboard
+  <a href="#external-secret-metrics" class="md-nav__link">
+    External Secret Metrics
   </a>
   
 </li>
       
         <li class="md-nav__item">
-  <a href="#service-level-indicators-and-alerts" class="md-nav__link">
-    Service Level Indicators and Alerts
-  </a>
-  
-    <nav class="md-nav" aria-label="Service Level Indicators and Alerts">
-      <ul class="md-nav__list">
-        
-          <li class="md-nav__item">
-  <a href="#webhook-http-status-codes" class="md-nav__link">
-    Webhook HTTP Status Codes
-  </a>
-  
-</li>
-        
-          <li class="md-nav__item">
-  <a href="#webhook-http-request-latency" class="md-nav__link">
-    Webhook HTTP Request Latency
-  </a>
-  
-</li>
-        
-          <li class="md-nav__item">
-  <a href="#controller-workqueue-depth" class="md-nav__link">
-    Controller Workqueue Depth
-  </a>
-  
-</li>
-        
-          <li class="md-nav__item">
-  <a href="#controller-reconcile-latency" class="md-nav__link">
-    Controller Reconcile Latency
+  <a href="#cluster-secret-store-metrics" class="md-nav__link">
+    Cluster Secret Store Metrics
   </a>
   
-</li>
-        
-          <li class="md-nav__item">
-  <a href="#controller-reconcile-error" class="md-nav__link">
-    Controller Reconcile Error
-  </a>
-  
-</li>
-        
-      </ul>
-    </nav>
-  
 </li>
       
     </ul>
@@ -1298,6 +1257,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1345,6 +1306,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1447,6 +1422,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1515,6 +1496,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1739,6 +1734,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1748,6 +1757,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2133,65 +2156,24 @@
     <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
       
         <li class="md-nav__item">
-  <a href="#external-secret-metrics" class="md-nav__link">
-    External Secret Metrics
+  <a href="#cluster-external-secret-metrics" class="md-nav__link">
+    Cluster External Secret Metrics
   </a>
   
 </li>
       
         <li class="md-nav__item">
-  <a href="#dashboard" class="md-nav__link">
-    Dashboard
+  <a href="#external-secret-metrics" class="md-nav__link">
+    External Secret Metrics
   </a>
   
 </li>
       
         <li class="md-nav__item">
-  <a href="#service-level-indicators-and-alerts" class="md-nav__link">
-    Service Level Indicators and Alerts
-  </a>
-  
-    <nav class="md-nav" aria-label="Service Level Indicators and Alerts">
-      <ul class="md-nav__list">
-        
-          <li class="md-nav__item">
-  <a href="#webhook-http-status-codes" class="md-nav__link">
-    Webhook HTTP Status Codes
-  </a>
-  
-</li>
-        
-          <li class="md-nav__item">
-  <a href="#webhook-http-request-latency" class="md-nav__link">
-    Webhook HTTP Request Latency
+  <a href="#cluster-secret-store-metrics" class="md-nav__link">
+    Cluster Secret Store Metrics
   </a>
   
-</li>
-        
-          <li class="md-nav__item">
-  <a href="#controller-workqueue-depth" class="md-nav__link">
-    Controller Workqueue Depth
-  </a>
-  
-</li>
-        
-          <li class="md-nav__item">
-  <a href="#controller-reconcile-latency" class="md-nav__link">
-    Controller Reconcile Latency
-  </a>
-  
-</li>
-        
-          <li class="md-nav__item">
-  <a href="#controller-reconcile-error" class="md-nav__link">
-    Controller Reconcile Error
-  </a>
-  
-</li>
-        
-      </ul>
-    </nav>
-  
 </li>
       
     </ul>
@@ -2213,9 +2195,31 @@
 
 
 <h1 id="metrics">Metrics</h1>
-<p>The External Secrets Operator exposes its Prometheus metrics in the <code>/metrics</code> path. To enable it, set the <code>serviceMonitor.enabled</code> Helm flag to <code>true</code>. In addition you can also set <code>webhook.serviceMonitor.enabled=true</code> and <code>certController.serviceMonitor.enabled=true</code> to create <code>ServiceMonitor</code> resources for the other components.</p>
+<p>The External Secrets Operator exposes its Prometheus metrics in the <code>/metrics</code> path. To enable it, set the <code>serviceMonitor.enabled</code> Helm flag to <code>true</code>.</p>
 <p>If you are using a different monitoring tool that also needs a <code>/metrics</code> endpoint, you can set the <code>metrics.service.enabled</code> Helm flag to <code>true</code>. In addition you can also set <code>webhook.metrics.service.enabled</code> and <code>certController.metrics.service.enabled</code> to scrape the other components.</p>
-<p>The Operator has the metrics inherited from Kubebuilder plus some custom metrics with the <code>externalsecret</code> prefix.</p>
+<p>The Operator has <a href="https://book.kubebuilder.io/reference/metrics-reference.html">the controller-runtime metrics inherited from kubebuilder</a> plus some custom metrics with a resource name prefix, such as <code>externalsecret_</code>.</p>
+<h2 id="cluster-external-secret-metrics">Cluster External Secret Metrics</h2>
+<table>
+<thead>
+<tr>
+<th>Name</th>
+<th>Type</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td><code>clusterexternalsecret_status_condition</code></td>
+<td>Gauge</td>
+<td>The status condition of a specific Cluster External Secret</td>
+</tr>
+<tr>
+<td><code>clusterexternalsecret_reconcile_duration</code></td>
+<td>Gauge</td>
+<td>The duration time to reconcile the Cluster External Secret</td>
+</tr>
+</tbody>
+</table>
 <h2 id="external-secret-metrics">External Secret Metrics</h2>
 <table>
 <thead>
@@ -2251,38 +2255,54 @@
 <td>Gauge</td>
 <td>The duration time to reconcile the External Secret</td>
 </tr>
+</tbody>
+</table>
+<h2 id="cluster-secret-store-metrics">Cluster Secret Store Metrics</h2>
+<table>
+<thead>
 <tr>
-<td><code>controller_runtime_reconcile_total</code></td>
-<td>Counter</td>
-<td>Holds the totalnumber of reconciliations per controller. It has two labels. controller label refers to the controller name and result label refers to the reconcile result i.e success, error, requeue, requeue_after.</td>
+<th>Name</th>
+<th>Type</th>
+<th>Description</th>
 </tr>
+</thead>
+<tbody>
 <tr>
-<td><code>controller_runtime_reconcile_errors_total</code></td>
-<td>Counter</td>
-<td>Total number of reconcile errors per controller</td>
+<td><code>clustersecretstore_status_condition</code></td>
+<td>Gauge</td>
+<td>The status condition of a specific Cluster Secret Store</td>
 </tr>
 <tr>
-<td><code>controller_runtime_reconcile_time_seconds</code></td>
-<td>Histogram</td>
-<td>Length of time per reconcile per controller</td>
+<td><code>clustersecretstore_reconcile_duration</code></td>
+<td>Gauge</td>
+<td>The duration time to reconcile the Cluster Secret Store</td>
 </tr>
+</tbody>
+</table>
+<h1 id="secret-store-metrics">Secret Store Metrics</h1>
+<table>
+<thead>
 <tr>
-<td><code>controller_runtime_reconcile_queue_length</code></td>
-<td>Gauge</td>
-<td>Length of reconcile queue per controller</td>
+<th>Name</th>
+<th>Type</th>
+<th>Description</th>
 </tr>
+</thead>
+<tbody>
 <tr>
-<td><code>controller_runtime_max_concurrent_reconciles</code></td>
+<td><code>secretstore_status_condition</code></td>
 <td>Gauge</td>
-<td>Maximum number of concurrent reconciles per controller</td>
+<td>The status condition of a specific Secret Store</td>
 </tr>
 <tr>
-<td><code>controller_runtime_active_workers</code></td>
+<td><code>secretstore_reconcile_duration</code></td>
 <td>Gauge</td>
-<td>Number of currently used workers per controller</td>
+<td>The duration time to reconcile the Secret Store</td>
 </tr>
 </tbody>
 </table>
+<h2 id="controller-runtime-metrics">Controller Runtime Metrics</h2>
+<p>See <a href="https://book.kubebuilder.io/reference/metrics-reference.html">the kubebuilder documentation</a> on the default exported metrics by controller-runtime.</p>
 <h2 id="dashboard">Dashboard</h2>
 <p>We provide a <a href="https://raw.githubusercontent.com/external-secrets/external-secrets/main/docs/snippets/dashboard.json">Grafana Dashboard</a> that gives you an overview of External Secrets Operator:</p>
 <p><img alt="ESO Dashboard" src="../../pictures/eso-dashboard-1.png" />
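Review bot: The added heading `<h1 id="secret-store-metrics">Secret Store Metrics</h1>` is a top-level heading, while the three sibling sections added next to it are `<h2>`. In both table-of-contents hunks of this file the regenerated list now stops at "Cluster Secret Store Metrics", so the "Dashboard" entry is gone even though `<h2 id="dashboard">` is still on the page, and the "Service Level Indicators and Alerts" entries are gone too. The second `<h1>` is presumably what cuts the list short, which leaves the dashboard and alerting guidance unreachable from the page navigation. This file is generated, so the fix belongs in the Markdown source: use `## Secret Store Metrics` so it renders as `<h2 id="secret-store-metrics">Secret Store Metrics</h2>`.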

+ 71 - 1
main/api/pushsecret/index.html

@@ -1203,6 +1203,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1250,6 +1252,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1352,6 +1368,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1420,6 +1442,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1644,6 +1680,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1653,6 +1703,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2045,13 +2109,19 @@
 
   <h1>PushSecret</h1>
 
-<p>The <code>PushSecret</code> is namespaced and specifies how to push secrets to secret stores.</p>
+<p><img alt="PushSecret" src="../../pictures/diagrams-pushsecret-basic.png" /></p>
+<p>The <code>PushSecret</code> is namespaced and it describes what data should be pushed to the secret provider.</p>
+<ul>
+<li>tells the operator what secrets should be pushed by using <code>spec.selector</code>.</li>
+<li>you can specify what secret keys should be pushed by using <code>spec.data</code></li>
+</ul>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecret</span>
 <span class="nt">metadata</span><span class="p">:</span>
 <span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pushsecret-example</span><span class="w"> </span><span class="c1"># Customisable</span>
 <span class="w">  </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span><span class="w"> </span><span class="c1"># Same of the SecretStores</span>
 <span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">deletionPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Delete</span><span class="w"> </span><span class="c1"># the provider&#39; secret will be deleted if the PushSecret is deleted</span>
 <span class="w">  </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">10s</span><span class="w"> </span><span class="c1"># Refresh interval for which push secret will reconcile</span>
 <span class="w">  </span><span class="nt">secretStoreRefs</span><span class="p">:</span><span class="w"> </span><span class="c1"># A list of secret stores to push secrets to</span>
 <span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aws-parameterstore</span>
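Review bot: The example now sets `deletionPolicy: Delete` without marking it as a destructive, opt-in choice. Per the added comment, deleting the PushSecret also deletes the secret at the provider, so anyone who copies the sample and is allowed to delete the PushSecret can remove the remote secret. The comment should say this and name the non-destructive alternative, e.g. `# Delete removes the provider's secret when the PushSecret is deleted; omit the field to keep it` (I believe the default is `None`; please confirm against the API spec). The same comment also has a typo, `provider&#39; secret` for "provider's secret". The file is generated, so both changes go into the snippet source; the YAML example continues past the end of this hunk.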

+ 67 - 2
main/api/secretstore/index.html

@@ -1237,6 +1237,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1284,6 +1286,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1386,6 +1402,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1454,6 +1476,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1678,6 +1714,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1687,6 +1737,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2117,7 +2181,7 @@ If you want to design cross-namespace SecretStores you must use <a href="../clus
 <span class="w">  </span><span class="c1"># You can specify retry settings for the http connection</span>
 <span class="w">  </span><span class="c1"># these fields allow you to set a maxRetries before failure, and</span>
 <span class="w">  </span><span class="c1"># an interval between the retries.</span>
-<span class="w">  </span><span class="c1"># Current supported providers: AWS, IBM</span>
+<span class="w">  </span><span class="c1"># Current supported providers: AWS, Hashicorp Vault, IBM</span>
 <span class="w">  </span><span class="nt">retrySettings</span><span class="p">:</span>
 <span class="w">    </span><span class="nt">maxRetries</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">5</span>
 <span class="w">    </span><span class="nt">retryInterval</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;10s&quot;</span>
@@ -2145,6 +2209,7 @@ If you want to design cross-namespace SecretStores you must use <a href="../clus
 <span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">awssm-secret</span>
 <span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret-access-key</span>
 
+<span class="w">    </span><span class="c1"># (2) Hashicorp Vault</span>
 <span class="w">    </span><span class="nt">vault</span><span class="p">:</span>
 <span class="w">      </span><span class="nt">server</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;https://vault.acme.org&quot;</span>
 <span class="w">      </span><span class="c1"># Path is the mount path of the Vault KV backend endpoint</span>
@@ -2192,7 +2257,7 @@ If you want to design cross-namespace SecretStores you must use <a href="../clus
 <span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;my-secret&quot;</span>
 <span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;vault&quot;</span>
 
-<span class="w">    </span><span class="c1"># (2): GCP Secret Manager</span>
+<span class="w">    </span><span class="c1"># (3): GCP Secret Manager</span>
 <span class="w">    </span><span class="nt">gcpsm</span><span class="p">:</span>
 <span class="w">      </span><span class="c1"># Auth defines the information necessary to authenticate against GCP by getting</span>
 <span class="w">      </span><span class="c1"># the credentials from an already created Kubernetes Secret.</span>

File diff suppressed because it is too large
+ 665 - 73
main/api/spec/index.html


+ 64 - 0
main/contributing/coc/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1641,6 +1677,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1650,6 +1700,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 88 - 28
main/contributing/devguide/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1641,6 +1677,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1650,6 +1700,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2143,21 +2207,6 @@ then clone the repo:</p>
 <span class="nb">cd</span><span class="w"> </span>external-secrets
 </code></pre></div>
 <p><em>Note: many of the <code>make</code> commands use <a href="https://github.com/mikefarah/yq">yq</a>, version 4.2X.X or higher.</em></p>
-<p>If you want to run controller tests you also need to install kubebuilder's <code>envtest</code>.</p>
-<p>The recommended way to do so is to install <a href="https://pkg.go.dev/sigs.k8s.io/controller-runtime/tools/setup-envtest">setup-envtest</a></p>
-<p>Here is an example on how to set it up:</p>
-<div class="highlight"><pre><span></span><code>go install sigs.k8s.io/controller-runtime/tools/setup-envtest@latest
-
-# list available versions
-setup-envtest list --os $(go env GOOS) --arch $(go env GOARCH)
-
-# To use a specific version
-setup-envtest use -p path 1.20.2
-
-#To set environment variables
-source &lt;(setup-envtest use 1.20.2 -p env --os $(go env GOOS) --arch $(go env GOARCH))
-</code></pre></div>
-<p>for more information, please see <a href="https://github.com/kubernetes-sigs/controller-runtime/tree/master/tools/setup-envtest">setup-envtest docs</a></p>
 <p>Our helm chart is tested using <code>helm-unittest</code>. You will need it to run tests locally if you modify the helm chart. Install it with the following command:</p>
 <div class="highlight"><pre><span></span><code>$ helm plugin install https://github.com/helm-unittest/helm-unittest
 </code></pre></div>
@@ -2166,9 +2215,9 @@ source &lt;(setup-envtest use 1.20.2 -p env --os $(go env GOOS) --arch $(go env
 static code analysis.</p>
 <p>Building the operator binary and docker image:</p>
 <div class="highlight"><pre><span></span><code>make<span class="w"> </span>build
-make<span class="w"> </span>docker.build<span class="w"> </span><span class="nv">IMG</span><span class="o">=</span>external-secrets:latest
+make<span class="w"> </span>docker.build<span class="w"> </span><span class="nv">IMAGE_NAME</span><span class="o">=</span>external-secrets<span class="w"> </span><span class="nv">IMAGE_TAG</span><span class="o">=</span>latest
 </code></pre></div>
-<p>Run tests and lint the code: <em>(golangci-lint@1.49.0 is needed.)</em>
+<p>Run tests and lint the code:
 <div class="highlight"><pre><span></span><code>make<span class="w"> </span><span class="nb">test</span>
 make<span class="w"> </span>lint<span class="w"> </span><span class="c1"># OR</span>
 docker<span class="w"> </span>run<span class="w"> </span>--rm<span class="w"> </span>-v<span class="w"> </span><span class="k">$(</span><span class="nb">pwd</span><span class="k">)</span>:/app<span class="w"> </span>-w<span class="w"> </span>/app<span class="w"> </span>golangci/golangci-lint:v1.49.0<span class="w"> </span>golangci-lint<span class="w"> </span>run
@@ -2190,22 +2239,33 @@ make<span class="w"> </span>run
 <div class="highlight"><pre><span></span><code>make<span class="w"> </span>crds.uninstall
 </code></pre></div>
 <p>If you need to test some other k8s integrations and need the operator to be deployed to the actual cluster while developing, you can use the following workflow:</p>
-<div class="highlight"><pre><span></span><code>kind create cluster --name external-secrets
+<div class="highlight"><pre><span></span><code><span class="c1"># Start a local K8S cluster with KinD</span>
+kind<span class="w"> </span>create<span class="w"> </span>cluster<span class="w"> </span>--name<span class="w"> </span>external-secrets
+
+<span class="nb">export</span><span class="w"> </span><span class="nv">TAG</span><span class="o">=</span><span class="k">$(</span>make<span class="w"> </span>docker.tag<span class="k">)</span>
+<span class="nb">export</span><span class="w"> </span><span class="nv">IMAGE</span><span class="o">=</span><span class="k">$(</span>make<span class="w"> </span>docker.imagename<span class="k">)</span>
+
+<span class="c1"># Build docker image</span>
+make<span class="w"> </span>docker.build
 
-export TAG=v2
-export IMAGE=eso-local
+<span class="c1"># Load docker image into local kind cluster</span>
+kind<span class="w"> </span>load<span class="w"> </span>docker-image<span class="w"> </span><span class="nv">$IMAGE</span>:<span class="nv">$TAG</span><span class="w"> </span>--name<span class="w"> </span>external-secrets
 
-#For building in linux
-docker build . -t $IMAGE:$TAG --build-arg TARGETARCH=amd64 --build-arg TARGETOS=linux
+<span class="c1"># (Optional) Pull the image from GitHub Repo to copy into kind</span>
+<span class="c1"># docker pull ghcr.io/external-secrets/external-secrets:v0.8.2</span>
+<span class="c1"># kind load docker-image ghcr.io/external-secrets/external-secrets:v0.8.2 -n external-secrets</span>
+<span class="c1"># export TAG=v0.8.2</span>
 
-#For building in MacOS (OSX)
-#docker build . -t $IMAGE:$TAG --build-arg TARGETARCH=amd64 --build-arg TARGETOS=darwin
+<span class="c1"># Update helm charts and install to KinD cluster</span>
+make<span class="w"> </span>helm.generate
+helm<span class="w"> </span>upgrade<span class="w"> </span>--install<span class="w"> </span>external-secrets<span class="w"> </span>./deploy/charts/external-secrets/<span class="w"> </span><span class="se">\</span>
+--set<span class="w"> </span>image.repository<span class="o">=</span><span class="nv">$IMAGE</span><span class="w"> </span>--set<span class="w"> </span>image.tag<span class="o">=</span><span class="nv">$TAG</span><span class="w"> </span><span class="se">\</span>
+--set<span class="w"> </span>webhook.image.repository<span class="o">=</span><span class="nv">$IMAGE</span><span class="w"> </span>--set<span class="w"> </span>webhook.image.tag<span class="o">=</span><span class="nv">$TAG</span><span class="w"> </span><span class="se">\</span>
+--set<span class="w"> </span>certController.image.repository<span class="o">=</span><span class="nv">$IMAGE</span><span class="w"> </span>--set<span class="w"> </span>certController.image.tag<span class="o">=</span><span class="nv">$TAG</span>
 
-#For building in ARM
-#docker build . -t $IMAGE:$TAG --build-arg TARGETARCH=arm --build-arg TARGETOS=linux
 
-make helm.generate
-helm upgrade --install external-secrets ./deploy/charts/external-secrets/ --set image.repository=$IMAGE --set image.tag=$TAG
+<span class="c1"># Command to delete the cluster when done</span>
+<span class="c1"># kind delete cluster -n external-secrets</span>
 </code></pre></div>
 <div class="admonition note">
 <p class="admonition-title">Contributing Flow</p>
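Review bot: The optional block in the KinD workflow switches only the tag, not the image name. It pulls and loads `ghcr.io/external-secrets/external-secrets:v0.8.2` and sets `TAG=v0.8.2`, but `IMAGE` still holds the output of `make docker.imagename`. The later `helm upgrade --install ... --set image.repository=$IMAGE --set image.tag=$TAG` can therefore point at an image that was never loaded into the cluster, unless that make target already prints the ghcr.io name, which the page does not show. Add `# export IMAGE=ghcr.io/external-secrets/external-secrets` next to `# export TAG=v0.8.2`. This file is generated, so the change belongs in the Markdown source of the developer guide.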

+ 67 - 1
main/contributing/process/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1641,6 +1677,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1650,6 +1700,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2314,8 +2378,10 @@ a maintainer when a particular provider or authentication mechanism was changed:
 <div class="highlight"><pre><span></span><code>/ok-to-test-managed sha=xxxxxx provider=aws
 # or
 /ok-to-test-managed sha=xxxxxx provider=gcp
+# or
+/ok-to-test-managed sha=xxxxxx provider=azure
 </code></pre></div>
-<p>Both tests can run in parallel. Once started they add a dynamic GitHub check <code>integration-managed-(gcp|aws)</code> to the PR that triggered the test.</p>
+<p>Both tests can run in parallel. Once started they add a dynamic GitHub check <code>integration-managed-(gcp|aws|azure)</code> to the PR that triggered the test.</p>
 <h3 id="executing-managed-kubernetes-e2e-tests-locally">Executing Managed Kubernetes e2e tests locally</h3>
 <p>You have to prepare your shell environment with the necessary variables so the e2e
 test runner knows what credentials to use. See <code>.github/workflows/e2e-managed.yml</code>

+ 70 - 3
main/contributing/release/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1641,6 +1677,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1650,6 +1700,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2125,9 +2189,13 @@
 <p>ESO and the ESO Helm Chart have two distinct lifecycles and can be released independently. Helm Chart releases are named <code>external-secrets-x.y.z</code>.</p>
 <p>The external-secrets project is released on a as-needed basis. Feel free to open a issue to request a release.</p>
 <h2 id="release-eso">Release ESO</h2>
+<p>When doing a release it's best to start with  with the <a href="https://github.com/external-secrets/external-secrets/issues/new?assignees=&amp;labels=area%2Frelease&amp;projects=&amp;template=create_release.md&amp;title=Release+x.y">"Create Release" issue template</a>, it has a checklist to go over.</p>
+<p>⚠️ Note: when releasing multiple versions, make sure to first release the "old" version, then the newer version.
+Otherwise the <code>latest</code> documentation will point to the older version. Also avoid to release both versions at the same time to avoid race conditions in the CI pipeline (updating docs, GitHub Release, helm chart release).</p>
 <ol>
 <li>Run <code>Create Release</code> Action to create a new release, pass in the desired version number to release.<ol>
-<li>note: choose the right <code>branch</code> to execute the action: use <code>main</code> when creating a new release. Use <code>release-x.y</code> when you want to bump a LTS release.</li>
+<li>choose the right <code>branch</code> to execute the action: use <code>main</code> when creating a new release. Use <code>release-x.y</code> when you want to bump a LTS release.</li>
+<li>⚠️ make sure that CI on the relevant branch has completed the docker build/push jobs. Otherwise an old image will be promoted.</li>
 </ol>
 </li>
 <li>GitHub Release, Changelog will be created by the <code>release.yml</code> workflow which also promotes the container image.</li>
@@ -2136,8 +2204,7 @@
 </ol>
 <h2 id="release-helm-chart">Release Helm Chart</h2>
 <ol>
-<li>Update <code>version</code> and/or <code>appVersion</code> in <code>Chart.yaml</code> and run <code>make helm.docs helm.update.appversion</code></li>
-<li>If there is any CRD change, run <code>make helm.test.update</code> and <code>make helm.test</code></li>
+<li>Update <code>version</code> and/or <code>appVersion</code> in <code>Chart.yaml</code> and run <code>make helm.docs helm.update.appversion helm.test.update helm.test</code></li>
 <li>push to branch and open pr</li>
 <li>run <code>/ok-to-test-managed</code> commands for all cloud providers</li>
 <li>merge PR if everyhing is green</li>

+ 65 - 1
main/contributing/roadmap/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1641,6 +1677,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1650,6 +1700,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2079,7 +2143,7 @@
 <li>Troubleshooting Guides</li>
 <li>✓ FAQ</li>
 <li>✓ review multi tenancy docs</li>
-<li>security model for infosec teams</li>
+<li>security model for infosec teams</li>
 <li>✓ security best practices guide</li>
 <li>✓ provider specific guides</li>
 </ul>

+ 64 - 0
main/eso-blogs/index.html

@@ -1198,6 +1198,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1245,6 +1247,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1347,6 +1363,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1415,6 +1437,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1639,6 +1675,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1648,6 +1698,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 64 - 0
main/eso-demos/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1641,6 +1677,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1650,6 +1700,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 113 - 1
main/eso-talks/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1641,6 +1677,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1650,6 +1700,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2030,6 +2094,27 @@
     FOSDEM '23 (Containers devroom)
   </a>
   
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#form3-tech-podcast-building-and-maintaining-external-secrets-operator" class="md-nav__link">
+    Form3 .tech Podcast - Building and maintaining External Secrets Operator
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#enlightning-exploring-external-secrets-operator" class="md-nav__link">
+    ⚡️ Enlightning - Exploring External Secrets Operator
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#kubecon-eu-23-protecting-your-crown-jewels-with-external-secrets-operator" class="md-nav__link">
+    KubeCon EU '23 - Protecting Your Crown Jewels with External Secrets Operator
+  </a>
+  
 </li>
       
     </ul>
@@ -2148,6 +2233,27 @@
     FOSDEM '23 (Containers devroom)
   </a>
   
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#form3-tech-podcast-building-and-maintaining-external-secrets-operator" class="md-nav__link">
+    Form3 .tech Podcast - Building and maintaining External Secrets Operator
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#enlightning-exploring-external-secrets-operator" class="md-nav__link">
+    ⚡️ Enlightning - Exploring External Secrets Operator
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#kubecon-eu-23-protecting-your-crown-jewels-with-external-secrets-operator" class="md-nav__link">
+    KubeCon EU '23 - Protecting Your Crown Jewels with External Secrets Operator
+  </a>
+  
 </li>
       
     </ul>
@@ -2181,7 +2287,13 @@
 <h2 id="aws-containers-from-the-couch">AWS Containers from the Couch</h2>
 <p><a href="https://www.youtube.com/watch?v=FityN80Cpto"><img alt="AWS Containers from the Couch" src="https://img.youtube.com/vi/FityN80Cpto/0.jpg" /></a></p>
 <h2 id="fosdem-23-containers-devroom">FOSDEM '23 (Containers devroom)</h2>
-<p><a href="https://fosdem.org/2023/schedule/event/container_kubernetes_secret_rotation/"><img alt="FOSDEM '23 (Containers devroom)" src="https://slides.sagikazarmark.hu/2023-02-04-automating-secret-rotation-in-kubernetes/preview.png" /></a></p>
+<p><a href="https://fosdem.org/2023/schedule/event/container_kubernetes_secret_rotation/">FOSDEM '23 (Containers devroom)</a></p>
+<h2 id="form3-tech-podcast-building-and-maintaining-external-secrets-operator">Form3 .tech Podcast - Building and maintaining External Secrets Operator</h2>
+<p><a href="https://www.form3.tech/engineering/content/podcast-ext-secrets">Podcast and Blog</a></p>
+<h2 id="enlightning-exploring-external-secrets-operator">⚡️ Enlightning - Exploring External Secrets Operator</h2>
+<p><a href="https://www.youtube.com/watch?v=7uY_qW6TWf8&amp;ab_channel=VMwareTanzu"><img alt="" src="https://img.youtube.com/vi/7uY_qW6TWf8/0.jpg" /></a></p>
+<h2 id="kubecon-eu-23-protecting-your-crown-jewels-with-external-secrets-operator">KubeCon EU '23 - Protecting Your Crown Jewels with External Secrets Operator</h2>
+<p><a href="https://www.youtube.com/watch?v=upwIlUHkDf8&amp;ab_channel=CNCF%5BCloudNativeComputingFoundation%5D"><img alt="Protecting Your Crown Jewels with External Secrets Operator" src="https://img.youtube.com/vi/upwIlUHkDf8/0.jpg" /></a></p>
 
 
   

+ 64 - 0
main/examples/anchore-engine-credentials/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1641,6 +1677,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1650,6 +1700,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 86 - 1
main/examples/bitwarden/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1641,6 +1677,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1650,6 +1700,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2283,7 +2347,7 @@ bw<span class="w"> </span>serve<span class="w"> </span>--hostname<span class="w"
 <span class="w">              </span><span class="nt">command</span><span class="p">:</span>
 <span class="w">                </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">wget</span>
 <span class="w">                </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">-q</span>
-<span class="w">                </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">http://127.0.0.1:8087/sync</span>
+<span class="w">                </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">http://127.0.0.1:8087/sync?force=true</span>
 <span class="w">                </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">--post-data=&#39;&#39;</span>
 <span class="w">            </span><span class="nt">initialDelaySeconds</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">20</span>
 <span class="w">            </span><span class="nt">failureThreshold</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">3</span>
@@ -2371,11 +2435,23 @@ bw<span class="w"> </span>serve<span class="w"> </span>--hostname<span class="w"
 <span class="w">      </span><span class="nt">url</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;http://bitwarden-cli:8087/object/item/{{</span><span class="nv"> </span><span class="s">.remoteRef.key</span><span class="nv"> </span><span class="s">}}&quot;</span>
 <span class="w">      </span><span class="nt">result</span><span class="p">:</span>
 <span class="w">        </span><span class="nt">jsonPath</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;$.data.fields[?@.name==\&quot;{{</span><span class="nv"> </span><span class="s">.remoteRef.property</span><span class="nv"> </span><span class="s">}}\&quot;].value&quot;</span>
+<span class="nn">---</span>
+<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ClusterSecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bitwarden-notes</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">webhook</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">url</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;http://bitwarden-cli:8087/object/item/{{</span><span class="nv"> </span><span class="s">.remoteRef.key</span><span class="nv"> </span><span class="s">}}&quot;</span>
+<span class="w">      </span><span class="nt">result</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">jsonPath</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;$.data.notes&quot;</span>
 </code></pre></div>
 <h2 id="how-to-use-it">How to use it ?</h2>
 <ul>
 <li>If you need the <code>username</code> or the <code>password</code> of a secret, you have to use <code>bitwarden-login</code></li>
 <li>If you need a custom field of a secret, you have to use <code>bitwarden-fields</code></li>
+<li>If you need to use a Bitwarden Note for multiline strings (SSH keys, service account json files), you have to use <code>bitwarden-notes</code></li>
 <li>The <code>key</code> is the ID of a secret, which can be find in the URL with the <code>itemId</code> value:
   <code>https://myvault.com/#/vault?itemId=........-....-....-....-............</code></li>
 <li>The <code>property</code> is the name of the field:</li>
@@ -2405,6 +2481,8 @@ bw<span class="w"> </span>serve<span class="w"> </span>--hostname<span class="w"
 <span class="w">          </span><span class="no">{{ .postgres_replication_password }}</span>
 <span class="w">        </span><span class="nt">db_url</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|-</span>
 <span class="w">          </span><span class="no">postgresql://{{ .username }}:{{ .password }}@my-postgresql:5432/mydb</span>
+<span class="w">        </span><span class="nt">service_account_key</span><span class="p">:</span><span class="w"> </span><span class="p p-Indicator">|-</span>
+<span class="w">          </span><span class="no">{{ .service_account_key }}</span>
 <span class="w">  </span><span class="nt">data</span><span class="p">:</span>
 <span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">username</span>
 <span class="w">      </span><span class="nt">sourceRef</span><span class="p">:</span>
@@ -2438,6 +2516,13 @@ bw<span class="w"> </span>serve<span class="w"> </span>--hostname<span class="w"
 <span class="w">      </span><span class="nt">remoteRef</span><span class="p">:</span>
 <span class="w">        </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aaaabbbb-cccc-dddd-eeee-000011112222</span>
 <span class="w">        </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">postgres-replication-password</span>
+<span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">service_account_key</span>
+<span class="w">      </span><span class="nt">sourceRef</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">storeRef</span><span class="p">:</span>
+<span class="w">          </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bitwarden-notes</span>
+<span class="w">          </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ClusterSecretStore</span><span class="w">  </span><span class="c1"># or SecretStore</span>
+<span class="w">      </span><span class="nt">remoteRef</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">service_account_key</span>
 </code></pre></div>
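Review bot: The added `bitwarden-notes` store (hunk at -2371) is a `ClusterSecretStore`, so every namespace that may create an ExternalSecret can pull the complete notes of any vault item through the `http://bitwarden-cli:8087` webhook, and the visible spec configures no headers or authentication. Since the page recommends notes for SSH keys and service account JSON, the example should narrow that scope, for instance with a `conditions:` entry carrying a `namespaceSelector` on the store, or by declaring it as a namespaced `SecretStore`. Separately, in the last hunk `key: service_account_key` is a name, while the text says the key is the item ID and the sibling entries use a UUID-shaped value; a constructed placeholder such as `key: <item-id-of-the-note>` would match. This file looks like generated site output, so both changes presumably belong in the documentation source.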
 
 

+ 66 - 2
main/examples/gitops-using-fluxcd/index.html

@@ -9,7 +9,7 @@
       
       
       
-        <link rel="prev" href="../../provider/scaleway/">
+        <link rel="prev" href="../../provider/delinea/">
       
       
         <link rel="next" href="../anchore-engine-credentials/">
@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1641,6 +1677,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1650,6 +1700,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2380,7 +2444,7 @@ the deployment must be disabled in the <code>values</code> of the manifest calle
 <span class="w">  </span><span class="nt">chart</span><span class="p">:</span>
 <span class="w">    </span><span class="nt">spec</span><span class="p">:</span>
 <span class="w">      </span><span class="nt">chart</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets</span>
-<span class="w">      </span><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">0.3.9</span>
+<span class="w">      </span><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">0.9.4</span>
 <span class="w">      </span><span class="nt">sourceRef</span><span class="p">:</span>
 <span class="w">        </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">HelmRepository</span>
 <span class="w">        </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets</span>

+ 64 - 0
main/examples/jenkins-kubernetes-credentials/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1641,6 +1677,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1650,6 +1700,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 64 - 0
main/guides/all-keys-one-secret/index.html

@@ -1241,6 +1241,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1288,6 +1290,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1390,6 +1406,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1458,6 +1480,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1682,6 +1718,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1691,6 +1741,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 94 - 4
main/guides/common-k8s-secret-types/index.html

@@ -1262,6 +1262,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1309,6 +1311,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1411,6 +1427,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1479,6 +1501,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1703,6 +1739,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1712,6 +1762,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2195,7 +2259,33 @@
 <p>For more information, please see <a href="https://github.com/helm/helm/issues/2798">this issue</a></p>
 <p>This will generate a valid dockerconfigjson secret for you to use!</p>
 <p>You can get the final value with:</p>
-<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w"> </span>secret-to-be-created<span class="w"> </span>-n<span class="w"> </span>&lt;namespace&gt;<span class="w"> </span><span class="p">|</span><span class="w"> </span>-o<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s2">&quot;{.data\.dockerconfigjson}&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>base64<span class="w"> </span>-d
+<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w"> </span>secret-to-be-created<span class="w"> </span>-n<span class="w"> </span>&lt;namespace&gt;<span class="w"> </span>-o<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s2">&quot;{.data\.dockerconfigjson}&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>base64<span class="w"> </span>-d
+</code></pre></div>
+<p>Alternately, if you only have the container registry name and password value, you can take advantage of the advanced ExternalSecret templating functions to create the secret:</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">dk-cfg-example</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1h</span>
+<span class="w">  </span><span class="nt">secretStoreRef</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example</span>
+<span class="w">    </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="w">  </span><span class="nt">target</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">template</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">kubernetes.io/dockerconfigjson</span>
+<span class="w">      </span><span class="nt">data</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">.dockerconfigjson</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;{&quot;auths&quot;:{&quot;{{</span><span class="nv"> </span><span class="s">.registryName</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">lower</span><span class="nv"> </span><span class="s">}}.{{</span><span class="nv"> </span><span class="s">.registryHost</span><span class="nv"> </span><span class="s">}}&quot;:{&quot;username&quot;:&quot;{{</span><span class="nv"> </span><span class="s">.registryName</span><span class="nv"> </span><span class="s">}}&quot;,&quot;password&quot;:&quot;{{</span><span class="nv"> </span><span class="s">.password</span><span class="nv"> </span><span class="s">}}&quot;,&quot;auth&quot;:&quot;{{</span><span class="nv"> </span><span class="s">printf</span><span class="nv"> </span><span class="s">&quot;%s:%s&quot;</span><span class="nv"> </span><span class="s">.registryName</span><span class="nv"> </span><span class="s">.password</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">b64enc</span><span class="nv"> </span><span class="s">}}&quot;}}}&#39;</span>
+<span class="w">  </span><span class="nt">data</span><span class="p">:</span>
+<span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">registryName</span>
+<span class="w">    </span><span class="nt">remoteRef</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret/docker-registry-name</span><span class="w"> </span><span class="c1"># &quot;myRegistry&quot;</span>
+<span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">registryHost</span>
+<span class="w">    </span><span class="nt">remoteRef</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret/docker-registry-host</span><span class="w"> </span><span class="c1"># &quot;docker.io&quot;</span>
+<span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">password</span>
+<span class="w">    </span><span class="nt">remoteRef</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret/docker-registry-password</span>
 </code></pre></div>
 <h2 id="tls-cert-example">TLS Cert example</h2>
 <p>We are assuming here that you already have valid certificates, maybe generated with letsencrypt or any other CA. So to simplify you can use openssl to generate a single secret pkcs12 cert based on your cert.pem and privkey.pen files.</p>
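Review bot: The `.dockerconfigjson` template in the added ExternalSecret example builds JSON by placing `{{ .registryName }}` and `{{ .password }}` between literal quotes, so a fetched value containing `"` or `\` produces invalid JSON or changes the structure of the generated pull secret. If the sprig `toJson` function is available in this template engine (worth confirming for the documented template version), the values should be encoded instead of spliced in, for example `"password":{{ .password | toJson }}` with no surrounding quotes. This file is generated HTML, so the fix belongs in the guide's Markdown source, which this commit does not show.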
@@ -2230,8 +2320,8 @@
 <span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ssl-certificate-p12-example</span>
 </code></pre></div>
 <p>You can get their values with:</p>
-<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w"> </span>secret-to-be-created<span class="w"> </span>-n<span class="w"> </span>&lt;namespace&gt;<span class="w"> </span><span class="p">|</span><span class="w"> </span>-o<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s2">&quot;{.data.tls\.crt}&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>base64<span class="w"> </span>-d
-kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w"> </span>secret-to-be-created<span class="w"> </span>-n<span class="w"> </span>&lt;namespace&gt;<span class="w"> </span><span class="p">|</span><span class="w"> </span>-o<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s2">&quot;{.data.tls\.key}&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>base64<span class="w"> </span>-d
+<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w"> </span>secret-to-be-created<span class="w"> </span>-n<span class="w"> </span>&lt;namespace&gt;<span class="w"> </span>-o<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s2">&quot;{.data.tls\.crt}&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>base64<span class="w"> </span>-d
+kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w"> </span>secret-to-be-created<span class="w"> </span>-n<span class="w"> </span>&lt;namespace&gt;<span class="w"> </span>-o<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s2">&quot;{.data.tls\.key}&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>base64<span class="w"> </span>-d
 </code></pre></div>
 <h2 id="ssh-auth-example">SSH Auth example</h2>
 <p>Add the ssh privkey to a new Google Cloud Secrets Manager secret:</p>
@@ -2260,7 +2350,7 @@ kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w">
 <span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ssh-priv-key-example</span>
 </code></pre></div>
 <p>You can get the privkey value with:</p>
-<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w"> </span>secret-to-be-created<span class="w"> </span>-n<span class="w"> </span>&lt;namespace&gt;<span class="w"> </span><span class="p">|</span><span class="w"> </span>-o<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s2">&quot;{.data.ssh-privatekey}&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>base64<span class="w"> </span>-d
+<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w"> </span>secret-to-be-created<span class="w"> </span>-n<span class="w"> </span>&lt;namespace&gt;<span class="w"> </span>-o<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s2">&quot;{.data.ssh-privatekey}&quot;</span><span class="w"> </span><span class="p">|</span><span class="w"> </span>base64<span class="w"> </span>-d
 </code></pre></div>
 <h2 id="more-examples">More examples</h2>
 <div class="admonition note">

+ 64 - 0
main/guides/controller-class/index.html

@@ -1241,6 +1241,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1288,6 +1290,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1390,6 +1406,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1458,6 +1480,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1682,6 +1718,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1691,6 +1741,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 64 - 0
main/guides/datafrom-rewrite/index.html

@@ -1295,6 +1295,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1342,6 +1344,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1444,6 +1460,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1512,6 +1534,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1736,6 +1772,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1745,6 +1795,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 64 - 0
main/guides/decoding-strategy/index.html

@@ -1289,6 +1289,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1336,6 +1338,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1438,6 +1454,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1506,6 +1528,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1730,6 +1766,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1739,6 +1789,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 64 - 0
main/guides/disable-cluster-features/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1359,6 +1375,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1427,6 +1449,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1651,6 +1687,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1660,6 +1710,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 64 - 0
main/guides/generator/index.html

@@ -1237,6 +1237,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1284,6 +1286,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1386,6 +1402,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1454,6 +1476,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1678,6 +1714,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1687,6 +1737,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 64 - 0
main/guides/getallsecrets/index.html

@@ -1262,6 +1262,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1309,6 +1311,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1411,6 +1427,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1479,6 +1501,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1703,6 +1739,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1712,6 +1762,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 64 - 0
main/guides/introduction/index.html

@@ -1210,6 +1210,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1257,6 +1259,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1359,6 +1375,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1427,6 +1449,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1651,6 +1687,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1660,6 +1710,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 64 - 0
main/guides/multi-tenancy/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1298,6 +1300,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1400,6 +1416,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1468,6 +1490,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1692,6 +1728,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1701,6 +1751,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 65 - 3
main/guides/ownership-deletion-policy/index.html

@@ -1309,6 +1309,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1356,6 +1358,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1458,6 +1474,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1526,6 +1548,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1750,6 +1786,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1759,6 +1809,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2255,9 +2319,7 @@
 <p>The operator does not create or update the secret, this is basically a no-op.</p>
 <h2 id="deletion-policy">Deletion Policy</h2>
 <p>DeletionPolicy defines what should happen if a given secret gets deleted <strong>from the provider</strong>.</p>
-<p>DeletionPolicy is only supported on the following providers. Please feel free to contribute more:
-* AWS Secrets Manager
-* AWS Parameter Store</p>
+<p>DeletionPolicy is only supported on the specific providers, please refer to our <a href="../../introduction/stability-support/">stability/support table</a>.</p>
 <h3 id="retain-default">Retain (default)</h3>
 <p>Retain will retain the secret if all provider secrets have been deleted.
 If a provider secret does not exist the ExternalSecret gets into the

+ 2256 - 0
main/guides/pushsecrets/index.html

@@ -0,0 +1,2256 @@
+
+<!doctype html>
+<html lang="en" class="no-js">
+  <head>
+    
+      <meta charset="utf-8">
+      <meta name="viewport" content="width=device-width,initial-scale=1">
+      
+      
+      
+      
+      
+      <link rel="icon" href="../../assets/images/favicon.png">
+      <meta name="generator" content="mkdocs-1.4.3, mkdocs-material-9.1.9">
+    
+    
+      
+        <title>Pushsecrets - External Secrets Operator</title>
+      
+    
+    
+      <link rel="stylesheet" href="../../assets/stylesheets/main.85bb2934.min.css">
+      
+      
+
+    
+    
+    
+      
+        
+        
+        <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+        <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
+        <style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
+      
+    
+    
+    <script>__md_scope=new URL("../..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
+    
+      
+  
+
+
+  
+  
+
+
+  <script id="__analytics">function __md_analytics(){function n(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],n("js",new Date),n("config","G-QP38TD8K7V"),document.addEventListener("DOMContentLoaded",function(){document.forms.search&&document.forms.search.query.addEventListener("blur",function(){this.value&&n("event","search",{search_term:this.value})}),document$.subscribe(function(){var a=document.forms.feedback;if(void 0!==a)for(var e of a.querySelectorAll("[type=submit]"))e.addEventListener("click",function(e){e.preventDefault();var t=document.location.pathname,e=this.getAttribute("data-md-value");n("event","feedback",{page:t,data:e}),a.firstElementChild.disabled=!0;e=a.querySelector(".md-feedback__note [data-md-value='"+e+"']");e&&(e.hidden=!1)}),a.hidden=!1}),location$.subscribe(function(e){n("config","G-QP38TD8K7V",{page_path:e.pathname})})});var e=document.createElement("script");e.async=!0,e.src="https://www.googletagmanager.com/gtag/js?id=G-QP38TD8K7V",document.getElementById("__analytics").insertAdjacentElement("afterEnd",e)}</script>
+
+  
+    <script>"undefined"!=typeof __md_analytics&&__md_analytics()</script>
+  
+
+    
+    
+    
+  </head>
+  
+  
+    <body dir="ltr">
+  
+    
+    
+      <script>var palette=__md_get("__palette");if(palette&&"object"==typeof palette.color)for(var key of Object.keys(palette.color))document.body.setAttribute("data-md-color-"+key,palette.color[key])</script>
+    
+    <input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
+    <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
+    <label class="md-overlay" for="__drawer"></label>
+    <div data-md-component="skip">
+      
+        
+        <a href="#backup-use-case" class="md-skip">
+          Skip to content
+        </a>
+      
+    </div>
+    <div data-md-component="announce">
+      
+    </div>
+    
+      <div data-md-color-scheme="default" data-md-component="outdated" hidden>
+        
+          <aside class="md-banner md-banner--warning">
+            <div class="md-banner__inner md-grid md-typeset">
+              
+  You're not viewing the latest version.
+  <a href="../../..">
+    <strong>Click here to go to latest.</strong>
+  </a>
+
+            </div>
+            <script>var el=document.querySelector("[data-md-component=outdated]"),outdated=__md_get("__outdated",sessionStorage);!0===outdated&&el&&(el.hidden=!1)</script>
+          </aside>
+        
+      </div>
+    
+    
+      
+
+<header class="md-header" data-md-component="header">
+  <nav class="md-header__inner md-grid" aria-label="Header">
+    <a href="../.." title="External Secrets Operator" class="md-header__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
+      
+  
+  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg>
+
+    </a>
+    <label class="md-header__button md-icon" for="__drawer">
+      <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg>
+    </label>
+    <div class="md-header__title" data-md-component="header-title">
+      <div class="md-header__ellipsis">
+        <div class="md-header__topic">
+          <span class="md-ellipsis">
+            External Secrets Operator
+          </span>
+        </div>
+        <div class="md-header__topic" data-md-component="header-topic">
+          <span class="md-ellipsis">
+            
+              Pushsecrets
+            
+          </span>
+        </div>
+      </div>
+    </div>
+    
+    
+    
+      <label class="md-header__button md-icon" for="__search">
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
+      </label>
+      <div class="md-search" data-md-component="search" role="dialog">
+  <label class="md-search__overlay" for="__search"></label>
+  <div class="md-search__inner" role="search">
+    <form class="md-search__form" name="search">
+      <input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
+      <label class="md-search__icon md-icon" for="__search">
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg>
+      </label>
+      <nav class="md-search__options" aria-label="Search">
+        
+        <button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
+          <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg>
+        </button>
+      </nav>
+      
+    </form>
+    <div class="md-search__output">
+      <div class="md-search__scrollwrap" data-md-scrollfix>
+        <div class="md-search-result" data-md-component="search-result">
+          <div class="md-search-result__meta">
+            Initializing search
+          </div>
+          <ol class="md-search-result__list" role="presentation"></ol>
+        </div>
+      </div>
+    </div>
+  </div>
+</div>
+    
+    
+      <div class="md-header__source">
+        <a href="https://github.com/external-secrets/external-secrets" title="Go to repository" class="md-source" data-md-component="source">
+  <div class="md-source__icon md-icon">
+    
+    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.4.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
+  </div>
+  <div class="md-source__repository">
+    External Secrets Operator
+  </div>
+</a>
+      </div>
+    
+  </nav>
+  
+</header>
+    
+    <div class="md-container" data-md-component="container">
+      
+      
+        
+          
+            
+<nav class="md-tabs" aria-label="Tabs" data-md-component="tabs">
+  <div class="md-grid">
+    <ul class="md-tabs__list">
+      
+        
+  
+  
+
+
+  
+  
+  
+    <li class="md-tabs__item">
+      <a href="../.." class="md-tabs__link">
+        Introduction
+      </a>
+    </li>
+  
+
+      
+        
+  
+  
+
+
+  
+  
+  
+    <li class="md-tabs__item">
+      <a href="../../api/components/" class="md-tabs__link">
+        API
+      </a>
+    </li>
+  
+
+      
+        
+  
+  
+
+
+  
+  
+  
+    <li class="md-tabs__item">
+      <a href="../introduction/" class="md-tabs__link">
+        Guides
+      </a>
+    </li>
+  
+
+      
+        
+  
+  
+
+
+  
+  
+  
+    <li class="md-tabs__item">
+      <a href="../../provider/aws-secrets-manager/" class="md-tabs__link">
+        Provider
+      </a>
+    </li>
+  
+
+      
+        
+  
+  
+
+
+  
+  
+  
+    <li class="md-tabs__item">
+      <a href="../../examples/gitops-using-fluxcd/" class="md-tabs__link">
+        Examples
+      </a>
+    </li>
+  
+
+      
+        
+  
+  
+
+
+  
+  
+  
+    
+
+  
+  
+  
+    <li class="md-tabs__item">
+      <a href="../../contributing/devguide/" class="md-tabs__link">
+        Community
+      </a>
+    </li>
+  
+
+  
+
+      
+    </ul>
+  </div>
+</nav>
+          
+        
+      
+      <main class="md-main" data-md-component="main">
+        <div class="md-main__inner md-grid">
+          
+            
+              
+              <div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
+                <div class="md-sidebar__scrollwrap">
+                  <div class="md-sidebar__inner">
+                    
+
+  
+
+
+<nav class="md-nav md-nav--primary md-nav--lifted" aria-label="Navigation" data-md-level="0">
+  <label class="md-nav__title" for="__drawer">
+    <a href="../.." title="External Secrets Operator" class="md-nav__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
+      
+  
+  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg>
+
+    </a>
+    External Secrets Operator
+  </label>
+  
+    <div class="md-nav__source">
+      <a href="https://github.com/external-secrets/external-secrets" title="Go to repository" class="md-source" data-md-component="source">
+  <div class="md-source__icon md-icon">
+    
+    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.4.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
+  </div>
+  <div class="md-source__repository">
+    External Secrets Operator
+  </div>
+</a>
+    </div>
+  
+  <ul class="md-nav__list" data-md-scrollfix>
+    
+      
+      
+      
+
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_1" >
+      
+      
+        
+          
+            
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        
+        
+        <div class="md-nav__link md-nav__link--index ">
+          <a href="../..">Introduction</a>
+          
+            <label for="__nav_1">
+              <span class="md-nav__icon md-icon"></span>
+            </label>
+          
+        </div>
+      
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_1_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_1">
+          <span class="md-nav__icon md-icon"></span>
+          Introduction
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../introduction/overview/" class="md-nav__link">
+        Overview
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../introduction/getting-started/" class="md-nav__link">
+        Getting started
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../introduction/faq/" class="md-nav__link">
+        FAQ
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../introduction/stability-support/" class="md-nav__link">
+        Stability and Support
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../introduction/deprecation-policy/" class="md-nav__link">
+        Deprecation Policy
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+    
+      
+      
+      
+
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_2" id="__nav_2_label" tabindex="0">
+          API
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_2">
+          <span class="md-nav__icon md-icon"></span>
+          API
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/components/" class="md-nav__link">
+        Components
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_2" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_2_2" id="__nav_2_2_label" tabindex="0">
+          Core Resources
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_2_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_2_2">
+          <span class="md-nav__icon md-icon"></span>
+          Core Resources
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/externalsecret/" class="md-nav__link">
+        ExternalSecret
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/secretstore/" class="md-nav__link">
+        SecretStore
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/clustersecretstore/" class="md-nav__link">
+        ClusterSecretStore
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/clusterexternalsecret/" class="md-nav__link">
+        ClusterExternalSecret
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/pushsecret/" class="md-nav__link">
+        PushSecret
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_3" >
+      
+      
+        
+          
+            
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        
+        
+        <div class="md-nav__link md-nav__link--index ">
+          <a href="../../api/generator/">Generators</a>
+          
+            <label for="__nav_2_3">
+              <span class="md-nav__icon md-icon"></span>
+            </label>
+          
+        </div>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_3_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_2_3">
+          <span class="md-nav__icon md-icon"></span>
+          Generators
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/generator/acr/" class="md-nav__link">
+        Azure Container Registry
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/generator/ecr/" class="md-nav__link">
+        AWS Elastic Container Registry
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/generator/gcr/" class="md-nav__link">
+        Google Container Registry
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/generator/vault/" class="md-nav__link">
+        Vault Dynamic Secret
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/generator/password/" class="md-nav__link">
+        Password
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/generator/fake/" class="md-nav__link">
+        Fake
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_4" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_2_4" id="__nav_2_4_label" tabindex="0">
+          Reference Docs
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_4_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_2_4">
+          <span class="md-nav__icon md-icon"></span>
+          Reference Docs
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/spec/" class="md-nav__link">
+        API specification
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/controller-options/" class="md-nav__link">
+        Controller Options
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/metrics/" class="md-nav__link">
+        Metrics
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+    
+      
+      
+      
+
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_3" id="__nav_3_label" tabindex="0">
+          Guides
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_3">
+          <span class="md-nav__icon md-icon"></span>
+          Guides
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../introduction/" class="md-nav__link">
+        Introduction
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_2" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_3_2" id="__nav_3_2_label" tabindex="0">
+          External Secrets
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_2_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_3_2">
+          <span class="md-nav__icon md-icon"></span>
+          External Secrets
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../all-keys-one-secret/" class="md-nav__link">
+        Extract structured data
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../getallsecrets/" class="md-nav__link">
+        Find Secrets by Name or Metadata
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../datafrom-rewrite/" class="md-nav__link">
+        Rewriting Keys
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_2_4" >
+      
+      
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_3_2_4" id="__nav_3_2_4_label" tabindex="0">
+          Advanced Templating
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="3" aria-labelledby="__nav_3_2_4_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_3_2_4">
+          <span class="md-nav__icon md-icon"></span>
+          Advanced Templating
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../templating/" class="md-nav__link">
+        v2
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../templating-v1/" class="md-nav__link">
+        v1
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../common-k8s-secret-types/" class="md-nav__link">
+        Kubernetes Secret Types
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../ownership-deletion-policy/" class="md-nav__link">
+        Lifecycle: ownership & deletion
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../decoding-strategy/" class="md-nav__link">
+        Decoding Strategies
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../controller-class/" class="md-nav__link">
+        Controller Classes
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../generator/" class="md-nav__link">
+        Generators
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_4" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
+          Operations
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_4_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_3_4">
+          <span class="md-nav__icon md-icon"></span>
+          Operations
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../multi-tenancy/" class="md-nav__link">
+        Multi Tenancy
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../security-best-practices/" class="md-nav__link">
+        Security Best Practices
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../v1beta1/" class="md-nav__link">
+        Upgrading to v1beta1
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../using-latest-image/" class="md-nav__link">
+        Using Latest Image
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../disable-cluster-features/" class="md-nav__link">
+        Disable Cluster Features
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+    
+      
+      
+      
+
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_4" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="0">
+          Provider
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_4">
+          <span class="md-nav__icon md-icon"></span>
+          Provider
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/aws-secrets-manager/" class="md-nav__link">
+        AWS Secrets Manager
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/aws-parameter-store/" class="md-nav__link">
+        AWS Parameter Store
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/azure-key-vault/" class="md-nav__link">
+        Azure Key Vault
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/google-secrets-manager/" class="md-nav__link">
+        Google Cloud Secret Manager
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/hashicorp-vault/" class="md-nav__link">
+        HashiCorp Vault
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/kubernetes/" class="md-nav__link">
+        Kubernetes
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/ibm-secrets-manager/" class="md-nav__link">
+        IBM Secrets Manager
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/akeyless/" class="md-nav__link">
+        Akeyless
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/yandex-certificate-manager/" class="md-nav__link">
+        Yandex Certificate Manager
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/yandex-lockbox/" class="md-nav__link">
+        Yandex Lockbox
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/alibaba/" class="md-nav__link">
+        Alibaba Cloud
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/gitlab-variables/" class="md-nav__link">
+        GitLab Variables
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/oracle-vault/" class="md-nav__link">
+        Oracle Vault
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/1password-automation/" class="md-nav__link">
+        1Password Secrets Automation
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/webhook/" class="md-nav__link">
+        Webhook
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/fake/" class="md-nav__link">
+        Fake
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/senhasegura-dsm/" class="md-nav__link">
+        senhasegura DevOps Secrets Management (DSM)
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/doppler/" class="md-nav__link">
+        Doppler
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/keeper-security/" class="md-nav__link">
+        Keeper Security
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/scaleway/" class="md-nav__link">
+        Scaleway
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+    
+      
+      
+      
+
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_5" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
+          Examples
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_5">
+          <span class="md-nav__icon md-icon"></span>
+          Examples
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../examples/gitops-using-fluxcd/" class="md-nav__link">
+        FluxCD
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../examples/anchore-engine-credentials/" class="md-nav__link">
+        Anchore Engine
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../examples/jenkins-kubernetes-credentials/" class="md-nav__link">
+        Jenkins
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../examples/bitwarden/" class="md-nav__link">
+        BitWarden
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+    
+      
+      
+      
+
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6" >
+      
+      
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0">
+          Community
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_6">
+          <span class="md-nav__icon md-icon"></span>
+          Community
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6_1" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_6_1" id="__nav_6_1_label" tabindex="0">
+          Contributing
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_6_1_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_6_1">
+          <span class="md-nav__icon md-icon"></span>
+          Contributing
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../contributing/devguide/" class="md-nav__link">
+        Developer guide
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../contributing/process/" class="md-nav__link">
+        Contributing Process
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../contributing/release/" class="md-nav__link">
+        Release Process
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../contributing/coc/" class="md-nav__link">
+        Code of Conduct
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../contributing/roadmap/" class="md-nav__link">
+        Roadmap
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6_2" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_6_2" id="__nav_6_2_label" tabindex="0">
+          External Resources
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_6_2_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_6_2">
+          <span class="md-nav__icon md-icon"></span>
+          External Resources
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../eso-talks/" class="md-nav__link">
+        Talks
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../eso-demos/" class="md-nav__link">
+        Demos
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../eso-blogs/" class="md-nav__link">
+        Blogs
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+    
+  </ul>
+</nav>
+                  </div>
+                </div>
+              </div>
+            
+            
+              
+              <div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
+                <div class="md-sidebar__scrollwrap">
+                  <div class="md-sidebar__inner">
+                    
+
+<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
+  
+  
+  
+  
+    <label class="md-nav__title" for="__toc">
+      <span class="md-nav__icon md-icon"></span>
+      Table of contents
+    </label>
+    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
+      
+        <li class="md-nav__item">
+  <a href="#backup-use-case" class="md-nav__link">
+    Backup use case
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#pushing-the-whole-secret" class="md-nav__link">
+    Pushing the whole secret
+  </a>
+  
+</li>
+      
+    </ul>
+  
+</nav>
+                  </div>
+                </div>
+              </div>
+            
+          
+          
+            <div class="md-content" data-md-component="content">
+              <article class="md-content__inner md-typeset">
+                
+                  
+
+  
+  
+
+
+  <h1>Pushsecrets</h1>
+
+<p>Contrary to what <code>ExternalSecret</code> does by pulling secrets from secret providers and creating <code>kind=Secret</code> in your cluster, <code>PushSecret</code> reads a local <code>kind=Secret</code> and pushes its content to a secret provider.</p>
+<p>If there's already a secret in the secrets provided with the intended name of the secret to be created by the <code>PushSecret</code> you'll see the <code>PushSecret</code> in Error state, and when described you'll see a message saying <code>secret not managed by external-secrets</code>.</p>
+<p>By default, the secret created in the secret provided will not be deleted even after deleting the <code>PushSecret</code>, unless you set <code>spec.deletionPolicy</code> to Delete. </p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecret</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pushsecret-example</span><span class="w"> </span><span class="c1"># Customisable</span>
+<span class="w">  </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span><span class="w"> </span><span class="c1"># Same of the SecretStores</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">deletionPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Delete</span><span class="w"> </span><span class="c1"># the provider&#39; secret will be deleted if the PushSecret is deleted</span>
+<span class="w">  </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">10s</span><span class="w"> </span><span class="c1"># Refresh interval for which push secret will reconcile</span>
+<span class="w">  </span><span class="nt">secretStoreRefs</span><span class="p">:</span><span class="w"> </span><span class="c1"># A list of secret stores to push secrets to</span>
+<span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aws-parameterstore</span>
+<span class="w">      </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="w">  </span><span class="nt">selector</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">secret</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pokedex-credentials</span><span class="w"> </span><span class="c1"># Source Kubernetes secret to be pushed</span>
+<span class="w">  </span><span class="nt">data</span><span class="p">:</span>
+<span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">match</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">best-pokemon</span><span class="w"> </span><span class="c1"># Source Kubernetes secret key to be pushed</span>
+<span class="w">        </span><span class="nt">remoteRef</span><span class="p">:</span>
+<span class="w">          </span><span class="nt">remoteKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-first-parameter</span><span class="w"> </span><span class="c1"># Remote reference (where the secret is going to be pushed)</span>
+</code></pre></div>
+<h2 id="backup-use-case">Backup use case</h2>
+<p>An interesting use case for <code>kind=PushSecret</code> is backing up your current secret from one provider to another one.</p>
+<p>Imagine you have your secrets in GCP and you want to back them up in Azure Key Vault. You would then create a <code>SecretStore</code> for each provider, and an <code>ExternalSecret</code> to pull the secrets from GCP. This will generetae <code>kind=Secret</code> in your cluster that you can use as the source of a <code>PushSecret</code> configured with the Azure <code>SecretStore</code>. </p>
+<p><img alt="PushSecretBackup" src="../../pictures/diagrams-pushsecret-backup.png" /></p>
+<h2 id="pushing-the-whole-secret">Pushing the whole secret</h2>
+<p>There are two ways to push an entire secret without defining all keys individually.</p>
+<p>By leaving off the secret key and remote property options.</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecret</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pushsecret-example</span><span class="w"> </span><span class="c1"># Customisable</span>
+<span class="w">  </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span><span class="w"> </span><span class="c1"># Same of the SecretStores</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">deletionPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Delete</span><span class="w"> </span><span class="c1"># the provider&#39; secret will be deleted if the PushSecret is deleted</span>
+<span class="w">  </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">10s</span><span class="w"> </span><span class="c1"># Refresh interval for which push secret will reconcile</span>
+<span class="w">  </span><span class="nt">secretStoreRefs</span><span class="p">:</span><span class="w"> </span><span class="c1"># A list of secret stores to push secrets to</span>
+<span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aws-parameterstore</span>
+<span class="w">      </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="w">  </span><span class="nt">selector</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">secret</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pokedex-credentials</span><span class="w"> </span><span class="c1"># Source Kubernetes secret to be pushed</span>
+<span class="w">  </span><span class="nt">data</span><span class="p">:</span>
+<span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">match</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">remoteRef</span><span class="p">:</span>
+<span class="w">          </span><span class="nt">remoteKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-first-parameter</span><span class="w"> </span><span class="c1"># Remote reference (where the secret is going to be pushed)</span>
+</code></pre></div>
+<p>This will result in all keys being pushed as they are into the remote location.</p>
+<p>By leaving off the secret key but setting the remote property option.</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecret</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pushsecret-example</span><span class="w"> </span><span class="c1"># Customisable</span>
+<span class="w">  </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span><span class="w"> </span><span class="c1"># Same of the SecretStores</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">deletionPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Delete</span><span class="w"> </span><span class="c1"># the provider&#39; secret will be deleted if the PushSecret is deleted</span>
+<span class="w">  </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">10s</span><span class="w"> </span><span class="c1"># Refresh interval for which push secret will reconcile</span>
+<span class="w">  </span><span class="nt">secretStoreRefs</span><span class="p">:</span><span class="w"> </span><span class="c1"># A list of secret stores to push secrets to</span>
+<span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aws-parameterstore</span>
+<span class="w">      </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="w">  </span><span class="nt">selector</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">secret</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pokedex-credentials</span><span class="w"> </span><span class="c1"># Source Kubernetes secret to be pushed</span>
+<span class="w">  </span><span class="nt">data</span><span class="p">:</span>
+<span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">match</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">best-pokemon</span><span class="w"> </span><span class="c1"># Source Kubernetes secret key to be pushed</span>
+<span class="w">        </span><span class="nt">remoteRef</span><span class="p">:</span>
+<span class="w">          </span><span class="nt">remoteKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-first-parameter</span><span class="w"> </span><span class="c1"># Remote reference (where the secret is going to be pushed)</span>
+<span class="w">          </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">single-value-secret</span><span class="w"> </span><span class="c1"># the property to use to push into</span>
+</code></pre></div>
+<p>This will <em>marshal</em> the entire secret data and push it into this single property as a JSON object.</p>
+<div class="admonition warning inline end">
+<p class="admonition-title">Warning</p>
+<p>This should <em>ONLY</em> be done if the secret data is marshal-able. Values like, binary data cannot be marshaled and will result in error or invalid secret data.</p>
+</div>
+
+
+  
+
+
+
+
+                
+              </article>
+            </div>
+          
+          
+        </div>
+        
+      </main>
+      
+        <footer class="md-footer">
+  
+  <div class="md-footer-meta md-typeset">
+    <div class="md-footer-meta__inner md-grid">
+      <div class="md-copyright">
+  
+    <div class="md-copyright__highlight">
+      &copy; 2023 The external-secrets Authors.<br/>
+&copy; 2023 The Linux Foundation. All rights reserved.<br/><br/>
+The Linux Foundation has registered trademarks and uses trademarks.<br/>
+For a list of trademarks of The Linux Foundation, please see our <a href="https://www.linuxfoundation.org/trademark-usage/">Trademark Usage page</a>.
+
+    </div>
+  
+  
+    Made with
+    <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
+      Material for MkDocs
+    </a>
+  
+</div>
+      
+    </div>
+  </div>
+</footer>
+      
+    </div>
+    <div class="md-dialog" data-md-component="dialog">
+      <div class="md-dialog__inner md-typeset"></div>
+    </div>
+    
+    <script id="__config" type="application/json">{"base": "../..", "features": ["navigation.tabs", "navigation.indexes", "navigation.expand"], "search": "../../assets/javascripts/workers/search.208ed371.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}, "version": {"provider": "mike"}}</script>
+    
+    
+      <script src="../../assets/javascripts/bundle.fac441b0.min.js"></script>
+      
+    
+  </body>
+</html>

+ 418 - 68
main/guides/security-best-practices/index.html

@@ -12,7 +12,7 @@
         <link rel="prev" href="../multi-tenancy/">
       
       
-        <link rel="next" href="../v1beta1/">
+        <link rel="next" href="../threat-model/">
       
       <link rel="icon" href="../../assets/images/favicon.png">
       <meta name="generator" content="mkdocs-1.4.3, mkdocs-material-9.1.9">
@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1267,6 +1269,47 @@
     </label>
     <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
       
+        <li class="md-nav__item">
+  <a href="#security-functions-and-features" class="md-nav__link">
+    Security Functions and Features
+  </a>
+  
+    <nav class="md-nav" aria-label="Security Functions and Features">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#1-namespace-isolation" class="md-nav__link">
+    1. Namespace Isolation
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#2-configure-clustersecretstore-match-conditions" class="md-nav__link">
+    2. Configure ClusterSecretStore match conditions
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#3-selectively-disable-reconciliation-of-cluster-wide-resources" class="md-nav__link">
+    3. Selectively Disable Reconciliation of Cluster-Wide Resources
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#4-implement-namespace-scoped-installation" class="md-nav__link">
+    4. Implement Namespace-Scoped Installation
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+      
         <li class="md-nav__item">
   <a href="#pod-security" class="md-nav__link">
     Pod Security
@@ -1275,17 +1318,91 @@
 </li>
       
         <li class="md-nav__item">
-  <a href="#rbac" class="md-nav__link">
-    RBAC
+  <a href="#role-based-access-control-rbac" class="md-nav__link">
+    Role-Based Access Control (RBAC)
   </a>
   
 </li>
       
         <li class="md-nav__item">
-  <a href="#network-policy" class="md-nav__link">
-    Network Policy
+  <a href="#network-traffic-and-security" class="md-nav__link">
+    Network Traffic and Security
+  </a>
+  
+    <nav class="md-nav" aria-label="Network Traffic and Security">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#outbound-traffic-restrictions" class="md-nav__link">
+    Outbound Traffic Restrictions
+  </a>
+  
+    <nav class="md-nav" aria-label="Outbound Traffic Restrictions">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#core-controller" class="md-nav__link">
+    Core Controller
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#webhook" class="md-nav__link">
+    Webhook
   </a>
   
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#cert-controller" class="md-nav__link">
+    Cert Controller
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#inbound-traffic-restrictions" class="md-nav__link">
+    Inbound Traffic Restrictions
+  </a>
+  
+    <nav class="md-nav" aria-label="Inbound Traffic Restrictions">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#core-controller_1" class="md-nav__link">
+    Core Controller
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#cert-controller_1" class="md-nav__link">
+    Cert Controller
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#webhook_1" class="md-nav__link">
+    Webhook
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
 </li>
       
         <li class="md-nav__item">
@@ -1318,8 +1435,8 @@
 </li>
         
           <li class="md-nav__item">
-  <a href="#verify-provenance" class="md-nav__link">
-    Verify Provenance
+  <a href="#verifying-provenance" class="md-nav__link">
+    Verifying Provenance
   </a>
   
 </li>
@@ -1350,6 +1467,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1452,6 +1583,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1520,6 +1657,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1744,6 +1895,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1753,6 +1918,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2135,6 +2314,47 @@
     </label>
     <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
       
+        <li class="md-nav__item">
+  <a href="#security-functions-and-features" class="md-nav__link">
+    Security Functions and Features
+  </a>
+  
+    <nav class="md-nav" aria-label="Security Functions and Features">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#1-namespace-isolation" class="md-nav__link">
+    1. Namespace Isolation
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#2-configure-clustersecretstore-match-conditions" class="md-nav__link">
+    2. Configure ClusterSecretStore match conditions
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#3-selectively-disable-reconciliation-of-cluster-wide-resources" class="md-nav__link">
+    3. Selectively Disable Reconciliation of Cluster-Wide Resources
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#4-implement-namespace-scoped-installation" class="md-nav__link">
+    4. Implement Namespace-Scoped Installation
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+      
         <li class="md-nav__item">
   <a href="#pod-security" class="md-nav__link">
     Pod Security
@@ -2143,17 +2363,91 @@
 </li>
       
         <li class="md-nav__item">
-  <a href="#rbac" class="md-nav__link">
-    RBAC
+  <a href="#role-based-access-control-rbac" class="md-nav__link">
+    Role-Based Access Control (RBAC)
   </a>
   
 </li>
       
         <li class="md-nav__item">
-  <a href="#network-policy" class="md-nav__link">
-    Network Policy
+  <a href="#network-traffic-and-security" class="md-nav__link">
+    Network Traffic and Security
+  </a>
+  
+    <nav class="md-nav" aria-label="Network Traffic and Security">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#outbound-traffic-restrictions" class="md-nav__link">
+    Outbound Traffic Restrictions
+  </a>
+  
+    <nav class="md-nav" aria-label="Outbound Traffic Restrictions">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#core-controller" class="md-nav__link">
+    Core Controller
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#webhook" class="md-nav__link">
+    Webhook
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#cert-controller" class="md-nav__link">
+    Cert Controller
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#inbound-traffic-restrictions" class="md-nav__link">
+    Inbound Traffic Restrictions
   </a>
   
+    <nav class="md-nav" aria-label="Inbound Traffic Restrictions">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#core-controller_1" class="md-nav__link">
+    Core Controller
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#cert-controller_1" class="md-nav__link">
+    Cert Controller
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#webhook_1" class="md-nav__link">
+    Webhook
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
 </li>
       
         <li class="md-nav__item">
@@ -2186,8 +2480,8 @@
 </li>
         
           <li class="md-nav__item">
-  <a href="#verify-provenance" class="md-nav__link">
-    Verify Provenance
+  <a href="#verifying-provenance" class="md-nav__link">
+    Verifying Provenance
   </a>
   
 </li>
@@ -2223,75 +2517,123 @@
 
 
 <h1 id="security-best-practices">Security Best Practices</h1>
-<p>The purpose of this document is to provide a set of best practices for securing External Secrets Operator. These best practices are designed to reduce the risk of a successful attack against the operator or the Kubernetes cluster it integrates with.</p>
+<p>The purpose of this document is to outline a set of best practices for securing the External Secrets Operator (ESO). These practices aim to mitigate the risk of successful attacks against ESO and the Kubernetes cluster it integrates with.</p>
+<h2 id="security-functions-and-features">Security Functions and Features</h2>
+<h3 id="1-namespace-isolation">1. Namespace Isolation</h3>
+<p>To maintain security boundaries, ESO ensures that namespaced resources like <code>SecretStore</code> and <code>ExternalSecret</code> are limited to their respective namespaces. The following rules apply:</p>
+<ol>
+<li><code>ExternalSecret</code> resources must not have cross-namespace references of <code>Kind=SecretStore</code> or <code>Kind=Secret</code> resources</li>
+<li><code>SecretStore</code> resources must not have cross-namespace references of <code>Kind=Secret</code> or others</li>
+</ol>
+<p>For cluster-wide resources like <code>ClusterSecretStore</code> and <code>ClusterExternalSecret</code>, exercise caution since they have access to Secret resources across all namespaces. Minimize RBAC permissions for administrators and developers to the necessary minimum. If cluster-wide resources are not required, it is recommended to disable them.</p>
+<h3 id="2-configure-clustersecretstore-match-conditions">2. Configure ClusterSecretStore match conditions</h3>
+<p>Utilize the ClusterSecretStore resource to define specific match conditions using <code>namespaceSelector</code> or an explicit namespaces list. This restricts the usage of the <code>ClusterSecretStore</code> to a predetermined list of namespaces or a namespace that matches a predefined label. Here's an example:</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ClusterSecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">fake</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">conditions</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">namespaceSelector</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">frontend</span>
+</code></pre></div>
+<h3 id="3-selectively-disable-reconciliation-of-cluster-wide-resources">3. Selectively Disable Reconciliation of Cluster-Wide Resources</h3>
+<p>ESO allows you to selectively disable the reconciliation of cluster-wide resources such as <code>ClusterSecretStore</code>, <code>ClusterExternalSecret</code>, and <code>PushSecret</code>. You can disable the installation of CRDs in the Helm chart or disable reconciliation in the core-controller using the following options:</p>
+<p>To disable CRD installation:</p>
+<div class="highlight"><pre><span></span><code><span class="c1"># disable cluster-wide resources &amp; push secret</span>
+<span class="nt">crds</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">createClusterExternalSecret</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span>
+<span class="w">  </span><span class="nt">createClusterSecretStore</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span>
+<span class="w">  </span><span class="nt">createPushSecret</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span>
+</code></pre></div>
+<p>To disable reconciliation in the core-controller:</p>
+<div class="highlight"><pre><span></span><code>--enable-cluster-external-secret-reconciler
+--enable-cluster-store-reconciler
+</code></pre></div>
+<h3 id="4-implement-namespace-scoped-installation">4. Implement Namespace-Scoped Installation</h3>
+<p>To further enhance security, consider installing ESO into a specific namespace with restricted access to only that namespace's resources. This prevents access to cluster-wide secrets. Use the following Helm values to scope the controller to a specific namespace:</p>
+<div class="highlight"><pre><span></span><code><span class="c1"># If set to true, create scoped RBAC roles under the scoped namespace</span>
+<span class="c1"># and implicitly disable cluster stores and cluster external secrets</span>
+<span class="nt">scopedRBAC</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
+
+<span class="c1"># Specify the namespace where external secrets should be reconciled</span>
+<span class="nt">scopedNamespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-namespace</span>
+</code></pre></div>
 <h2 id="pod-security">Pod Security</h2>
-<p>The External Secrets Operator Pods have been configured to adhere to <a href="https://kubernetes.io/docs/concepts/security/pod-security-standards/">Pod Security Standards</a> <code>restricted</code> profile which establish a great security posture by following current Pod hardening best practices such as the <a href="https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF">NSA Kubernetes Hardening Guide</a>.</p>
-<p>These measures provide a secure and robust environment for the External Secrets Operator to operate within. They have been set as default since <code>v0.8.2</code> and should not be changed to conform with the principle of least privilege.</p>
-<h2 id="rbac">RBAC</h2>
-<p>The External Secrets Operator runs with highly privileged access to your Kubernetes cluster. Due to it's purpose it is able to read and write to all secrets across all namespaces.</p>
-<p>Make sure to restrict access to ESO resources like <code>ExternalSecret</code>, <code>SecretStore</code> etc. where appropriate. This is particularly important for cluster-scoped resources like <code>ClusterExternalSecret</code> and <code>ClusterSecretStore</code>. If an attacker is able to tamper with these resources he could potentially get unauthorized access to secrets or may be able to exfiltrate data out of your system.</p>
-<p>In most scenarios the External Secrets Operator runs cluster-wide. If this is not desired and you want to run it per-namespace, you can scope it to a particular namespace, see <code>scopedRBAC</code> and <code>scopedNamespace</code> in the helm chart.</p>
-<p>A short checklist for you to walk through:</p>
+<p>The Pods of the External Secrets Operator have been configured to meet the <a href="https://kubernetes.io/docs/concepts/security/pod-security-standards/">Pod Security Standards</a>, specifically the restricted profile. This configuration ensures a strong security posture by implementing recommended best practices for hardening Pods, including those outlined in the <a href="https://media.defense.gov/2022/Aug/29/2003066362/-1/-1/0/CTR_KUBERNETES_HARDENING_GUIDANCE_1.2_20220829.PDF">NSA Kubernetes Hardening Guide</a>.</p>
+<p>By adhering to these standards, the External Secrets Operator benefits from a secure and resilient operating environment. The restricted profile has been set as the default configuration since version <code>v0.8.2</code>, and it is recommended to maintain this setting to align with the principle of least privilege.</p>
+<h2 id="role-based-access-control-rbac">Role-Based Access Control (RBAC)</h2>
+<p>The External Secrets Operator operates with elevated privileges within your Kubernetes cluster, allowing it to read and write to all secrets across all namespaces. It is crucial to properly restrict access to ESO resources such as <code>ExternalSecret</code> and <code>SecretStore</code> where necessary. This is particularly important for cluster-scoped resources like <code>ClusterExternalSecret</code> and <code>ClusterSecretStore</code>. Unauthorized tampering with these resources by an attacker could lead to unauthorized access to secrets or potential data exfiltration from your system.</p>
+<p>In most scenarios, the External Secrets Operator is deployed cluster-wide. However, if you prefer to run it on a per-namespace basis, you can scope it to a specific namespace using the <code>scopedRBAC</code> and <code>scopedNamespace</code> options in the helm chart.</p>
+<p>To ensure a secure RBAC configuration, consider the following checklist:</p>
+<ul>
+<li>Restrict access to execute shell commands (pods/exec) within the External Secrets Operator Pod.</li>
+<li>Restrict access to (Cluster)ExternalSecret and (Cluster)SecretStore resources.</li>
+<li>Limit access to aggregated ClusterRoles (view/edit/admin) as needed.</li>
+<li>If necessary, deploy ESO with scoped RBAC or within a specific namespace.</li>
+</ul>
+<p>By carefully managing RBAC permissions and scoping the External Secrets Operator appropriately, you can enhance the security of your Kubernetes cluster.</p>
+<h2 id="network-traffic-and-security">Network Traffic and Security</h2>
+<p>To ensure a secure network environment, it is recommended to restrict network traffic to and from the External Secrets Operator using <code>NetworkPolicies</code> or similar mechanisms. By default, the External Secrets Operator does not include pre-defined Network Policies.</p>
+<p>To implement network restrictions effectively, consider the following steps:</p>
 <ul>
-<li>restrict access to execute a shell <code>pods/exec</code> in External Secrets Operator Pod</li>
-<li>restrict access to <code>(Cluster)ExternalSecret</code> and <code>(Cluster)SecretStore</code></li>
-<li>restrict access to <a href="https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles">aggregated ClusterRoles</a> <code>view/edit/admin</code> where needed</li>
-<li>run ESO with scoped RBAC/Namespace if needed</li>
+<li>Define and apply appropriate NetworkPolicies to limit inbound and outbound traffic for the External Secrets Operator.</li>
+<li>Specify a "deny all" policy by default and selectively permit necessary communication based on your specific requirements.</li>
+<li>Restrict access to only the required endpoints and protocols for the External Secrets Operator, such as communication with the Kubernetes API server or external secret providers.</li>
+<li>Regularly review and update the Network Policies to align with changes in your network infrastructure and security requirements.</li>
 </ul>
-<h2 id="network-policy">Network Policy</h2>
-<p>Network Traffic from/to the operator should be restricted using <code>NetworkPolicies</code> or similar. By default, External Secrets Operator does not provide Network Policies for you.</p>
+<p>It is the responsibility of the user to define and configure Network Policies tailored to their specific environment and security needs. By implementing proper network restrictions, you can enhance the overall security posture of the External Secrets Operator within your Kubernetes cluster.</p>
 <div class="admonition danger">
 <p class="admonition-title">Data Exfiltration Risk</p>
 <p>If not configured properly ESO may be used to exfiltrate data out of your cluster.
 It is advised to create tight NetworkPolicies and use a policy engine such as kyverno to prevent data exfiltration.</p>
 </div>
-<p>You should restrict access in <strong>egress</strong> direction:</p>
+<h3 id="outbound-traffic-restrictions">Outbound Traffic Restrictions</h3>
+<h4 id="core-controller">Core Controller</h4>
+<p>Restrict outbound traffic from the core controller component to the following destinations:</p>
 <ul>
-<li>controller<ul>
-<li>kube-apiserver</li>
-<li>secret provider (AWS, GCP, ...), where possible use private endpoints.</li>
+<li><code>kube-apiserver</code>: The Kubernetes API server.</li>
+<li>Secret provider (e.g., AWS, GCP): Whenever possible, use private endpoints to establish secure and private communication.</li>
 </ul>
-</li>
-<li>webhook<ul>
-<li>kube-apiserver</li>
-</ul>
-</li>
-<li>cert-controller<ul>
-<li>kube-apiserver</li>
-</ul>
-</li>
+<h4 id="webhook">Webhook</h4>
+<ul>
+<li>Restrict outbound traffic from the webhook component to the <code>kube-apiserver</code>.</li>
 </ul>
-<p>Further, you also should restrict <strong>ingress</strong> traffic to ESO Pods:</p>
+<h4 id="cert-controller">Cert Controller</h4>
 <ul>
-<li>controller<ul>
-<li><code>:8080</code> from you monitoring agent</li>
+<li>Restrict outbound traffic from the cert controller component to the <code>kube-apiserver</code>.</li>
 </ul>
-</li>
-<li>cert-controller:<ul>
-<li><code>:8080</code> from you monitoring agent</li>
-<li><code>:8081</code> from kubelet (healthz/readyz)</li>
+<h3 id="inbound-traffic-restrictions">Inbound Traffic Restrictions</h3>
+<h4 id="core-controller_1">Core Controller</h4>
+<ul>
+<li>Restrict inbound traffic to the core controller component by allowing communication on port <code>8080</code> from your monitoring agent.</li>
 </ul>
-</li>
-<li>webhook:<ul>
-<li><code>:10250</code> from the kube-apiserver</li>
-<li><code>:8080</code> from you monitoring agent</li>
-<li><code>:8081</code> from kubelet (healthz/readyz)</li>
+<h4 id="cert-controller_1">Cert Controller</h4>
+<ul>
+<li>Restrict inbound traffic to the cert controller component by allowing communication on port <code>8080</code> from your monitoring agent.</li>
+<li>Additionally, permit inbound traffic on port <code>8081</code> from the kubelet for health check endpoints (healthz/readyz).</li>
 </ul>
-</li>
+<h4 id="webhook_1">Webhook</h4>
+<p>Restrict inbound traffic to the webhook component as follows:</p>
+<ul>
+<li>Allow communication on port <code>10250</code> from the kube-apiserver.</li>
+<li>Allow communication on port <code>8080</code> from your monitoring agent.</li>
+<li>Permit inbound traffic on port <code>8081</code> from the kubelet for health check endpoints (healthz/readyz).</li>
 </ul>
 <h2 id="policy-engine-best-practices">Policy Engine Best Practices</h2>
-<p>You should use a policy engine like <a href="http://kyverno.io/">kyverno</a> or <a href="https://github.com/open-policy-agent/gatekeeper">OPA Gatekeeper</a> to restrict changes made to ESO resources like <code>SecretStore</code> and <code>ExternalSecret</code>.</p>
+<p>To enhance the security and enforce specific policies for External Secrets Operator (ESO) resources such as SecretStore and ExternalSecret, it is recommended to utilize a policy engine like <a href="http://kyverno.io/">Kyverno</a> or <a href="https://github.com/open-policy-agent/gatekeeper">OPA Gatekeeper</a>. These policy engines provide a way to define and enforce custom policies that restrict changes made to ESO resources.</p>
 <div class="admonition danger">
 <p class="admonition-title">Data Exfiltration Risk</p>
 <p>ESO could be used to exfiltrate data out of your cluster. You should disable all providers you don't need.
 Further, you should implement <code>NetworkPolicies</code> to restrict network access to known entities (see above), to prevent data exfiltration.</p>
 </div>
-<p>Here a couple of recommendations for you to consider:</p>
-<ul>
-<li>explicitly deny usage of the providers you don't need</li>
-<li>restrict access to secrets with/without a particular prefix in <code>.spec.data[].remoteRef.key</code></li>
-<li>restrict usage of a <code>(Cluster)SecretStore</code> reference in an ExternalSecret</li>
-</ul>
+<p>Here are some recommendations to consider when configuring your policies:</p>
+<ol>
+<li><strong>Explicitly Deny Unused Providers</strong>: Create policies that explicitly deny the usage of secret providers that are not required in your environment. This prevents unauthorized access to unnecessary providers and reduces the attack surface.</li>
+<li><strong>Restrict Access to Secrets</strong>: Implement policies that restrict access to secrets based on specific conditions. For example, you can define policies to allow access to secrets only if they have a particular prefix in the <code>.spec.data[].remoteRef.key</code> field. This helps ensure that only authorized entities can access sensitive information.</li>
+<li><strong>Restrict <code>ClusterSecretStore</code> References</strong>: Define policies to restrict the usage of ClusterSecretStore references within ExternalSecret resources. This ensures that the resources are properly scoped and prevent potential unauthorized access to secrets across namespaces.</li>
+</ol>
+<p>By leveraging a policy engine, you can implement these recommendations and enforce custom policies that align with your organization's security requirements. Please refer to the documentation of the chosen policy engine (e.g., Kyverno or OPA Gatekeeper) for detailed instructions on how to define and enforce policies for ESO resources.</p>
 <div class="admonition note">
 <p class="admonition-title">Provider Validation Example Policy</p>
 <p>The following policy validates the usage of the <code>provider</code> field in the SecretStore manifest.</p>
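Review bot: The two flags listed under "To disable reconciliation in the core-controller" are shown bare, and a bare boolean flag is normally read as true, so copying the block would leave the cluster-wide reconcilers running; the listing should read `--enable-cluster-external-secret-reconciler=false` and `--enable-cluster-store-reconciler=false`. The ClusterSecretStore example in section 2 also does not appear to match the v1beta1 schema, where `conditions` is a list and `namespaceSelector` is a label selector; it should be `- namespaceSelector:` followed by `matchLabels:` and `app: frontend`. With either snippet as rendered, a reader may believe a restriction is in place when it is not. This file is generated by MkDocs, so the correction belongs in the Markdown source rather than in this HTML.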
@@ -2319,14 +2661,21 @@ Further, you should implement <code>NetworkPolicies</code> to restrict network a
 </code></pre></div>
 </div>
 <h2 id="regular-patches">Regular Patches</h2>
-<p>Regularly patch and update all software components of ESO and the cluster to ensure that known vulnerabilities are addressed. Use automated patching and updating tools to ensure that all components are kept up-to-date.</p>
-<p>We provide regular updates to ESO, see <a href="../../introduction/stability-support.md">Stability and Support</a>.</p>
+<p>To maintain a secure environment, it is crucial to regularly patch and update all software components of External Secrets Operator and the underlying cluster. By doing so, known vulnerabilities can be addressed, and the overall system's security can be improved. Here are some recommended practices for ensuring timely updates:</p>
+<ol>
+<li><strong>Automated Patching and Updating</strong>: Utilize automated patching and updating tools to streamline the process of keeping software components up-to-date</li>
+<li><strong>Regular Update ESO</strong>: Stay informed about the latest updates and releases provided for ESO. The development team regularly releases updates to improve stability, performance, and security. Please refer to the <a href="../../introduction/stability-support/">Stability and Support</a> documentation for more information on the available updates</li>
+<li><strong>Cluster-wide Updates</strong>: Apart from ESO, ensure that all other software components within your cluster, such as the operating system, container runtime, and Kubernetes itself, are regularly patched and updated.</li>
+</ol>
+<p>By adhering to a regular patching and updating schedule, you can proactively mitigate security risks associated with known vulnerabilities and ensure the overall stability and security of your ESO deployment.</p>
 <h2 id="verify-artefacts">Verify Artefacts</h2>
 <h3 id="verify-container-images">Verify Container Images</h3>
-<p>External Secrets Operator container images are signed using Cosign and the keyless signing feature. To verify the container image, follow the steps below.</p>
-<div class="highlight"><pre><span></span><code>$<span class="w"> </span>crane<span class="w"> </span>digest<span class="w"> </span>ghcr.io/external-secrets/external-secrets:v0.8.1
+<p>The container images of External Secrets Operator are signed using Cosign and the keyless signing feature. To ensure the authenticity and integrity of the container image, you can follow the steps outlined below:</p>
+<div class="highlight"><pre><span></span><code><span class="c1"># Retrieve Image Signature</span>
+$<span class="w"> </span>crane<span class="w"> </span>digest<span class="w"> </span>ghcr.io/external-secrets/external-secrets:v0.8.1
 sha256:36e606279dbebac51b4b9300b9fa85e8c08c1c673ba3ecc38af1402a0b035554
 
+<span class="c1"># verify signature</span>
 $<span class="w"> </span><span class="nv">COSIGN_EXPERIMENTAL</span><span class="o">=</span><span class="m">1</span><span class="w"> </span>cosign<span class="w"> </span>verify<span class="w"> </span>ghcr.io/external-secrets/external-secrets@sha256:36e606279dbebac51b4b9300b9fa85e8c08c1c673ba3ecc38af1402a0b035554<span class="w"> </span><span class="p">|</span><span class="w"> </span>jq
 
 <span class="c1"># ...</span>
@@ -2363,9 +2712,10 @@ $<span class="w"> </span><span class="nv">COSIGN_EXPERIMENTAL</span><span class=
 <span class="w">  </span><span class="o">}</span>
 <span class="o">]</span>
 </code></pre></div>
-<p>Note that the important fields to verify in the output are <code>optional.Issuer</code> and <code>optional.Subject</code>. If Issuer and Subject do not match the values shown above, the image is not legit and should not be used.</p>
-<h3 id="verify-provenance">Verify Provenance</h3>
-<p>External Secrets Operator creates and attests to the provenance of its builds using the <a href="https://slsa.dev/provenance/v0.1">SLSA standard</a>. The attested provenance may be verified using the cosign tool.</p>
+<p>In the output of the verification process, pay close attention to the <code>optional.Issuer</code> and <code>optional.Subject</code> fields. These fields contain important information about the image's authenticity. Verify that the values of Issuer and Subject match the expected values for the ESO container image. If they do not match, it indicates that the image is not legitimate and should not be used.</p>
+<p>By following these steps and confirming that the Issuer and Subject fields align with the expected values for the ESO container image, you can ensure that the image has not been tampered with and is safe to use.</p>
+<h3 id="verifying-provenance">Verifying Provenance</h3>
+<p>The External Secrets Operator employs the <a href="https://slsa.dev/provenance/v0.1">SLSA</a> (Supply Chain Levels for Software Artifacts) standard to create and attest to the provenance of its builds. Provenance verification is essential to ensure the integrity and trustworthiness of the software supply chain. This outlines the process of verifying the attested provenance of External Secrets Operator builds using the cosign tool.</p>
 <div class="highlight"><pre><span></span><code>$<span class="w"> </span><span class="nv">COSIGN_EXPERIMENTAL</span><span class="o">=</span><span class="m">1</span><span class="w"> </span>cosign<span class="w"> </span>verify-attestation<span class="w"> </span>--type<span class="w"> </span>slsaprovenance<span class="w"> </span>ghcr.io/external-secrets/external-secrets:v0.8.1<span class="w"> </span><span class="p">|</span><span class="w"> </span>jq<span class="w"> </span>.payload<span class="w"> </span>-r<span class="w"> </span><span class="p">|</span><span class="w"> </span>base64<span class="w"> </span>--decode<span class="w"> </span><span class="p">|</span><span class="w"> </span>jq
 
 Verification<span class="w"> </span><span class="k">for</span><span class="w"> </span>ghcr.io/external-secrets/external-secrets:v0.8.1<span class="w"> </span>--
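Review bot: The rewritten paragraph tells the reader to compare `optional.Issuer` and `optional.Subject` with "the expected values" but no longer says where those values are; the removed wording pointed at the sample output above, and that pointer should stay. Because the comparison is manual, the `cosign verify` command shown earlier would presumably also succeed for a signature made under a different keyless identity, so the docs should pin the identity on the command line as well, e.g. `cosign verify --certificate-oidc-issuer <EXPECTED_ISSUER> --certificate-identity <EXPECTED_SUBJECT> ghcr.io/external-secrets/external-secrets@<DIGEST>` (placeholders, to be filled from the project's release workflow). The same pinning applies to the `verify-attestation` command at the end of this hunk. The page is generated, so the change belongs in the Markdown source.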
@@ -2413,7 +2763,7 @@ GitHub<span class="w"> </span>Workflow<span class="w"> </span>Ref:<span class="w
 <span class="o">}</span>
 </code></pre></div>
 <h3 id="fetching-sbom">Fetching SBOM</h3>
-<p>An SBOM (Software Bill of Materials) in Software Package Data Exchange (SPDX) JSON format is attached to every External Secrets Operator image.  To download and verify the SBOM for a specific version, install Cosign and run:</p>
+<p>Every External Secrets Operator image is accompanied by an SBOM (Software Bill of Materials) in SPDX JSON format. The SBOM provides detailed information about the software components and dependencies used in the image. This technical documentation explains the process of downloading and verifying the SBOM for a specific version of External Secrets Operator using the Cosign tool.</p>
 <div class="highlight"><pre><span></span><code>$<span class="w"> </span>crane<span class="w"> </span>digest<span class="w"> </span>ghcr.io/external-secrets/external-secrets:v0.8.1
 sha256:36e606279dbebac51b4b9300b9fa85e8c08c1c673ba3ecc38af1402a0b035554
 

+ 64 - 0
main/guides/templating-v1/index.html

@@ -1261,6 +1261,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1308,6 +1310,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1410,6 +1426,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1478,6 +1500,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1702,6 +1738,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1711,6 +1761,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 105 - 1
main/guides/templating/index.html

@@ -1100,6 +1100,13 @@
     </label>
     <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
       
+        <li class="md-nav__item">
+  <a href="#helm" class="md-nav__link">
+    Helm
+  </a>
+  
+</li>
+      
         <li class="md-nav__item">
   <a href="#examples" class="md-nav__link">
     Examples
@@ -1309,6 +1316,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1356,6 +1365,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1458,6 +1481,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1526,6 +1555,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1750,6 +1793,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1759,6 +1816,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2141,6 +2212,13 @@
     </label>
     <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
       
+        <li class="md-nav__item">
+  <a href="#helm" class="md-nav__link">
+    Helm
+  </a>
+  
+</li>
+      
         <li class="md-nav__item">
   <a href="#examples" class="md-nav__link">
     Examples
@@ -2236,6 +2314,32 @@
 
 <h1 id="advanced-templating-v2">Advanced Templating v2</h1>
 <p>With External Secrets Operator you can transform the data from the external secret provider before it is stored as <code>Kind=Secret</code>. You can do this with the <code>Spec.Target.Template</code>. Each data value is interpreted as a <a href="https://golang.org/pkg/text/template/">golang template</a>.</p>
+<div class="admonition note">
+<p class="admonition-title">Note</p>
+<p>Consider using camelcase when defining  <strong>.'spec.data.secretkey'</strong>, example: serviceAccountToken</p>
+<p>If your secret keys contain <strong><code>-</code> (dashes)</strong>, you will need to reference them using <strong><code>index</code></strong> </br>
+Example: <strong><code>\{\{ index .data "service-account-token" \}\}</code></strong></p>
+</div>
+<h2 id="helm">Helm</h2>
+<p>When installing ExternalSecrets via <code>helm</code>, the template must be escaped so that <code>helm</code> will not try to render it. The most straightforward way to accomplish this would be to use backticks (<a href="https://pkg.go.dev/text/template#hdr-Examples">raw string constants</a>):</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">template</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="c1"># ...</span>
+<span class="w">  </span><span class="nt">target</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">template</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v2</span>
+<span class="w">      </span><span class="nt">data</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">admin</span>
+<span class="w">        </span><span class="c1"># password: &quot;{{ .mysecret }}&quot;               # If you are using plain manifests or gitops tools</span>
+<span class="w">        </span><span class="nt">password</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;{{</span><span class="nv"> </span><span class="s">`{{</span><span class="nv"> </span><span class="s">.mysecret</span><span class="nv"> </span><span class="s">}}`</span><span class="nv"> </span><span class="s">}}&quot;</span><span class="w">         </span><span class="c1"># If you are using helm</span>
+<span class="w">  </span><span class="nt">data</span><span class="p">:</span>
+<span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mysecret</span>
+<span class="w">    </span><span class="nt">remoteRef</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/credentials</span>
+</code></pre></div>
 <h2 id="examples">Examples</h2>
 <p>You can use templates to inject your secrets into a configuration file that you mount into your pod:</p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
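Review bot: The new admonition renders the dash-key example with literal backslashes, `<code>\{\{ index .data "service-account-token" \}\}</code>`, so a reader who copies it gets `\{\{ … \}\}` rather than a usable template expression. The same paragraph ends a line with `</br>`, which is not a valid tag; `<br>` is what was meant. This page is MkDocs output, so the fix presumably belongs in the Markdown source of the templating guide: put the example in a raw block or code fence instead of backslash-escaping the braces, so it renders as `{{ index .data "service-account-token" }}`.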
@@ -2286,7 +2390,7 @@
 <span class="w">      </span><span class="nt">data</span><span class="p">:</span>
 <span class="w">        </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">admin</span>
 <span class="w">        </span><span class="nt">password</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;{{</span><span class="nv"> </span><span class="s">.mysecret</span><span class="nv"> </span><span class="s">}}&quot;</span><span class="w">                   </span><span class="c1"># If you are using plain manifests or gitops tools</span>
-<span class="w">        </span><span class="c1"># password: &#39;{{ printf &quot;{{ .mysecret }}&quot; }}&#39;  # If you are using templated tools like helm</span>
+<span class="w">        </span><span class="c1"># password: &quot;{{ `{{ .mysecret }}` }}&quot;         # If you are using templated tools like helm</span>
 <span class="w">  </span><span class="nt">data</span><span class="p">:</span>
 <span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mysecret</span>
 <span class="w">    </span><span class="nt">remoteRef</span><span class="p">:</span>

+ 2693 - 0
main/guides/threat-model/index.html

@@ -0,0 +1,2693 @@
+
+<!doctype html>
+<html lang="en" class="no-js">
+  <head>
+    
+      <meta charset="utf-8">
+      <meta name="viewport" content="width=device-width,initial-scale=1">
+      
+      
+      
+      
+        <link rel="prev" href="../security-best-practices/">
+      
+      
+        <link rel="next" href="../v1beta1/">
+      
+      <link rel="icon" href="../../assets/images/favicon.png">
+      <meta name="generator" content="mkdocs-1.4.3, mkdocs-material-9.1.9">
+    
+    
+      
+        <title>Threat Model - External Secrets Operator</title>
+      
+    
+    
+      <link rel="stylesheet" href="../../assets/stylesheets/main.85bb2934.min.css">
+      
+      
+
+    
+    
+    
+      
+        
+        
+        <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+        <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
+        <style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
+      
+    
+    
+    <script>__md_scope=new URL("../..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
+    
+      
+  
+
+
+  
+  
+
+
+  <script id="__analytics">function __md_analytics(){function n(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],n("js",new Date),n("config","G-QP38TD8K7V"),document.addEventListener("DOMContentLoaded",function(){document.forms.search&&document.forms.search.query.addEventListener("blur",function(){this.value&&n("event","search",{search_term:this.value})}),document$.subscribe(function(){var a=document.forms.feedback;if(void 0!==a)for(var e of a.querySelectorAll("[type=submit]"))e.addEventListener("click",function(e){e.preventDefault();var t=document.location.pathname,e=this.getAttribute("data-md-value");n("event","feedback",{page:t,data:e}),a.firstElementChild.disabled=!0;e=a.querySelector(".md-feedback__note [data-md-value='"+e+"']");e&&(e.hidden=!1)}),a.hidden=!1}),location$.subscribe(function(e){n("config","G-QP38TD8K7V",{page_path:e.pathname})})});var e=document.createElement("script");e.async=!0,e.src="https://www.googletagmanager.com/gtag/js?id=G-QP38TD8K7V",document.getElementById("__analytics").insertAdjacentElement("afterEnd",e)}</script>
+
+  
+    <script>"undefined"!=typeof __md_analytics&&__md_analytics()</script>
+  
+
+    
+    
+    
+  </head>
+  
+  
+    <body dir="ltr">
+  
+    
+    
+      <script>var palette=__md_get("__palette");if(palette&&"object"==typeof palette.color)for(var key of Object.keys(palette.color))document.body.setAttribute("data-md-color-"+key,palette.color[key])</script>
+    
+    <input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
+    <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
+    <label class="md-overlay" for="__drawer"></label>
+    <div data-md-component="skip">
+      
+        
+        <a href="#background" class="md-skip">
+          Skip to content
+        </a>
+      
+    </div>
+    <div data-md-component="announce">
+      
+    </div>
+    
+      <div data-md-color-scheme="default" data-md-component="outdated" hidden>
+        
+          <aside class="md-banner md-banner--warning">
+            <div class="md-banner__inner md-grid md-typeset">
+              
+  You're not viewing the latest version.
+  <a href="../../..">
+    <strong>Click here to go to latest.</strong>
+  </a>
+
+            </div>
+            <script>var el=document.querySelector("[data-md-component=outdated]"),outdated=__md_get("__outdated",sessionStorage);!0===outdated&&el&&(el.hidden=!1)</script>
+          </aside>
+        
+      </div>
+    
+    
+      
+
+<header class="md-header" data-md-component="header">
+  <nav class="md-header__inner md-grid" aria-label="Header">
+    <a href="../.." title="External Secrets Operator" class="md-header__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
+      
+  
+  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg>
+
+    </a>
+    <label class="md-header__button md-icon" for="__drawer">
+      <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg>
+    </label>
+    <div class="md-header__title" data-md-component="header-title">
+      <div class="md-header__ellipsis">
+        <div class="md-header__topic">
+          <span class="md-ellipsis">
+            External Secrets Operator
+          </span>
+        </div>
+        <div class="md-header__topic" data-md-component="header-topic">
+          <span class="md-ellipsis">
+            
+              Threat Model
+            
+          </span>
+        </div>
+      </div>
+    </div>
+    
+    
+    
+      <label class="md-header__button md-icon" for="__search">
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
+      </label>
+      <div class="md-search" data-md-component="search" role="dialog">
+  <label class="md-search__overlay" for="__search"></label>
+  <div class="md-search__inner" role="search">
+    <form class="md-search__form" name="search">
+      <input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
+      <label class="md-search__icon md-icon" for="__search">
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg>
+      </label>
+      <nav class="md-search__options" aria-label="Search">
+        
+        <button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
+          <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg>
+        </button>
+      </nav>
+      
+    </form>
+    <div class="md-search__output">
+      <div class="md-search__scrollwrap" data-md-scrollfix>
+        <div class="md-search-result" data-md-component="search-result">
+          <div class="md-search-result__meta">
+            Initializing search
+          </div>
+          <ol class="md-search-result__list" role="presentation"></ol>
+        </div>
+      </div>
+    </div>
+  </div>
+</div>
+    
+    
+      <div class="md-header__source">
+        <a href="https://github.com/external-secrets/external-secrets" title="Go to repository" class="md-source" data-md-component="source">
+  <div class="md-source__icon md-icon">
+    
+    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.4.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
+  </div>
+  <div class="md-source__repository">
+    External Secrets Operator
+  </div>
+</a>
+      </div>
+    
+  </nav>
+  
+</header>
+    
+    <div class="md-container" data-md-component="container">
+      
+      
+        
+          
+            
+<nav class="md-tabs" aria-label="Tabs" data-md-component="tabs">
+  <div class="md-grid">
+    <ul class="md-tabs__list">
+      
+        
+  
+  
+
+
+  
+  
+  
+    <li class="md-tabs__item">
+      <a href="../.." class="md-tabs__link">
+        Introduction
+      </a>
+    </li>
+  
+
+      
+        
+  
+  
+
+
+  
+  
+  
+    <li class="md-tabs__item">
+      <a href="../../api/components/" class="md-tabs__link">
+        API
+      </a>
+    </li>
+  
+
+      
+        
+  
+  
+    
+  
+
+
+  
+  
+  
+    <li class="md-tabs__item">
+      <a href="../introduction/" class="md-tabs__link md-tabs__link--active">
+        Guides
+      </a>
+    </li>
+  
+
+      
+        
+  
+  
+
+
+  
+  
+  
+    <li class="md-tabs__item">
+      <a href="../../provider/aws-secrets-manager/" class="md-tabs__link">
+        Provider
+      </a>
+    </li>
+  
+
+      
+        
+  
+  
+
+
+  
+  
+  
+    <li class="md-tabs__item">
+      <a href="../../examples/gitops-using-fluxcd/" class="md-tabs__link">
+        Examples
+      </a>
+    </li>
+  
+
+      
+        
+  
+  
+
+
+  
+  
+  
+    
+
+  
+  
+  
+    <li class="md-tabs__item">
+      <a href="../../contributing/devguide/" class="md-tabs__link">
+        Community
+      </a>
+    </li>
+  
+
+  
+
+      
+    </ul>
+  </div>
+</nav>
+          
+        
+      
+      <main class="md-main" data-md-component="main">
+        <div class="md-main__inner md-grid">
+          
+            
+              
+                
+              
+              <div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
+                <div class="md-sidebar__scrollwrap">
+                  <div class="md-sidebar__inner">
+                    
+
+  
+
+
+<nav class="md-nav md-nav--primary md-nav--lifted" aria-label="Navigation" data-md-level="0">
+  <label class="md-nav__title" for="__drawer">
+    <a href="../.." title="External Secrets Operator" class="md-nav__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
+      
+  
+  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg>
+
+    </a>
+    External Secrets Operator
+  </label>
+  
+    <div class="md-nav__source">
+      <a href="https://github.com/external-secrets/external-secrets" title="Go to repository" class="md-source" data-md-component="source">
+  <div class="md-source__icon md-icon">
+    
+    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.4.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
+  </div>
+  <div class="md-source__repository">
+    External Secrets Operator
+  </div>
+</a>
+    </div>
+  
+  <ul class="md-nav__list" data-md-scrollfix>
+    
+      
+      
+      
+
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_1" >
+      
+      
+        
+          
+            
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        
+        
+        <div class="md-nav__link md-nav__link--index ">
+          <a href="../..">Introduction</a>
+          
+            <label for="__nav_1">
+              <span class="md-nav__icon md-icon"></span>
+            </label>
+          
+        </div>
+      
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_1_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_1">
+          <span class="md-nav__icon md-icon"></span>
+          Introduction
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../introduction/overview/" class="md-nav__link">
+        Overview
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../introduction/getting-started/" class="md-nav__link">
+        Getting started
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../introduction/faq/" class="md-nav__link">
+        FAQ
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../introduction/stability-support/" class="md-nav__link">
+        Stability and Support
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../introduction/deprecation-policy/" class="md-nav__link">
+        Deprecation Policy
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+    
+      
+      
+      
+
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_2" id="__nav_2_label" tabindex="0">
+          API
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_2">
+          <span class="md-nav__icon md-icon"></span>
+          API
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/components/" class="md-nav__link">
+        Components
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_2" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_2_2" id="__nav_2_2_label" tabindex="0">
+          Core Resources
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_2_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_2_2">
+          <span class="md-nav__icon md-icon"></span>
+          Core Resources
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/externalsecret/" class="md-nav__link">
+        ExternalSecret
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/secretstore/" class="md-nav__link">
+        SecretStore
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/clustersecretstore/" class="md-nav__link">
+        ClusterSecretStore
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/clusterexternalsecret/" class="md-nav__link">
+        ClusterExternalSecret
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/pushsecret/" class="md-nav__link">
+        PushSecret
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_3" >
+      
+      
+        
+          
+            
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        
+        
+        <div class="md-nav__link md-nav__link--index ">
+          <a href="../../api/generator/">Generators</a>
+          
+            <label for="__nav_2_3">
+              <span class="md-nav__icon md-icon"></span>
+            </label>
+          
+        </div>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_3_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_2_3">
+          <span class="md-nav__icon md-icon"></span>
+          Generators
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/generator/acr/" class="md-nav__link">
+        Azure Container Registry
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/generator/ecr/" class="md-nav__link">
+        AWS Elastic Container Registry
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/generator/gcr/" class="md-nav__link">
+        Google Container Registry
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/generator/vault/" class="md-nav__link">
+        Vault Dynamic Secret
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/generator/password/" class="md-nav__link">
+        Password
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/generator/fake/" class="md-nav__link">
+        Fake
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_4" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_2_4" id="__nav_2_4_label" tabindex="0">
+          Reference Docs
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_4_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_2_4">
+          <span class="md-nav__icon md-icon"></span>
+          Reference Docs
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/spec/" class="md-nav__link">
+        API specification
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/controller-options/" class="md-nav__link">
+        Controller Options
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/metrics/" class="md-nav__link">
+        Metrics
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+    
+      
+      
+      
+
+  
+  
+    
+  
+  
+    
+    <li class="md-nav__item md-nav__item--active md-nav__item--nested">
+      
+      
+      
+      
+      <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3" checked>
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_3" id="__nav_3_label" tabindex="0">
+          Guides
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="true">
+        <label class="md-nav__title" for="__nav_3">
+          <span class="md-nav__icon md-icon"></span>
+          Guides
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../introduction/" class="md-nav__link">
+        Introduction
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_2" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_3_2" id="__nav_3_2_label" tabindex="0">
+          External Secrets
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_2_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_3_2">
+          <span class="md-nav__icon md-icon"></span>
+          External Secrets
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../all-keys-one-secret/" class="md-nav__link">
+        Extract structured data
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../getallsecrets/" class="md-nav__link">
+        Find Secrets by Name or Metadata
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../datafrom-rewrite/" class="md-nav__link">
+        Rewriting Keys
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_2_4" >
+      
+      
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_3_2_4" id="__nav_3_2_4_label" tabindex="0">
+          Advanced Templating
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="3" aria-labelledby="__nav_3_2_4_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_3_2_4">
+          <span class="md-nav__icon md-icon"></span>
+          Advanced Templating
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../templating/" class="md-nav__link">
+        v2
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../templating-v1/" class="md-nav__link">
+        v1
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../common-k8s-secret-types/" class="md-nav__link">
+        Kubernetes Secret Types
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../ownership-deletion-policy/" class="md-nav__link">
+        Lifecycle: ownership & deletion
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../decoding-strategy/" class="md-nav__link">
+        Decoding Strategies
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../controller-class/" class="md-nav__link">
+        Controller Classes
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../generator/" class="md-nav__link">
+        Generators
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+    
+  
+  
+    
+    <li class="md-nav__item md-nav__item--active md-nav__item--nested">
+      
+      
+      
+      
+      <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3_4" checked>
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
+          Operations
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_4_label" aria-expanded="true">
+        <label class="md-nav__title" for="__nav_3_4">
+          <span class="md-nav__icon md-icon"></span>
+          Operations
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../multi-tenancy/" class="md-nav__link">
+        Multi Tenancy
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../security-best-practices/" class="md-nav__link">
+        Security Best Practices
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+    
+  
+  
+    <li class="md-nav__item md-nav__item--active">
+      
+      <input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
+      
+      
+      
+        <label class="md-nav__link md-nav__link--active" for="__toc">
+          Threat Model
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <a href="./" class="md-nav__link md-nav__link--active">
+        Threat Model
+      </a>
+      
+        
+
+<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
+  
+  
+  
+  
+    <label class="md-nav__title" for="__toc">
+      <span class="md-nav__icon md-icon"></span>
+      Table of contents
+    </label>
+    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
+      
+        <li class="md-nav__item">
+  <a href="#background" class="md-nav__link">
+    Background
+  </a>
+  
+    <nav class="md-nav" aria-label="Background">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#summary" class="md-nav__link">
+    Summary
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#components" class="md-nav__link">
+    Components
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#overview" class="md-nav__link">
+    Overview
+  </a>
+  
+    <nav class="md-nav" aria-label="Overview">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#scope" class="md-nav__link">
+    Scope
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#assets" class="md-nav__link">
+    Assets
+  </a>
+  
+    <nav class="md-nav" aria-label="Assets">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#a01-cluster-level-access-to-secrets" class="md-nav__link">
+    A01: Cluster-Level access to secrets
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#a02-crd-and-webhook-write-access" class="md-nav__link">
+    A02: CRD and Webhook Write access
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#a03-secret-provider-access" class="md-nav__link">
+    A03: secret provider access
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#a04-capability-to-modify-resources" class="md-nav__link">
+    A04: capability to modify resources
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#threats" class="md-nav__link">
+    Threats
+  </a>
+  
+    <nav class="md-nav" aria-label="Threats">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#t01-tampering-with-resources-through-mitm" class="md-nav__link">
+    T01: Tampering with resources through MITM
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#t02-webhook-dos" class="md-nav__link">
+    T02: Webhook DOS
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#t03-unauthorized-access-to-cluster-secrets" class="md-nav__link">
+    T03: Unauthorized access to cluster secrets
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#t04-unauthorized-access-to-secret-provider-credentials" class="md-nav__link">
+    T04: unauthorized access to secret provider credentials
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#t05-data-exfiltration-through-malicious-resources" class="md-nav__link">
+    T05: data exfiltration through malicious resources
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#t06-supply-chain-attacks" class="md-nav__link">
+    T06: supply chain attacks
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#t07-malicious-workloads-in-eso-namespace" class="md-nav__link">
+    T07: malicious workloads in eso namespace
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#controls" class="md-nav__link">
+    Controls
+  </a>
+  
+    <nav class="md-nav" aria-label="Controls">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#c01-network-security-policy" class="md-nav__link">
+    C01: Network Security Policy
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#c02-least-privilege-rbac" class="md-nav__link">
+    C02: Least Privilege RBAC
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#c03-policy-enforcement" class="md-nav__link">
+    C03: Policy Enforcement
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#c04-provider-access-policy" class="md-nav__link">
+    C04: Provider Access Policy
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#c05-entirely-disable-crds" class="md-nav__link">
+    C05: Entirely disable CRDs
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+      
+    </ul>
+  
+</nav>
+      
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../v1beta1/" class="md-nav__link">
+        Upgrading to v1beta1
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../using-latest-image/" class="md-nav__link">
+        Using Latest Image
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../disable-cluster-features/" class="md-nav__link">
+        Disable Cluster Features
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+    
+      
+      
+      
+
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_4" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="0">
+          Provider
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_4">
+          <span class="md-nav__icon md-icon"></span>
+          Provider
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/aws-secrets-manager/" class="md-nav__link">
+        AWS Secrets Manager
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/aws-parameter-store/" class="md-nav__link">
+        AWS Parameter Store
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/azure-key-vault/" class="md-nav__link">
+        Azure Key Vault
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/google-secrets-manager/" class="md-nav__link">
+        Google Cloud Secret Manager
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/hashicorp-vault/" class="md-nav__link">
+        HashiCorp Vault
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/kubernetes/" class="md-nav__link">
+        Kubernetes
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/ibm-secrets-manager/" class="md-nav__link">
+        IBM Secrets Manager
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/akeyless/" class="md-nav__link">
+        Akeyless
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/yandex-certificate-manager/" class="md-nav__link">
+        Yandex Certificate Manager
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/yandex-lockbox/" class="md-nav__link">
+        Yandex Lockbox
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/alibaba/" class="md-nav__link">
+        Alibaba Cloud
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/gitlab-variables/" class="md-nav__link">
+        GitLab Variables
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/oracle-vault/" class="md-nav__link">
+        Oracle Vault
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/1password-automation/" class="md-nav__link">
+        1Password Secrets Automation
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/webhook/" class="md-nav__link">
+        Webhook
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/fake/" class="md-nav__link">
+        Fake
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/senhasegura-dsm/" class="md-nav__link">
+        senhasegura DevOps Secrets Management (DSM)
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/doppler/" class="md-nav__link">
+        Doppler
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/keeper-security/" class="md-nav__link">
+        Keeper Security
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/scaleway/" class="md-nav__link">
+        Scaleway
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+    
+      
+      
+      
+
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_5" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
+          Examples
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_5">
+          <span class="md-nav__icon md-icon"></span>
+          Examples
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../examples/gitops-using-fluxcd/" class="md-nav__link">
+        FluxCD
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../examples/anchore-engine-credentials/" class="md-nav__link">
+        Anchore Engine
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../examples/jenkins-kubernetes-credentials/" class="md-nav__link">
+        Jenkins
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../examples/bitwarden/" class="md-nav__link">
+        BitWarden
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+    
+      
+      
+      
+
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6" >
+      
+      
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0">
+          Community
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_6">
+          <span class="md-nav__icon md-icon"></span>
+          Community
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6_1" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_6_1" id="__nav_6_1_label" tabindex="0">
+          Contributing
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_6_1_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_6_1">
+          <span class="md-nav__icon md-icon"></span>
+          Contributing
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../contributing/devguide/" class="md-nav__link">
+        Developer guide
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../contributing/process/" class="md-nav__link">
+        Contributing Process
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../contributing/release/" class="md-nav__link">
+        Release Process
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../contributing/coc/" class="md-nav__link">
+        Code of Conduct
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../contributing/roadmap/" class="md-nav__link">
+        Roadmap
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6_2" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_6_2" id="__nav_6_2_label" tabindex="0">
+          External Resources
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_6_2_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_6_2">
+          <span class="md-nav__icon md-icon"></span>
+          External Resources
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../eso-talks/" class="md-nav__link">
+        Talks
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../eso-demos/" class="md-nav__link">
+        Demos
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../eso-blogs/" class="md-nav__link">
+        Blogs
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+    
+  </ul>
+</nav>
+                  </div>
+                </div>
+              </div>
+            
+            
+              
+                
+              
+              <div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" hidden>
+                <div class="md-sidebar__scrollwrap">
+                  <div class="md-sidebar__inner">
+                    
+
+<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
+  
+  
+  
+  
+    <label class="md-nav__title" for="__toc">
+      <span class="md-nav__icon md-icon"></span>
+      Table of contents
+    </label>
+    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
+      
+        <li class="md-nav__item">
+  <a href="#background" class="md-nav__link">
+    Background
+  </a>
+  
+    <nav class="md-nav" aria-label="Background">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#summary" class="md-nav__link">
+    Summary
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#components" class="md-nav__link">
+    Components
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#overview" class="md-nav__link">
+    Overview
+  </a>
+  
+    <nav class="md-nav" aria-label="Overview">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#scope" class="md-nav__link">
+    Scope
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#assets" class="md-nav__link">
+    Assets
+  </a>
+  
+    <nav class="md-nav" aria-label="Assets">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#a01-cluster-level-access-to-secrets" class="md-nav__link">
+    A01: Cluster-Level access to secrets
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#a02-crd-and-webhook-write-access" class="md-nav__link">
+    A02: CRD and Webhook Write access
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#a03-secret-provider-access" class="md-nav__link">
+    A03: secret provider access
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#a04-capability-to-modify-resources" class="md-nav__link">
+    A04: capability to modify resources
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#threats" class="md-nav__link">
+    Threats
+  </a>
+  
+    <nav class="md-nav" aria-label="Threats">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#t01-tampering-with-resources-through-mitm" class="md-nav__link">
+    T01: Tampering with resources through MITM
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#t02-webhook-dos" class="md-nav__link">
+    T02: Webhook DOS
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#t03-unauthorized-access-to-cluster-secrets" class="md-nav__link">
+    T03: Unauthorized access to cluster secrets
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#t04-unauthorized-access-to-secret-provider-credentials" class="md-nav__link">
+    T04: unauthorized access to secret provider credentials
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#t05-data-exfiltration-through-malicious-resources" class="md-nav__link">
+    T05: data exfiltration through malicious resources
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#t06-supply-chain-attacks" class="md-nav__link">
+    T06: supply chain attacks
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#t07-malicious-workloads-in-eso-namespace" class="md-nav__link">
+    T07: malicious workloads in eso namespace
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#controls" class="md-nav__link">
+    Controls
+  </a>
+  
+    <nav class="md-nav" aria-label="Controls">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#c01-network-security-policy" class="md-nav__link">
+    C01: Network Security Policy
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#c02-least-privilege-rbac" class="md-nav__link">
+    C02: Least Privilege RBAC
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#c03-policy-enforcement" class="md-nav__link">
+    C03: Policy Enforcement
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#c04-provider-access-policy" class="md-nav__link">
+    C04: Provider Access Policy
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#c05-entirely-disable-crds" class="md-nav__link">
+    C05: Entirely disable CRDs
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+      
+    </ul>
+  
+</nav>
+                  </div>
+                </div>
+              </div>
+            
+          
+          
+            <div class="md-content" data-md-component="content">
+              <article class="md-content__inner md-typeset">
+                
+                  
+
+  
+  
+
+
+  <h1>Threat Model</h1>
+
+<h2 id="background">Background</h2>
+<p>The External Secrets Operator is a Kubernetes Operator that seamlessly incorporates external secret management systems into Kubernetes. This Operator retrieves data from the external API and generates Kubernetes Secret resources using the corresponding secret values. This process occurs continuously in the background through regular polling of the external API. Consequently, whenever a secret undergoes changes in the external API, the corresponding Kubernetes Secret will also be updated accordingly.</p>
+<h3 id="summary">Summary</h3>
+<table>
+<thead>
+<tr>
+<th>Purpose</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>Intended Usage</td>
+<td>Sync Secrets into Kubernetes</td>
+</tr>
+<tr>
+<td>Data Classifiation</td>
+<td>Critical</td>
+</tr>
+<tr>
+<td>Highest Risk Impact</td>
+<td>Organisation takeover</td>
+</tr>
+</tbody>
+</table>
+<h3 id="components">Components</h3>
+<p>ESO comprises three main components: <code>webhook</code>, <code>cert controller</code> and a <code>core controller</code>. For more detailed information, please refer to the documentation on <a href="../../api/components/">components</a>.</p>
+<h2 id="overview">Overview</h2>
+<p>This section provides an overview of the security aspects of the External Secrets Operator (ESO) and includes information on assets, threats, and controls involved in its operation.</p>
+<p>The following diagram illustrates the security perspective of how ESO functions, highlighting the assets (items to protect), threats (potential risks), and controls (measures to mitigate threats).</p>
+<p><img alt="Overview" src="../../pictures/eso-threat-model-overview.drawio.png" /></p>
+<h3 id="scope">Scope</h3>
+<p>For the purpose of this threat model, we assume an ESO installation using helm and default settings on a public cloud provider. It is important to note that the <a href="https://github.com/kubernetes/community/tree/master/sig-security">Kubernetes SIG Security</a> team has defined an <a href="https://github.com/kubernetes/sig-security/blob/main/sig-security-docs/papers/admission-control/kubernetes-admission-control-threat-model.md">Admission Control Threat Model</a>, which is recommended reading for a better understanding of the security aspects that partially apply to External Secrets Operator.</p>
+<p>ESO utilizes the <code>ValidatingWebhookConfiguration</code> mechanism to validate <code>(Cluster)SecretStore</code> and <code>(Cluster)ExternalSecret</code> resources. However, it is essential to understand that this validation process does not serve as a security control mechanism. Instead, ESO performs validation by enforcing additional rules that go beyond the <a href="https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#validation">CustomResourceDefinition OpenAPI v3 Validation schema</a>.</p>
+<h3 id="assets">Assets</h3>
+<h4 id="a01-cluster-level-access-to-secrets">A01: Cluster-Level access to secrets</h4>
+<p>The controller possesses privileged access to the <code>kube-apiserver</code> and is authorized to read and write secret resources across all namespaces within a cluster.</p>
+<h4 id="a02-crd-and-webhook-write-access">A02: CRD and Webhook Write access</h4>
+<p>The cert-controller component has read/write access to <code>ValidatingWebhookConfigurations</code> and <code>CustomResourceDefinitions</code> resources. This access is necessary to inject/modify the caBundle property.</p>
+<h4 id="a03-secret-provider-access">A03: secret provider access</h4>
+<p>The <code>core-controller</code> component accesses a secret provider using user-supplied credentials. These credentials can be derived from environment variables, mounted service account tokens, files within the controller container, or fetched from the Kubernetes API (e.g., <code>Kind=Secret</code>). The scope of these credentials may vary, potentially providing full access to a cloud provider.</p>
+<h4 id="a04-capability-to-modify-resources">A04: capability to modify resources</h4>
+<p>The webhook component validates and converts ExternalSecret and SecretStore resources. The conversion webhook is essential for migrating resources from the old version <code>v1alpha1</code> to the new version <code>v1beta1</code>. The webhook component possesses the ability to modify resources during runtime.</p>
+<h3 id="threats">Threats</h3>
+<h4 id="t01-tampering-with-resources-through-mitm">T01: Tampering with resources through MITM</h4>
+<p>An adversary could launch a Man-in-the-Middle (MITM) attack to hijack the webhook pod, enabling them to manipulate the data of the conversion webhook. This could involve injecting malicious resources or causing a Denial-of-Service (DoS) attack. To mitigate this threat, a mutual authentication mechanism should be enforced for the connection between the Kubernetes API server and the webhook service to ensure that only authenticated endpoints can communicate.</p>
+<h4 id="t02-webhook-dos">T02: Webhook DOS</h4>
+<p>Currently, ESO generates an X.509 certificate for webhook registration without authenticating the kube-apiserver. Consequently, if an attacker gains network access to the webhook Pod, they can overload the webhook server and initiate a DoS attack. As a result, modifications to ESO resources may fail, and the ESO core controller may be impacted due to the unavailability of the conversion webhook.</p>
+<h4 id="t03-unauthorized-access-to-cluster-secrets">T03: Unauthorized access to cluster secrets</h4>
+<p>An attacker can gain unauthorized access to secrets by utilizing the service account token of the ESO core controller Pod or exploiting software vulnerabilities. This unauthorized access allows the attacker to read secrets within the cluster, potentially leading to a cluster takeover.</p>
+<h4 id="t04-unauthorized-access-to-secret-provider-credentials">T04: unauthorized access to secret provider credentials</h4>
+<p>An attacker can gain unauthorized access to credentials that provide access to external APIs storing secrets. If the credentials have overly broad permissions, this could result in an organization takeover.</p>
+<h4 id="t05-data-exfiltration-through-malicious-resources">T05: data exfiltration through malicious resources</h4>
+<p>An attacker can exfiltrate data from the cluster by utilizing maliciously crafted resources. Multiple attack vectors can be employed, e.g.:</p>
+<ol>
+<li>copying data from a namespace to an unauthorized namespace</li>
+<li>exfiltrating data to an unauthorized secret provider</li>
+<li>exfiltrating data through an authorized secret provider to a malicious provider account</li>
+</ol>
+<p>Successful data exfiltration can lead to intellectual property loss, information misuse, loss of customer trust, and damage to the brand or reputation.</p>
+<h4 id="t06-supply-chain-attacks">T06: supply chain attacks</h4>
+<p>An attack can infiltrate the ESO container through various attack vectors. The following are some potential entry points, although this is not an exhaustive list. For a comprehensive analysis, refer to <a href="https://slsa.dev/spec/v0.1/threats">SLSA Threats and mitigations</a> or <a href="https://cloud.google.com/software-supply-chain-security/docs/attack-vectors">GCP software supply chain threats</a>.</p>
+<ol>
+<li>Source Threats: Unauthorized changes or inclusion of vulnerable code in ESO through code submissions.</li>
+<li>Build Threats: Creation and distribution of malicious builds of ESO, such as in container registries, Artifact Hub, or Operator Hub.</li>
+<li>Dependency Threats: Introduction of vulnerable code into ESO dependencies.</li>
+<li>Deployment and Runtime Threats: Injection of malicious code through compromised deployment processes.</li>
+</ol>
+<h4 id="t07-malicious-workloads-in-eso-namespace">T07: malicious workloads in eso namespace</h4>
+<p>An attacker can deploy malicious workloads within the external-secrets namespace, taking advantage of the ESO service account with potentially cluster-wide privileges.</p>
+<h3 id="controls">Controls</h3>
+<h4 id="c01-network-security-policy">C01: Network Security Policy</h4>
+<p>Implement a NetworkPolicy to restrict traffic in both inbound and outbound directions on all networks. Employ a "deny all" / "permit by exception" approach for inbound and outbound network traffic. The specific network policies for the core-controller depend on the chosen provider. The webhook and cert-controller have well-defined sets of endpoints they communicate with. Refer to the <a href="../security-best-practices/">Security Best Practices</a> documentation for inbound and outbound network requirements.</p>
+<p>Please note that ESO does not provide pre-packaged network policies, and it is the user's responsibility to implement the necessary security controls.</p>
+<h4 id="c02-least-privilege-rbac">C02: Least Privilege RBAC</h4>
+<p>Adhere to the principle of least privilege by configuring Role-Based Access Control (RBAC) permissions not only for the ESO workload but also for all users interacting with it. Ensure that RBAC permissions on provider side are appropriate according to your setup, by for example limiting which sensitive information a given credential can have access to. Ensure that  kubernetes RBAC are set up to grant access to ESO resources only where necessary. For example, allowing write access to <code>ClusterSecretStore</code>/<code>ExternalSecret</code> may be sufficient for a threat to become a reality.</p>
+<h4 id="c03-policy-enforcement">C03: Policy Enforcement</h4>
+<p>Implement a Policy Engine such as Kyverno or OPA to enforce restrictions on changes to ESO resources. The specific policies to be enforced depend on the environment. Here are a few suggestions:</p>
+<ol>
+<li>(Cluster)SecretStore: Restrict the allowed secret providers, disallowing unused or undesired providers (e.g. Webhook).</li>
+<li>(Cluster)SecretStore: Restrict the permitted authentication mechanisms (e.g. prevent usage of <code>secretRef</code>).</li>
+<li>(Cluster)SecretStore: Enforce limitations on modifications to provider-specific fields relevant for security, such as <code>caBundle</code>, <code>caProvider</code>, <code>region</code>, <code>role</code>, <code>url</code>, <code>environmentType</code>, <code>identityId</code>, and <code>others</code>.</li>
+<li>ClusterSecretStore: Control the usage of <code>namespaceSelector</code>, such as forbidding or mandating the usage of the <code>kube-system</code> namespace.</li>
+<li>ClusterExternalSecret: Restrict the usage of <code>namespaceSelector</code>.</li>
+</ol>
+<p>Please note that ESO does not provide pre-packaged policies, and it is the user's responsibility to implement the necessary security controls.</p>
+<h4 id="c04-provider-access-policy">C04: Provider Access Policy</h4>
+<p>Configure fine-grained access control on the HTTP endpoint of the secret provider to prevent data exfiltration across accounts or organizations. Consult the documentation of your specific provider (e.g.: <a href="https://docs.aws.amazon.com/secretsmanager/latest/userguide/vpc-endpoint-overview.html">AWS Secrets Manager VPC Endpoint Policies</a>, <a href="https://cloud.google.com/vpc/docs/private-service-connect">GCP Private Service Connect</a>, or <a href="https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-service">Azure Private Link</a>) for guidance on setting up access policies.</p>
+<h4 id="c05-entirely-disable-crds">C05: Entirely disable CRDs</h4>
+<p>You should disable unused CRDs to narrow down your attack surface. Not all users require the use of <code>PushSecret</code>, <code>ClusterSecretStore</code> or <code>ClusterExternalSecret</code> resources.</p>
+
+
+  
+
+
+  
+
+
+
+                
+              </article>
+            </div>
+          
+          
+        </div>
+        
+      </main>
+      
+        <footer class="md-footer">
+  
+  <div class="md-footer-meta md-typeset">
+    <div class="md-footer-meta__inner md-grid">
+      <div class="md-copyright">
+  
+    <div class="md-copyright__highlight">
+      &copy; 2023 The external-secrets Authors.<br/>
+&copy; 2023 The Linux Foundation. All rights reserved.<br/><br/>
+The Linux Foundation has registered trademarks and uses trademarks.<br/>
+For a list of trademarks of The Linux Foundation, please see our <a href="https://www.linuxfoundation.org/trademark-usage/">Trademark Usage page</a>.
+
+    </div>
+  
+  
+    Made with
+    <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
+      Material for MkDocs
+    </a>
+  
+</div>
+      
+    </div>
+  </div>
+</footer>
+      
+    </div>
+    <div class="md-dialog" data-md-component="dialog">
+      <div class="md-dialog__inner md-typeset"></div>
+    </div>
+    
+    <script id="__config" type="application/json">{"base": "../..", "features": ["navigation.tabs", "navigation.indexes", "navigation.expand"], "search": "../../assets/javascripts/workers/search.208ed371.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}, "version": {"provider": "mike"}}</script>
+    
+    
+      <script src="../../assets/javascripts/bundle.fac441b0.min.js"></script>
+      
+    
+  </body>
+</html>

+ 64 - 0
main/guides/using-latest-image/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1393,6 +1409,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1461,6 +1483,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1685,6 +1721,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1694,6 +1744,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 65 - 1
main/guides/v1beta1/index.html

@@ -9,7 +9,7 @@
       
       
       
-        <link rel="prev" href="../security-best-practices/">
+        <link rel="prev" href="../threat-model/">
       
       
         <link rel="next" href="../using-latest-image/">
@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1246,6 +1248,20 @@
               
   
   
+  
+    <li class="md-nav__item">
+      <a href="../threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
     
   
   
@@ -1397,6 +1413,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1465,6 +1487,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1689,6 +1725,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1698,6 +1748,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 65 - 1
main/index.html

@@ -1198,6 +1198,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1245,6 +1247,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1347,6 +1363,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1415,6 +1437,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1639,6 +1675,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1648,6 +1698,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2090,7 +2154,7 @@ secret management systems like <a href="https://aws.amazon.com/secrets-manager/"
 Manager</a>, <a href="https://www.vaultproject.io/">HashiCorp
 Vault</a>, <a href="https://cloud.google.com/secret-manager">Google Secrets
 Manager</a>, <a href="https://azure.microsoft.com/en-us/services/key-vault/">Azure Key
-Vault</a>, <a href="https://www.ibm.com/cloud/secrets-manager">IBM Cloud Secrets Manager</a>, and many more. The
+Vault</a>, <a href="https://www.ibm.com/cloud/secrets-manager">IBM Cloud Secrets Manager</a>, <a href="https://www.conjur.org">CyberArk Conjur</a> and many more. The
 operator reads information from external APIs and automatically injects the
 values into a <a href="https://kubernetes.io/docs/concepts/configuration/secret/">Kubernetes
 Secret</a>.</p>

+ 65 - 1
main/introduction/deprecation-policy/index.html

@@ -1261,6 +1261,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1308,6 +1310,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1410,6 +1426,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1478,6 +1500,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1702,6 +1738,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1711,6 +1761,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2166,7 +2230,7 @@
 </li>
 </ul>
 <h2 id="api-surface">API Surface</h2>
-<p>We define the following scope that is covered by our deprecation policy. We follow the <a href="https://kubernetes.io/docs/reference/using-api/deprecation-policy/">9 Rules of the Kuberenetes Deprecation Policy</a>.</p>
+<p>We define the following scope that is covered by our deprecation policy. We follow the <a href="https://kubernetes.io/docs/reference/using-api/deprecation-policy/">9 Rules of the Kubernetes Deprecation Policy</a>.</p>
 <h3 id="scope">Scope</h3>
 <ul>
 <li>API Objects and fields: <code>.Spec</code>, <code>.Status</code> and <code>.Status.Conditions[]</code></li>

+ 94 - 10
main/introduction/faq/index.html

@@ -460,14 +460,21 @@
       
         <li class="md-nav__item">
   <a href="#can-i-manually-trigger-a-secret-refresh" class="md-nav__link">
-    Can i manually trigger a secret refresh?
+    Can I manually trigger a secret refresh?
   </a>
   
 </li>
       
         <li class="md-nav__item">
   <a href="#how-do-i-know-when-my-secret-was-last-synced" class="md-nav__link">
-    How do i know when my secret was last synced?
+    How do I know when my secret was last synced?
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#how-do-i-know-when-the-status-of-my-secret-changed-the-last-time" class="md-nav__link">
+    How do I know when the status of my secret changed the last time?
   </a>
   
 </li>
@@ -481,7 +488,7 @@
       
         <li class="md-nav__item">
   <a href="#how-do-i-debug-an-external-secret-that-doesnt-sync" class="md-nav__link">
-    How do i debug an external-secret that doesn't sync?
+    How do I debug an external-secret that doesn't sync?
   </a>
   
 </li>
@@ -1265,6 +1272,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1312,6 +1321,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1414,6 +1437,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1482,6 +1511,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1706,6 +1749,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1715,6 +1772,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2097,14 +2168,21 @@
       
         <li class="md-nav__item">
   <a href="#can-i-manually-trigger-a-secret-refresh" class="md-nav__link">
-    Can i manually trigger a secret refresh?
+    Can I manually trigger a secret refresh?
   </a>
   
 </li>
       
         <li class="md-nav__item">
   <a href="#how-do-i-know-when-my-secret-was-last-synced" class="md-nav__link">
-    How do i know when my secret was last synced?
+    How do I know when my secret was last synced?
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#how-do-i-know-when-the-status-of-my-secret-changed-the-last-time" class="md-nav__link">
+    How do I know when the status of my secret changed the last time?
   </a>
   
 </li>
@@ -2118,7 +2196,7 @@
       
         <li class="md-nav__item">
   <a href="#how-do-i-debug-an-external-secret-that-doesnt-sync" class="md-nav__link">
-    How do i debug an external-secret that doesn't sync?
+    How do I debug an external-secret that doesn't sync?
   </a>
   
 </li>
@@ -2150,13 +2228,19 @@
 
   <h1>FAQ</h1>
 
-<h2 id="can-i-manually-trigger-a-secret-refresh">Can i manually trigger a secret refresh?</h2>
+<h2 id="can-i-manually-trigger-a-secret-refresh">Can I manually trigger a secret refresh?</h2>
 <p>You can trigger a secret refresh by using kubectl or any other kubernetes api client.
 You just need to change an annotation, label or the spec of the resource:</p>
 <div class="highlight"><pre><span></span><code>kubectl annotate es my-es force-sync=$(date +%s) --overwrite
 </code></pre></div>
-<h2 id="how-do-i-know-when-my-secret-was-last-synced">How do i know when my secret was last synced?</h2>
-<p>Every ExternalSecret resource contains a status condition that indicates the time when the secret was last synced:</p>
+<h2 id="how-do-i-know-when-my-secret-was-last-synced">How do I know when my secret was last synced?</h2>
+<p>The last synchronization timestamp of an ExternalSecret can be retrieved from the field <code>refreshTime</code>. </p>
+<div class="highlight"><pre><span></span><code>kubectl get es my-external-secret -o yaml | grep refreshTime
+  refreshTime: &quot;2022-05-21T23:02:47Z&quot;
+</code></pre></div>
+<p>The interval can be changed by the <code>spec.refreshInterval</code> in the ExternalSecret.</p>
+<h2 id="how-do-i-know-when-the-status-of-my-secret-changed-the-last-time">How do I know when the status of my secret changed the last time?</h2>
+<p>Every ExternalSecret resource contains a status condition that indicates whether a secret was successfully synchronized, along with the timestamp of the last status change of the ExternalSecret (e.g. from SecretSyncedError to SecretSynced). This can be obtained from the field <code>lastTransitionTime</code>:</p>
 <div class="highlight"><pre><span></span><code>kubectl get es my-external-secret -o yaml | grep condition -A 5
   conditions:
   - lastTransitionTime: &quot;2022-05-21T21:02:47Z&quot;
@@ -2167,7 +2251,7 @@ You just need to change an annotation, label or the spec of the resource:</p>
 </code></pre></div>
 <h2 id="differences-to-csi-secret-store">Differences to csi-secret-store</h2>
 <p>Please take a look at this <a href="https://github.com/external-secrets/external-secrets/issues/478#issuecomment-964413129">issue comment here</a>.</p>
-<h2 id="how-do-i-debug-an-external-secret-that-doesnt-sync">How do i debug an external-secret that doesn't sync?</h2>
+<h2 id="how-do-i-debug-an-external-secret-that-doesnt-sync">How do I debug an external-secret that doesn't sync?</h2>
 <p>First, check the status of the ExternalSecret resource using <code>kubectl describe</code>. That displays the status conditions as well as recent events.
 You should expect a status condition with <code>Type=Ready</code>, <code>Status=True</code>. Further you shouldn't see any events with <code>Type=Warning</code>. Read carefully if they exist.</p>
 <div class="highlight"><pre><span></span><code>kubectl describe es my-external-secret

+ 72 - 0
main/introduction/getting-started/index.html

@@ -1309,6 +1309,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1356,6 +1358,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1458,6 +1474,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1526,6 +1548,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1750,6 +1786,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1759,6 +1809,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2270,6 +2334,7 @@ helm<span class="w"> </span>install<span class="w"> </span>external-secrets<span
 kubectl<span class="w"> </span>create<span class="w"> </span>secret<span class="w"> </span>generic<span class="w"> </span>awssm-secret<span class="w"> </span>--from-file<span class="o">=</span>./access-key<span class="w"> </span>--from-file<span class="o">=</span>./secret-access-key
 </code></pre></div>
 <h3 id="create-your-first-secretstore">Create your first SecretStore</h3>
+<p>Create a file 'basic-secret-store.yaml' with the following content.</p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
 <span class="nt">metadata</span><span class="p">:</span>
@@ -2288,7 +2353,11 @@ kubectl<span class="w"> </span>create<span class="w"> </span>secret<span class="
 <span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">awssm-secret</span>
 <span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret-access-key</span>
 </code></pre></div>
+<p>Apply it to create a SecretStore resource.</p>
+<div class="highlight"><pre><span></span><code>kubectl apply -f &quot;basic-secret-store.yaml&quot;
+</code></pre></div>
 <h3 id="create-your-first-externalsecret">Create your first ExternalSecret</h3>
+<p>Create a file 'basic-external-secret.yaml' with the following content.</p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
 <span class="nt">metadata</span><span class="p">:</span>
@@ -2311,6 +2380,9 @@ kubectl<span class="w"> </span>create<span class="w"> </span>secret<span class="
 <span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">extract</span><span class="p">:</span>
 <span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">remote-key-in-the-provider</span>
 </code></pre></div>
+<p>Apply it to create an External Secret resource.</p>
+<div class="highlight"><pre><span></span><code>kubectl apply -f &quot;basic-external-secret.yaml&quot;
+</code></pre></div>
 <div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>describe<span class="w"> </span>externalsecret<span class="w"> </span>example
 <span class="c1"># [...]</span>
 Name:<span class="w">  </span>example

+ 64 - 0
main/introduction/overview/index.html

@@ -1303,6 +1303,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1350,6 +1352,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1452,6 +1468,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1520,6 +1542,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1744,6 +1780,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1753,6 +1803,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 105 - 5
main/introduction/stability-support/index.html

@@ -1273,6 +1273,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1320,6 +1322,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1422,6 +1438,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1490,6 +1512,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1714,6 +1750,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../provider/cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../provider/scaleway/" class="md-nav__link">
         Scaleway
@@ -1723,6 +1773,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../provider/delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2188,8 +2252,14 @@ We aim for a 2-3 month minor release cycle, i.e. a given release is supported fo
 </thead>
 <tbody>
 <tr>
+<td>0.9.x</td>
+<td>1.19 → 1.28</td>
+<td>Jun 22, 2023</td>
+<td>Release of 1.1</td>
+</tr>
+<tr>
 <td>0.8.x</td>
-<td>1.19 → 1.26</td>
+<td>1.19 → 1.28</td>
 <td>Mar 16, 2023</td>
 <td>Release of 1.0</td>
 </tr>
@@ -2197,7 +2267,7 @@ We aim for a 2-3 month minor release cycle, i.e. a given release is supported fo
 <td>0.7.x</td>
 <td>1.19 → 1.26</td>
 <td>Dec 11, 2022</td>
-<td>Release of 0.9</td>
+<td>Jun 22, 2023</td>
 </tr>
 <tr>
 <td>0.6.x</td>
@@ -2326,6 +2396,16 @@ We aim for a 2-3 month minor release cycle, i.e. a given release is supported fo
 <td align="center">alpha</td>
 <td align="right"><a href="https://github.com/azert9/">@azert9</a></td>
 </tr>
+<tr>
+<td><a href="https://external-secrets.io/latest/provider/conjur">Conjur</a></td>
+<td align="center">alpha</td>
+<td align="right"><a href="https://github.com/davidh-cyberark/">@davidh-cyberark</a></td>
+</tr>
+<tr>
+<td><a href="https://external-secrets.io/latest/provider/delinea">Delinea</a></td>
+<td align="center">alpha</td>
+<td align="right"><a href="https://github.com/michaelsauter/">@michaelsauter</a></td>
+</tr>
 </tbody>
 </table>
 <h2 id="provider-feature-support">Provider Feature Support</h2>
@@ -2378,7 +2458,7 @@ We aim for a 2-3 month minor release cycle, i.e. a given release is supported fo
 <td>GCP Secret Manager</td>
 <td align="center">x</td>
 <td align="center">x</td>
-<td align="center"></td>
+<td align="center">x</td>
 <td align="center">x</td>
 <td align="center">x</td>
 <td align="center">x</td>
@@ -2406,9 +2486,9 @@ We aim for a 2-3 month minor release cycle, i.e. a given release is supported fo
 </tr>
 <tr>
 <td>IBM Cloud Secrets Manager</td>
+<td align="center">x</td>
 <td align="center"></td>
-<td align="center"></td>
-<td align="center"></td>
+<td align="center">x</td>
 <td align="center"></td>
 <td align="center">x</td>
 <td align="center"></td>
@@ -2524,6 +2604,26 @@ We aim for a 2-3 month minor release cycle, i.e. a given release is supported fo
 <td align="center">x</td>
 <td align="center">x</td>
 </tr>
+<tr>
+<td>Conjur</td>
+<td align="center"></td>
+<td align="center"></td>
+<td align="center"></td>
+<td align="center"></td>
+<td align="center">x</td>
+<td align="center"></td>
+<td align="center"></td>
+</tr>
+<tr>
+<td>Delinea</td>
+<td align="center">x</td>
+<td align="center"></td>
+<td align="center"></td>
+<td align="center"></td>
+<td align="center">x</td>
+<td align="center"></td>
+<td align="center"></td>
+</tr>
 </tbody>
 </table>
 <h2 id="support-policy">Support Policy</h2>

BIN
main/pictures/cloak-provider-header.png


BIN
main/pictures/diagrams-pushsecret-backup.png


BIN
main/pictures/diagrams-pushsecret-basic.png


File diff suppressed because it is too large
+ 0 - 0
main/pictures/diagrams.drawio


BIN
main/pictures/eso-threat-model-TLS Bootstrap.drawio.png


BIN
main/pictures/eso-threat-model-overview.drawio.png


+ 209 - 0
main/pictures/eso-threat-model.drawio

@@ -0,0 +1,209 @@
+<mxfile host="app.diagrams.net" modified="2023-06-08T07:50:48.059Z" agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36" etag="rknZ4nRD0hLUAzhrPp6X" version="21.3.7" type="device" pages="2">
+  <diagram name="Overview" id="Bc-KUSc10sxP7uZ9etOK">
+    <mxGraphModel dx="1388" dy="702" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="827" pageHeight="1169" math="0" shadow="0">
+      <root>
+        <mxCell id="0" />
+        <mxCell id="1" parent="0" />
+        <mxCell id="-eq3P-sCqOfjKJ7X8hlF-10" value="" style="rounded=0;whiteSpace=wrap;html=1;fillColor=none;dashed=1;" parent="1" vertex="1">
+          <mxGeometry x="540" y="381.26" width="180" height="100" as="geometry" />
+        </mxCell>
+        <mxCell id="-eq3P-sCqOfjKJ7X8hlF-8" value="" style="rounded=0;whiteSpace=wrap;html=1;fillColor=none;dashed=1;" parent="1" vertex="1">
+          <mxGeometry x="200" y="740" width="320" height="100" as="geometry" />
+        </mxCell>
+        <mxCell id="-eq3P-sCqOfjKJ7X8hlF-7" value="" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#dae8fc;dashed=1;strokeColor=#6c8ebf;" parent="1" vertex="1">
+          <mxGeometry x="110" y="550" width="700" height="100" as="geometry" />
+        </mxCell>
+        <mxCell id="-eq3P-sCqOfjKJ7X8hlF-14" value="conversion/&lt;br&gt;validating webhook" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.164;exitY=-0.031;exitDx=0;exitDy=0;entryX=0.5;entryY=1;entryDx=0;entryDy=0;exitPerimeter=0;labelBackgroundColor=none;" parent="1" source="-eq3P-sCqOfjKJ7X8hlF-1" target="-eq3P-sCqOfjKJ7X8hlF-2" edge="1">
+          <mxGeometry x="0.1204" y="47" relative="1" as="geometry">
+            <mxPoint x="7" y="25" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="KWlXfnC0i22sAb0q6HPk-8" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=1;exitY=0.5;exitDx=0;exitDy=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" parent="1" source="-eq3P-sCqOfjKJ7X8hlF-1" target="-eq3P-sCqOfjKJ7X8hlF-11" edge="1">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="-eq3P-sCqOfjKJ7X8hlF-1" value="kube-apiserver" style="rounded=0;whiteSpace=wrap;html=1;" parent="1" vertex="1">
+          <mxGeometry x="220" y="760" width="120" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="-eq3P-sCqOfjKJ7X8hlF-2" value="webhook" style="rounded=0;whiteSpace=wrap;html=1;" parent="1" vertex="1">
+          <mxGeometry x="160" y="570" width="120" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="-eq3P-sCqOfjKJ7X8hlF-15" value="TLS bootstrap &lt;br&gt;&amp;amp; init webhook" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.25;exitY=1;exitDx=0;exitDy=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;" parent="1" source="-eq3P-sCqOfjKJ7X8hlF-3" target="-eq3P-sCqOfjKJ7X8hlF-1" edge="1">
+          <mxGeometry x="-0.32" y="18" relative="1" as="geometry">
+            <Array as="points">
+              <mxPoint x="390" y="670" />
+              <mxPoint x="280" y="670" />
+            </Array>
+            <mxPoint as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="-eq3P-sCqOfjKJ7X8hlF-3" value="cert-controller" style="rounded=0;whiteSpace=wrap;html=1;" parent="1" vertex="1">
+          <mxGeometry x="360" y="570" width="120" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="-eq3P-sCqOfjKJ7X8hlF-12" value="read / write secrets" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=0;exitDx=0;exitDy=0;entryX=0.5;entryY=1;entryDx=0;entryDy=0;" parent="1" source="-eq3P-sCqOfjKJ7X8hlF-4" target="-eq3P-sCqOfjKJ7X8hlF-9" edge="1">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="-eq3P-sCqOfjKJ7X8hlF-13" value="reconcile state" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.5;exitY=1;exitDx=0;exitDy=0;entryX=0.75;entryY=0;entryDx=0;entryDy=0;" parent="1" source="-eq3P-sCqOfjKJ7X8hlF-4" target="-eq3P-sCqOfjKJ7X8hlF-1" edge="1">
+          <mxGeometry x="0.0068" y="-8" relative="1" as="geometry">
+            <mxPoint x="420" y="759.9999999999998" as="targetPoint" />
+            <Array as="points">
+              <mxPoint x="612" y="721" />
+              <mxPoint x="310" y="721" />
+            </Array>
+            <mxPoint as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="-eq3P-sCqOfjKJ7X8hlF-4" value="core controller" style="rounded=0;whiteSpace=wrap;html=1;" parent="1" vertex="1">
+          <mxGeometry x="560" y="570" width="120" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="-eq3P-sCqOfjKJ7X8hlF-6" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;entryX=0.5;entryY=1;entryDx=0;entryDy=0;" parent="1" source="-eq3P-sCqOfjKJ7X8hlF-5" target="-eq3P-sCqOfjKJ7X8hlF-1" edge="1">
+          <mxGeometry relative="1" as="geometry" />
+        </mxCell>
+        <mxCell id="-eq3P-sCqOfjKJ7X8hlF-5" value="Developer/&lt;br&gt;Admin" style="shape=umlActor;verticalLabelPosition=bottom;verticalAlign=top;html=1;outlineConnect=0;" parent="1" vertex="1">
+          <mxGeometry x="265" y="890" width="30" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="-eq3P-sCqOfjKJ7X8hlF-9" value="Secret Provider" style="rounded=0;whiteSpace=wrap;html=1;" parent="1" vertex="1">
+          <mxGeometry x="560" y="401.26" width="120" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="-eq3P-sCqOfjKJ7X8hlF-11" value="etcd" style="rounded=0;whiteSpace=wrap;html=1;" parent="1" vertex="1">
+          <mxGeometry x="380" y="760" width="120" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="KWlXfnC0i22sAb0q6HPk-1" value="Security Assets&lt;br&gt;&lt;br&gt;&lt;table cellpadding=&quot;4&quot; style=&quot;border: 1px solid rgb(102, 102, 102); border-collapse: collapse; background-color: rgb(255, 229, 153);&quot; border=&quot;1&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;border-collapse: collapse;&quot; border=&quot;1&quot;&gt;&lt;b&gt;ID&lt;/b&gt;&lt;/td&gt;&lt;td&gt;&lt;b&gt;Description&lt;/b&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;A01&lt;/td&gt;&lt;td&gt;cluster-level secret read/write access&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;A02&lt;/td&gt;&lt;td&gt;CRD &amp;amp; webhook write access&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;A03&lt;/td&gt;&lt;td&gt;secret provider access&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;A04&lt;/td&gt;&lt;td&gt;capability to modify resources (conversion)&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;" parent="1" vertex="1">
+          <mxGeometry x="845" y="550" width="290" height="160" as="geometry" />
+        </mxCell>
+        <mxCell id="KWlXfnC0i22sAb0q6HPk-2" value="Security Controls&lt;br&gt;&lt;br&gt;&lt;table cellpadding=&quot;4&quot; style=&quot;border: 1px solid rgb(102, 102, 102); border-collapse: collapse; background-color: rgb(185, 224, 165);&quot; border=&quot;1&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;border-collapse: collapse;&quot; border=&quot;1&quot;&gt;&lt;b&gt;ID&lt;/b&gt;&lt;/td&gt;&lt;td&gt;&lt;b&gt;Description&lt;/b&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;C01&lt;/td&gt;&lt;td&gt;Network Security Policy (*)&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;C02&lt;/td&gt;&lt;td&gt;Least Privilege RBAC&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;C03&lt;/td&gt;&lt;td&gt;Policy Enforcement (*)&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;C04&lt;/td&gt;&lt;td&gt;Provider Access Policy&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;C05&lt;/td&gt;&lt;td&gt;disable CRDs&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;span style=&quot;white-space: pre;&quot;&gt;&#x9;&lt;/span&gt;" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;" parent="1" vertex="1">
+          <mxGeometry x="885" y="710" width="210" height="200" as="geometry" />
+        </mxCell>
+        <mxCell id="KWlXfnC0i22sAb0q6HPk-3" value="Security Threats&lt;br&gt;&lt;br&gt;&lt;table cellpadding=&quot;4&quot; style=&quot;border: 1px solid rgb(102, 102, 102); border-collapse: collapse; background-color: rgb(248, 206, 204);&quot; border=&quot;1&quot;&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style=&quot;border-collapse: collapse;&quot; border=&quot;1&quot;&gt;&lt;b&gt;ID&lt;/b&gt;&lt;/td&gt;&lt;td&gt;&lt;b&gt;Description&lt;/b&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;T01&lt;/td&gt;&lt;td&gt;tampering with resources through MITM&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;T02&lt;/td&gt;&lt;td&gt;Webhook DOS&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;T03&lt;/td&gt;&lt;td&gt;unauthorised access to cluster secrets&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;T04&lt;/td&gt;&lt;td&gt;unauthorised access to provider secrets&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;T05&lt;/td&gt;&lt;td&gt;data exfiltration through malicious resources&amp;nbsp;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;T06&lt;/td&gt;&lt;td&gt;supply chain attacks&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;T07&lt;/td&gt;&lt;td&gt;malicious workloads in eso namespace&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;" style="text;html=1;align=center;verticalAlign=middle;resizable=0;points=[];autosize=1;strokeColor=none;fillColor=none;" parent="1" vertex="1">
+          <mxGeometry x="840" y="305" width="300" height="230" as="geometry" />
+        </mxCell>
+        <mxCell id="KWlXfnC0i22sAb0q6HPk-4" value="A01" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#fff2cc;strokeColor=#d6b656;" parent="1" vertex="1">
+          <mxGeometry x="680" y="570" width="30" height="20" as="geometry" />
+        </mxCell>
+        <mxCell id="KWlXfnC0i22sAb0q6HPk-6" value="A02" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#fff2cc;strokeColor=#d6b656;" parent="1" vertex="1">
+          <mxGeometry x="480" y="570" width="30" height="20" as="geometry" />
+        </mxCell>
+        <mxCell id="KWlXfnC0i22sAb0q6HPk-7" value="A03" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#fff2cc;strokeColor=#d6b656;" parent="1" vertex="1">
+          <mxGeometry x="710" y="570" width="30" height="20" as="geometry" />
+        </mxCell>
+        <mxCell id="KWlXfnC0i22sAb0q6HPk-9" value="C01" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#d5e8d4;strokeColor=#82b366;" parent="1" vertex="1">
+          <mxGeometry x="680" y="590" width="30" height="20" as="geometry" />
+        </mxCell>
+        <mxCell id="KWlXfnC0i22sAb0q6HPk-10" value="C01" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#d5e8d4;strokeColor=#82b366;" parent="1" vertex="1">
+          <mxGeometry x="480" y="590" width="30" height="20" as="geometry" />
+        </mxCell>
+        <mxCell id="KWlXfnC0i22sAb0q6HPk-11" value="C01" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#d5e8d4;strokeColor=#82b366;" parent="1" vertex="1">
+          <mxGeometry x="280" y="590" width="30" height="20" as="geometry" />
+        </mxCell>
+        <mxCell id="KWlXfnC0i22sAb0q6HPk-12" value="A04" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#fff2cc;strokeColor=#d6b656;" parent="1" vertex="1">
+          <mxGeometry x="280" y="570" width="30" height="20" as="geometry" />
+        </mxCell>
+        <mxCell id="KWlXfnC0i22sAb0q6HPk-13" value="T01" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#F8CECC;strokeColor=#b85450;" parent="1" vertex="1">
+          <mxGeometry x="280" y="610" width="30" height="20" as="geometry" />
+        </mxCell>
+        <mxCell id="KWlXfnC0i22sAb0q6HPk-15" value="T02" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#F8CECC;strokeColor=#b85450;" parent="1" vertex="1">
+          <mxGeometry x="480" y="610" width="30" height="20" as="geometry" />
+        </mxCell>
+        <mxCell id="KWlXfnC0i22sAb0q6HPk-17" value="T03" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#F8CECC;strokeColor=#b85450;" parent="1" vertex="1">
+          <mxGeometry x="680" y="610" width="30" height="20" as="geometry" />
+        </mxCell>
+        <mxCell id="KWlXfnC0i22sAb0q6HPk-19" value="C02" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#d5e8d4;strokeColor=#82b366;" parent="1" vertex="1">
+          <mxGeometry x="710" y="590" width="30" height="20" as="geometry" />
+        </mxCell>
+        <mxCell id="KWlXfnC0i22sAb0q6HPk-20" value="C02" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#d5e8d4;strokeColor=#82b366;" parent="1" vertex="1">
+          <mxGeometry x="510" y="590" width="30" height="20" as="geometry" />
+        </mxCell>
+        <mxCell id="KWlXfnC0i22sAb0q6HPk-21" value="C02" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#d5e8d4;strokeColor=#82b366;" parent="1" vertex="1">
+          <mxGeometry x="310" y="590" width="30" height="20" as="geometry" />
+        </mxCell>
+        <mxCell id="KWlXfnC0i22sAb0q6HPk-18" value="T04" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#F8CECC;strokeColor=#b85450;" parent="1" vertex="1">
+          <mxGeometry x="710" y="610" width="30" height="20" as="geometry" />
+        </mxCell>
+        <mxCell id="Ww5IvjzXZUh7UzVtdnaJ-2" value="C03" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#d5e8d4;strokeColor=#82b366;" parent="1" vertex="1">
+          <mxGeometry x="740" y="590" width="30" height="20" as="geometry" />
+        </mxCell>
+        <mxCell id="dCErDjv6PzuvUg3lQw2a-1" value="T06" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#F8CECC;strokeColor=#b85450;" parent="1" vertex="1">
+          <mxGeometry x="110" y="550" width="30" height="20" as="geometry" />
+        </mxCell>
+        <mxCell id="dCErDjv6PzuvUg3lQw2a-2" value="T07" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#F8CECC;strokeColor=#b85450;" parent="1" vertex="1">
+          <mxGeometry x="110" y="570" width="30" height="20" as="geometry" />
+        </mxCell>
+        <mxCell id="dCErDjv6PzuvUg3lQw2a-4" value="C04" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#d5e8d4;strokeColor=#82b366;" parent="1" vertex="1">
+          <mxGeometry x="680" y="421.26" width="30" height="20" as="geometry" />
+        </mxCell>
+        <mxCell id="KWlXfnC0i22sAb0q6HPk-14" value="T02" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#F8CECC;strokeColor=#b85450;" parent="1" vertex="1">
+          <mxGeometry x="310" y="610" width="30" height="20" as="geometry" />
+        </mxCell>
+        <mxCell id="Ww5IvjzXZUh7UzVtdnaJ-1" value="T05" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#F8CECC;strokeColor=#b85450;" parent="1" vertex="1">
+          <mxGeometry x="740" y="610" width="30" height="20" as="geometry" />
+        </mxCell>
+        <mxCell id="dCErDjv6PzuvUg3lQw2a-3" value="T05" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#F8CECC;strokeColor=#b85450;" parent="1" vertex="1">
+          <mxGeometry x="680" y="441.26" width="30" height="20" as="geometry" />
+        </mxCell>
+        <mxCell id="pWq7YGlfomeq9d_JThvH-1" value="C05" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#d5e8d4;strokeColor=#82b366;" vertex="1" parent="1">
+          <mxGeometry x="770" y="590" width="30" height="20" as="geometry" />
+        </mxCell>
+      </root>
+    </mxGraphModel>
+  </diagram>
+  <diagram id="cfY7S7NFl4qge9Uy_So4" name="TLS Bootstrap">
+    <mxGraphModel dx="844" dy="489" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="827" pageHeight="1169" math="0" shadow="0">
+      <root>
+        <mxCell id="0" />
+        <mxCell id="1" parent="0" />
+        <mxCell id="adGjIOf3ydgdso1pvlvY-2" value="" style="rounded=0;whiteSpace=wrap;html=1;fillColor=none;dashed=1;" vertex="1" parent="1">
+          <mxGeometry x="200" y="740" width="300" height="100" as="geometry" />
+        </mxCell>
+        <mxCell id="adGjIOf3ydgdso1pvlvY-3" value="" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#dae8fc;dashed=1;strokeColor=#6c8ebf;" vertex="1" parent="1">
+          <mxGeometry x="160" y="550" width="440" height="100" as="geometry" />
+        </mxCell>
+        <mxCell id="adGjIOf3ydgdso1pvlvY-4" value="5. send conversion/validating&lt;br&gt;&amp;nbsp;webhook" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.164;exitY=-0.031;exitDx=0;exitDy=0;entryX=0.5;entryY=1;entryDx=0;entryDy=0;exitPerimeter=0;" edge="1" parent="1" source="adGjIOf3ydgdso1pvlvY-5" target="adGjIOf3ydgdso1pvlvY-6">
+          <mxGeometry x="-0.0951" y="80" relative="1" as="geometry">
+            <mxPoint as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="adGjIOf3ydgdso1pvlvY-5" value="kube-apiserver" style="rounded=0;whiteSpace=wrap;html=1;" vertex="1" parent="1">
+          <mxGeometry x="220" y="760" width="120" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="adGjIOf3ydgdso1pvlvY-6" value="webhook" style="rounded=0;whiteSpace=wrap;html=1;" vertex="1" parent="1">
+          <mxGeometry x="180" y="570" width="120" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="adGjIOf3ydgdso1pvlvY-7" value="2. write TLS secret&lt;br&gt;3. update caBundle in CRD/Webhook" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.25;exitY=1;exitDx=0;exitDy=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;align=left;" edge="1" parent="1" source="adGjIOf3ydgdso1pvlvY-8" target="adGjIOf3ydgdso1pvlvY-5">
+          <mxGeometry x="0.4" y="10" relative="1" as="geometry">
+            <Array as="points">
+              <mxPoint x="350" y="670" />
+              <mxPoint x="280" y="670" />
+            </Array>
+            <mxPoint as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="adGjIOf3ydgdso1pvlvY-8" value="cert-controller" style="rounded=0;whiteSpace=wrap;html=1;" vertex="1" parent="1">
+          <mxGeometry x="320" y="570" width="120" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="adGjIOf3ydgdso1pvlvY-11" value="core controller" style="rounded=0;whiteSpace=wrap;html=1;" vertex="1" parent="1">
+          <mxGeometry x="460" y="570" width="120" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="adGjIOf3ydgdso1pvlvY-15" value="etcd" style="rounded=0;whiteSpace=wrap;html=1;" vertex="1" parent="1">
+          <mxGeometry x="360" y="760" width="120" height="60" as="geometry" />
+        </mxCell>
+        <mxCell id="qu5wcJP0yzF1II28N2AH-1" value="1. gen private key / self-signed cert" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.25;exitY=0;exitDx=0;exitDy=0;entryX=0.75;entryY=0;entryDx=0;entryDy=0;" edge="1" parent="1" source="adGjIOf3ydgdso1pvlvY-8" target="adGjIOf3ydgdso1pvlvY-8">
+          <mxGeometry y="10" relative="1" as="geometry">
+            <Array as="points">
+              <mxPoint x="350" y="530" />
+              <mxPoint x="410" y="530" />
+            </Array>
+            <mxPoint as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="qu5wcJP0yzF1II28N2AH-2" value="4. configure TLS" style="edgeStyle=orthogonalEdgeStyle;rounded=0;orthogonalLoop=1;jettySize=auto;html=1;exitX=0.25;exitY=0;exitDx=0;exitDy=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;" edge="1" parent="1" source="adGjIOf3ydgdso1pvlvY-6" target="adGjIOf3ydgdso1pvlvY-6">
+          <mxGeometry x="-0.0182" y="12" relative="1" as="geometry">
+            <Array as="points">
+              <mxPoint x="210" y="530" />
+              <mxPoint x="240" y="530" />
+            </Array>
+            <mxPoint as="offset" />
+          </mxGeometry>
+        </mxCell>
+      </root>
+    </mxGraphModel>
+  </diagram>
+</mxfile>
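Review bot: In the "Overview" page of the diagram, the T06 (supply chain attacks) and T07 (malicious workloads in eso namespace) tags sit on the namespace box with no C0x control tag next to them, while T01–T05 are each stacked under a control tag. A reader of the picture alone cannot tell whether these two threats are unmitigated or only handled in the guide text. C05 (disable CRDs) has the reverse gap, with no threat tag beneath it. I would either add the matching control and threat tags or put a short legend cell in the diagram such as `T06/T07: mitigations described in the threat-model guide`, if that is where they are covered. The Security Controls table also marks C01 and C03 with `(*)`, but no visible cell defines it, so a footnote line like `(*) = <meaning to be stated by the author>` should be added to that table.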

+ 64 - 0
main/provider/1password-automation/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1815,6 +1851,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../scaleway/" class="md-nav__link">
         Scaleway
@@ -1824,6 +1874,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 64 - 0
main/provider/akeyless/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1772,6 +1808,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../scaleway/" class="md-nav__link">
         Scaleway
@@ -1781,6 +1831,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 64 - 0
main/provider/alibaba/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1711,6 +1747,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../scaleway/" class="md-nav__link">
         Scaleway
@@ -1720,6 +1770,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 70 - 6
main/provider/aws-parameter-store/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1562,6 +1584,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1786,6 +1822,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../scaleway/" class="md-nav__link">
         Scaleway
@@ -1795,6 +1845,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2345,16 +2409,15 @@ is available in different tiers, <a href="https://aws.amazon.com/systems-manager
 Please estimate your costs before using ESO. Cost depends on the RefreshInterval of your ExternalSecrets.</p>
 </div>
 <h3 id="iam-policy">IAM Policy</h3>
-<p>Create a IAM Policy to pin down access to secrets matching <code>dev-*</code>, for further information see <a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-access.html">AWS Documentation</a>:</p>
+<p>The example policy below shows the minimum required permissions for fetching SSM parameters. This policy permits pinning down access to secrets with a path matching <code>dev-*</code>. Other operations may require additional permission. For example, finding parameters based on tags will also require <code>ssm:DescribeParameters</code> and <code>tag:GetResources</code> permission with <code>"Resource": "*"</code>. Generally, the specific permission required will be logged as an error if an operation fails.</p>
+<p>For further information see <a href="https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-access.html">AWS Documentation</a>.</p>
 <div class="highlight"><pre><span></span><code><span class="p">{</span>
 <span class="w">  </span><span class="nt">&quot;Version&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;2012-10-17&quot;</span><span class="p">,</span>
 <span class="w">  </span><span class="nt">&quot;Statement&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
 <span class="w">    </span><span class="p">{</span>
 <span class="w">      </span><span class="nt">&quot;Effect&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Allow&quot;</span><span class="p">,</span>
 <span class="w">      </span><span class="nt">&quot;Action&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
-<span class="w">        </span><span class="s2">&quot;ssm:GetParameter&quot;</span><span class="p">,</span>
-<span class="w">        </span><span class="s2">&quot;ssm:ListTagsForResource&quot;</span><span class="p">,</span>
-<span class="w">        </span><span class="s2">&quot;ssm:DescribeParameters&quot;</span>
+<span class="w">        </span><span class="s2">&quot;ssm:GetParameter*&quot;</span><span class="p">,</span>
 <span class="w">      </span><span class="p">],</span>
 <span class="w">      </span><span class="nt">&quot;Resource&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;arn:aws:ssm:us-east-2:1234567889911:parameter/dev-*&quot;</span>
 <span class="w">    </span><span class="p">}</span>
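Review bot: The rewritten policy example is no longer valid JSON, because the added `"ssm:GetParameter*",` line is now the only entry in `Action` and still ends with a comma; a copy-pasted policy will be rejected until the comma is dropped. The wildcard also matches more than `ssm:GetParameter` (for instance `ssm:GetParameters`, `ssm:GetParametersByPath` and `ssm:GetParameterHistory`), which does not fit the new paragraph's claim of "minimum required permissions"; either list the actions the provider actually calls or say that the wildcard is a convenience. The paragraph also suggests `ssm:DescribeParameters` and `tag:GetResources` with `"Resource": "*"`, so it should add that these expose parameter names and tags outside the `dev-*` scope. Since this file is MkDocs output, the fix belongs in the Markdown source; the JSON block continues past the end of the hunk.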
@@ -2393,13 +2456,13 @@ Please estimate your costs before using ESO. Cost depends on the RefreshInterval
 <span class="w">  </span><span class="c1"># metadataPolicy to fetch all the tags in JSON format</span>
 <span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">tags</span>
 <span class="w">    </span><span class="nt">remoteRef</span><span class="p">:</span>
-<span class="w">      </span><span class="nt">metadataPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Fetch</span><span class="w"> </span>
+<span class="w">      </span><span class="nt">metadataPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Fetch</span>
 <span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
 
 <span class="w">  </span><span class="c1"># metadataPolicy to fetch a specific tag (dev) from the source secret</span>
 <span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">developer</span>
 <span class="w">    </span><span class="nt">remoteRef</span><span class="p">:</span>
-<span class="w">      </span><span class="nt">metadataPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Fetch</span><span class="w"> </span>
+<span class="w">      </span><span class="nt">metadataPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Fetch</span>
 <span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
 <span class="w">      </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">dev</span>
 </code></pre></div></p>
@@ -2414,6 +2477,7 @@ Please estimate your costs before using ESO. Cost depends on the RefreshInterval
 <span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pushsecret-example</span><span class="w"> </span><span class="c1"># Customisable</span>
 <span class="w">  </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span><span class="w"> </span><span class="c1"># Same of the SecretStores</span>
 <span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">deletionPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Delete</span><span class="w"> </span><span class="c1"># the provider&#39; secret will be deleted if the PushSecret is deleted</span>
 <span class="w">  </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">10s</span><span class="w"> </span><span class="c1"># Refresh interval for which push secret will reconcile</span>
 <span class="w">  </span><span class="nt">secretStoreRefs</span><span class="p">:</span><span class="w"> </span><span class="c1"># A list of secret stores to push secrets to</span>
 <span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aws-parameterstore</span>
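Review bot: The added `deletionPolicy: Delete` line makes the example remove the remote parameter when the PushSecret is deleted, but the IAM example earlier on this page (`ssm:GetParameter*`) covers only read access. Unless the write and delete actions are listed elsewhere on the page, a reader copying both snippets will have a PushSecret that cannot push or clean up; a one-line pointer to the required permissions next to this example would help. The new comment also has a typo, `the provider' secret`; suggest `# the provider's secret will be deleted if the PushSecret is deleted`. The example continues outside the hunk.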

+ 171 - 0
main/provider/aws-secrets-manager/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1418,6 +1440,26 @@
     IAM Policy
   </a>
   
+    <nav class="md-nav" aria-label="IAM Policy">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#permissions-for-pushsecret" class="md-nav__link">
+    Permissions for PushSecret
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#additional-settings-for-pushsecret" class="md-nav__link">
+    Additional Settings for PushSecret
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
 </li>
         
           <li class="md-nav__item">
@@ -1522,6 +1564,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1746,6 +1802,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../scaleway/" class="md-nav__link">
         Scaleway
@@ -1755,6 +1825,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2148,6 +2232,26 @@
     IAM Policy
   </a>
   
+    <nav class="md-nav" aria-label="IAM Policy">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#permissions-for-pushsecret" class="md-nav__link">
+    Permissions for PushSecret
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#additional-settings-for-pushsecret" class="md-nav__link">
+    Additional Settings for PushSecret
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
 </li>
         
           <li class="md-nav__item">
@@ -2280,6 +2384,73 @@ way users of the <code>SecretStore</code> can only access the secrets necessary.
 <span class="w">  </span><span class="p">]</span>
 <span class="p">}</span>
 </code></pre></div>
+<h4 id="permissions-for-pushsecret">Permissions for PushSecret</h4>
+<p>If you're planning to use <code>PushSecret</code>, ensure you also have the following permissions in your IAM policy:</p>
+<div class="highlight"><pre><span></span><code><span class="p">{</span>
+<span class="w">  </span><span class="nt">&quot;Effect&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Allow&quot;</span><span class="p">,</span>
+<span class="w">  </span><span class="nt">&quot;Action&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
+<span class="w">    </span><span class="s2">&quot;secretsmanager:CreateSecret&quot;</span><span class="p">,</span>
+<span class="w">    </span><span class="s2">&quot;secretsmanager:PutSecretValue&quot;</span><span class="p">,</span>
+<span class="w">    </span><span class="s2">&quot;secretsmanager:TagResource&quot;</span><span class="p">,</span>
+<span class="w">    </span><span class="s2">&quot;secretsmanager:DeleteSecret&quot;</span>
+<span class="w">  </span><span class="p">],</span>
+<span class="w">  </span><span class="nt">&quot;Resource&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
+<span class="w">    </span><span class="s2">&quot;arn:aws:secretsmanager:us-west-2:111122223333:secret:dev-*&quot;</span>
+<span class="w">  </span><span class="p">]</span>
+<span class="p">}</span>
+</code></pre></div>
+<p>Here's a more restrictive version of the IAM policy:</p>
+<div class="highlight"><pre><span></span><code><span class="p">{</span>
+<span class="w">  </span><span class="nt">&quot;Version&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;2012-10-17&quot;</span><span class="p">,</span>
+<span class="w">  </span><span class="nt">&quot;Statement&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
+<span class="w">    </span><span class="p">{</span>
+<span class="w">      </span><span class="nt">&quot;Effect&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Allow&quot;</span><span class="p">,</span>
+<span class="w">      </span><span class="nt">&quot;Action&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
+<span class="w">        </span><span class="s2">&quot;secretsmanager:CreateSecret&quot;</span><span class="p">,</span>
+<span class="w">        </span><span class="s2">&quot;secretsmanager:PutSecretValue&quot;</span><span class="p">,</span>
+<span class="w">        </span><span class="s2">&quot;secretsmanager:TagResource&quot;</span>
+<span class="w">      </span><span class="p">],</span>
+<span class="w">      </span><span class="nt">&quot;Resource&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
+<span class="w">        </span><span class="s2">&quot;arn:aws:secretsmanager:us-west-2:111122223333:secret:dev-*&quot;</span>
+<span class="w">      </span><span class="p">]</span>
+<span class="w">    </span><span class="p">},</span>
+<span class="w">    </span><span class="p">{</span>
+<span class="w">      </span><span class="nt">&quot;Effect&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;Allow&quot;</span><span class="p">,</span>
+<span class="w">      </span><span class="nt">&quot;Action&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
+<span class="w">        </span><span class="s2">&quot;secretsmanager:DeleteSecret&quot;</span>
+<span class="w">      </span><span class="p">],</span>
+<span class="w">      </span><span class="nt">&quot;Resource&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
+<span class="w">        </span><span class="s2">&quot;arn:aws:secretsmanager:us-west-2:111122223333:secret:dev-*&quot;</span>
+<span class="w">      </span><span class="p">],</span>
+<span class="w">      </span><span class="nt">&quot;Condition&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
+<span class="w">        </span><span class="nt">&quot;StringEquals&quot;</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
+<span class="w">          </span><span class="nt">&quot;secretsmanager:ResourceTag/managed-by&quot;</span><span class="p">:</span><span class="w"> </span><span class="s2">&quot;external-secrets&quot;</span>
+<span class="w">        </span><span class="p">}</span>
+<span class="w">      </span><span class="p">}</span>
+<span class="w">    </span><span class="p">}</span>
+<span class="w">  </span><span class="p">]</span>
+<span class="p">}</span>
+</code></pre></div>
+<p>In this policy, the DeleteSecret action is restricted to secrets that have the specified tag, ensuring that deletion operations are more controlled and in line with the intended management of the secrets.</p>
+<h4 id="additional-settings-for-pushsecret">Additional Settings for PushSecret</h4>
+<p>Additional settings can be set at the <code>SecretStore</code> level to control the behavior of <code>PushSecret</code> when interacting with AWS Secrets Manager.</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">aws-secretsmanager</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">aws</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">service</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretsManager</span>
+<span class="w">      </span><span class="nt">role</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">arn:aws:iam::123456789012:role/external-secrets</span>
+<span class="w">      </span><span class="nt">region</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">eu-central-1</span>
+<span class="w">      </span><span class="nt">secretsManager</span><span class="p">:</span>
+<span class="w">        </span><span class="c1"># Additional parameters can be added to the AWS Secrets Manager DeleteSecret API call.</span>
+<span class="w">        </span><span class="c1"># These parameters are only relevant when the deletionPolicy is set to Delete.</span>
+<span class="w">        </span><span class="c1"># See: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#API_DeleteSecret_RequestSyntax</span>
+<span class="w">        </span><span class="nt">forceDeleteWithoutRecovery</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
+<span class="w">        </span><span class="c1"># recoveryWindowInDays: 9 (conflicts with forceDeleteWithoutRecovery)</span>
+</code></pre></div>
 <h3 id="json-secret-values">JSON Secret Values</h3>
 <p>SecretsManager supports <em>simple</em> key/value pairs that are stored as json. If you use the API you can store more complex JSON objects. You can access nested values or arrays using <a href="https://github.com/tidwall/gjson/blob/master/SYNTAX.md">gjson syntax</a>:</p>
 <p>Consider the following JSON object that is stored in the SecretsManager key <code>friendslist</code>:
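Review bot: In the "more restrictive" policy the tag condition on `secretsmanager:DeleteSecret` is a weak boundary, because the first statement grants `secretsmanager:TagResource` and `secretsmanager:PutSecretValue` on the same `dev-*` ARN with no condition. The role can therefore add the `managed-by` tag to, or overwrite, a `dev-*` secret it did not create. The closing paragraph should state this limit, or the example should apply the same `secretsmanager:ResourceTag/managed-by` condition to those two actions. Separately, the SecretStore example enables `forceDeleteWithoutRecovery: true`, which makes deletion immediate with no recovery window; I would make `recoveryWindowInDays` the active setting and move the force flag to the commented line. The first snippet is also a bare statement rather than a full policy document, so it needs a short note saying it goes inside `Statement`.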

+ 66 - 2
main/provider/azure-key-vault/index.html

@@ -12,7 +12,7 @@
         <link rel="prev" href="../aws-parameter-store/">
       
       
-        <link rel="next" href="../google-secrets-manager/">
+        <link rel="next" href="../conjur/">
       
       <link rel="icon" href="../../assets/images/favicon.png">
       <meta name="generator" content="mkdocs-1.4.3, mkdocs-material-9.1.9">
@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1569,6 +1591,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1793,6 +1829,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../scaleway/" class="md-nav__link">
         Scaleway
@@ -1802,6 +1852,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2384,7 +2448,7 @@ az<span class="w"> </span>keyvault<span class="w"> </span>set-policy<span class=
 </code></pre></div>
 <p>With these prerequisites met you can configure <code>ESO</code> to use that Service Account. You have two options:</p>
 <h5 id="mounted-service-account">Mounted Service Account</h5>
-<p>You run the controller and mount that particular service account into the pod. That grants <em>everyone</em> who is able to create a secret store or reference a correctly configured one the ability to read secrets. <strong>This approach is usually not recommended</strong>. But may make sense when you want to share an identity with multiple namespaces. Also see our <a href="../../guides/multi-tenancy/">Multi-Tenancy Guide</a> for design considerations.</p>
+<p>You run the controller and mount that particular service account into the pod by adding the label <code>azure.workload.identity/use: "true"</code>to the pod. That grants <em>everyone</em> who is able to create a secret store or reference a correctly configured one the ability to read secrets. <strong>This approach is usually not recommended</strong>. But may make sense when you want to share an identity with multiple namespaces. Also see our <a href="../../guides/multi-tenancy/">Multi-Tenancy Guide</a> for design considerations.</p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ServiceAccount</span>
 <span class="nt">metadata</span><span class="p">:</span>
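Review bot: The added sentence is missing a space after the closing code tag, so `"true"</code>to the pod` renders as `"true"to the pod`. It would also be clearer to say which pod is meant (presumably the controller pod, given "You run the controller") and that the label value must stay a quoted string, since an unquoted `true` is parsed as a YAML boolean and is not a valid label value. The ServiceAccount example that follows continues outside the hunk.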

+ 2364 - 0
main/provider/cloak/index.html

@@ -0,0 +1,2364 @@
+
+<!doctype html>
+<html lang="en" class="no-js">
+  <head>
+    
+      <meta charset="utf-8">
+      <meta name="viewport" content="width=device-width,initial-scale=1">
+      
+      
+      
+      
+        <link rel="prev" href="../keeper-security/">
+      
+      
+        <link rel="next" href="../scaleway/">
+      
+      <link rel="icon" href="../../assets/images/favicon.png">
+      <meta name="generator" content="mkdocs-1.4.3, mkdocs-material-9.1.9">
+    
+    
+      
+        <title>Cloak End 2 End Encrypted Secrets - External Secrets Operator</title>
+      
+    
+    
+      <link rel="stylesheet" href="../../assets/stylesheets/main.85bb2934.min.css">
+      
+      
+
+    
+    
+    
+      
+        
+        
+        <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+        <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
+        <style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
+      
+    
+    
+    <script>__md_scope=new URL("../..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
+    
+      
+  
+
+
+  
+  
+
+
+  <script id="__analytics">function __md_analytics(){function n(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],n("js",new Date),n("config","G-QP38TD8K7V"),document.addEventListener("DOMContentLoaded",function(){document.forms.search&&document.forms.search.query.addEventListener("blur",function(){this.value&&n("event","search",{search_term:this.value})}),document$.subscribe(function(){var a=document.forms.feedback;if(void 0!==a)for(var e of a.querySelectorAll("[type=submit]"))e.addEventListener("click",function(e){e.preventDefault();var t=document.location.pathname,e=this.getAttribute("data-md-value");n("event","feedback",{page:t,data:e}),a.firstElementChild.disabled=!0;e=a.querySelector(".md-feedback__note [data-md-value='"+e+"']");e&&(e.hidden=!1)}),a.hidden=!1}),location$.subscribe(function(e){n("config","G-QP38TD8K7V",{page_path:e.pathname})})});var e=document.createElement("script");e.async=!0,e.src="https://www.googletagmanager.com/gtag/js?id=G-QP38TD8K7V",document.getElementById("__analytics").insertAdjacentElement("afterEnd",e)}</script>
+
+  
+    <script>"undefined"!=typeof __md_analytics&&__md_analytics()</script>
+  
+
+    
+    
+    
+  </head>
+  
+  
+    <body dir="ltr">
+  
+    
+    
+      <script>var palette=__md_get("__palette");if(palette&&"object"==typeof palette.color)for(var key of Object.keys(palette.color))document.body.setAttribute("data-md-color-"+key,palette.color[key])</script>
+    
+    <input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
+    <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
+    <label class="md-overlay" for="__drawer"></label>
+    <div data-md-component="skip">
+      
+        
+        <a href="#cloak" class="md-skip">
+          Skip to content
+        </a>
+      
+    </div>
+    <div data-md-component="announce">
+      
+    </div>
+    
+      <div data-md-color-scheme="default" data-md-component="outdated" hidden>
+        
+          <aside class="md-banner md-banner--warning">
+            <div class="md-banner__inner md-grid md-typeset">
+              
+  You're not viewing the latest version.
+  <a href="../../..">
+    <strong>Click here to go to latest.</strong>
+  </a>
+
+            </div>
+            <script>var el=document.querySelector("[data-md-component=outdated]"),outdated=__md_get("__outdated",sessionStorage);!0===outdated&&el&&(el.hidden=!1)</script>
+          </aside>
+        
+      </div>
+    
+    
+      
+
+<header class="md-header" data-md-component="header">
+  <nav class="md-header__inner md-grid" aria-label="Header">
+    <a href="../.." title="External Secrets Operator" class="md-header__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
+      
+  
+  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg>
+
+    </a>
+    <label class="md-header__button md-icon" for="__drawer">
+      <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg>
+    </label>
+    <div class="md-header__title" data-md-component="header-title">
+      <div class="md-header__ellipsis">
+        <div class="md-header__topic">
+          <span class="md-ellipsis">
+            External Secrets Operator
+          </span>
+        </div>
+        <div class="md-header__topic" data-md-component="header-topic">
+          <span class="md-ellipsis">
+            
+              Cloak End 2 End Encrypted Secrets
+            
+          </span>
+        </div>
+      </div>
+    </div>
+    
+    
+    
+      <label class="md-header__button md-icon" for="__search">
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
+      </label>
+      <div class="md-search" data-md-component="search" role="dialog">
+  <label class="md-search__overlay" for="__search"></label>
+  <div class="md-search__inner" role="search">
+    <form class="md-search__form" name="search">
+      <input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
+      <label class="md-search__icon md-icon" for="__search">
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg>
+      </label>
+      <nav class="md-search__options" aria-label="Search">
+        
+        <button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
+          <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg>
+        </button>
+      </nav>
+      
+    </form>
+    <div class="md-search__output">
+      <div class="md-search__scrollwrap" data-md-scrollfix>
+        <div class="md-search-result" data-md-component="search-result">
+          <div class="md-search-result__meta">
+            Initializing search
+          </div>
+          <ol class="md-search-result__list" role="presentation"></ol>
+        </div>
+      </div>
+    </div>
+  </div>
+</div>
+    
+    
+      <div class="md-header__source">
+        <a href="https://github.com/external-secrets/external-secrets" title="Go to repository" class="md-source" data-md-component="source">
+  <div class="md-source__icon md-icon">
+    
+    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.4.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
+  </div>
+  <div class="md-source__repository">
+    External Secrets Operator
+  </div>
+</a>
+      </div>
+    
+  </nav>
+  
+</header>
+    
+    <div class="md-container" data-md-component="container">
+      
+      
+        
+          
+            
+<nav class="md-tabs" aria-label="Tabs" data-md-component="tabs">
+  <div class="md-grid">
+    <ul class="md-tabs__list">
+      
+        
+  
+  
+
+
+  
+  
+  
+    <li class="md-tabs__item">
+      <a href="../.." class="md-tabs__link">
+        Introduction
+      </a>
+    </li>
+  
+
+      
+        
+  
+  
+
+
+  
+  
+  
+    <li class="md-tabs__item">
+      <a href="../../api/components/" class="md-tabs__link">
+        API
+      </a>
+    </li>
+  
+
+      
+        
+  
+  
+
+
+  
+  
+  
+    <li class="md-tabs__item">
+      <a href="../../guides/introduction/" class="md-tabs__link">
+        Guides
+      </a>
+    </li>
+  
+
+      
+        
+  
+  
+    
+  
+
+
+  
+  
+  
+    <li class="md-tabs__item">
+      <a href="../aws-secrets-manager/" class="md-tabs__link md-tabs__link--active">
+        Provider
+      </a>
+    </li>
+  
+
+      
+        
+  
+  
+
+
+  
+  
+  
+    <li class="md-tabs__item">
+      <a href="../../examples/gitops-using-fluxcd/" class="md-tabs__link">
+        Examples
+      </a>
+    </li>
+  
+
+      
+        
+  
+  
+
+
+  
+  
+  
+    
+
+  
+  
+  
+    <li class="md-tabs__item">
+      <a href="../../contributing/devguide/" class="md-tabs__link">
+        Community
+      </a>
+    </li>
+  
+
+  
+
+      
+    </ul>
+  </div>
+</nav>
+          
+        
+      
+      <main class="md-main" data-md-component="main">
+        <div class="md-main__inner md-grid">
+          
+            
+              
+              <div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
+                <div class="md-sidebar__scrollwrap">
+                  <div class="md-sidebar__inner">
+                    
+
+  
+
+
+<nav class="md-nav md-nav--primary md-nav--lifted" aria-label="Navigation" data-md-level="0">
+  <label class="md-nav__title" for="__drawer">
+    <a href="../.." title="External Secrets Operator" class="md-nav__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
+      
+  
+  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg>
+
+    </a>
+    External Secrets Operator
+  </label>
+  
+    <div class="md-nav__source">
+      <a href="https://github.com/external-secrets/external-secrets" title="Go to repository" class="md-source" data-md-component="source">
+  <div class="md-source__icon md-icon">
+    
+    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.4.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
+  </div>
+  <div class="md-source__repository">
+    External Secrets Operator
+  </div>
+</a>
+    </div>
+  
+  <ul class="md-nav__list" data-md-scrollfix>
+    
+      
+      
+      
+
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_1" >
+      
+      
+        
+          
+            
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        
+        
+        <div class="md-nav__link md-nav__link--index ">
+          <a href="../..">Introduction</a>
+          
+            <label for="__nav_1">
+              <span class="md-nav__icon md-icon"></span>
+            </label>
+          
+        </div>
+      
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_1_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_1">
+          <span class="md-nav__icon md-icon"></span>
+          Introduction
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../introduction/overview/" class="md-nav__link">
+        Overview
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../introduction/getting-started/" class="md-nav__link">
+        Getting started
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../introduction/faq/" class="md-nav__link">
+        FAQ
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../introduction/stability-support/" class="md-nav__link">
+        Stability and Support
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../introduction/deprecation-policy/" class="md-nav__link">
+        Deprecation Policy
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+    
+      
+      
+      
+
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_2" id="__nav_2_label" tabindex="0">
+          API
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_2">
+          <span class="md-nav__icon md-icon"></span>
+          API
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/components/" class="md-nav__link">
+        Components
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_2" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_2_2" id="__nav_2_2_label" tabindex="0">
+          Core Resources
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_2_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_2_2">
+          <span class="md-nav__icon md-icon"></span>
+          Core Resources
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/externalsecret/" class="md-nav__link">
+        ExternalSecret
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/secretstore/" class="md-nav__link">
+        SecretStore
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/clustersecretstore/" class="md-nav__link">
+        ClusterSecretStore
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/clusterexternalsecret/" class="md-nav__link">
+        ClusterExternalSecret
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/pushsecret/" class="md-nav__link">
+        PushSecret
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_3" >
+      
+      
+        
+          
+            
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        
+        
+        <div class="md-nav__link md-nav__link--index ">
+          <a href="../../api/generator/">Generators</a>
+          
+            <label for="__nav_2_3">
+              <span class="md-nav__icon md-icon"></span>
+            </label>
+          
+        </div>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_3_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_2_3">
+          <span class="md-nav__icon md-icon"></span>
+          Generators
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/generator/acr/" class="md-nav__link">
+        Azure Container Registry
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/generator/ecr/" class="md-nav__link">
+        AWS Elastic Container Registry
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/generator/gcr/" class="md-nav__link">
+        Google Container Registry
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/generator/vault/" class="md-nav__link">
+        Vault Dynamic Secret
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/generator/password/" class="md-nav__link">
+        Password
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/generator/fake/" class="md-nav__link">
+        Fake
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_4" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_2_4" id="__nav_2_4_label" tabindex="0">
+          Reference Docs
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_4_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_2_4">
+          <span class="md-nav__icon md-icon"></span>
+          Reference Docs
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/spec/" class="md-nav__link">
+        API specification
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/controller-options/" class="md-nav__link">
+        Controller Options
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/metrics/" class="md-nav__link">
+        Metrics
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+    
+      
+      
+      
+
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_3" id="__nav_3_label" tabindex="0">
+          Guides
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_3">
+          <span class="md-nav__icon md-icon"></span>
+          Guides
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/introduction/" class="md-nav__link">
+        Introduction
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_2" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_3_2" id="__nav_3_2_label" tabindex="0">
+          External Secrets
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_2_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_3_2">
+          <span class="md-nav__icon md-icon"></span>
+          External Secrets
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/all-keys-one-secret/" class="md-nav__link">
+        Extract structured data
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/getallsecrets/" class="md-nav__link">
+        Find Secrets by Name or Metadata
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/datafrom-rewrite/" class="md-nav__link">
+        Rewriting Keys
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_2_4" >
+      
+      
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_3_2_4" id="__nav_3_2_4_label" tabindex="0">
+          Advanced Templating
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="3" aria-labelledby="__nav_3_2_4_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_3_2_4">
+          <span class="md-nav__icon md-icon"></span>
+          Advanced Templating
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/templating/" class="md-nav__link">
+        v2
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/templating-v1/" class="md-nav__link">
+        v1
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/common-k8s-secret-types/" class="md-nav__link">
+        Kubernetes Secret Types
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/ownership-deletion-policy/" class="md-nav__link">
+        Lifecycle: ownership & deletion
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/decoding-strategy/" class="md-nav__link">
+        Decoding Strategies
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/controller-class/" class="md-nav__link">
+        Controller Classes
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/generator/" class="md-nav__link">
+        Generators
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_4" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
+          Operations
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_4_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_3_4">
+          <span class="md-nav__icon md-icon"></span>
+          Operations
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/multi-tenancy/" class="md-nav__link">
+        Multi Tenancy
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/security-best-practices/" class="md-nav__link">
+        Security Best Practices
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/v1beta1/" class="md-nav__link">
+        Upgrading to v1beta1
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/using-latest-image/" class="md-nav__link">
+        Using Latest Image
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/disable-cluster-features/" class="md-nav__link">
+        Disable Cluster Features
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+    
+      
+      
+      
+
+  
+  
+    
+  
+  
+    
+    <li class="md-nav__item md-nav__item--active md-nav__item--nested">
+      
+      
+      
+      
+      <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" checked>
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="0">
+          Provider
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="true">
+        <label class="md-nav__title" for="__nav_4">
+          <span class="md-nav__icon md-icon"></span>
+          Provider
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../aws-secrets-manager/" class="md-nav__link">
+        AWS Secrets Manager
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../aws-parameter-store/" class="md-nav__link">
+        AWS Parameter Store
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../azure-key-vault/" class="md-nav__link">
+        Azure Key Vault
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../google-secrets-manager/" class="md-nav__link">
+        Google Cloud Secret Manager
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../hashicorp-vault/" class="md-nav__link">
+        HashiCorp Vault
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../kubernetes/" class="md-nav__link">
+        Kubernetes
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../ibm-secrets-manager/" class="md-nav__link">
+        IBM Secrets Manager
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../akeyless/" class="md-nav__link">
+        Akeyless
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../yandex-certificate-manager/" class="md-nav__link">
+        Yandex Certificate Manager
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../yandex-lockbox/" class="md-nav__link">
+        Yandex Lockbox
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../alibaba/" class="md-nav__link">
+        Alibaba Cloud
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../gitlab-variables/" class="md-nav__link">
+        GitLab Variables
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../oracle-vault/" class="md-nav__link">
+        Oracle Vault
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../1password-automation/" class="md-nav__link">
+        1Password Secrets Automation
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../webhook/" class="md-nav__link">
+        Webhook
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../fake/" class="md-nav__link">
+        Fake
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../senhasegura-dsm/" class="md-nav__link">
+        senhasegura DevOps Secrets Management (DSM)
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../doppler/" class="md-nav__link">
+        Doppler
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../keeper-security/" class="md-nav__link">
+        Keeper Security
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+    
+  
+  
+    <li class="md-nav__item md-nav__item--active">
+      
+      <input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
+      
+      
+      
+        <label class="md-nav__link md-nav__link--active" for="__toc">
+          Cloak End 2 End Encrypted Secrets
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <a href="./" class="md-nav__link md-nav__link--active">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+      
+        
+
+<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
+  
+  
+  
+  
+    <label class="md-nav__title" for="__toc">
+      <span class="md-nav__icon md-icon"></span>
+      Table of contents
+    </label>
+    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
+      
+        <li class="md-nav__item">
+  <a href="#cloak" class="md-nav__link">
+    Cloak
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#key-setup" class="md-nav__link">
+    Key Setup
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#deploy-the-decryption-proxy" class="md-nav__link">
+    Deploy the decryption proxy
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#create-a-secret-store" class="md-nav__link">
+    Create a secret store
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#connect-a-secret-to-the-provider" class="md-nav__link">
+    Connect a secret to the provider
+  </a>
+  
+</li>
+      
+    </ul>
+  
+</nav>
+      
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../scaleway/" class="md-nav__link">
+        Scaleway
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+    
+      
+      
+      
+
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_5" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
+          Examples
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_5">
+          <span class="md-nav__icon md-icon"></span>
+          Examples
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../examples/gitops-using-fluxcd/" class="md-nav__link">
+        FluxCD
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../examples/anchore-engine-credentials/" class="md-nav__link">
+        Anchore Engine
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../examples/jenkins-kubernetes-credentials/" class="md-nav__link">
+        Jenkins
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../examples/bitwarden/" class="md-nav__link">
+        BitWarden
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+    
+      
+      
+      
+
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6" >
+      
+      
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0">
+          Community
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_6">
+          <span class="md-nav__icon md-icon"></span>
+          Community
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6_1" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_6_1" id="__nav_6_1_label" tabindex="0">
+          Contributing
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_6_1_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_6_1">
+          <span class="md-nav__icon md-icon"></span>
+          Contributing
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../contributing/devguide/" class="md-nav__link">
+        Developer guide
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../contributing/process/" class="md-nav__link">
+        Contributing Process
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../contributing/release/" class="md-nav__link">
+        Release Process
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../contributing/coc/" class="md-nav__link">
+        Code of Conduct
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../contributing/roadmap/" class="md-nav__link">
+        Roadmap
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6_2" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_6_2" id="__nav_6_2_label" tabindex="0">
+          External Resources
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_6_2_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_6_2">
+          <span class="md-nav__icon md-icon"></span>
+          External Resources
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../eso-talks/" class="md-nav__link">
+        Talks
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../eso-demos/" class="md-nav__link">
+        Demos
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../eso-blogs/" class="md-nav__link">
+        Blogs
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+    
+  </ul>
+</nav>
+                  </div>
+                </div>
+              </div>
+            
+            
+              
+              <div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
+                <div class="md-sidebar__scrollwrap">
+                  <div class="md-sidebar__inner">
+                    
+
+<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
+  
+  
+  
+  
+    <label class="md-nav__title" for="__toc">
+      <span class="md-nav__icon md-icon"></span>
+      Table of contents
+    </label>
+    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
+      
+        <li class="md-nav__item">
+  <a href="#cloak" class="md-nav__link">
+    Cloak
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#key-setup" class="md-nav__link">
+    Key Setup
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#deploy-the-decryption-proxy" class="md-nav__link">
+    Deploy the decryption proxy
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#create-a-secret-store" class="md-nav__link">
+    Create a secret store
+  </a>
+  
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#connect-a-secret-to-the-provider" class="md-nav__link">
+    Connect a secret to the provider
+  </a>
+  
+</li>
+      
+    </ul>
+  
+</nav>
+                  </div>
+                </div>
+              </div>
+            
+          
+          
+            <div class="md-content" data-md-component="content">
+              <article class="md-content__inner md-typeset">
+                
+                  
+
+  
+  
+
+
+  <h1>Cloak End 2 End Encrypted Secrets</h1>
+
+<p><img alt="Cloak End 2 End Encrypted Secrets" src="../../pictures/cloak-provider-header.png" /></p>
+<h2 id="cloak">Cloak</h2>
+<p>Sync secrets from the <a href="https://cloak.software">Cloak Encrypted Secrets Platform</a> to Kubernetes using the External Secrets Operator.</p>
+<p>Cloak uses the webhook provider built into the External Secrets Operator but also required a proxy service to handle decrypting secrets when they arrive into your cluster.</p>
+<h2 id="key-setup">Key Setup</h2>
+<p>From the Cloak user interface <a href="https://cloak.software/docs/getting-started/03-cli/">create a service account</a> and store the private key on your file system.</p>
+<p>Now create a kubernetes secret in the same namespace as the External Secrets Operator.</p>
+<div class="highlight"><pre><span></span><code><span class="nv">HISTIGNORE</span><span class="o">=</span><span class="s1">&#39;*kubectl*&#39;</span><span class="w"> </span>kubectl<span class="w"> </span>--namespace<span class="o">=</span>external-secrets<span class="w"> </span><span class="se">\</span>
+<span class="w">    </span>create<span class="w"> </span>secret<span class="w"> </span>generic<span class="w"> </span>cloak-key<span class="w"> </span><span class="se">\</span>
+<span class="w">    </span>--from-file<span class="o">=</span><span class="nv">ecdh_private_key</span><span class="o">=</span><span class="nv">$LOCATION_OF_YOUR_PEM_FILE</span>
+</code></pre></div>
+<h2 id="deploy-the-decryption-proxy">Deploy the decryption proxy</h2>
+<div class="highlight"><pre><span></span><code><span class="c1"># The cloak external secrets proxy</span>
+<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">apps/v1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Deployment</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">cloak-external-secrets</span>
+<span class="w">  </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">selector</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">matchLabels</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">cloak-external-secrets</span>
+<span class="w">  </span><span class="nt">replicas</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1</span>
+<span class="w">  </span><span class="nt">template</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">metadata</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">labels</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">cloak-external-secrets</span>
+<span class="w">    </span><span class="nt">spec</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">containers</span><span class="p">:</span>
+<span class="w">      </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">cloak-external-secrets</span>
+<span class="w">        </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">purtontech/cloak-external-secrets:latest</span>
+<span class="w">        </span><span class="nt">imagePullPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">IfNotPresent</span>
+<span class="w">        </span><span class="nt">env</span><span class="p">:</span><span class="w"> </span>
+<span class="w">          </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ECDH_PRIVATE_KEY</span><span class="w"> </span>
+<span class="w">            </span><span class="nt">valueFrom</span><span class="p">:</span><span class="w"> </span>
+<span class="w">              </span><span class="nt">secretKeyRef</span><span class="p">:</span><span class="w"> </span>
+<span class="w">                </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">cloak-key</span><span class="w"> </span>
+<span class="w">                </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ecdh_private_key</span><span class="w"> </span>
+<span class="w">        </span><span class="nt">ports</span><span class="p">:</span>
+<span class="w">        </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">containerPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">7105</span>
+</code></pre></div>
+<p>And a Kubernetes Service so External Secrets Operator can access the proxy.</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Service</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">cloak-external-secrets-service</span>
+<span class="w">  </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">selector</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">cloak-external-secrets</span>
+<span class="w">  </span><span class="nt">ports</span><span class="p">:</span>
+<span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">TCP</span>
+<span class="w">      </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">7105</span>
+<span class="w">      </span><span class="nt">targetPort</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">7105</span>
+</code></pre></div>
+<h2 id="create-a-secret-store">Create a secret store</h2>
+<p>You can now place the configuration in any Kubernetes Namespace.</p>
+<div class="highlight"><pre><span></span><code><span class="c1"># An External secrets webhookl</span>
+<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">cloak-backend</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">webhook</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">url</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;http://cloak-external-secrets-service:7105/{{</span><span class="nv"> </span><span class="s">.remoteRef.key</span><span class="nv"> </span><span class="s">}}&quot;</span>
+<span class="w">      </span><span class="nt">result</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">jsonPath</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;$.value&quot;</span>
+<span class="w">      </span><span class="nt">headers</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">Content-Type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">application/json</span>
+</code></pre></div>
+<h2 id="connect-a-secret-to-the-provider">Connect a secret to the provider</h2>
+<p>Each <code>secretKey</code> reference in the yaml should point to the name of the secret as it is stored in Cloak.</p>
+<div class="highlight"><pre><span></span><code><span class="c1"># Access a secret</span>
+<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">cloak-example</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;15m&quot;</span>
+<span class="w">  </span><span class="nt">secretStoreRef</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">cloak-backend</span>
+<span class="w">    </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="w">  </span><span class="nt">target</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example-sync</span>
+<span class="w">  </span><span class="nt">data</span><span class="p">:</span>
+<span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">access-token</span>
+<span class="w">    </span><span class="nt">remoteRef</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PULUMI_ACCESS_TOKEN</span>
+<span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">do-access-token</span>
+<span class="w">    </span><span class="nt">remoteRef</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">DIGITALOCEAN_ACCESS_TOKEN</span>
+</code></pre></div>
+
+
+  
+
+
+
+
+                
+              </article>
+            </div>
+          
+          
+        </div>
+        
+      </main>
+      
+        <footer class="md-footer">
+  
+  <div class="md-footer-meta md-typeset">
+    <div class="md-footer-meta__inner md-grid">
+      <div class="md-copyright">
+  
+    <div class="md-copyright__highlight">
+      &copy; 2023 The external-secrets Authors.<br/>
+&copy; 2023 The Linux Foundation. All rights reserved.<br/><br/>
+The Linux Foundation has registered trademarks and uses trademarks.<br/>
+For a list of trademarks of The Linux Foundation, please see our <a href="https://www.linuxfoundation.org/trademark-usage/">Trademark Usage page</a>.
+
+    </div>
+  
+  
+    Made with
+    <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
+      Material for MkDocs
+    </a>
+  
+</div>
+      
+    </div>
+  </div>
+</footer>
+      
+    </div>
+    <div class="md-dialog" data-md-component="dialog">
+      <div class="md-dialog__inner md-typeset"></div>
+    </div>
+    
+    <script id="__config" type="application/json">{"base": "../..", "features": ["navigation.tabs", "navigation.indexes", "navigation.expand"], "search": "../../assets/javascripts/workers/search.208ed371.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}, "version": {"provider": "mike"}}</script>
+    
+    
+      <script src="../../assets/javascripts/bundle.fac441b0.min.js"></script>
+      
+    
+  </body>
+</html>

+ 2617 - 0
main/provider/conjur/index.html

@@ -0,0 +1,2617 @@
+
+<!doctype html>
+<html lang="en" class="no-js">
+  <head>
+    
+      <meta charset="utf-8">
+      <meta name="viewport" content="width=device-width,initial-scale=1">
+      
+      
+      
+      
+        <link rel="prev" href="../azure-key-vault/">
+      
+      
+        <link rel="next" href="../google-secrets-manager/">
+      
+      <link rel="icon" href="../../assets/images/favicon.png">
+      <meta name="generator" content="mkdocs-1.4.3, mkdocs-material-9.1.9">
+    
+    
+      
+        <title>CyberArk Conjur - External Secrets Operator</title>
+      
+    
+    
+      <link rel="stylesheet" href="../../assets/stylesheets/main.85bb2934.min.css">
+      
+      
+
+    
+    
+    
+      
+        
+        
+        <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+        <link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
+        <style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
+      
+    
+    
+    <script>__md_scope=new URL("../..",location),__md_hash=e=>[...e].reduce((e,_)=>(e<<5)-e+_.charCodeAt(0),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
+    
+      
+  
+
+
+  
+  
+
+
+  <script id="__analytics">function __md_analytics(){function n(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],n("js",new Date),n("config","G-QP38TD8K7V"),document.addEventListener("DOMContentLoaded",function(){document.forms.search&&document.forms.search.query.addEventListener("blur",function(){this.value&&n("event","search",{search_term:this.value})}),document$.subscribe(function(){var a=document.forms.feedback;if(void 0!==a)for(var e of a.querySelectorAll("[type=submit]"))e.addEventListener("click",function(e){e.preventDefault();var t=document.location.pathname,e=this.getAttribute("data-md-value");n("event","feedback",{page:t,data:e}),a.firstElementChild.disabled=!0;e=a.querySelector(".md-feedback__note [data-md-value='"+e+"']");e&&(e.hidden=!1)}),a.hidden=!1}),location$.subscribe(function(e){n("config","G-QP38TD8K7V",{page_path:e.pathname})})});var e=document.createElement("script");e.async=!0,e.src="https://www.googletagmanager.com/gtag/js?id=G-QP38TD8K7V",document.getElementById("__analytics").insertAdjacentElement("afterEnd",e)}</script>
+
+  
+    <script>"undefined"!=typeof __md_analytics&&__md_analytics()</script>
+  
+
+    
+    
+    
+  </head>
+  
+  
+    <body dir="ltr">
+  
+    
+    
+      <script>var palette=__md_get("__palette");if(palette&&"object"==typeof palette.color)for(var key of Object.keys(palette.color))document.body.setAttribute("data-md-color-"+key,palette.color[key])</script>
+    
+    <input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
+    <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
+    <label class="md-overlay" for="__drawer"></label>
+    <div data-md-component="skip">
+      
+        
+        <a href="#conjur-provider" class="md-skip">
+          Skip to content
+        </a>
+      
+    </div>
+    <div data-md-component="announce">
+      
+    </div>
+    
+      <div data-md-color-scheme="default" data-md-component="outdated" hidden>
+        
+          <aside class="md-banner md-banner--warning">
+            <div class="md-banner__inner md-grid md-typeset">
+              
+  You're not viewing the latest version.
+  <a href="../../..">
+    <strong>Click here to go to latest.</strong>
+  </a>
+
+            </div>
+            <script>var el=document.querySelector("[data-md-component=outdated]"),outdated=__md_get("__outdated",sessionStorage);!0===outdated&&el&&(el.hidden=!1)</script>
+          </aside>
+        
+      </div>
+    
+    
+      
+
+<header class="md-header" data-md-component="header">
+  <nav class="md-header__inner md-grid" aria-label="Header">
+    <a href="../.." title="External Secrets Operator" class="md-header__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
+      
+  
+  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg>
+
+    </a>
+    <label class="md-header__button md-icon" for="__drawer">
+      <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg>
+    </label>
+    <div class="md-header__title" data-md-component="header-title">
+      <div class="md-header__ellipsis">
+        <div class="md-header__topic">
+          <span class="md-ellipsis">
+            External Secrets Operator
+          </span>
+        </div>
+        <div class="md-header__topic" data-md-component="header-topic">
+          <span class="md-ellipsis">
+            
+              CyberArk Conjur
+            
+          </span>
+        </div>
+      </div>
+    </div>
+    
+    
+    
+      <label class="md-header__button md-icon" for="__search">
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
+      </label>
+      <div class="md-search" data-md-component="search" role="dialog">
+  <label class="md-search__overlay" for="__search"></label>
+  <div class="md-search__inner" role="search">
+    <form class="md-search__form" name="search">
+      <input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
+      <label class="md-search__icon md-icon" for="__search">
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg>
+      </label>
+      <nav class="md-search__options" aria-label="Search">
+        
+        <button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
+          <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg>
+        </button>
+      </nav>
+      
+    </form>
+    <div class="md-search__output">
+      <div class="md-search__scrollwrap" data-md-scrollfix>
+        <div class="md-search-result" data-md-component="search-result">
+          <div class="md-search-result__meta">
+            Initializing search
+          </div>
+          <ol class="md-search-result__list" role="presentation"></ol>
+        </div>
+      </div>
+    </div>
+  </div>
+</div>
+    
+    
+      <div class="md-header__source">
+        <a href="https://github.com/external-secrets/external-secrets" title="Go to repository" class="md-source" data-md-component="source">
+  <div class="md-source__icon md-icon">
+    
+    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.4.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
+  </div>
+  <div class="md-source__repository">
+    External Secrets Operator
+  </div>
+</a>
+      </div>
+    
+  </nav>
+  
+</header>
+    
+    <div class="md-container" data-md-component="container">
+      
+      
+        
+          
+            
+<nav class="md-tabs" aria-label="Tabs" data-md-component="tabs">
+  <div class="md-grid">
+    <ul class="md-tabs__list">
+      
+        
+  
+  
+
+
+  
+  
+  
+    <li class="md-tabs__item">
+      <a href="../.." class="md-tabs__link">
+        Introduction
+      </a>
+    </li>
+  
+
+      
+        
+  
+  
+
+
+  
+  
+  
+    <li class="md-tabs__item">
+      <a href="../../api/components/" class="md-tabs__link">
+        API
+      </a>
+    </li>
+  
+
+      
+        
+  
+  
+
+
+  
+  
+  
+    <li class="md-tabs__item">
+      <a href="../../guides/introduction/" class="md-tabs__link">
+        Guides
+      </a>
+    </li>
+  
+
+      
+        
+  
+  
+    
+  
+
+
+  
+  
+  
+    <li class="md-tabs__item">
+      <a href="../aws-secrets-manager/" class="md-tabs__link md-tabs__link--active">
+        Provider
+      </a>
+    </li>
+  
+
+      
+        
+  
+  
+
+
+  
+  
+  
+    <li class="md-tabs__item">
+      <a href="../../examples/gitops-using-fluxcd/" class="md-tabs__link">
+        Examples
+      </a>
+    </li>
+  
+
+      
+        
+  
+  
+
+
+  
+  
+  
+    
+
+  
+  
+  
+    <li class="md-tabs__item">
+      <a href="../../contributing/devguide/" class="md-tabs__link">
+        Community
+      </a>
+    </li>
+  
+
+  
+
+      
+    </ul>
+  </div>
+</nav>
+          
+        
+      
+      <main class="md-main" data-md-component="main">
+        <div class="md-main__inner md-grid">
+          
+            
+              
+              <div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
+                <div class="md-sidebar__scrollwrap">
+                  <div class="md-sidebar__inner">
+                    
+
+  
+
+
+<nav class="md-nav md-nav--primary md-nav--lifted" aria-label="Navigation" data-md-level="0">
+  <label class="md-nav__title" for="__drawer">
+    <a href="../.." title="External Secrets Operator" class="md-nav__button md-logo" aria-label="External Secrets Operator" data-md-component="logo">
+      
+  
+  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54Z"/></svg>
+
+    </a>
+    External Secrets Operator
+  </label>
+  
+    <div class="md-nav__source">
+      <a href="https://github.com/external-secrets/external-secrets" title="Go to repository" class="md-source" data-md-component="source">
+  <div class="md-source__icon md-icon">
+    
+    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.4.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2023 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
+  </div>
+  <div class="md-source__repository">
+    External Secrets Operator
+  </div>
+</a>
+    </div>
+  
+  <ul class="md-nav__list" data-md-scrollfix>
+    
+      
+      
+      
+
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_1" >
+      
+      
+        
+          
+            
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        
+        
+        <div class="md-nav__link md-nav__link--index ">
+          <a href="../..">Introduction</a>
+          
+            <label for="__nav_1">
+              <span class="md-nav__icon md-icon"></span>
+            </label>
+          
+        </div>
+      
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_1_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_1">
+          <span class="md-nav__icon md-icon"></span>
+          Introduction
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../introduction/overview/" class="md-nav__link">
+        Overview
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../introduction/getting-started/" class="md-nav__link">
+        Getting started
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../introduction/faq/" class="md-nav__link">
+        FAQ
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../introduction/stability-support/" class="md-nav__link">
+        Stability and Support
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../introduction/deprecation-policy/" class="md-nav__link">
+        Deprecation Policy
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+    
+      
+      
+      
+
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_2" id="__nav_2_label" tabindex="0">
+          API
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_2">
+          <span class="md-nav__icon md-icon"></span>
+          API
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/components/" class="md-nav__link">
+        Components
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_2" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_2_2" id="__nav_2_2_label" tabindex="0">
+          Core Resources
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_2_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_2_2">
+          <span class="md-nav__icon md-icon"></span>
+          Core Resources
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/externalsecret/" class="md-nav__link">
+        ExternalSecret
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/secretstore/" class="md-nav__link">
+        SecretStore
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/clustersecretstore/" class="md-nav__link">
+        ClusterSecretStore
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/clusterexternalsecret/" class="md-nav__link">
+        ClusterExternalSecret
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/pushsecret/" class="md-nav__link">
+        PushSecret
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_3" >
+      
+      
+        
+          
+            
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        
+        
+        <div class="md-nav__link md-nav__link--index ">
+          <a href="../../api/generator/">Generators</a>
+          
+            <label for="__nav_2_3">
+              <span class="md-nav__icon md-icon"></span>
+            </label>
+          
+        </div>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_3_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_2_3">
+          <span class="md-nav__icon md-icon"></span>
+          Generators
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/generator/acr/" class="md-nav__link">
+        Azure Container Registry
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/generator/ecr/" class="md-nav__link">
+        AWS Elastic Container Registry
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/generator/gcr/" class="md-nav__link">
+        Google Container Registry
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/generator/vault/" class="md-nav__link">
+        Vault Dynamic Secret
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/generator/password/" class="md-nav__link">
+        Password
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/generator/fake/" class="md-nav__link">
+        Fake
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_2_4" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_2_4" id="__nav_2_4_label" tabindex="0">
+          Reference Docs
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_4_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_2_4">
+          <span class="md-nav__icon md-icon"></span>
+          Reference Docs
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/spec/" class="md-nav__link">
+        API specification
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/controller-options/" class="md-nav__link">
+        Controller Options
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../api/metrics/" class="md-nav__link">
+        Metrics
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+    
+      
+      
+      
+
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_3" id="__nav_3_label" tabindex="0">
+          Guides
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_3">
+          <span class="md-nav__icon md-icon"></span>
+          Guides
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/introduction/" class="md-nav__link">
+        Introduction
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_2" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_3_2" id="__nav_3_2_label" tabindex="0">
+          External Secrets
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_2_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_3_2">
+          <span class="md-nav__icon md-icon"></span>
+          External Secrets
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/all-keys-one-secret/" class="md-nav__link">
+        Extract structured data
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/getallsecrets/" class="md-nav__link">
+        Find Secrets by Name or Metadata
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/datafrom-rewrite/" class="md-nav__link">
+        Rewriting Keys
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_2_4" >
+      
+      
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_3_2_4" id="__nav_3_2_4_label" tabindex="0">
+          Advanced Templating
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="3" aria-labelledby="__nav_3_2_4_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_3_2_4">
+          <span class="md-nav__icon md-icon"></span>
+          Advanced Templating
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/templating/" class="md-nav__link">
+        v2
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/templating-v1/" class="md-nav__link">
+        v1
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/common-k8s-secret-types/" class="md-nav__link">
+        Kubernetes Secret Types
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/ownership-deletion-policy/" class="md-nav__link">
+        Lifecycle: ownership & deletion
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/decoding-strategy/" class="md-nav__link">
+        Decoding Strategies
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/controller-class/" class="md-nav__link">
+        Controller Classes
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/generator/" class="md-nav__link">
+        Generators
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_3_4" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
+          Operations
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_3_4_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_3_4">
+          <span class="md-nav__icon md-icon"></span>
+          Operations
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/multi-tenancy/" class="md-nav__link">
+        Multi Tenancy
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/security-best-practices/" class="md-nav__link">
+        Security Best Practices
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/v1beta1/" class="md-nav__link">
+        Upgrading to v1beta1
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/using-latest-image/" class="md-nav__link">
+        Using Latest Image
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../guides/disable-cluster-features/" class="md-nav__link">
+        Disable Cluster Features
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+    
+      
+      
+      
+
+  
+  
+    
+  
+  
+    
+    <li class="md-nav__item md-nav__item--active md-nav__item--nested">
+      
+      
+      
+      
+      <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" checked>
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="0">
+          Provider
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="true">
+        <label class="md-nav__title" for="__nav_4">
+          <span class="md-nav__icon md-icon"></span>
+          Provider
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../aws-secrets-manager/" class="md-nav__link">
+        AWS Secrets Manager
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../aws-parameter-store/" class="md-nav__link">
+        AWS Parameter Store
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../azure-key-vault/" class="md-nav__link">
+        Azure Key Vault
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+    
+  
+  
+    <li class="md-nav__item md-nav__item--active">
+      
+      <input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
+      
+      
+      
+        <label class="md-nav__link md-nav__link--active" for="__toc">
+          CyberArk Conjur
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <a href="./" class="md-nav__link md-nav__link--active">
+        CyberArk Conjur
+      </a>
+      
+        
+
+<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
+  
+  
+  
+  
+    <label class="md-nav__title" for="__toc">
+      <span class="md-nav__icon md-icon"></span>
+      Table of contents
+    </label>
+    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
+      
+        <li class="md-nav__item">
+  <a href="#conjur-provider" class="md-nav__link">
+    Conjur Provider
+  </a>
+  
+    <nav class="md-nav" aria-label="Conjur Provider">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#pre-requirements" class="md-nav__link">
+    Pre-requirements
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#certificate-for-conjur-server" class="md-nav__link">
+    Certificate for Conjur server
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#external-secret-store-definition-with-apikey-authentication" class="md-nav__link">
+    External Secret Store Definition with ApiKey Authentication
+  </a>
+  
+    <nav class="md-nav" aria-label="External Secret Store Definition with ApiKey Authentication">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#create-external-secret-store-definition" class="md-nav__link">
+    Create External Secret Store Definition
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#create-kubernetes-secrets" class="md-nav__link">
+    Create Kubernetes Secrets
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#external-secret-store-with-jwt-authentication" class="md-nav__link">
+    External Secret Store with JWT Authentication
+  </a>
+  
+    <nav class="md-nav" aria-label="External Secret Store with JWT Authentication">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#create-external-secret-store-definition_1" class="md-nav__link">
+    Create External Secret Store Definition
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#create-external-secret-definition" class="md-nav__link">
+    Create External Secret Definition
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#create-the-external-secrets-store" class="md-nav__link">
+    Create the External Secrets Store
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#create-the-external-secret" class="md-nav__link">
+    Create the External Secret
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#getting-the-k8s-secret" class="md-nav__link">
+    Getting the K8S Secret
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#support" class="md-nav__link">
+    Support
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+      
+    </ul>
+  
+</nav>
+      
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../google-secrets-manager/" class="md-nav__link">
+        Google Cloud Secret Manager
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../hashicorp-vault/" class="md-nav__link">
+        HashiCorp Vault
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../kubernetes/" class="md-nav__link">
+        Kubernetes
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../ibm-secrets-manager/" class="md-nav__link">
+        IBM Secrets Manager
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../akeyless/" class="md-nav__link">
+        Akeyless
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../yandex-certificate-manager/" class="md-nav__link">
+        Yandex Certificate Manager
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../yandex-lockbox/" class="md-nav__link">
+        Yandex Lockbox
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../alibaba/" class="md-nav__link">
+        Alibaba Cloud
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../gitlab-variables/" class="md-nav__link">
+        GitLab Variables
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../oracle-vault/" class="md-nav__link">
+        Oracle Vault
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../1password-automation/" class="md-nav__link">
+        1Password Secrets Automation
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../webhook/" class="md-nav__link">
+        Webhook
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../fake/" class="md-nav__link">
+        Fake
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../senhasegura-dsm/" class="md-nav__link">
+        senhasegura DevOps Secrets Management (DSM)
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../doppler/" class="md-nav__link">
+        Doppler
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../keeper-security/" class="md-nav__link">
+        Keeper Security
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../scaleway/" class="md-nav__link">
+        Scaleway
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+    
+      
+      
+      
+
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_5" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
+          Examples
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_5">
+          <span class="md-nav__icon md-icon"></span>
+          Examples
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../examples/gitops-using-fluxcd/" class="md-nav__link">
+        FluxCD
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../examples/anchore-engine-credentials/" class="md-nav__link">
+        Anchore Engine
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../examples/jenkins-kubernetes-credentials/" class="md-nav__link">
+        Jenkins
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../examples/bitwarden/" class="md-nav__link">
+        BitWarden
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+    
+      
+      
+      
+
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6" >
+      
+      
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0">
+          Community
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_6">
+          <span class="md-nav__icon md-icon"></span>
+          Community
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6_1" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_6_1" id="__nav_6_1_label" tabindex="0">
+          Contributing
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_6_1_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_6_1">
+          <span class="md-nav__icon md-icon"></span>
+          Contributing
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../contributing/devguide/" class="md-nav__link">
+        Developer guide
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../contributing/process/" class="md-nav__link">
+        Contributing Process
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../contributing/release/" class="md-nav__link">
+        Release Process
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../contributing/coc/" class="md-nav__link">
+        Code of Conduct
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../contributing/roadmap/" class="md-nav__link">
+        Roadmap
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    
+    <li class="md-nav__item md-nav__item--nested">
+      
+      
+      
+      
+        
+      
+      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_6_2" >
+      
+      
+        
+          
+        
+          
+        
+          
+        
+      
+      
+        <label class="md-nav__link" for="__nav_6_2" id="__nav_6_2_label" tabindex="0">
+          External Resources
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <nav class="md-nav" data-md-level="2" aria-labelledby="__nav_6_2_label" aria-expanded="false">
+        <label class="md-nav__title" for="__nav_6_2">
+          <span class="md-nav__icon md-icon"></span>
+          External Resources
+        </label>
+        <ul class="md-nav__list" data-md-scrollfix>
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../eso-talks/" class="md-nav__link">
+        Talks
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../eso-demos/" class="md-nav__link">
+        Demos
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../../eso-blogs/" class="md-nav__link">
+        Blogs
+      </a>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+            
+          
+        </ul>
+      </nav>
+    </li>
+  
+
+    
+  </ul>
+</nav>
+                  </div>
+                </div>
+              </div>
+            
+            
+              
+              <div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
+                <div class="md-sidebar__scrollwrap">
+                  <div class="md-sidebar__inner">
+                    
+
+<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
+  
+  
+  
+  
+    <label class="md-nav__title" for="__toc">
+      <span class="md-nav__icon md-icon"></span>
+      Table of contents
+    </label>
+    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
+      
+        <li class="md-nav__item">
+  <a href="#conjur-provider" class="md-nav__link">
+    Conjur Provider
+  </a>
+  
+    <nav class="md-nav" aria-label="Conjur Provider">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#pre-requirements" class="md-nav__link">
+    Pre-requirements
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#certificate-for-conjur-server" class="md-nav__link">
+    Certificate for Conjur server
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#external-secret-store-definition-with-apikey-authentication" class="md-nav__link">
+    External Secret Store Definition with ApiKey Authentication
+  </a>
+  
+    <nav class="md-nav" aria-label="External Secret Store Definition with ApiKey Authentication">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#create-external-secret-store-definition" class="md-nav__link">
+    Create External Secret Store Definition
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#create-kubernetes-secrets" class="md-nav__link">
+    Create Kubernetes Secrets
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#external-secret-store-with-jwt-authentication" class="md-nav__link">
+    External Secret Store with JWT Authentication
+  </a>
+  
+    <nav class="md-nav" aria-label="External Secret Store with JWT Authentication">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#create-external-secret-store-definition_1" class="md-nav__link">
+    Create External Secret Store Definition
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#create-external-secret-definition" class="md-nav__link">
+    Create External Secret Definition
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#create-the-external-secrets-store" class="md-nav__link">
+    Create the External Secrets Store
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#create-the-external-secret" class="md-nav__link">
+    Create the External Secret
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#getting-the-k8s-secret" class="md-nav__link">
+    Getting the K8S Secret
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#support" class="md-nav__link">
+    Support
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+      
+    </ul>
+  
+</nav>
+                  </div>
+                </div>
+              </div>
+            
+          
+          
+            <div class="md-content" data-md-component="content">
+              <article class="md-content__inner md-typeset">
+                
+                  
+
+  
+  
+
+
+  <h1>CyberArk Conjur</h1>
+
+<h2 id="conjur-provider">Conjur Provider</h2>
+<p>The following sections outline what is needed to get your external-secrets Conjur provider setup.</p>
+<h3 id="pre-requirements">Pre-requirements</h3>
+<p>This section contains the list of the pre-requirements before installing the Conjur Provider.</p>
+<ul>
+<li>Running Conjur Server<ul>
+<li>These items will be needed in order to configure the secret-store<ul>
+<li>Conjur endpoint - include the scheme but no trailing '/', ex: https://myapi.example.com</li>
+<li>Conjur authentication info (hostid, apikey, jwt service id, etc)</li>
+<li>Conjur must be configured to support your authentication method (<code>apikey</code> is supported by default, <code>jwt</code> requires additional configuration)</li>
+<li>Certificate for Conjur server is OPTIONAL -- But, <strong>when using a self-signed cert when setting up your Conjur server, it is strongly recommended to populate "caBundle" with self-signed cert in the secret-store definition</strong></li>
+</ul>
+</li>
+</ul>
+</li>
+<li>Kubernetes cluster<ul>
+<li>External Secrets Operator is installed</li>
+</ul>
+</li>
+</ul>
+<h3 id="certificate-for-conjur-server">Certificate for Conjur server</h3>
+<p>When using a self-signed cert when setting up your Conjur server, it is strongly recommended to populate "caBundle" with self-signed cert in the secret-store definition. The certificate CA must be referenced on the secret-store definition using either a <code>caBundle</code> or <code>caProvider</code> as below:</p>
+<div class="highlight"><pre><span></span><code><span class="l l-Scalar l-Scalar-Plain">....</span>
+<span class="l l-Scalar l-Scalar-Plain">spec</span><span class="p p-Indicator">:</span>
+<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">conjur</span><span class="p">:</span>
+<span class="w">      </span><span class="c1"># Service URL</span>
+<span class="w">      </span><span class="nt">url</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https://myapi.conjur.org</span>
+
+<span class="w">      </span><span class="c1"># [OPTIONAL] base64 encoded string of certificate</span>
+<span class="w">      </span><span class="nt">caBundle</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;&lt;base64</span><span class="nv"> </span><span class="s">encoded</span><span class="nv"> </span><span class="s">cabundle&gt;&quot;</span>
+
+<span class="w">      </span><span class="c1"># [OPTIONAL] caProvider:</span>
+<span class="w">      </span><span class="c1"># Instead of caBundle you can also specify a caProvider</span>
+<span class="w">      </span><span class="c1"># this will retrieve the cert from a Secret or ConfigMap</span>
+<span class="w">      </span><span class="nt">caProvider</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;Secret&quot;</span><span class="w"> </span><span class="c1"># Can be Secret or ConfigMap</span>
+<span class="w">        </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;&lt;name</span><span class="nv"> </span><span class="s">of</span><span class="nv"> </span><span class="s">secret</span><span class="nv"> </span><span class="s">or</span><span class="nv"> </span><span class="s">configmap&gt;&quot;</span>
+<span class="w">        </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;&lt;key</span><span class="nv"> </span><span class="s">inside</span><span class="nv"> </span><span class="s">secret</span><span class="nv"> </span><span class="s">or</span><span class="nv"> </span><span class="s">configmap&gt;&quot;</span>
+<span class="w">        </span><span class="c1"># namespace is mandatory for ClusterSecretStore and not relevant for SecretStore</span>
+<span class="w">        </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;my-cert-secret-namespace&quot;</span>
+<span class="w">  </span><span class="l l-Scalar l-Scalar-Plain">....</span>
+</code></pre></div>
+<h3 id="external-secret-store-definition-with-apikey-authentication">External Secret Store Definition with ApiKey Authentication</h3>
+<p>This method uses a combination of the Conjur <code>hostid</code> and <code>apikey</code> to authenticate to Conjur. This method is the simplest to setup and use as your Conjur instance requires no special setup.</p>
+<h4 id="create-external-secret-store-definition">Create External Secret Store Definition</h4>
+<p>Recommend to save as filename: <code>conjur-secret-store.yaml</code></p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">conjur</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">conjur</span><span class="p">:</span>
+<span class="w">      </span><span class="c1"># Service URL</span>
+<span class="w">      </span><span class="nt">url</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https://myapi.conjur.org</span>
+<span class="w">      </span><span class="c1"># [OPTIONAL] base64 encoded string of certificate</span>
+<span class="w">      </span><span class="nt">caBundle</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">OPTIONALxFIELDxxxBase64xCertxString==</span><span class="w">  </span>
+<span class="w">      </span><span class="nt">auth</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">apikey</span><span class="p">:</span>
+<span class="w">          </span><span class="c1"># conjur account</span>
+<span class="w">          </span><span class="nt">account</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">conjur</span>
+<span class="w">          </span><span class="nt">userRef</span><span class="p">:</span><span class="w"> </span><span class="c1"># Get this from K8S secret</span>
+<span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">conjur-creds</span>
+<span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">hostid</span>
+<span class="w">          </span><span class="nt">apiKeyRef</span><span class="p">:</span><span class="w"> </span><span class="c1"># Get this from K8S secret</span>
+<span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">conjur-creds</span>
+<span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">apikey</span>
+</code></pre></div>
+<h4 id="create-kubernetes-secrets">Create Kubernetes Secrets</h4>
+<p>In order for the ESO <strong>Conjur</strong> provider to connect to the Conjur server using the <code>apikey</code> creds, these creds should be stored as k8s secrets.  Please refer to <a href="https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret">https://kubernetes.io/docs/concepts/configuration/secret/#creating-a-secret</a> for various methods to create secrets.  Here is one way to do it using <code>kubectl</code></p>
+<p><strong><em>NOTE</em></strong>: "conjur-creds" is the "name" used in "userRef" and "apikeyRef" in the conjur-secret-store definition</p>
+<div class="highlight"><pre><span></span><code><span class="c1"># This is all one line</span>
+kubectl<span class="w"> </span>-n<span class="w"> </span>external-secrets<span class="w"> </span>create<span class="w"> </span>secret<span class="w"> </span>generic<span class="w"> </span>conjur-creds<span class="w"> </span>--from-literal<span class="o">=</span><span class="nv">hostid</span><span class="o">=</span>MYCONJURHOSTID<span class="w"> </span>--from-literal<span class="o">=</span><span class="nv">apikey</span><span class="o">=</span>MYAPIKEY
+
+<span class="c1"># Example:</span>
+<span class="c1"># kubectl -n external-secrets create secret generic conjur-creds --from-literal=hostid=host/data/app1/host001 --from-literal=apikey=321blahblah</span>
+</code></pre></div>
+<h3 id="external-secret-store-with-jwt-authentication">External Secret Store with JWT Authentication</h3>
+<p>This method uses JWT tokens to authenticate with Conjur. The following methods for retrieving the JWT token for authentication are supported:</p>
+<ul>
+<li>JWT token from a referenced Kubernetes Service Account</li>
+<li>JWT token stored in a Kubernetes secret</li>
+</ul>
+<h4 id="create-external-secret-store-definition_1">Create External Secret Store Definition</h4>
+<p>When using JWT authentication the following must be specified in the <code>SecretStore</code>:</p>
+<ul>
+<li><code>account</code> -  The name of the Conjur account</li>
+<li><code>serviceId</code> - The ID of the JWT Authenticator <code>WebService</code> configured in Conjur that will be used to authenticate the JWT token</li>
+</ul>
+<p>You can then choose to either retrieve the JWT token using a Service Account reference or from a Kubernetes Secret.</p>
+<p>To use a JWT token from a referenced Kubernetes Service Account, the following secret store definition can be used:</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">conjur</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">conjur</span><span class="p">:</span>
+<span class="w">      </span><span class="c1"># Service URL</span>
+<span class="w">      </span><span class="nt">url</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https://myapi.conjur.org</span>
+<span class="w">      </span><span class="c1"># [OPTIONAL] base64 encoded string of certificate</span>
+<span class="w">      </span><span class="nt">caBundle</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">OPTIONALxFIELDxxxBase64xCertxString==</span>
+<span class="w">      </span><span class="nt">auth</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">jwt</span><span class="p">:</span>
+<span class="w">          </span><span class="c1"># conjur account</span>
+<span class="w">          </span><span class="nt">account</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">conjur</span>
+<span class="w">          </span><span class="nt">serviceID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-jwt-auth-service</span><span class="w"> </span><span class="c1"># The authn-jwt service ID</span>
+<span class="w">          </span><span class="nt">serviceAccountRef</span><span class="p">:</span><span class="w"> </span><span class="c1"># Service account to retrieve JWT token for</span>
+<span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-service-account</span>
+<span class="w">            </span><span class="nt">audiences</span><span class="p">:</span><span class="w">  </span><span class="c1"># [OPTIONAL] audiences to include in JWT token</span>
+<span class="w">              </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https://conjur.company.com</span>
+</code></pre></div>
+<p>This is only supported in Kubernetes 1.22 and above as it uses the <a href="https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/">TokenRequest API</a> to get the JWT token from the referenced service account. Audiences can be set as required by the <a href="https://docs.conjur.org/Latest/en/Content/Integrations/k8s-ocp/k8s-jwt-authn.htm">Conjur JWT authenticator</a>.</p>
+<p>Alternatively, a secret containing a valid JWT token can be referenced as follows:</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">conjur</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">conjur</span><span class="p">:</span>
+<span class="w">      </span><span class="c1"># Service URL</span>
+<span class="w">      </span><span class="nt">url</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">https://myapi.conjur.org</span>
+<span class="w">      </span><span class="c1"># [OPTIONAL] base64 encoded string of certificate</span>
+<span class="w">      </span><span class="nt">caBundle</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">OPTIONALxFIELDxxxBase64xCertxString==</span>
+<span class="w">      </span><span class="nt">auth</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">jwt</span><span class="p">:</span>
+<span class="w">          </span><span class="c1"># conjur account</span>
+<span class="w">          </span><span class="nt">account</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">conjur</span>
+<span class="w">          </span><span class="nt">serviceID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-jwt-auth-service</span><span class="w"> </span><span class="c1"># The authn-jwt service ID</span>
+<span class="w">          </span><span class="nt">secretRef</span><span class="p">:</span><span class="w"> </span><span class="c1"># Secret containing a valid JWT token</span>
+<span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">my-jwt-secret</span>
+<span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">token</span>
+</code></pre></div>
+<p>This secret must contain a JWT token that identifies your Conjur host. The secret must contain a JWT token consumable by a configured Conjur JWT authenticator and must satisfy all <a href="https://docs.conjur.org/Latest/en/Content/Operations/Services/cjr-authn-jwt-guidelines.htm#Best">Conjur JWT guidelines</a>. This can be a JWT created by an external JWT issuer or the Kubernetes api server itself. Such a with Kubernetes Service Account token can be created using the below command:</p>
+<div class="highlight"><pre><span></span><code>kubectl<span class="w"> </span>create<span class="w"> </span>token<span class="w"> </span>my-service-account<span class="w"> </span>--audience<span class="o">=</span><span class="s1">&#39;https://conjur.company.com&#39;</span><span class="w"> </span>--duration<span class="o">=</span>3600s
+</code></pre></div>
+<p>Save the <code>SecretStore</code> definition as filename <code>conjur-secret-store.yaml</code> as referenced in later steps.</p>
+<h3 id="create-external-secret-definition">Create External Secret Definition</h3>
+<p>Important note: <strong>Creds must live in the same namespace as a SecretStore  - the secret store may only reference secrets from the same namespace.</strong>  When using a ClusterSecretStore this limitation is lifted and the creds can live in any namespace.</p>
+<p>Recommend to save as filename: <code>conjur-external-secret.yaml</code></p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">conjur</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">10s</span>
+<span class="w">  </span><span class="nt">secretStoreRef</span><span class="p">:</span>
+<span class="w">    </span><span class="c1"># This name must match the metadata.name in the `SecretStore`</span>
+<span class="w">    </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">conjur</span>
+<span class="w">    </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="w">  </span><span class="nt">data</span><span class="p">:</span>
+<span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret00</span>
+<span class="w">    </span><span class="nt">remoteRef</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">data/app1/secret00</span>
+</code></pre></div>
+<h3 id="create-the-external-secrets-store">Create the External Secrets Store</h3>
+<div class="highlight"><pre><span></span><code><span class="c1"># WARNING: this will create the store configuration in the &quot;external-secrets&quot; namespace, adjust this to your own situation</span>
+<span class="c1">#</span>
+kubectl<span class="w"> </span>apply<span class="w"> </span>-n<span class="w"> </span>external-secrets<span class="w"> </span>-f<span class="w"> </span>conjur-secret-store.yaml
+
+<span class="c1"># WARNING: running the delete command will delete the secret store configuration</span>
+<span class="c1">#</span>
+<span class="c1"># If there is a need to delete the external secretstore</span>
+<span class="c1"># kubectl delete secretstore -n external-secrets conjur</span>
+</code></pre></div>
+<h3 id="create-the-external-secret">Create the External Secret</h3>
+<div class="highlight"><pre><span></span><code><span class="c1"># WARNING: this will create the external-secret configuration in the &quot;external-secrets&quot; namespace, adjust this to your own situation</span>
+<span class="c1">#</span>
+kubectl<span class="w"> </span>apply<span class="w"> </span>-n<span class="w"> </span>external-secrets<span class="w"> </span>-f<span class="w"> </span>conjur-external-secret.yaml
+
+<span class="c1"># WARNING: running the delete command will delete the external-secrets configuration</span>
+<span class="c1">#</span>
+<span class="c1"># If there is a need to delete the external secret</span>
+<span class="c1"># kubectl delete externalsecret -n external-secrets conjur</span>
+</code></pre></div>
+<h3 id="getting-the-k8s-secret">Getting the K8S Secret</h3>
+<ul>
+<li>Login to your Conjur server and verify that your secret exists</li>
+<li>Review the value of your Kubernetes secret to see that it contains the same value from Conjur</li>
+</ul>
+<div class="highlight"><pre><span></span><code><span class="c1"># WARNING: this command will reveal the stored secret in plain text</span>
+<span class="c1">#</span>
+<span class="c1"># Assuming the secret name is &quot;secret00&quot;, this will show the value</span>
+kubectl<span class="w"> </span>get<span class="w"> </span>secret<span class="w"> </span>-n<span class="w"> </span>external-secrets<span class="w"> </span>conjur<span class="w"> </span>-o<span class="w"> </span><span class="nv">jsonpath</span><span class="o">=</span><span class="s2">&quot;{.data.secret00}&quot;</span><span class="w">  </span><span class="p">|</span><span class="w"> </span>base64<span class="w"> </span>--decode<span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span><span class="nb">echo</span>
+</code></pre></div>
+<h3 id="support">Support</h3>
+<p>Copyright (c) 2023 CyberArk Software Ltd. All rights reserved.</p>
+<p>Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at</p>
+<p><a href="http://www.apache.org/licenses/LICENSE-2.0">http://www.apache.org/licenses/LICENSE-2.0</a></p>
+<p>Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.</p>
+
+
+  
+
+
+
+
+                
+              </article>
+            </div>
+          
+          
+        </div>
+        
+      </main>
+      
+        <footer class="md-footer">
+  
+  <div class="md-footer-meta md-typeset">
+    <div class="md-footer-meta__inner md-grid">
+      <div class="md-copyright">
+  
+    <div class="md-copyright__highlight">
+      &copy; 2023 The external-secrets Authors.<br/>
+&copy; 2023 The Linux Foundation. All rights reserved.<br/><br/>
+The Linux Foundation has registered trademarks and uses trademarks.<br/>
+For a list of trademarks of The Linux Foundation, please see our <a href="https://www.linuxfoundation.org/trademark-usage/">Trademark Usage page</a>.
+
+    </div>
+  
+  
+    Made with
+    <a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
+      Material for MkDocs
+    </a>
+  
+</div>
+      
+    </div>
+  </div>
+</footer>
+      
+    </div>
+    <div class="md-dialog" data-md-component="dialog">
+      <div class="md-dialog__inner md-typeset"></div>
+    </div>
+    
+    <script id="__config" type="application/json">{"base": "../..", "features": ["navigation.tabs", "navigation.indexes", "navigation.expand"], "search": "../../assets/javascripts/workers/search.208ed371.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}, "version": {"provider": "mike"}}</script>
+    
+    
+      <script src="../../assets/javascripts/bundle.fac441b0.min.js"></script>
+      
+    
+  </body>
+</html>

+ 194 - 18
main/provider/aws-pushsecret/index.html → main/provider/delinea/index.html

@@ -9,13 +9,17 @@
       
       
       
+        <link rel="prev" href="../scaleway/">
+      
+      
+        <link rel="next" href="../../examples/gitops-using-fluxcd/">
       
       <link rel="icon" href="../../assets/images/favicon.png">
       <meta name="generator" content="mkdocs-1.4.3, mkdocs-material-9.1.9">
     
     
       
-        <title>Aws pushsecret - External Secrets Operator</title>
+        <title>Delinea - External Secrets Operator</title>
       
     
     
@@ -69,7 +73,7 @@
     <div data-md-component="skip">
       
         
-        <a href="#push-secret" class="md-skip">
+        <a href="#delinea-devops-secrets-vault" class="md-skip">
           Skip to content
         </a>
       
@@ -118,7 +122,7 @@
         <div class="md-header__topic" data-md-component="header-topic">
           <span class="md-ellipsis">
             
-              Aws pushsecret
+              Delinea
             
           </span>
         </div>
@@ -238,13 +242,15 @@
         
   
   
+    
+  
 
 
   
   
   
     <li class="md-tabs__item">
-      <a href="../aws-secrets-manager/" class="md-tabs__link">
+      <a href="../aws-secrets-manager/" class="md-tabs__link md-tabs__link--active">
         Provider
       </a>
     </li>
@@ -1194,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1241,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1297,16 +1319,16 @@
 
   
   
+    
+  
   
     
-    <li class="md-nav__item md-nav__item--nested">
+    <li class="md-nav__item md-nav__item--active md-nav__item--nested">
       
       
       
       
-        
-      
-      <input class="md-nav__toggle md-toggle md-toggle--indeterminate" type="checkbox" id="__nav_4" >
+      <input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" checked>
       
       
         
@@ -1343,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1357,7 +1385,7 @@
           <span class="md-nav__icon md-icon"></span>
         </label>
       
-      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="false">
+      <nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="true">
         <label class="md-nav__title" for="__nav_4">
           <span class="md-nav__icon md-icon"></span>
           Provider
@@ -1411,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1635,6 +1677,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../scaleway/" class="md-nav__link">
         Scaleway
@@ -1644,6 +1700,77 @@
 
             
           
+            
+              
+  
+  
+    
+  
+  
+    <li class="md-nav__item md-nav__item--active">
+      
+      <input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
+      
+      
+      
+        <label class="md-nav__link md-nav__link--active" for="__toc">
+          Delinea
+          <span class="md-nav__icon md-icon"></span>
+        </label>
+      
+      <a href="./" class="md-nav__link md-nav__link--active">
+        Delinea
+      </a>
+      
+        
+
+<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
+  
+  
+  
+  
+    <label class="md-nav__title" for="__toc">
+      <span class="md-nav__icon md-icon"></span>
+      Table of contents
+    </label>
+    <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
+      
+        <li class="md-nav__item">
+  <a href="#delinea-devops-secrets-vault" class="md-nav__link">
+    Delinea DevOps Secrets Vault
+  </a>
+  
+    <nav class="md-nav" aria-label="Delinea DevOps Secrets Vault">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#creating-a-secretstore" class="md-nav__link">
+    Creating a SecretStore
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#referencing-secrets" class="md-nav__link">
+    Referencing Secrets
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+      
+    </ul>
+  
+</nav>
+      
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2025,16 +2152,23 @@
     <ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
       
         <li class="md-nav__item">
-  <a href="#push-secret" class="md-nav__link">
-    Push Secret
+  <a href="#delinea-devops-secrets-vault" class="md-nav__link">
+    Delinea DevOps Secrets Vault
   </a>
   
-    <nav class="md-nav" aria-label="Push Secret">
+    <nav class="md-nav" aria-label="Delinea DevOps Secrets Vault">
       <ul class="md-nav__list">
         
           <li class="md-nav__item">
-  <a href="#iam-policy" class="md-nav__link">
-    IAM Policy
+  <a href="#creating-a-secretstore" class="md-nav__link">
+    Creating a SecretStore
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#referencing-secrets" class="md-nav__link">
+    Referencing Secrets
   </a>
   
 </li>
@@ -2062,10 +2196,52 @@
   
 
 
-  <h1>Aws pushsecret</h1>
-
-<h2 id="push-secret">Push Secret</h2>
-<h3 id="iam-policy">IAM Policy</h3>
+  <h1>Delinea</h1>
+
+<h2 id="delinea-devops-secrets-vault">Delinea DevOps Secrets Vault</h2>
+<p>External Secrets Operator integrates with <a href="https://docs.delinea.com/online-help/products/devops-secrets-vault/current">Delinea DevOps Secrets Vault</a>.</p>
+<p>Please note that the <a href="https://delinea.com/products/secret-server">Delinea Secret Server</a> product is NOT in scope of this integration.</p>
+<h3 id="creating-a-secretstore">Creating a SecretStore</h3>
+<p>You need client ID, client secret and tenant to authenticate with DSV.
+Both client ID and client secret can be specified either directly in the config, or by referencing a kubernetes secret.</p>
+<p>To acquire client ID and client secret, refer to the  <a href="https://docs.delinea.com/dsv/current/tutorials/policy.md">policy management</a> and <a href="https://docs.delinea.com/dsv/current/usage/cli-ref/client.md">client management</a> documentation.</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret-store</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">delinea</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">tenant</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">&lt;TENANT&gt;</span>
+<span class="w">      </span><span class="nt">tld</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">&lt;TLD&gt;</span>
+<span class="w">      </span><span class="nt">clientId</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">value</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">&lt;CLIENT_ID&gt;</span>
+<span class="w">      </span><span class="nt">clientSecret</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">secretRef</span><span class="p">:</span>
+<span class="w">          </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">&lt;NAME_OF_KUBE_SECRET&gt;</span>
+<span class="w">          </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">&lt;KEY_IN_KUBE_SECRET&gt;</span>
+</code></pre></div>
+<p>Both <code>clientId</code> and <code>clientSecret</code> can either be specified directly via the <code>value</code> field or can reference a kubernetes secret.</p>
+<p>The <code>tenant</code> field must correspond to the host name / site name of your DevOps vault. If you selected a region other than the US you must also specify the TLD, e.g. <code>tld: eu</code>.</p>
+<p>If required, the URL template (<code>urlTemplate</code>) can be customized as well.</p>
+<h3 id="referencing-secrets">Referencing Secrets</h3>
+<p>Secrets can be referenced by path. Getting a specific version of a secret is not yet supported.</p>
+<p>Note that because all DSV secrets are JSON objects, you must specify <code>remoteRef.property</code>. You can access nested values or arrays using <a href="https://github.com/tidwall/gjson/blob/master/SYNTAX.md">gjson syntax</a>.</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">20s</span>
+<span class="w">    </span><span class="nt">secretStoreRef</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="w">        </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">secret-store</span>
+<span class="w">    </span><span class="nt">data</span><span class="p">:</span>
+<span class="w">      </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">&lt;KEY_IN_KUBE_SECRET&gt;</span>
+<span class="w">        </span><span class="nt">remoteRef</span><span class="p">:</span>
+<span class="w">          </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">&lt;SECRET_PATH&gt;</span>
+<span class="w">          </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">&lt;JSON_PROPERTY&gt;</span>
+</code></pre></div>
 
 
   

+ 65 - 0
main/provider/doppler/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1740,6 +1776,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../scaleway/" class="md-nav__link">
         Scaleway
@@ -1749,6 +1799,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2348,6 +2412,7 @@
 <li>lower-snake</li>
 <li>tf-var</li>
 <li>dotnet-env</li>
+<li>lower-kebab</li>
 </ul>
 <p>Name transformers require a specifically configured <code>SecretStore</code>:</p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>

+ 64 - 0
main/provider/fake/index.html

@@ -1195,6 +1195,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1242,6 +1244,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1344,6 +1360,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1412,6 +1434,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1644,6 +1680,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../scaleway/" class="md-nav__link">
         Scaleway
@@ -1653,6 +1703,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 64 - 0
main/provider/gitlab-variables/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1732,6 +1768,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../scaleway/" class="md-nav__link">
         Scaleway
@@ -1741,6 +1791,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 68 - 3
main/provider/google-secrets-manager/index.html

@@ -9,7 +9,7 @@
       
       
       
-        <link rel="prev" href="../azure-key-vault/">
+        <link rel="prev" href="../conjur/">
       
       
         <link rel="next" href="../hashicorp-vault/">
@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1416,6 +1438,20 @@
               
   
   
+  
+    <li class="md-nav__item">
+      <a href="../conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
     
   
   
@@ -1752,6 +1788,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../scaleway/" class="md-nav__link">
         Scaleway
@@ -1761,6 +1811,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2270,6 +2334,7 @@
 <span class="w">    </span><span class="nt">iam.gke.io/gcp-service-account</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example-team-a@my-project.iam.gserviceaccount.com</span>
 </code></pre></div>
 <p>You can reference this particular ServiceAccount in a <code>SecretStore</code> or <code>ClusterSecretStore</code>. It's important that you also set the <code>projectID</code>, <code>clusterLocation</code> and <code>clusterName</code>. The Namespace on the <code>serviceAccountRef</code> is ignored when using a <code>SecretStore</code> resource. This is needed to isolate the namespaces properly.</p>
+<p><em>When filling <code>clusterLocation</code> parameter keep in mind if it is Regional or Zonal cluster.</em></p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ClusterSecretStore</span>
 <span class="nt">metadata</span><span class="p">:</span>
@@ -2280,7 +2345,7 @@
 <span class="w">      </span><span class="nt">projectID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">alphabet-123</span>
 <span class="w">      </span><span class="nt">auth</span><span class="p">:</span>
 <span class="w">        </span><span class="nt">workloadIdentity</span><span class="p">:</span>
-<span class="w">          </span><span class="c1"># name of the cluster region</span>
+<span class="w">          </span><span class="c1"># name of the cluster Location, region or zone</span>
 <span class="w">          </span><span class="nt">clusterLocation</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">europe-central2</span>
 <span class="w">          </span><span class="c1"># name of the GKE cluster</span>
 <span class="w">          </span><span class="nt">clusterName</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">alpha-cluster-42</span>
@@ -2388,7 +2453,7 @@ The <code>Secret Manager Secret Accessor</code> role is required to access secre
 <span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database_password</span><span class="w">      </span><span class="c1"># name of the GCPSM secret key</span>
 </code></pre></div>
 <p>The operator will fetch the GCP Secret Manager secret and inject it as a <code>Kind=Secret</code>
-<div class="highlight"><pre><span></span><code>kubectl get secret secret-to-be-created -n &lt;namespace&gt; | -o jsonpath=&#39;{.data.dev-secret-test}&#39; | base64 -d
+<div class="highlight"><pre><span></span><code>kubectl get secret secret-to-be-created -n &lt;namespace&gt; -o jsonpath=&#39;{.data.dev-secret-test}&#39; | base64 -d
 </code></pre></div></p>
 
 

+ 126 - 11
main/provider/hashicorp-vault/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1544,6 +1580,13 @@
     LDAP authentication
   </a>
   
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#userpass-authentication" class="md-nav__link">
+    UserPass authentication
+  </a>
+  
 </li>
         
           <li class="md-nav__item">
@@ -1849,6 +1892,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../scaleway/" class="md-nav__link">
         Scaleway
@@ -1858,6 +1915,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2321,6 +2392,13 @@
     LDAP authentication
   </a>
   
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#userpass-authentication" class="md-nav__link">
+    UserPass authentication
+  </a>
+  
 </li>
         
           <li class="md-nav__item">
@@ -2658,6 +2736,7 @@ Will generate a secret with:
 <a href="https://www.vaultproject.io/docs/auth/approle">appRole</a>,
 <a href="https://www.vaultproject.io/docs/auth/kubernetes">kubernetes-native</a>,
 <a href="https://www.vaultproject.io/docs/auth/ldap">ldap</a>,
+<a href="https://www.vaultproject.io/docs/auth/userpass">userPass</a>,
 <a href="https://www.vaultproject.io/docs/auth/jwt">jwt/oidc</a> and
 <a href="https://developer.hashicorp.com/vault/docs/auth/aws">awsAuth</a>, each one comes with it's own
 trade-offs. Depending on the authentication method you need to adapt your environment.</p>
@@ -2720,6 +2799,7 @@ options of obtaining credentials for vault:</p>
 <li>by using transient credentials from the mounted service account token within the
     external-secrets operator</li>
 </ol>
+<p>Vault validates the service account token by using the TokenReview API. ⚠️ You have to bind the <code>system:auth-delegator</code> ClusterRole to the service account that is used for authentication. Please follow the <a href="https://developer.hashicorp.com/vault/docs/auth/kubernetes#configuring-kubernetes">Vault documentation</a>.</p>
 <p><div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
 <span class="nt">metadata</span><span class="p">:</span>
@@ -2780,6 +2860,34 @@ in a <code>Kind=Secret</code> referenced by the <code>secretRef</code>.</p>
 <span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;ldap-password&quot;</span>
 </code></pre></div>
 <strong>NOTE:</strong> In case of a <code>ClusterSecretStore</code>, Be sure to provide <code>namespace</code> in <code>secretRef</code> with the namespace where the secret resides.</p>
+<h4 id="userpass-authentication">UserPass authentication</h4>
+<p><a href="https://www.vaultproject.io/docs/auth/userpass">UserPass authentication</a> uses
+username/password pair to get an access token. Username is stored directly in
+a <code>Kind=SecretStore</code> or <code>Kind=ClusterSecretStore</code> resource, password is stored
+in a <code>Kind=Secret</code> referenced by the <code>secretRef</code>.</p>
+<p><div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">vault-backend</span>
+<span class="w">  </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">vault</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">server</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;https://vault.acme.org&quot;</span>
+<span class="w">      </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;secret&quot;</span>
+<span class="w">      </span><span class="nt">version</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;v2&quot;</span>
+<span class="w">      </span><span class="nt">auth</span><span class="p">:</span>
+<span class="w">        </span><span class="c1"># VaultUserPass authenticates with Vault using the UserPass auth mechanism</span>
+<span class="w">        </span><span class="c1"># https://www.vaultproject.io/docs/auth/userpass</span>
+<span class="w">        </span><span class="nt">userPass</span><span class="p">:</span>
+<span class="w">          </span><span class="c1"># Path where the UserPass authentication backend is mounted</span>
+<span class="w">          </span><span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;userpass&quot;</span>
+<span class="w">          </span><span class="nt">username</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;username&quot;</span>
+<span class="w">          </span><span class="nt">secretRef</span><span class="p">:</span>
+<span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;my-secret&quot;</span>
+<span class="w">            </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;password&quot;</span>
+</code></pre></div>
+<strong>NOTE:</strong> In case of a <code>ClusterSecretStore</code>, Be sure to provide <code>namespace</code> in <code>secretRef</code> with the namespace where the secret resides.</p>
 <h4 id="jwtoidc-authentication">JWT/OIDC authentication</h4>
 <p><a href="https://www.vaultproject.io/docs/auth/jwt">JWT/OIDC</a> uses either a
 <a href="https://jwt.io/">JWT</a> token stored in a <code>Kind=Secret</code> and referenced by the
@@ -2963,16 +3071,17 @@ You must have <a href="https://kubernetes.io/docs/tasks/configure-pod-container/
 </code></pre></div>
 <strong>NOTE:</strong> In case of a <code>ClusterSecretStore</code>, Be sure to provide <code>namespace</code> in <code>secretRef</code> with the namespace where the secret resides.</p>
 <h3 id="pushsecret">PushSecret</h3>
-<p>Vault supports PushSecret features which allow you to sync a given kubernetes secret key into a hashicorp vault secret. In order to do so, it is expected that the secret key is a valid JSON object.</p>
-<p>In order to use PushSecret, you need to give <code>create</code>, <code>read</code> and <code>update</code> permissions to the path where you want to push secrets to for both <code>data</code> and <code>metadata</code> of the secret. Use it with care!</p>
-<p>Here is an example on how to set it up:
+<p>Vault supports PushSecret features which allow you to sync a given Kubernetes secret key into a Hashicorp vault secret. To do so, it is expected that the secret key is a valid JSON object or that the <code>property</code> attribute has been specified under the <code>remoteRef</code>.
+To use PushSecret, you need to give <code>create</code>, <code>read</code> and <code>update</code> permissions to the path where you want to push secrets for both <code>data</code> and <code>metadata</code> of the secret. Use it with care!</p>
+<p>Here is an example of how to set up <code>PushSecret</code>:</p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Secret</span>
 <span class="nt">metadata</span><span class="p">:</span>
 <span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">source-secret</span>
 <span class="w">  </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span>
 <span class="nt">stringData</span><span class="p">:</span>
-<span class="w">  </span><span class="nt">source-key</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;{\&quot;foo\&quot;:\&quot;bar\&quot;}&quot;</span><span class="w"> </span><span class="c1"># Needs to be a JSON</span>
+<span class="w">  </span><span class="nt">source-key1</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;{\&quot;foo\&quot;:\&quot;bar\&quot;}&quot;</span><span class="w"> </span><span class="c1"># Needs to be a JSON</span>
+<span class="w">  </span><span class="nt">source-key2</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bar</span><span class="w">  </span><span class="c1"># Could be a plain string</span>
 <span class="nn">---</span>
 <span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PushSecret</span>
@@ -2980,19 +3089,25 @@ You must have <a href="https://kubernetes.io/docs/tasks/configure-pod-container/
 <span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">pushsecret-example</span>
 <span class="w">  </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">default</span>
 <span class="nt">spec</span><span class="p">:</span>
-<span class="w">  </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">10s</span><span class="w"> </span><span class="c1"># Refresh interval for which push secret will reconcile</span>
-<span class="w">  </span><span class="nt">secretStoreRefs</span><span class="p">:</span><span class="w"> </span><span class="c1"># A list of secret stores to push secrets to</span>
+<span class="w">  </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">10s</span>
+<span class="w">  </span><span class="nt">secretStoreRefs</span><span class="p">:</span>
 <span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">vault-secretstore</span>
 <span class="w">      </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
 <span class="w">  </span><span class="nt">selector</span><span class="p">:</span>
 <span class="w">    </span><span class="nt">secret</span><span class="p">:</span>
-<span class="w">      </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">source-secret</span><span class="w"> </span><span class="c1"># Source Kubernetes secret to be pushed</span>
+<span class="w">      </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">source-secret</span>
 <span class="w">  </span><span class="nt">data</span><span class="p">:</span>
 <span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">match</span><span class="p">:</span>
-<span class="w">        </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">source-key</span><span class="w"> </span><span class="c1"># Source Kubernetes secret key containing the vault secret (in JSON format)</span>
-<span class="w">        </span><span class="nt">remoteRef</span><span class="p">:</span>
-<span class="w">          </span><span class="nt">remoteKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">vault/secret</span><span class="w"> </span><span class="c1"># path to vault secret. This path is appended with the vault-store path.</span>
-</code></pre></div></p>
+<span class="w">      </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">source-key1</span>
+<span class="w">      </span><span class="nt">remoteRef</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">remoteKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">vault/secret1</span>
+<span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">match</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">source-key2</span>
+<span class="w">      </span><span class="nt">remoteRef</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">remoteKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">vault/secret2</span>
+<span class="w">        </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">foo</span>
+</code></pre></div>
+<p>Note that in this example, we are generating two secrets in the target vault with the same structure but using different input formats.</p>
 <h3 id="vault-enterprise">Vault Enterprise</h3>
 <h4 id="eventual-consistency-and-performance-standby-nodes">Eventual Consistency and Performance Standby Nodes</h4>
 <p>When using Vault Enterprise with <a href="https://www.vaultproject.io/docs/enterprise/consistency#performance-standby-nodes">performance standby nodes</a>,
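Review bot: In the rewritten PushSecret example, `secretKey` and `remoteRef` are indented to the same column as `match` (six spaces, directly under `- match:`), so YAML reads `match` as an empty value with the other two keys as its siblings. The removed lines had both keys nested two spaces deeper, under `match`. Both list items are affected, the `source-key1` entry and the `source-key2` entry. Restore the nesting, i.e. `        secretKey: source-key1` and `        remoteRef:` at eight spaces with `remoteKey:` (and `property:`) at ten. Since this HTML is generated, the fix presumably belongs in the docs source snippet rather than in this file.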

+ 162 - 1
main/provider/ibm-secrets-manager/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1591,6 +1627,13 @@
     Getting the Kubernetes secret
   </a>
   
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#populating-the-kubernetes-secret-with-metadata-from-ibm-secrets-manager-provider" class="md-nav__link">
+    Populating the Kubernetes secret with metadata from IBM Secrets Manager Provider
+  </a>
+  
 </li>
         
       </ul>
@@ -1780,6 +1823,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../scaleway/" class="md-nav__link">
         Scaleway
@@ -1789,6 +1846,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2271,6 +2342,13 @@
     Getting the Kubernetes secret
   </a>
   
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#populating-the-kubernetes-secret-with-metadata-from-ibm-secrets-manager-provider" class="md-nav__link">
+    Populating the Kubernetes secret with metadata from IBM Secrets Manager Provider
+  </a>
+  
 </li>
         
       </ul>
@@ -2531,7 +2609,7 @@ Below example creates a kubernetes secret based on ID of the secret in Secrets M
 <span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">username_password/&lt;SECRET_ID&gt;</span>
 <span class="w">      </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">password</span>
 </code></pre></div>
-<p>Alternatively, secret name can be specified instead of secret ID.</p>
+<p>Alternatively, the secret name along with its secret group name can be specified instead of secret ID to fetch the secret.</p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
 <span class="nt">metadata</span><span class="p">:</span>
@@ -2547,6 +2625,30 @@ Below example creates a kubernetes secret based on ID of the secret in Secrets M
 <span class="w">  </span><span class="nt">data</span><span class="p">:</span>
 <span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">username</span>
 <span class="w">    </span><span class="nt">remoteRef</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">&lt;SECRET_GROUP_NAME&gt;/username_password/&lt;SECRET_NAME&gt;</span>
+<span class="w">      </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">username</span>
+<span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">password</span>
+<span class="w">    </span><span class="nt">remoteRef</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">&lt;SECRET_GROUP_NAME&gt;/username_password/&lt;SECRET_NAME&gt;</span>
+<span class="w">      </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">password</span>
+</code></pre></div>
+<p>Please note that the below mechanism to get the secret by name is deprecated and not supported.</p>
+<div class="highlight"><pre><span></span><code><span class="c1"># NOTE: Below way of fetching the secret by name is deprecated and not supported.</span>
+<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">refreshInterval</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">60m</span>
+<span class="w">  </span><span class="nt">secretStoreRef</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ibm-store</span>
+<span class="w">    </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="w">  </span><span class="nt">target</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
+<span class="w">    </span><span class="nt">creationPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Owner</span>
+<span class="w">  </span><span class="nt">data</span><span class="p">:</span>
+<span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">username</span>
+<span class="w">    </span><span class="nt">remoteRef</span><span class="p">:</span>
 <span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">username_password/&lt;SECRET_NAME&gt;</span>
 <span class="w">      </span><span class="nt">property</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">username</span>
 <span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">password</span>
@@ -2558,6 +2660,65 @@ Below example creates a kubernetes secret based on ID of the secret in Secrets M
 <p>The operator will fetch the IBM Secret Manager secret and inject it as a <code>Kind=Secret</code>
 <div class="highlight"><pre><span></span><code>kubectl get secret secret-to-be-created -n &lt;namespace&gt; | -o jsonpath=&#39;{.data.test}&#39; | base64 -d
 </code></pre></div></p>
+<h3 id="populating-the-kubernetes-secret-with-metadata-from-ibm-secrets-manager-provider">Populating the Kubernetes secret with metadata from IBM Secrets Manager Provider</h3>
+<p>ESO can add metadata while creating or updating a Kubernetes secret to be reflected in its labels or annotations. The metadata could be any of the fields that are supported and returned in the response by IBM Secrets Manager.</p>
+<p>In order for the user to opt-in to adding metadata to secret, an existing optional field <code>spec.dataFrom.extract.metadataPolicy</code> can be be set to <code>Fetch</code>, its default value being <code>None</code>. In addition to this, templating provided be ESO can be leveraged to specify the key-value pairs of the resultant secrets' labels and annotation.</p>
+<p>In order for the required metadata to be populated in the Kubernetes secret, combination of below should be provided in the External Secrets resource:
+1. The required metadata should be specified under <code>template.metadata.labels</code> or <code>template.metadata.annotations</code>.
+2. The required secret data should be specified under <code>template.data</code>.
+3. The spec.dataFrom.extract should be specified with details of the Secrets Manager secret with <code>spec.dataFrom.extract.metadataPolicy</code> set to <code>Fetch</code>.
+Below is an example, where <code>secret_id</code> and <code>updated_at</code> are the metadata of a secret in IBM Secrets Manager:</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
+<span class="w">  </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">dataFrom</span><span class="p">:</span>
+<span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">extract</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">username_password/&lt;SECRET_ID&gt;</span>
+<span class="w">      </span><span class="nt">metadataPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Fetch</span><span class="w">           </span><span class="c1"># leveraging optional parameter, defaults to None</span>
+<span class="w">    </span><span class="nt">secretKey</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">username</span>
+<span class="w">  </span><span class="nt">secretStoreRef</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="w">    </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ibm-store</span>
+<span class="w">  </span><span class="nt">target</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
+<span class="w">    </span><span class="nt">template</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">engineVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v2</span>
+<span class="w">      </span><span class="nt">data</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">secret</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;{{</span><span class="nv"> </span><span class="s">.password</span><span class="nv"> </span><span class="s">}}&quot;</span>
+<span class="w">      </span><span class="nt">metadata</span><span class="p">:</span>
+<span class="w">        </span><span class="nt">annotations</span><span class="p">:</span>
+<span class="w">          </span><span class="nt">secret_id</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;{{</span><span class="nv"> </span><span class="s">.id</span><span class="nv"> </span><span class="s">}}&quot;</span><span class="w">     </span><span class="c1"># adding metadata key whose value would be added to the secret as a label</span>
+<span class="w">          </span><span class="nt">updated_at</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;{{</span><span class="nv"> </span><span class="s">.updated_at</span><span class="nv"> </span><span class="s">}}&quot;</span>
+</code></pre></div>
+<p>While the secret is being reconciled, it will have the secret data along with the required annotations. Below is the example of the secret after reconciliation:</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
+<span class="nt">data</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">secret</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">OHE0MFV5MGhQb2FmRjZTOGVva3dPQjRMeVZXeXpWSDlrSWgyR1BiVDZTMyc=</span>
+<span class="nt">immutable</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Secret</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">annotations</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">reconcile.external-secrets.io/data-hash</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">02217008d13ed228e75cf6d26fe74324</span>
+<span class="w">  </span><span class="nt">creationTimestamp</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;2023-05-04T08:41:24Z&quot;</span>
+<span class="w">  </span><span class="nt">annotations</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">secret_id</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">1234</span>
+<span class="w">    </span><span class="nt">updated_at</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">2023-05-04T08:57:19Z</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
+<span class="w">  </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets</span>
+<span class="w">  </span><span class="nt">ownerReferences</span><span class="p">:</span>
+<span class="w">  </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
+<span class="w">    </span><span class="nt">blockOwnerDeletion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
+<span class="w">    </span><span class="nt">controller</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
+<span class="w">    </span><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
+<span class="w">    </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">database-credentials</span>
+<span class="w">    </span><span class="nt">uid</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">c2a018e7-1ac3-421b-bd3b-d9497204f843</span>
+<span class="w">  </span><span class="nt">resourceVersion</span><span class="p">:</span><span class="w"> </span><span class="s">&quot;1803567&quot;</span>
+<span class="w">  </span><span class="nt">uid</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">f5dff604-611b-4d41-9d65-b860c61a0b8d</span>
+<span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Opaque</span>
+</code></pre></div>
 
 
   
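Review bot: The Secret shown after reconciliation declares `annotations:` twice under `metadata`, so a parser that keeps the last duplicate key drops the `reconcile.external-secrets.io/data-hash` entry; all three annotations belong under a single `annotations:` key. In the ExternalSecret above it, `secretKey: username` sits beside `extract` inside a `dataFrom` item, whereas the other examples on this page use `secretKey` only under `data`, so it looks like a leftover that should be removed. The comment on `secret_id` says the value is added "as a label" although the key is under `template.metadata.annotations`; `# metadata value added to the secret as an annotation` would match. The sample values `1234` and `2023-05-04T08:57:19Z` should be quoted, since annotation values are strings and unquoted they parse as an integer and a timestamp. The page is MkDocs output, so these fixes presumably belong in the Markdown source.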

+ 65 - 1
main/provider/keeper-security/index.html

@@ -12,7 +12,7 @@
         <link rel="prev" href="../doppler/">
       
       
-        <link rel="next" href="../scaleway/">
+        <link rel="next" href="../cloak/">
       
       <link rel="icon" href="../../assets/images/favicon.png">
       <meta name="generator" content="mkdocs-1.4.3, mkdocs-material-9.1.9">
@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1799,6 +1835,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../scaleway/" class="md-nav__link">
         Scaleway
@@ -1808,6 +1858,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 64 - 0
main/provider/kubernetes/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1752,6 +1788,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../scaleway/" class="md-nav__link">
         Scaleway
@@ -1761,6 +1811,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 112 - 2
main/provider/oracle-vault/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1620,6 +1656,13 @@
     Getting the Kubernetes secret
   </a>
   
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#pushsecrets-and-retrieving-multiple-secrets" class="md-nav__link">
+    PushSecrets and retrieving multiple secrets.
+  </a>
+  
 </li>
         
       </ul>
@@ -1725,6 +1768,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../scaleway/" class="md-nav__link">
         Scaleway
@@ -1734,6 +1791,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2161,6 +2232,13 @@
     Getting the Kubernetes secret
   </a>
   
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#pushsecrets-and-retrieving-multiple-secrets" class="md-nav__link">
+    PushSecrets and retrieving multiple secrets.
+  </a>
+  
 </li>
         
       </ul>
@@ -2191,8 +2269,9 @@
 <h2 id="oracle-vault">Oracle Vault</h2>
 <p>External Secrets Operator integrates with <a href="https://github.com/oracle/oci-go-sdk">OCI API</a> to sync secret on the Oracle Vault to secrets held on the Kubernetes cluster.</p>
 <h3 id="authentication">Authentication</h3>
-<p>If <code>auth</code> is not specified, the operator uses the instance principal.</p>
-<p>For using a specific user credentials, userOCID, tenancyOCID, fingerprint and private key are required.
+<p>Specify the authenticating principal with <code>principalType</code>, using <code>UserPrincipal</code>, <code>InstancePrincipal</code>, or <code>Workload</code> as values.
+If <code>principalType</code> or <code>auth</code> are not set, the operator defaults to instance principal for authentication.</p>
+<p>For user principal, userOCID, tenancyOCID, fingerprint and private key are required.
 The fingerprint and key file should be supplied in the secret with the rest being provided in the secret store.</p>
 <p>See url for what region you you are accessing.
 <img alt="userOCID-details" src="../../pictures/screenshot_region.png" /></p>
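Review bot: The new sentence `If principalType or auth are not set, the operator defaults to instance principal` does not say what happens when only one of the two is missing, for example `auth` present without `principalType`. A silent fallback to the instance principal means the store authenticates with the compute instance's identity rather than the credentials the author intended, so the text should spell out each case and recommend always setting `principalType` explicitly. The page is MkDocs output, so the wording presumably needs to change in the Markdown source.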
@@ -2229,6 +2308,20 @@ This will automatically generate a fingerprint.
 <span class="w">    </span><span class="nt">oracle</span><span class="p">:</span>
 <span class="w">      </span><span class="nt">vault</span><span class="p">:</span><span class="w"> </span><span class="c1"># The vault OCID</span>
 <span class="w">      </span><span class="nt">region</span><span class="p">:</span><span class="w"> </span><span class="c1"># The vault region</span>
+<span class="w">      </span><span class="nt">principalType</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">InstancePrincipal</span>
+
+<span class="nn">---</span>
+
+<span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example-workload-identity</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">oracle</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">vault</span><span class="p">:</span><span class="w"> </span><span class="c1"># The vault OCID</span>
+<span class="w">      </span><span class="nt">region</span><span class="p">:</span><span class="w"> </span><span class="c1"># The vault region</span>
+<span class="w">      </span><span class="nt">principalType</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Workload</span>
 
 <span class="nn">---</span>
 
@@ -2244,6 +2337,7 @@ This will automatically generate a fingerprint.
 <span class="w">      </span><span class="nt">auth</span><span class="p">:</span>
 <span class="w">        </span><span class="nt">user</span><span class="p">:</span><span class="w"> </span><span class="c1"># A user OCID</span>
 <span class="w">        </span><span class="nt">tenancy</span><span class="p">:</span><span class="w"> </span><span class="c1"># A user&#39;s tenancy</span>
+<span class="w">        </span><span class="nt">principalType</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">UserPrincipal</span>
 <span class="w">        </span><span class="nt">secretRef</span><span class="p">:</span>
 <span class="w">          </span><span class="nt">privatekey</span><span class="p">:</span>
 <span class="w">            </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">oracle-secret</span>
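Review bot: The added `principalType: UserPrincipal` is nested under `auth:` next to `user` and `tenancy`, while the two examples added in the previous hunk place `principalType` directly under `oracle:`. If the field is only read at the provider level, this example leaves it unset there and the store then depends on the fallback described in the Authentication paragraph, so the line should probably move to the indentation of `vault` and `region`. The SecretStore block continues outside this hunk. The fix presumably belongs in the Markdown source the page was built from.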
@@ -2275,6 +2369,22 @@ This will automatically generate a fingerprint.
 <p>The operator will fetch the project variable and inject it as a <code>Kind=Secret</code>.
 <div class="highlight"><pre><span></span><code>kubectl get secret oracle-secret-to-create -o jsonpath=&#39;{.data.dev-secret-test}&#39; | base64 -d
 </code></pre></div></p>
+<h3 id="pushsecrets-and-retrieving-multiple-secrets">PushSecrets and retrieving multiple secrets.</h3>
+<p>When using <a href="https://external-secrets.io/latest/guides/pushsecrets/">PushSecrets</a>, the compartment OCID and encryption key OCID must be specified in the
+Oracle SecretStore. You can find your compartment and encrpytion key OCIDs in the OCI console.</p>
+<p>If <a href="https://external-secrets.io/latest/guides/getallsecrets/">retrieving multiple secrets</a> by tag or regex, only the compartment OCID must be specified.</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example-instance-principal</span>
+<span class="nt">spec</span><span class="p">:</span>
+<span class="w">  </span><span class="nt">provider</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">oracle</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">vault</span><span class="p">:</span><span class="w"> </span><span class="c1"># The vault OCID</span>
+<span class="w">      </span><span class="nt">compartment</span><span class="p">:</span><span class="w"> </span><span class="c1"># The compartment OCID where the vault is located. Required when using PushSecrets or retrieving multiple secrets.</span>
+<span class="w">      </span><span class="nt">encryptionKey</span><span class="p">:</span><span class="w"> </span><span class="c1"># The OCID of the master encryption key that will be used for PushSecret encryption. Must exist in the vault, required when using PushSecrets.</span>
+<span class="w">      </span><span class="nt">principalType</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Workload</span>
+</code></pre></div>
 
 
   
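Review bot: The example SecretStore is named `example-instance-principal` but sets `principalType: Workload`, which misstates the identity the store authenticates with. Rename it (for instance `example-workload-identity`, the name used in the Authentication section) or change the type. The block also omits `region`, which the other Oracle examples on this page include; confirm whether that is intentional for PushSecrets. `encrpytion` in the paragraph above the block is a typo for `encryption`.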

+ 67 - 3
main/provider/scaleway/index.html

@@ -9,10 +9,10 @@
       
       
       
-        <link rel="prev" href="../keeper-security/">
+        <link rel="prev" href="../cloak/">
       
       
-        <link rel="next" href="../../examples/gitops-using-fluxcd/">
+        <link rel="next" href="../delinea/">
       
       <link rel="icon" href="../../assets/images/favicon.png">
       <meta name="generator" content="mkdocs-1.4.3, mkdocs-material-9.1.9">
@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1640,6 +1676,20 @@
               
   
   
+  
+    <li class="md-nav__item">
+      <a href="../cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
     
   
   
@@ -1707,6 +1757,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>
@@ -2157,7 +2221,7 @@ a kubernetes secret.</p>
 <span class="w">          </span><span class="nt">key</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">&lt;KEY_IN_KUBE_SECRET&gt;</span>
 </code></pre></div>
 <h3 id="referencing-secrets">Referencing Secrets</h3>
-<p>Secrets can be referenced by name or by id, using the prefixes <code>"name:"</code> and <code>"id:"</code> respectively.</p>
+<p>Secrets can be referenced by name, id or path, using the prefixes <code>"name:"</code>, <code>"id:"</code> and <code>"path:"</code> respectively.</p>
 <p>A PushSecret resource can only use a name reference.</p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span>
 <span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>

+ 64 - 0
main/provider/senhasegura-dsm/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1739,6 +1775,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../scaleway/" class="md-nav__link">
         Scaleway
@@ -1748,6 +1798,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 64 - 0
main/provider/webhook/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1718,6 +1754,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../scaleway/" class="md-nav__link">
         Scaleway
@@ -1727,6 +1777,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 64 - 0
main/provider/yandex-certificate-manager/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1705,6 +1741,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../scaleway/" class="md-nav__link">
         Scaleway
@@ -1714,6 +1764,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

+ 64 - 0
main/provider/yandex-lockbox/index.html

@@ -1200,6 +1200,8 @@
         
           
         
+          
+        
       
       
         <label class="md-nav__link" for="__nav_3_4" id="__nav_3_4_label" tabindex="0">
@@ -1247,6 +1249,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../../guides/threat-model/" class="md-nav__link">
+        Threat Model
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../../guides/v1beta1/" class="md-nav__link">
         Upgrading to v1beta1
@@ -1349,6 +1365,12 @@
           
         
           
+        
+          
+        
+          
+        
+          
         
           
         
@@ -1417,6 +1439,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../conjur/" class="md-nav__link">
+        CyberArk Conjur
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../google-secrets-manager/" class="md-nav__link">
         Google Cloud Secret Manager
@@ -1705,6 +1741,20 @@
   
   
   
+    <li class="md-nav__item">
+      <a href="../cloak/" class="md-nav__link">
+        Cloak End 2 End Encrypted Secrets
+      </a>
+    </li>
+  
+
+            
+          
+            
+              
+  
+  
+  
     <li class="md-nav__item">
       <a href="../scaleway/" class="md-nav__link">
         Scaleway
@@ -1714,6 +1764,20 @@
 
             
           
+            
+              
+  
+  
+  
+    <li class="md-nav__item">
+      <a href="../delinea/" class="md-nav__link">
+        Delinea
+      </a>
+    </li>
+  
+
+            
+          
         </ul>
       </nav>
     </li>

File diff suppressed because it is too large
+ 0 - 0
main/search/search_index.json


BIN
main/sitemap.xml.gz


+ 16 - 0
main/snippets/aws-sm-store-secretsmanager-config.yaml

@@ -0,0 +1,16 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: aws-secretsmanager
+spec:
+  provider:
+    aws:
+      service: SecretsManager
+      role: arn:aws:iam::123456789012:role/external-secrets
+      region: eu-central-1
+      secretsManager:
+        # Additional parameters can be added to the AWS Secrets Manager DeleteSecret API call.
+        # These parameters are only relevant when the deletionPolicy is set to Delete.
+        # See: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#API_DeleteSecret_RequestSyntax
+        forceDeleteWithoutRecovery: true
+        # recoveryWindowInDays: 9 (conflicts with forceDeleteWithoutRecovery)
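Review bot: The example sets `forceDeleteWithoutRecovery: true` as the active value, so anyone who copies it and also uses `deletionPolicy: Delete` loses the remote secret immediately, with no recovery window. For a documentation snippet the safer default is the reverse: make the recovery window active and leave the force option commented out, e.g. `recoveryWindowInDays: 9` followed by `# forceDeleteWithoutRecovery: true (conflicts with recoveryWindowInDays; deletion is immediate and cannot be undone)`. It would also help to add one comment line saying that the deletion happens in AWS, not only in the cluster.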

+ 1 - 1
main/snippets/bitwarden-cli-deployment.yaml

@@ -50,7 +50,7 @@ spec:
               command:
                 - wget
                 - -q
-                - http://127.0.0.1:8087/sync
+                - http://127.0.0.1:8087/sync?force=true
                 - --post-data=''
             initialDelaySeconds: 20
             failureThreshold: 3

+ 11 - 0
main/snippets/bitwarden-secret-store.yaml

@@ -23,4 +23,15 @@ spec:
       url: "http://bitwarden-cli:8087/object/item/{{ .remoteRef.key }}"
       result:
         jsonPath: "$.data.fields[?@.name==\"{{ .remoteRef.property }}\"].value"
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: bitwarden-notes
+spec:
+  provider:
+    webhook:
+      url: "http://bitwarden-cli:8087/object/item/{{ .remoteRef.key }}"
+      result:
+        jsonPath: "$.data.notes"
 {% endraw %}
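Review bot: The added `bitwarden-notes` store is a ClusterSecretStore with no `conditions`, so an ExternalSecret in any namespace can reference it and pick any item through `remoteRef.key`. That exposes the notes of every item the bitwarden-cli session can read to every tenant of the cluster. Consider restricting which namespaces may use it, for example `conditions:` / `- namespaces:` / `- <allowed-namespace>` under `spec`, or showing a namespaced SecretStore in the example instead. The webhook URL is also plain `http://` to the `bitwarden-cli` service, so the notes cross the pod network unencrypted; a comment pointing readers to a NetworkPolicy that admits only the controller would help. The earlier stores in this file start outside the hunk and presumably need the same treatment.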

+ 9 - 0
main/snippets/bitwarden-secret.yaml

@@ -21,6 +21,8 @@ spec:
           {{ .postgres_replication_password }}
         db_url: |-
           postgresql://{{ .username }}:{{ .password }}@my-postgresql:5432/mydb
+        service_account_key: |-
+          {{ .service_account_key }}
   data:
     - secretKey: username
       sourceRef:
@@ -54,4 +56,11 @@ spec:
       remoteRef:
         key: aaaabbbb-cccc-dddd-eeee-000011112222
         property: postgres-replication-password
+    - secretKey: service_account_key
+      sourceRef:
+        storeRef:
+          name: bitwarden-notes
+          kind: ClusterSecretStore  # or SecretStore
+      remoteRef:
+        key: service_account_key
 {% endraw %}

+ 19 - 0
main/snippets/cloak-external-secret.yaml

@@ -0,0 +1,19 @@
+# Access a secret
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: cloak-example
+spec:
+  refreshInterval: "15m"
+  secretStoreRef:
+    name: cloak-backend
+    kind: SecretStore
+  target:
+    name: example-sync
+  data:
+  - secretKey: access-token
+    remoteRef:
+      key: PULUMI_ACCESS_TOKEN
+  - secretKey: do-access-token
+    remoteRef:
+      key: DIGITALOCEAN_ACCESS_TOKEN

+ 28 - 0
main/snippets/cloak-proxy-deployment.yaml

@@ -0,0 +1,28 @@
+# The cloak external secrets proxy
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cloak-external-secrets
+  namespace: external-secrets
+spec:
+  selector:
+    matchLabels:
+      app: cloak-external-secrets
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: cloak-external-secrets
+    spec:
+      containers:
+      - name: cloak-external-secrets
+        image: purtontech/cloak-external-secrets:latest
+        imagePullPolicy: IfNotPresent
+        env: 
+          - name: ECDH_PRIVATE_KEY 
+            valueFrom: 
+              secretKeyRef: 
+                name: cloak-key 
+                key: ecdh_private_key 
+        ports:
+        - containerPort: 7105
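Review bot: The container that receives `ECDH_PRIVATE_KEY` is pulled as `purtontech/cloak-external-secrets:latest`, a mutable tag, and with `imagePullPolicy: IfNotPresent` different nodes can end up running different builds of it. Since this process holds the private key and sees decrypted secrets, the example should pin the image to a released version or digest. It also sets no `securityContext`, so a minimal hardened one is worth adding; whether the image runs with a non-root user and a read-only root filesystem is not visible here and needs checking before the settings below are adopted. The `env:` lines additionally carry trailing spaces that should be dropped.

```yaml
# … unchanged: metadata, selector, replicas, pod labels …
      containers:
      - name: cloak-external-secrets
        # <digest> is a placeholder: use the digest of a reviewed release
        image: purtontech/cloak-external-secrets@sha256:<digest>
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          capabilities:
            drop:
              - ALL
# … unchanged: env (ECDH_PRIVATE_KEY from cloak-key), ports …
```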

+ 12 - 0
main/snippets/cloak-proxy-service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: cloak-external-secrets-service
+  namespace: external-secrets
+spec:
+  selector:
+    app: cloak-external-secrets
+  ports:
+    - protocol: TCP
+      port: 7105
+      targetPort: 7105

+ 15 - 0
main/snippets/cloak-secret-store.yaml

@@ -0,0 +1,15 @@
+{% raw %}
+# An External secrets webhookl
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: cloak-backend
+spec:
+  provider:
+    webhook:
+      url: "http://cloak-external-secrets-service:7105/{{ .remoteRef.key }}"
+      result:
+        jsonPath: "$.value"
+      headers:
+        Content-Type: application/json
+{%- endraw %}
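Review bot: The webhook `url` is plain `http://` and the store configures no credential, so the decrypted value returned in `$.value` crosses the cluster network in cleartext. As far as this snippet shows, any workload that can reach `cloak-external-secrets-service:7105` could request a secret by name. The example should at least say that the proxy Service in `cloak-proxy-service.yaml` must be fenced with a NetworkPolicy admitting only the external-secrets controller pods on port 7105. Where the proxy supports it, switch to `https://` with the webhook provider's `caBundle` or `caProvider`. The header comment also has a typo, `# An External secrets webhookl`, which should read `# An External Secrets webhook`.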

+ 20 - 0
main/snippets/conjur-ca-bundle.yaml

@@ -0,0 +1,20 @@
+....
+spec:
+  provider:
+    conjur:
+      # Service URL
+      url: https://myapi.conjur.org
+
+      # [OPTIONAL] base64 encoded string of certificate
+      caBundle: "<base64 encoded cabundle>"
+
+      # [OPTIONAL] caProvider:
+      # Instead of caBundle you can also specify a caProvider
+      # this will retrieve the cert from a Secret or ConfigMap
+      caProvider:
+        type: "Secret" # Can be Secret or ConfigMap
+        name: "<name of secret or configmap>"
+        key: "<key inside secret or configmap>"
+        # namespace is mandatory for ClusterSecretStore and not relevant for SecretStore
+        namespace: "my-cert-secret-namespace"
+  ....

+ 14 - 0
main/snippets/conjur-external-secret.yaml

@@ -0,0 +1,14 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: conjur
+spec:
+  refreshInterval: 10s
+  secretStoreRef:
+    # This name must match the metadata.name in the `SecretStore`
+    name: conjur
+    kind: SecretStore
+  data:
+  - secretKey: secret00
+    remoteRef:
+      key: data/app1/secret00

+ 21 - 0
main/snippets/conjur-secret-store-apikey.yaml

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: conjur
+spec:
+  provider:
+    conjur:
+      # Service URL
+      url: https://myapi.conjur.org
+      # [OPTIONAL] base64 encoded string of certificate
+      caBundle: OPTIONALxFIELDxxxBase64xCertxString==  
+      auth:
+        apikey:
+          # conjur account
+          account: conjur
+          userRef: # Get this from K8S secret
+            name: conjur-creds
+            key: hostid
+          apiKeyRef: # Get this from K8S secret
+            name: conjur-creds
+            key: apikey

+ 19 - 0
main/snippets/conjur-secret-store-jwt-secret-ref.yaml

@@ -0,0 +1,19 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: conjur
+spec:
+  provider:
+    conjur:
+      # Service URL
+      url: https://myapi.conjur.org
+      # [OPTIONAL] base64 encoded string of certificate
+      caBundle: OPTIONALxFIELDxxxBase64xCertxString==
+      auth:
+        jwt:
+          # conjur account
+          account: conjur
+          serviceID: my-jwt-auth-service # The authn-jwt service ID
+          secretRef: # Secret containing a valid JWT token
+            name: my-jwt-secret
+            key: token

+ 21 - 0
main/snippets/conjur-secret-store-jwt-service-account-ref.yaml

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: conjur
+spec:
+  provider:
+    conjur:
+      # Service URL
+      url: https://myapi.conjur.org
+      # [OPTIONAL] base64 encoded string of certificate
+      caBundle: OPTIONALxFIELDxxxBase64xCertxString==
+      auth:
+        jwt:
+          # conjur account
+          account: conjur
+          serviceID: my-jwt-auth-service # The authn-jwt service ID
+          serviceAccountRef: # Service account to retrieve JWT token for
+            name: my-service-account
+            audiences:  # [OPTIONAL] audiences to include in JWT token
+              - https://conjur.company.com
+

File diff suppressed because it is too large
+ 535 - 329
main/snippets/dashboard.json


+ 2 - 0
main/snippets/full-cluster-secret-store.yaml

@@ -131,10 +131,12 @@ spec:
             # The secret that contains your privatekey
             name: oci-secret-name
             key: privateKey
+            namespace: example-namespace
           fingerprint:
             # The secret that contains your fingerprint
             name: oci-secret-name
             key: fingerprint
+            namespace: example-namespace
 
     # (TODO): add more provider examples here
 

Some files were not shown because too many files changed in this diff