helm-external-secrets/config/crds/bases/external-secrets.io_clustersecretstores.yaml

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.16.1
  labels:
    external-secrets.io/component: controller
  name: clustersecretstores.external-secrets.io
spec:
  group: external-secrets.io
  names:
    categories:
    - externalsecrets
    kind: ClusterSecretStore
    listKind: ClusterSecretStoreList
    plural: clustersecretstores
    shortNames:
    - css
    singular: clustersecretstore
  scope: Cluster
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: AGE
      type: date
    - jsonPath: .status.conditions[?(@.type=="Ready")].reason
      name: Status
      type: string
    deprecated: true
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: ClusterSecretStore represents a secure external location for
          storing secrets, which can be referenced as part of `storeRef` fields.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: SecretStoreSpec defines the desired state of SecretStore.
            properties:
              controller:
                description: |-
                  Used to select the correct ESO controller (think: ingress.ingressClassName)
                  The ESO controller is instantiated with a specific controller name and filters ES based on this property
                type: string
              provider:
                description: Used to configure the provider. Only one provider may
                  be set
                maxProperties: 1
                minProperties: 1
                properties:
                  akeyless:
                    description: Akeyless configures this store to sync secrets using
                      Akeyless Vault provider
                    properties:
                      akeylessGWApiURL:
                        description: Akeyless GW API Url from which the secrets to
                          be fetched from.
                        type: string
                      authSecretRef:
                        description: Auth configures how the operator authenticates
                          with Akeyless.
                        properties:
                          kubernetesAuth:
                            description: |-
                              Kubernetes authenticates with Akeyless by passing the ServiceAccount
                              token stored in the named Secret resource.
                            properties:
                              accessID:
                                description: the Akeyless Kubernetes auth-method access-id
                                type: string
                              k8sConfName:
                                description: Kubernetes-auth configuration name in
                                  Akeyless-Gateway
                                type: string
                              secretRef:
                                description: |-
                                  Optional secret field containing a Kubernetes ServiceAccount JWT used
                                  for authenticating with Akeyless. If a name is specified without a key,
                                  `token` is the default. If one is not specified, the one bound to
                                  the controller will be used.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              serviceAccountRef:
                                description: |-
                                  Optional service account field containing the name of a kubernetes ServiceAccount.
                                  If the service account is specified, the service account secret token JWT will be used
                                  for authenticating with Akeyless. If the service account selector is not supplied,
                                  the secretRef will be used instead.
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - accessID
                            - k8sConfName
                            type: object
                          secretRef:
                            description: |-
                              Reference to a Secret that contains the details
                              to authenticate with Akeyless.
                            properties:
                              accessID:
                                description: The SecretAccessID is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              accessType:
                                description: |-
                                  A reference to a specific 'key' within a Secret resource,
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              accessTypeParam:
                                description: |-
                                  A reference to a specific 'key' within a Secret resource,
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            type: object
                        type: object
                      caBundle:
                        description: |-
                          PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
                          if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
                          are used to validate the TLS connection.
                        format: byte
                        type: string
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Akeyless Gateway certificate.
                        properties:
                          key:
                            description: The key the value inside of the provider
                              type to use, only used with "Secret" type
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            type: string
                          namespace:
                            description: The namespace the Provider type is in.
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                    required:
                    - akeylessGWApiURL
                    - authSecretRef
                    type: object
                  alibaba:
                    description: Alibaba configures this store to sync secrets using
                      Alibaba Cloud provider
                    properties:
                      auth:
                        description: AlibabaAuth contains a secretRef for credentials.
                        properties:
                          rrsa:
                            description: Authenticate against Alibaba using RRSA.
                            properties:
                              oidcProviderArn:
                                type: string
                              oidcTokenFilePath:
                                type: string
                              roleArn:
                                type: string
                              sessionName:
                                type: string
                            required:
                            - oidcProviderArn
                            - oidcTokenFilePath
                            - roleArn
                            - sessionName
                            type: object
                          secretRef:
                            description: AlibabaAuthSecretRef holds secret references
                              for Alibaba credentials.
                            properties:
                              accessKeyIDSecretRef:
                                description: The AccessKeyID is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              accessKeySecretSecretRef:
                                description: The AccessKeySecret is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            required:
                            - accessKeyIDSecretRef
                            - accessKeySecretSecretRef
                            type: object
                        type: object
                      regionID:
                        description: Alibaba Region to be used for the provider
                        type: string
                    required:
                    - auth
                    - regionID
                    type: object
                  aws:
                    description: AWS configures this store to sync secrets using AWS
                      Secret Manager provider
                    properties:
                      auth:
                        description: |-
                          Auth defines the information necessary to authenticate against AWS
                          if not set aws sdk will infer credentials from your environment
                          see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
                        properties:
                          jwt:
                            description: Authenticate against AWS using service account
                              tokens.
                            properties:
                              serviceAccountRef:
                                description: A reference to a ServiceAccount resource.
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            type: object
                          secretRef:
                            description: |-
                              AWSAuthSecretRef holds secret references for AWS credentials
                              both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
                            properties:
                              accessKeyIDSecretRef:
                                description: The AccessKeyID is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              secretAccessKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            type: object
                        type: object
                      region:
                        description: AWS Region to be used for the provider
                        type: string
                      role:
                        description: Role is a Role ARN which the SecretManager provider
                          will assume
                        type: string
                      service:
                        description: Service defines which service should be used
                          to fetch the secrets
                        enum:
                        - SecretsManager
                        - ParameterStore
                        type: string
                    required:
                    - region
                    - service
                    type: object
                  azurekv:
                    description: AzureKV configures this store to sync secrets using
                      Azure Key Vault provider
                    properties:
                      authSecretRef:
                        description: Auth configures how the operator authenticates
                          with Azure. Required for ServicePrincipal auth type.
                        properties:
                          clientId:
                            description: The Azure clientId of the service principle
                              used for authentication.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                          clientSecret:
                            description: The Azure ClientSecret of the service principle
                              used for authentication.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                      authType:
                        default: ServicePrincipal
                        description: |-
                          Auth type defines how to authenticate to the keyvault service.
                          Valid values are:
                          - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
                          - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
                        enum:
                        - ServicePrincipal
                        - ManagedIdentity
                        - WorkloadIdentity
                        type: string
                      identityId:
                        description: If multiple Managed Identity is assigned to the
                          pod, you can select the one to be used
                        type: string
                      serviceAccountRef:
                        description: |-
                          ServiceAccountRef specified the service account
                          that should be used when authenticating with WorkloadIdentity.
                        properties:
                          audiences:
                            description: |-
                              Audience specifies the `aud` claim for the service account token
                              If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                              then this audiences will be appended to the list
                            items:
                              type: string
                            type: array
                          name:
                            description: The name of the ServiceAccount resource being
                              referred to.
                            type: string
                          namespace:
                            description: |-
                              Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                              to the namespace of the referent.
                            type: string
                        required:
                        - name
                        type: object
                      tenantId:
                        description: TenantID configures the Azure Tenant to send
                          requests to. Required for ServicePrincipal auth type.
                        type: string
                      vaultUrl:
                        description: Vault Url from which the secrets to be fetched
                          from.
                        type: string
                    required:
                    - vaultUrl
                    type: object
                  fake:
                    description: Fake configures a store with static key/value pairs
                    properties:
                      data:
                        items:
                          properties:
                            key:
                              type: string
                            value:
                              type: string
                            valueMap:
                              additionalProperties:
                                type: string
                              type: object
                            version:
                              type: string
                          required:
                          - key
                          type: object
                        type: array
                    required:
                    - data
                    type: object
                  gcpsm:
                    description: GCPSM configures this store to sync secrets using
                      Google Cloud Platform Secret Manager provider
                    properties:
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against GCP
                        properties:
                          secretRef:
                            properties:
                              secretAccessKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            type: object
                          workloadIdentity:
                            properties:
                              clusterLocation:
                                type: string
                              clusterName:
                                type: string
                              clusterProjectID:
                                type: string
                              serviceAccountRef:
                                description: A reference to a ServiceAccount resource.
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - clusterLocation
                            - clusterName
                            - serviceAccountRef
                            type: object
                        type: object
                      projectID:
                        description: ProjectID project where secret is located
                        type: string
                    type: object
                  gitlab:
                    description: GitLab configures this store to sync secrets using
                      GitLab Variables provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with a GitLab instance.
                        properties:
                          SecretRef:
                            properties:
                              accessToken:
                                description: AccessToken is used for authentication.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            type: object
                        required:
                        - SecretRef
                        type: object
                      projectID:
                        description: ProjectID specifies a project where secrets are
                          located.
                        type: string
                      url:
                        description: URL configures the GitLab instance URL. Defaults
                          to https://gitlab.com/.
                        type: string
                    required:
                    - auth
                    type: object
                  ibm:
                    description: IBM configures this store to sync secrets using IBM
                      Cloud provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with the IBM secrets manager.
                        properties:
                          secretRef:
                            properties:
                              secretApiKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            type: object
                        required:
                        - secretRef
                        type: object
                      serviceUrl:
                        description: ServiceURL is the Endpoint URL that is specific
                          to the Secrets Manager service instance
                        type: string
                    required:
                    - auth
                    type: object
                  kubernetes:
                    description: Kubernetes configures this store to sync secrets
                      using a Kubernetes cluster provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with a Kubernetes instance.
                        maxProperties: 1
                        minProperties: 1
                        properties:
                          cert:
                            description: has both clientCert and clientKey as secretKeySelector
                            properties:
                              clientCert:
                                description: |-
                                  A reference to a specific 'key' within a Secret resource,
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              clientKey:
                                description: |-
                                  A reference to a specific 'key' within a Secret resource,
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            type: object
                          serviceAccount:
                            description: points to a service account that should be
                              used for authentication
                            properties:
                              serviceAccount:
                                description: A reference to a ServiceAccount resource.
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            type: object
                          token:
                            description: use static token to authenticate with
                            properties:
                              bearerToken:
                                description: |-
                                  A reference to a specific 'key' within a Secret resource,
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            type: object
                        type: object
                      remoteNamespace:
                        default: default
                        description: Remote namespace to fetch the secrets from
                        type: string
                      server:
                        description: configures the Kubernetes server Address.
                        properties:
                          caBundle:
                            description: CABundle is a base64-encoded CA certificate
                            format: byte
                            type: string
                          caProvider:
                            description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
                            properties:
                              key:
                                description: The key the value inside of the provider
                                  type to use, only used with "Secret" type
                                type: string
                              name:
                                description: The name of the object located at the
                                  provider type.
                                type: string
                              namespace:
                                description: The namespace the Provider type is in.
                                type: string
                              type:
                                description: The type of provider to use such as "Secret",
                                  or "ConfigMap".
                                enum:
                                - Secret
                                - ConfigMap
                                type: string
                            required:
                            - name
                            - type
                            type: object
                          url:
                            default: kubernetes.default
                            description: configures the Kubernetes server Address.
                            type: string
                        type: object
                    required:
                    - auth
                    type: object
                  oracle:
                    description: Oracle configures this store to sync secrets using
                      Oracle Vault provider
                    properties:
                      auth:
                        description: |-
                          Auth configures how secret-manager authenticates with the Oracle Vault.
                          If empty, instance principal is used. Optionally, the authenticating principal type
                          and/or user data may be supplied for the use of workload identity and user principal.
                        properties:
                          secretRef:
                            description: SecretRef to pass through sensitive information.
                            properties:
                              fingerprint:
                                description: Fingerprint is the fingerprint of the
                                  API private key.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              privatekey:
                                description: PrivateKey is the user's API Signing
                                  Key in PEM format, used for authentication.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            required:
                            - fingerprint
                            - privatekey
                            type: object
                          tenancy:
                            description: Tenancy is the tenancy OCID where user is
                              located.
                            type: string
                          user:
                            description: User is an access OCID specific to the account.
                            type: string
                        required:
                        - secretRef
                        - tenancy
                        - user
                        type: object
                      compartment:
                        description: |-
                          Compartment is the vault compartment OCID.
                          Required for PushSecret
                        type: string
                      encryptionKey:
                        description: |-
                          EncryptionKey is the OCID of the encryption key within the vault.
                          Required for PushSecret
                        type: string
                      principalType:
                        description: |-
                          The type of principal to use for authentication. If left blank, the Auth struct will
                          determine the principal type. This optional field must be specified if using
                          workload identity.
                        enum:
                        - ""
                        - UserPrincipal
                        - InstancePrincipal
                        - Workload
                        type: string
                      region:
                        description: Region is the region where vault is located.
                        type: string
                      serviceAccountRef:
                        description: |-
                          ServiceAccountRef specified the service account
                          that should be used when authenticating with WorkloadIdentity.
                        properties:
                          audiences:
                            description: |-
                              Audience specifies the `aud` claim for the service account token
                              If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                              then this audiences will be appended to the list
                            items:
                              type: string
                            type: array
                          name:
                            description: The name of the ServiceAccount resource being
                              referred to.
                            type: string
                          namespace:
                            description: |-
                              Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                              to the namespace of the referent.
                            type: string
                        required:
                        - name
                        type: object
                      vault:
                        description: Vault is the vault's OCID of the specific vault
                          where secret is located.
                        type: string
                    required:
                    - region
                    - vault
                    type: object
                  passworddepot:
                    description: Configures a store to sync secrets with a Password
                      Depot instance.
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with a Password Depot instance.
                        properties:
                          secretRef:
                            properties:
                              credentials:
                                description: Username / Password is used for authentication.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            type: object
                        required:
                        - secretRef
                        type: object
                      database:
                        description: Database to use as source
                        type: string
                      host:
                        description: URL configures the Password Depot instance URL.
                        type: string
                    required:
                    - auth
                    - database
                    - host
                    type: object
                  vault:
                    description: Vault configures this store to sync secrets using
                      Hashi provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with the Vault server.
                        properties:
                          appRole:
                            description: |-
                              AppRole authenticates with Vault using the App Role auth mechanism,
                              with the role and secret stored in a Kubernetes Secret resource.
                            properties:
                              path:
                                default: approle
                                description: |-
                                  Path where the App Role authentication backend is mounted
                                  in Vault, e.g: "approle"
                                type: string
                              roleId:
                                description: |-
                                  RoleID configured in the App Role authentication backend when setting
                                  up the authentication backend in Vault.
                                type: string
                              secretRef:
                                description: |-
                                  Reference to a key in a Secret that contains the App Role secret used
                                  to authenticate with Vault.
                                  The `key` field must be specified and denotes which entry within the Secret
                                  resource is used as the app role secret.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            required:
                            - path
                            - roleId
                            - secretRef
                            type: object
                          cert:
                            description: |-
                              Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
                              Cert authentication method
                            properties:
                              clientCert:
                                description: |-
                                  ClientCert is a certificate to authenticate using the Cert Vault
                                  authentication method
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              secretRef:
                                description: |-
                                  SecretRef to a key in a Secret resource containing client private key to
                                  authenticate with Vault using the Cert authentication method
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            type: object
                          jwt:
                            description: |-
                              Jwt authenticates with Vault by passing role and JWT token using the
                              JWT/OIDC authentication method
                            properties:
                              kubernetesServiceAccountToken:
                                description: |-
                                  Optional ServiceAccountToken specifies the Kubernetes service account for which to request
                                  a token for with the `TokenRequest` API.
                                properties:
                                  audiences:
                                    description: |-
                                      Optional audiences field that will be used to request a temporary Kubernetes service
                                      account token for the service account referenced by `serviceAccountRef`.
                                      Defaults to a single audience `vault` it not specified.
                                    items:
                                      type: string
                                    type: array
                                  expirationSeconds:
                                    description: |-
                                      Optional expiration time in seconds that will be used to request a temporary
                                      Kubernetes service account token for the service account referenced by
                                      `serviceAccountRef`.
                                      Defaults to 10 minutes.
                                    format: int64
                                    type: integer
                                  serviceAccountRef:
                                    description: Service account field containing
                                      the name of a kubernetes ServiceAccount.
                                    properties:
                                      audiences:
                                        description: |-
                                          Audience specifies the `aud` claim for the service account token
                                          If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                          then this audiences will be appended to the list
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: The name of the ServiceAccount
                                          resource being referred to.
                                        type: string
                                      namespace:
                                        description: |-
                                          Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                          to the namespace of the referent.
                                        type: string
                                    required:
                                    - name
                                    type: object
                                required:
                                - serviceAccountRef
                                type: object
                              path:
                                default: jwt
                                description: |-
                                  Path where the JWT authentication backend is mounted
                                  in Vault, e.g: "jwt"
                                type: string
                              role:
                                description: |-
                                  Role is a JWT role to authenticate using the JWT/OIDC Vault
                                  authentication method
                                type: string
                              secretRef:
                                description: |-
                                  Optional SecretRef that refers to a key in a Secret resource containing JWT token to
                                  authenticate with Vault using the JWT/OIDC authentication method.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            required:
                            - path
                            type: object
                          kubernetes:
                            description: |-
                              Kubernetes authenticates with Vault by passing the ServiceAccount
                              token stored in the named Secret resource to the Vault server.
                            properties:
                              mountPath:
                                default: kubernetes
                                description: |-
                                  Path where the Kubernetes authentication backend is mounted in Vault, e.g:
                                  "kubernetes"
                                type: string
                              role:
                                description: |-
                                  A required field containing the Vault Role to assume. A Role binds a
                                  Kubernetes ServiceAccount with a set of Vault policies.
                                type: string
                              secretRef:
                                description: |-
                                  Optional secret field containing a Kubernetes ServiceAccount JWT used
                                  for authenticating with Vault. If a name is specified without a key,
                                  `token` is the default. If one is not specified, the one bound to
                                  the controller will be used.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              serviceAccountRef:
                                description: |-
                                  Optional service account field containing the name of a kubernetes ServiceAccount.
                                  If the service account is specified, the service account secret token JWT will be used
                                  for authenticating with Vault. If the service account selector is not supplied,
                                  the secretRef will be used instead.
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - mountPath
                            - role
                            type: object
                          ldap:
                            description: |-
                              Ldap authenticates with Vault by passing username/password pair using
                              the LDAP authentication method
                            properties:
                              path:
                                default: ldap
                                description: |-
                                  Path where the LDAP authentication backend is mounted
                                  in Vault, e.g: "ldap"
                                type: string
                              secretRef:
                                description: |-
                                  SecretRef to a key in a Secret resource containing password for the LDAP
                                  user used to authenticate with Vault using the LDAP authentication
                                  method
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              username:
                                description: |-
                                  Username is a LDAP user name used to authenticate using the LDAP Vault
                                  authentication method
                                type: string
                            required:
                            - path
                            - username
                            type: object
                          tokenSecretRef:
                            description: TokenSecretRef authenticates with Vault by
                              presenting a token.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                      caBundle:
                        description: |-
                          PEM encoded CA bundle used to validate Vault server certificate. Only used
                          if the Server URL is using HTTPS protocol. This parameter is ignored for
                          plain HTTP protocol connection. If not set the system root certificates
                          are used to validate the TLS connection.
                        format: byte
                        type: string
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Vault server certificate.
                        properties:
                          key:
                            description: The key the value inside of the provider
                              type to use, only used with "Secret" type
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            type: string
                          namespace:
                            description: The namespace the Provider type is in.
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      forwardInconsistent:
                        description: |-
                          ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
                          leader instead of simply retrying within a loop. This can increase performance if
                          the option is enabled serverside.
                          https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
                        type: boolean
                      namespace:
                        description: |-
                          Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
                          Vault environments to support Secure Multi-tenancy. e.g: "ns1".
                          More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
                        type: string
                      path:
                        description: |-
                          Path is the mount path of the Vault KV backend endpoint, e.g:
                          "secret". The v2 KV secret engine version specific "/data" path suffix
                          for fetching secrets from Vault is optional and will be appended
                          if not present in specified path.
                        type: string
                      readYourWrites:
                        description: |-
                          ReadYourWrites ensures isolated read-after-write semantics by
                          providing discovered cluster replication states in each request.
                          More information about eventual consistency in Vault can be found here
                          https://www.vaultproject.io/docs/enterprise/consistency
                        type: boolean
                      server:
                        description: 'Server is the connection address for the Vault
                          server, e.g: "https://vault.example.com:8200".'
                        type: string
                      version:
                        default: v2
                        description: |-
                          Version is the Vault KV secret engine version. This can be either "v1" or
                          "v2". Version defaults to "v2".
                        enum:
                        - v1
                        - v2
                        type: string
                    required:
                    - auth
                    - server
                    type: object
                  webhook:
                    description: Webhook configures this store to sync secrets using
                      a generic templated webhook
                    properties:
                      body:
                        description: Body
                        type: string
                      caBundle:
                        description: |-
                          PEM encoded CA bundle used to validate webhook server certificate. Only used
                          if the Server URL is using HTTPS protocol. This parameter is ignored for
                          plain HTTP protocol connection. If not set the system root certificates
                          are used to validate the TLS connection.
                        format: byte
                        type: string
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          webhook server certificate.
                        properties:
                          key:
                            description: The key the value inside of the provider
                              type to use, only used with "Secret" type
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            type: string
                          namespace:
                            description: The namespace the Provider type is in.
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      headers:
                        additionalProperties:
                          type: string
                        description: Headers
                        type: object
                      method:
                        description: Webhook Method
                        type: string
                      result:
                        description: Result formatting
                        properties:
                          jsonPath:
                            description: Json path of return value
                            type: string
                        type: object
                      secrets:
                        description: |-
                          Secrets to fill in templates
                          These secrets will be passed to the templating function as key value pairs under the given name
                        items:
                          properties:
                            name:
                              description: Name of this secret in templates
                              type: string
                            secretRef:
                              description: Secret ref to fill in credentials
                              properties:
                                key:
                                  description: |-
                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                    defaulted, in others it may be required.
                                  type: string
                                name:
                                  description: The name of the Secret resource being
                                    referred to.
                                  type: string
                                namespace:
                                  description: |-
                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                    to the namespace of the referent.
                                  type: string
                              type: object
                          required:
                          - name
                          - secretRef
                          type: object
                        type: array
                      timeout:
                        description: Timeout
                        type: string
                      url:
                        description: Webhook url to call
                        type: string
                    required:
                    - result
                    - url
                    type: object
                  yandexlockbox:
                    description: YandexLockbox configures this store to sync secrets
                      using Yandex Lockbox provider
                    properties:
                      apiEndpoint:
                        description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
                        type: string
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against Yandex Lockbox
                        properties:
                          authorizedKeySecretRef:
                            description: The authorized key used for authentication
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Yandex.Cloud server certificate.
                        properties:
                          certSecretRef:
                            description: |-
                              A reference to a specific 'key' within a Secret resource,
                              In some instances, `key` is a required field.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                    required:
                    - auth
                    type: object
                type: object
              retrySettings:
                description: Used to configure http retries if failed
                properties:
                  maxRetries:
                    format: int32
                    type: integer
                  retryInterval:
                    type: string
                type: object
            required:
            - provider
            type: object
          status:
            description: SecretStoreStatus defines the observed state of the SecretStore.
            properties:
              conditions:
                items:
                  properties:
                    lastTransitionTime:
                      format: date-time
                      type: string
                    message:
                      type: string
                    reason:
                      type: string
                    status:
                      type: string
                    type:
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
            type: object
        type: object
    served: true
    storage: false
    subresources:
      status: {}
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: AGE
      type: date
    - jsonPath: .status.conditions[?(@.type=="Ready")].reason
      name: Status
      type: string
    - jsonPath: .status.capabilities
      name: Capabilities
      type: string
    - jsonPath: .status.conditions[?(@.type=="Ready")].status
      name: Ready
      type: string
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: ClusterSecretStore represents a secure external location for
          storing secrets, which can be referenced as part of `storeRef` fields.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: SecretStoreSpec defines the desired state of SecretStore.
            properties:
              conditions:
                description: Used to constraint a ClusterSecretStore to specific namespaces.
                  Relevant only to ClusterSecretStore
                items:
                  description: |-
                    ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
                    for a ClusterSecretStore instance.
                  properties:
                    namespaceRegexes:
                      description: Choose namespaces by using regex matching
                      items:
                        type: string
                      type: array
                    namespaceSelector:
                      description: Choose namespace using a labelSelector
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: |-
                              A label selector requirement is a selector that contains values, a key, and an operator that
                              relates the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              operator:
                                description: |-
                                  operator represents a key's relationship to a set of values.
                                  Valid operators are In, NotIn, Exists and DoesNotExist.
                                type: string
                              values:
                                description: |-
                                  values is an array of string values. If the operator is In or NotIn,
                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                  the values array must be empty. This array is replaced during a strategic
                                  merge patch.
                                items:
                                  type: string
                                type: array
                                x-kubernetes-list-type: atomic
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                          x-kubernetes-list-type: atomic
                        matchLabels:
                          additionalProperties:
                            type: string
                          description: |-
                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                            map is equivalent to an element of matchExpressions, whose key field is "key", the
                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                          type: object
                      type: object
                      x-kubernetes-map-type: atomic
                    namespaces:
                      description: Choose namespaces by name
                      items:
                        type: string
                      type: array
                  type: object
                type: array
              controller:
                description: |-
                  Used to select the correct ESO controller (think: ingress.ingressClassName)
                  The ESO controller is instantiated with a specific controller name and filters ES based on this property
                type: string
              provider:
                description: Used to configure the provider. Only one provider may
                  be set
                maxProperties: 1
                minProperties: 1
                properties:
                  akeyless:
                    description: Akeyless configures this store to sync secrets using
                      Akeyless Vault provider
                    properties:
                      akeylessGWApiURL:
                        description: Akeyless GW API Url from which the secrets to
                          be fetched from.
                        type: string
                      authSecretRef:
                        description: Auth configures how the operator authenticates
                          with Akeyless.
                        properties:
                          kubernetesAuth:
                            description: |-
                              Kubernetes authenticates with Akeyless by passing the ServiceAccount
                              token stored in the named Secret resource.
                            properties:
                              accessID:
                                description: the Akeyless Kubernetes auth-method access-id
                                type: string
                              k8sConfName:
                                description: Kubernetes-auth configuration name in
                                  Akeyless-Gateway
                                type: string
                              secretRef:
                                description: |-
                                  Optional secret field containing a Kubernetes ServiceAccount JWT used
                                  for authenticating with Akeyless. If a name is specified without a key,
                                  `token` is the default. If one is not specified, the one bound to
                                  the controller will be used.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              serviceAccountRef:
                                description: |-
                                  Optional service account field containing the name of a kubernetes ServiceAccount.
                                  If the service account is specified, the service account secret token JWT will be used
                                  for authenticating with Akeyless. If the service account selector is not supplied,
                                  the secretRef will be used instead.
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - accessID
                            - k8sConfName
                            type: object
                          secretRef:
                            description: |-
                              Reference to a Secret that contains the details
                              to authenticate with Akeyless.
                            properties:
                              accessID:
                                description: The SecretAccessID is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              accessType:
                                description: |-
                                  A reference to a specific 'key' within a Secret resource,
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              accessTypeParam:
                                description: |-
                                  A reference to a specific 'key' within a Secret resource,
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            type: object
                        type: object
                      caBundle:
                        description: |-
                          PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
                          if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
                          are used to validate the TLS connection.
                        format: byte
                        type: string
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Akeyless Gateway certificate.
                        properties:
                          key:
                            description: The key where the CA certificate can be found
                              in the Secret or ConfigMap.
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            type: string
                          namespace:
                            description: |-
                              The namespace the Provider type is in.
                              Can only be defined when used in a ClusterSecretStore.
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                    required:
                    - akeylessGWApiURL
                    - authSecretRef
                    type: object
                  alibaba:
                    description: Alibaba configures this store to sync secrets using
                      Alibaba Cloud provider
                    properties:
                      auth:
                        description: AlibabaAuth contains a secretRef for credentials.
                        properties:
                          rrsa:
                            description: Authenticate against Alibaba using RRSA.
                            properties:
                              oidcProviderArn:
                                type: string
                              oidcTokenFilePath:
                                type: string
                              roleArn:
                                type: string
                              sessionName:
                                type: string
                            required:
                            - oidcProviderArn
                            - oidcTokenFilePath
                            - roleArn
                            - sessionName
                            type: object
                          secretRef:
                            description: AlibabaAuthSecretRef holds secret references
                              for Alibaba credentials.
                            properties:
                              accessKeyIDSecretRef:
                                description: The AccessKeyID is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              accessKeySecretSecretRef:
                                description: The AccessKeySecret is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            required:
                            - accessKeyIDSecretRef
                            - accessKeySecretSecretRef
                            type: object
                        type: object
                      regionID:
                        description: Alibaba Region to be used for the provider
                        type: string
                    required:
                    - auth
                    - regionID
                    type: object
                  aws:
                    description: AWS configures this store to sync secrets using AWS
                      Secret Manager provider
                    properties:
                      additionalRoles:
                        description: AdditionalRoles is a chained list of Role ARNs
                          which the provider will sequentially assume before assuming
                          the Role
                        items:
                          type: string
                        type: array
                      auth:
                        description: |-
                          Auth defines the information necessary to authenticate against AWS
                          if not set aws sdk will infer credentials from your environment
                          see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
                        properties:
                          jwt:
                            description: Authenticate against AWS using service account
                              tokens.
                            properties:
                              serviceAccountRef:
                                description: A reference to a ServiceAccount resource.
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            type: object
                          secretRef:
                            description: |-
                              AWSAuthSecretRef holds secret references for AWS credentials
                              both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
                            properties:
                              accessKeyIDSecretRef:
                                description: The AccessKeyID is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              secretAccessKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              sessionTokenSecretRef:
                                description: |-
                                  The SessionToken used for authentication
                                  This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
                                  see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            type: object
                        type: object
                      externalID:
                        description: AWS External ID set on assumed IAM roles
                        type: string
                      prefix:
                        description: Prefix adds a prefix to all retrieved values.
                        type: string
                      region:
                        description: AWS Region to be used for the provider
                        type: string
                      role:
                        description: Role is a Role ARN which the provider will assume
                        type: string
                      secretsManager:
                        description: SecretsManager defines how the provider behaves
                          when interacting with AWS SecretsManager
                        properties:
                          forceDeleteWithoutRecovery:
                            description: |-
                              Specifies whether to delete the secret without any recovery window. You
                              can't use both this parameter and RecoveryWindowInDays in the same call.
                              If you don't use either, then by default Secrets Manager uses a 30 day
                              recovery window.
                              see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
                            type: boolean
                          recoveryWindowInDays:
                            description: |-
                              The number of days from 7 to 30 that Secrets Manager waits before
                              permanently deleting the secret. You can't use both this parameter and
                              ForceDeleteWithoutRecovery in the same call. If you don't use either,
                              then by default Secrets Manager uses a 30 day recovery window.
                              see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
                            format: int64
                            type: integer
                        type: object
                      service:
                        description: Service defines which service should be used
                          to fetch the secrets
                        enum:
                        - SecretsManager
                        - ParameterStore
                        type: string
                      sessionTags:
                        description: AWS STS assume role session tags
                        items:
                          properties:
                            key:
                              type: string
                            value:
                              type: string
                          required:
                          - key
                          - value
                          type: object
                        type: array
                      transitiveTagKeys:
                        description: AWS STS assume role transitive session tags.
                          Required when multiple rules are used with the provider
                        items:
                          type: string
                        type: array
                    required:
                    - region
                    - service
                    type: object
                  azurekv:
                    description: AzureKV configures this store to sync secrets using
                      Azure Key Vault provider
                    properties:
                      authSecretRef:
                        description: Auth configures how the operator authenticates
                          with Azure. Required for ServicePrincipal auth type. Optional
                          for WorkloadIdentity.
                        properties:
                          clientCertificate:
                            description: The Azure ClientCertificate of the service
                              principle used for authentication.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                          clientId:
                            description: The Azure clientId of the service principle
                              or managed identity used for authentication.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                          clientSecret:
                            description: The Azure ClientSecret of the service principle
                              used for authentication.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                          tenantId:
                            description: The Azure tenantId of the managed identity
                              used for authentication.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                      authType:
                        default: ServicePrincipal
                        description: |-
                          Auth type defines how to authenticate to the keyvault service.
                          Valid values are:
                          - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
                          - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
                        enum:
                        - ServicePrincipal
                        - ManagedIdentity
                        - WorkloadIdentity
                        type: string
                      environmentType:
                        default: PublicCloud
                        description: |-
                          EnvironmentType specifies the Azure cloud environment endpoints to use for
                          connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
                          The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
                          PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
                        enum:
                        - PublicCloud
                        - USGovernmentCloud
                        - ChinaCloud
                        - GermanCloud
                        type: string
                      identityId:
                        description: If multiple Managed Identity is assigned to the
                          pod, you can select the one to be used
                        type: string
                      serviceAccountRef:
                        description: |-
                          ServiceAccountRef specified the service account
                          that should be used when authenticating with WorkloadIdentity.
                        properties:
                          audiences:
                            description: |-
                              Audience specifies the `aud` claim for the service account token
                              If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                              then this audiences will be appended to the list
                            items:
                              type: string
                            type: array
                          name:
                            description: The name of the ServiceAccount resource being
                              referred to.
                            type: string
                          namespace:
                            description: |-
                              Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                              to the namespace of the referent.
                            type: string
                        required:
                        - name
                        type: object
                      tenantId:
                        description: TenantID configures the Azure Tenant to send
                          requests to. Required for ServicePrincipal auth type. Optional
                          for WorkloadIdentity.
                        type: string
                      vaultUrl:
                        description: Vault Url from which the secrets to be fetched
                          from.
                        type: string
                    required:
                    - vaultUrl
                    type: object
                  beyondtrust:
                    description: Beyondtrust configures this store to sync secrets
                      using Password Safe provider.
                    properties:
                      auth:
                        description: Auth configures how the operator authenticates
                          with Beyondtrust.
                        properties:
                          certificate:
                            description: Content of the certificate (cert.pem) for
                              use when authenticating with an OAuth client Id using
                              a Client Certificate.
                            properties:
                              secretRef:
                                description: SecretRef references a key in a secret
                                  that will be used as value.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              value:
                                description: Value can be specified directly to set
                                  a value without using a secret.
                                type: string
                            type: object
                          certificateKey:
                            description: Certificate private key (key.pem). For use
                              when authenticating with an OAuth client Id
                            properties:
                              secretRef:
                                description: SecretRef references a key in a secret
                                  that will be used as value.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              value:
                                description: Value can be specified directly to set
                                  a value without using a secret.
                                type: string
                            type: object
                          clientId:
                            properties:
                              secretRef:
                                description: SecretRef references a key in a secret
                                  that will be used as value.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              value:
                                description: Value can be specified directly to set
                                  a value without using a secret.
                                type: string
                            type: object
                          clientSecret:
                            properties:
                              secretRef:
                                description: SecretRef references a key in a secret
                                  that will be used as value.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              value:
                                description: Value can be specified directly to set
                                  a value without using a secret.
                                type: string
                            type: object
                        required:
                        - clientId
                        - clientSecret
                        type: object
                      server:
                        description: Auth configures how API server works.
                        properties:
                          apiUrl:
                            type: string
                          clientTimeOutSeconds:
                            description: Timeout specifies a time limit for requests
                              made by this Client. The timeout includes connection
                              time, any redirects, and reading the response body.
                              Defaults to 45 seconds.
                            type: integer
                          retrievalType:
                            description: The secret retrieval type. SECRET = Secrets
                              Safe (credential, text, file). MANAGED_ACCOUNT = Password
                              Safe account associated with a system.
                            type: string
                          separator:
                            description: A character that separates the folder names.
                            type: string
                          verifyCA:
                            type: boolean
                        required:
                        - apiUrl
                        - verifyCA
                        type: object
                    required:
                    - auth
                    - server
                    type: object
                  bitwardensecretsmanager:
                    description: BitwardenSecretsManager configures this store to
                      sync secrets using BitwardenSecretsManager provider
                    properties:
                      apiURL:
                        type: string
                      auth:
                        description: |-
                          Auth configures how secret-manager authenticates with a bitwarden machine account instance.
                          Make sure that the token being used has permissions on the given secret.
                        properties:
                          secretRef:
                            description: BitwardenSecretsManagerSecretRef contains
                              the credential ref to the bitwarden instance.
                            properties:
                              credentials:
                                description: AccessToken used for the bitwarden instance.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            required:
                            - credentials
                            type: object
                        required:
                        - secretRef
                        type: object
                      bitwardenServerSDKURL:
                        type: string
                      caBundle:
                        description: |-
                          Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
                          can be performed.
                        type: string
                      caProvider:
                        description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
                        properties:
                          key:
                            description: The key where the CA certificate can be found
                              in the Secret or ConfigMap.
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            type: string
                          namespace:
                            description: |-
                              The namespace the Provider type is in.
                              Can only be defined when used in a ClusterSecretStore.
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      identityURL:
                        type: string
                      organizationID:
                        description: OrganizationID determines which organization
                          this secret store manages.
                        type: string
                      projectID:
                        description: ProjectID determines which project this secret
                          store manages.
                        type: string
                    required:
                    - auth
                    - organizationID
                    - projectID
                    type: object
                  chef:
                    description: Chef configures this store to sync secrets with chef
                      server
                    properties:
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against chef Server
                        properties:
                          secretRef:
                            description: ChefAuthSecretRef holds secret references
                              for chef server login credentials.
                            properties:
                              privateKeySecretRef:
                                description: SecretKey is the Signing Key in PEM format,
                                  used for authentication.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            required:
                            - privateKeySecretRef
                            type: object
                        required:
                        - secretRef
                        type: object
                      serverUrl:
                        description: ServerURL is the chef server URL used to connect
                          to. If using orgs you should include your org in the url
                          and terminate the url with a "/"
                        type: string
                      username:
                        description: UserName should be the user ID on the chef server
                        type: string
                    required:
                    - auth
                    - serverUrl
                    - username
                    type: object
                  conjur:
                    description: Conjur configures this store to sync secrets using
                      conjur provider
                    properties:
                      auth:
                        properties:
                          apikey:
                            properties:
                              account:
                                type: string
                              apiKeyRef:
                                description: |-
                                  A reference to a specific 'key' within a Secret resource,
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              userRef:
                                description: |-
                                  A reference to a specific 'key' within a Secret resource,
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            required:
                            - account
                            - apiKeyRef
                            - userRef
                            type: object
                          jwt:
                            properties:
                              account:
                                type: string
                              hostId:
                                description: |-
                                  Optional HostID for JWT authentication. This may be used depending
                                  on how the Conjur JWT authenticator policy is configured.
                                type: string
                              secretRef:
                                description: |-
                                  Optional SecretRef that refers to a key in a Secret resource containing JWT token to
                                  authenticate with Conjur using the JWT authentication method.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              serviceAccountRef:
                                description: |-
                                  Optional ServiceAccountRef specifies the Kubernetes service account for which to request
                                  a token for with the `TokenRequest` API.
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                required:
                                - name
                                type: object
                              serviceID:
                                description: The conjur authn jwt webservice id
                                type: string
                            required:
                            - account
                            - serviceID
                            type: object
                        type: object
                      caBundle:
                        type: string
                      caProvider:
                        description: |-
                          Used to provide custom certificate authority (CA) certificates
                          for a secret store. The CAProvider points to a Secret or ConfigMap resource
                          that contains a PEM-encoded certificate.
                        properties:
                          key:
                            description: The key where the CA certificate can be found
                              in the Secret or ConfigMap.
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            type: string
                          namespace:
                            description: |-
                              The namespace the Provider type is in.
                              Can only be defined when used in a ClusterSecretStore.
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      url:
                        type: string
                    required:
                    - auth
                    - url
                    type: object
                  delinea:
                    description: |-
                      Delinea DevOps Secrets Vault
                      https://docs.delinea.com/online-help/products/devops-secrets-vault/current
                    properties:
                      clientId:
                        description: ClientID is the non-secret part of the credential.
                        properties:
                          secretRef:
                            description: SecretRef references a key in a secret that
                              will be used as value.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                          value:
                            description: Value can be specified directly to set a
                              value without using a secret.
                            type: string
                        type: object
                      clientSecret:
                        description: ClientSecret is the secret part of the credential.
                        properties:
                          secretRef:
                            description: SecretRef references a key in a secret that
                              will be used as value.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                          value:
                            description: Value can be specified directly to set a
                              value without using a secret.
                            type: string
                        type: object
                      tenant:
                        description: Tenant is the chosen hostname / site name.
                        type: string
                      tld:
                        description: |-
                          TLD is based on the server location that was chosen during provisioning.
                          If unset, defaults to "com".
                        type: string
                      urlTemplate:
                        description: |-
                          URLTemplate
                          If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
                        type: string
                    required:
                    - clientId
                    - clientSecret
                    - tenant
                    type: object
                  device42:
                    description: Device42 configures this store to sync secrets using
                      the Device42 provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with a Device42 instance.
                        properties:
                          secretRef:
                            properties:
                              credentials:
                                description: Username / Password is used for authentication.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            type: object
                        required:
                        - secretRef
                        type: object
                      host:
                        description: URL configures the Device42 instance URL.
                        type: string
                    required:
                    - auth
                    - host
                    type: object
                  doppler:
                    description: Doppler configures this store to sync secrets using
                      the Doppler provider
                    properties:
                      auth:
                        description: Auth configures how the Operator authenticates
                          with the Doppler API
                        properties:
                          secretRef:
                            properties:
                              dopplerToken:
                                description: |-
                                  The DopplerToken is used for authentication.
                                  See https://docs.doppler.com/reference/api#authentication for auth token types.
                                  The Key attribute defaults to dopplerToken if not specified.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            required:
                            - dopplerToken
                            type: object
                        required:
                        - secretRef
                        type: object
                      config:
                        description: Doppler config (required if not using a Service
                          Token)
                        type: string
                      format:
                        description: Format enables the downloading of secrets as
                          a file (string)
                        enum:
                        - json
                        - dotnet-json
                        - env
                        - yaml
                        - docker
                        type: string
                      nameTransformer:
                        description: Environment variable compatible name transforms
                          that change secret names to a different format
                        enum:
                        - upper-camel
                        - camel
                        - lower-snake
                        - tf-var
                        - dotnet-env
                        - lower-kebab
                        type: string
                      project:
                        description: Doppler project (required if not using a Service
                          Token)
                        type: string
                    required:
                    - auth
                    type: object
                  fake:
                    description: Fake configures a store with static key/value pairs
                    properties:
                      data:
                        items:
                          properties:
                            key:
                              type: string
                            value:
                              type: string
                            valueMap:
                              additionalProperties:
                                type: string
                              description: 'Deprecated: ValueMap is deprecated and
                                is intended to be removed in the future, use the `value`
                                field instead.'
                              type: object
                            version:
                              type: string
                          required:
                          - key
                          type: object
                        type: array
                    required:
                    - data
                    type: object
                  fortanix:
                    description: Fortanix configures this store to sync secrets using
                      the Fortanix provider
                    properties:
                      apiKey:
                        description: APIKey is the API token to access SDKMS Applications.
                        properties:
                          secretRef:
                            description: SecretRef is a reference to a secret containing
                              the SDKMS API Key.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                      apiUrl:
                        description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
                        type: string
                    type: object
                  gcpsm:
                    description: GCPSM configures this store to sync secrets using
                      Google Cloud Platform Secret Manager provider
                    properties:
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against GCP
                        properties:
                          secretRef:
                            properties:
                              secretAccessKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            type: object
                          workloadIdentity:
                            properties:
                              clusterLocation:
                                type: string
                              clusterName:
                                type: string
                              clusterProjectID:
                                type: string
                              serviceAccountRef:
                                description: A reference to a ServiceAccount resource.
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - clusterLocation
                            - clusterName
                            - serviceAccountRef
                            type: object
                        type: object
                      location:
                        description: Location optionally defines a location for a
                          secret
                        type: string
                      projectID:
                        description: ProjectID project where secret is located
                        type: string
                    type: object
                  gitlab:
                    description: GitLab configures this store to sync secrets using
                      GitLab Variables provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with a GitLab instance.
                        properties:
                          SecretRef:
                            properties:
                              accessToken:
                                description: AccessToken is used for authentication.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            type: object
                        required:
                        - SecretRef
                        type: object
                      environment:
                        description: Environment environment_scope of gitlab CI/CD
                          variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment
                          on how to create environments)
                        type: string
                      groupIDs:
                        description: GroupIDs specify, which gitlab groups to pull
                          secrets from. Group secrets are read from left to right
                          followed by the project variables.
                        items:
                          type: string
                        type: array
                      inheritFromGroups:
                        description: InheritFromGroups specifies whether parent groups
                          should be discovered and checked for secrets.
                        type: boolean
                      projectID:
                        description: ProjectID specifies a project where secrets are
                          located.
                        type: string
                      url:
                        description: URL configures the GitLab instance URL. Defaults
                          to https://gitlab.com/.
                        type: string
                    required:
                    - auth
                    type: object
                  ibm:
                    description: IBM configures this store to sync secrets using IBM
                      Cloud provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with the IBM secrets manager.
                        maxProperties: 1
                        minProperties: 1
                        properties:
                          containerAuth:
                            description: IBM Container-based auth with IAM Trusted
                              Profile.
                            properties:
                              iamEndpoint:
                                type: string
                              profile:
                                description: the IBM Trusted Profile
                                type: string
                              tokenLocation:
                                description: Location the token is mounted on the
                                  pod
                                type: string
                            required:
                            - profile
                            type: object
                          secretRef:
                            properties:
                              secretApiKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            type: object
                        type: object
                      serviceUrl:
                        description: ServiceURL is the Endpoint URL that is specific
                          to the Secrets Manager service instance
                        type: string
                    required:
                    - auth
                    type: object
                  infisical:
                    description: Infisical configures this store to sync secrets using
                      the Infisical provider
                    properties:
                      auth:
                        description: Auth configures how the Operator authenticates
                          with the Infisical API
                        properties:
                          universalAuthCredentials:
                            properties:
                              clientId:
                                description: |-
                                  A reference to a specific 'key' within a Secret resource,
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              clientSecret:
                                description: |-
                                  A reference to a specific 'key' within a Secret resource,
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            required:
                            - clientId
                            - clientSecret
                            type: object
                        type: object
                      hostAPI:
                        default: https://app.infisical.com/api
                        type: string
                      secretsScope:
                        properties:
                          environmentSlug:
                            type: string
                          projectSlug:
                            type: string
                          secretsPath:
                            default: /
                            type: string
                        required:
                        - environmentSlug
                        - projectSlug
                        type: object
                    required:
                    - auth
                    - secretsScope
                    type: object
                  keepersecurity:
                    description: KeeperSecurity configures this store to sync secrets
                      using the KeeperSecurity provider
                    properties:
                      authRef:
                        description: |-
                          A reference to a specific 'key' within a Secret resource,
                          In some instances, `key` is a required field.
                        properties:
                          key:
                            description: |-
                              The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                              defaulted, in others it may be required.
                            type: string
                          name:
                            description: The name of the Secret resource being referred
                              to.
                            type: string
                          namespace:
                            description: |-
                              Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                              to the namespace of the referent.
                            type: string
                        type: object
                      folderID:
                        type: string
                    required:
                    - authRef
                    - folderID
                    type: object
                  kubernetes:
                    description: Kubernetes configures this store to sync secrets
                      using a Kubernetes cluster provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with a Kubernetes instance.
                        maxProperties: 1
                        minProperties: 1
                        properties:
                          cert:
                            description: has both clientCert and clientKey as secretKeySelector
                            properties:
                              clientCert:
                                description: |-
                                  A reference to a specific 'key' within a Secret resource,
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              clientKey:
                                description: |-
                                  A reference to a specific 'key' within a Secret resource,
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            type: object
                          serviceAccount:
                            description: points to a service account that should be
                              used for authentication
                            properties:
                              audiences:
                                description: |-
                                  Audience specifies the `aud` claim for the service account token
                                  If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                  then this audiences will be appended to the list
                                items:
                                  type: string
                                type: array
                              name:
                                description: The name of the ServiceAccount resource
                                  being referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            required:
                            - name
                            type: object
                          token:
                            description: use static token to authenticate with
                            properties:
                              bearerToken:
                                description: |-
                                  A reference to a specific 'key' within a Secret resource,
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            type: object
                        type: object
                      authRef:
                        description: A reference to a secret that contains the auth
                          information.
                        properties:
                          key:
                            description: |-
                              The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                              defaulted, in others it may be required.
                            type: string
                          name:
                            description: The name of the Secret resource being referred
                              to.
                            type: string
                          namespace:
                            description: |-
                              Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                              to the namespace of the referent.
                            type: string
                        type: object
                      remoteNamespace:
                        default: default
                        description: Remote namespace to fetch the secrets from
                        type: string
                      server:
                        description: configures the Kubernetes server Address.
                        properties:
                          caBundle:
                            description: CABundle is a base64-encoded CA certificate
                            format: byte
                            type: string
                          caProvider:
                            description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
                            properties:
                              key:
                                description: The key where the CA certificate can
                                  be found in the Secret or ConfigMap.
                                type: string
                              name:
                                description: The name of the object located at the
                                  provider type.
                                type: string
                              namespace:
                                description: |-
                                  The namespace the Provider type is in.
                                  Can only be defined when used in a ClusterSecretStore.
                                type: string
                              type:
                                description: The type of provider to use such as "Secret",
                                  or "ConfigMap".
                                enum:
                                - Secret
                                - ConfigMap
                                type: string
                            required:
                            - name
                            - type
                            type: object
                          url:
                            default: kubernetes.default
                            description: configures the Kubernetes server Address.
                            type: string
                        type: object
                    type: object
                  onboardbase:
                    description: Onboardbase configures this store to sync secrets
                      using the Onboardbase provider
                    properties:
                      apiHost:
                        default: https://public.onboardbase.com/api/v1/
                        description: APIHost use this to configure the host url for
                          the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
                        type: string
                      auth:
                        description: Auth configures how the Operator authenticates
                          with the Onboardbase API
                        properties:
                          apiKeyRef:
                            description: |-
                              OnboardbaseAPIKey is the APIKey generated by an admin account.
                              It is used to recognize and authorize access to a project and environment within onboardbase
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                          passcodeRef:
                            description: OnboardbasePasscode is the passcode attached
                              to the API Key
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                        required:
                        - apiKeyRef
                        - passcodeRef
                        type: object
                      environment:
                        default: development
                        description: Environment is the name of an environmnent within
                          a project to pull the secrets from
                        type: string
                      project:
                        default: development
                        description: Project is an onboardbase project that the secrets
                          should be pulled from
                        type: string
                    required:
                    - apiHost
                    - auth
                    - environment
                    - project
                    type: object
                  onepassword:
                    description: OnePassword configures this store to sync secrets
                      using the 1Password Cloud provider
                    properties:
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against OnePassword Connect Server
                        properties:
                          secretRef:
                            description: OnePasswordAuthSecretRef holds secret references
                              for 1Password credentials.
                            properties:
                              connectTokenSecretRef:
                                description: The ConnectToken is used for authentication
                                  to a 1Password Connect Server.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            required:
                            - connectTokenSecretRef
                            type: object
                        required:
                        - secretRef
                        type: object
                      connectHost:
                        description: ConnectHost defines the OnePassword Connect Server
                          to connect to
                        type: string
                      vaults:
                        additionalProperties:
                          type: integer
                        description: Vaults defines which OnePassword vaults to search
                          in which order
                        type: object
                    required:
                    - auth
                    - connectHost
                    - vaults
                    type: object
                  oracle:
                    description: Oracle configures this store to sync secrets using
                      Oracle Vault provider
                    properties:
                      auth:
                        description: |-
                          Auth configures how secret-manager authenticates with the Oracle Vault.
                          If empty, use the instance principal, otherwise the user credentials specified in Auth.
                        properties:
                          secretRef:
                            description: SecretRef to pass through sensitive information.
                            properties:
                              fingerprint:
                                description: Fingerprint is the fingerprint of the
                                  API private key.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              privatekey:
                                description: PrivateKey is the user's API Signing
                                  Key in PEM format, used for authentication.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            required:
                            - fingerprint
                            - privatekey
                            type: object
                          tenancy:
                            description: Tenancy is the tenancy OCID where user is
                              located.
                            type: string
                          user:
                            description: User is an access OCID specific to the account.
                            type: string
                        required:
                        - secretRef
                        - tenancy
                        - user
                        type: object
                      compartment:
                        description: |-
                          Compartment is the vault compartment OCID.
                          Required for PushSecret
                        type: string
                      encryptionKey:
                        description: |-
                          EncryptionKey is the OCID of the encryption key within the vault.
                          Required for PushSecret
                        type: string
                      principalType:
                        description: |-
                          The type of principal to use for authentication. If left blank, the Auth struct will
                          determine the principal type. This optional field must be specified if using
                          workload identity.
                        enum:
                        - ""
                        - UserPrincipal
                        - InstancePrincipal
                        - Workload
                        type: string
                      region:
                        description: Region is the region where vault is located.
                        type: string
                      serviceAccountRef:
                        description: |-
                          ServiceAccountRef specified the service account
                          that should be used when authenticating with WorkloadIdentity.
                        properties:
                          audiences:
                            description: |-
                              Audience specifies the `aud` claim for the service account token
                              If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                              then this audiences will be appended to the list
                            items:
                              type: string
                            type: array
                          name:
                            description: The name of the ServiceAccount resource being
                              referred to.
                            type: string
                          namespace:
                            description: |-
                              Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                              to the namespace of the referent.
                            type: string
                        required:
                        - name
                        type: object
                      vault:
                        description: Vault is the vault's OCID of the specific vault
                          where secret is located.
                        type: string
                    required:
                    - region
                    - vault
                    type: object
                  passbolt:
                    properties:
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against Passbolt Server
                        properties:
                          passwordSecretRef:
                            description: |-
                              A reference to a specific 'key' within a Secret resource,
                              In some instances, `key` is a required field.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                          privateKeySecretRef:
                            description: |-
                              A reference to a specific 'key' within a Secret resource,
                              In some instances, `key` is a required field.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                        required:
                        - passwordSecretRef
                        - privateKeySecretRef
                        type: object
                      host:
                        description: Host defines the Passbolt Server to connect to
                        type: string
                    required:
                    - auth
                    - host
                    type: object
                  passworddepot:
                    description: Configures a store to sync secrets with a Password
                      Depot instance.
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with a Password Depot instance.
                        properties:
                          secretRef:
                            properties:
                              credentials:
                                description: Username / Password is used for authentication.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            type: object
                        required:
                        - secretRef
                        type: object
                      database:
                        description: Database to use as source
                        type: string
                      host:
                        description: URL configures the Password Depot instance URL.
                        type: string
                    required:
                    - auth
                    - database
                    - host
                    type: object
                  pulumi:
                    description: Pulumi configures this store to sync secrets using
                      the Pulumi provider
                    properties:
                      accessToken:
                        description: AccessToken is the access tokens to sign in to
                          the Pulumi Cloud Console.
                        properties:
                          secretRef:
                            description: SecretRef is a reference to a secret containing
                              the Pulumi API token.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                      apiUrl:
                        default: https://api.pulumi.com/api/preview
                        description: APIURL is the URL of the Pulumi API.
                        type: string
                      environment:
                        description: |-
                          Environment are YAML documents composed of static key-value pairs, programmatic expressions,
                          dynamically retrieved values from supported providers including all major clouds,
                          and other Pulumi ESC environments.
                          To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
                        type: string
                      organization:
                        description: |-
                          Organization are a space to collaborate on shared projects and stacks.
                          To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
                        type: string
                    required:
                    - accessToken
                    - environment
                    - organization
                    type: object
                  scaleway:
                    description: Scaleway
                    properties:
                      accessKey:
                        description: AccessKey is the non-secret part of the api key.
                        properties:
                          secretRef:
                            description: SecretRef references a key in a secret that
                              will be used as value.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                          value:
                            description: Value can be specified directly to set a
                              value without using a secret.
                            type: string
                        type: object
                      apiUrl:
                        description: APIURL is the url of the api to use. Defaults
                          to https://api.scaleway.com
                        type: string
                      projectId:
                        description: 'ProjectID is the id of your project, which you
                          can find in the console: https://console.scaleway.com/project/settings'
                        type: string
                      region:
                        description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
                        type: string
                      secretKey:
                        description: SecretKey is the non-secret part of the api key.
                        properties:
                          secretRef:
                            description: SecretRef references a key in a secret that
                              will be used as value.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                          value:
                            description: Value can be specified directly to set a
                              value without using a secret.
                            type: string
                        type: object
                    required:
                    - accessKey
                    - projectId
                    - region
                    - secretKey
                    type: object
                  secretserver:
                    description: |-
                      SecretServer configures this store to sync secrets using SecretServer provider
                      https://docs.delinea.com/online-help/secret-server/start.htm
                    properties:
                      password:
                        description: Password is the secret server account password.
                        properties:
                          secretRef:
                            description: SecretRef references a key in a secret that
                              will be used as value.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                          value:
                            description: Value can be specified directly to set a
                              value without using a secret.
                            type: string
                        type: object
                      serverURL:
                        description: |-
                          ServerURL
                          URL to your secret server installation
                        type: string
                      username:
                        description: Username is the secret server account username.
                        properties:
                          secretRef:
                            description: SecretRef references a key in a secret that
                              will be used as value.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                          value:
                            description: Value can be specified directly to set a
                              value without using a secret.
                            type: string
                        type: object
                    required:
                    - password
                    - serverURL
                    - username
                    type: object
                  senhasegura:
                    description: Senhasegura configures this store to sync secrets
                      using senhasegura provider
                    properties:
                      auth:
                        description: Auth defines parameters to authenticate in senhasegura
                        properties:
                          clientId:
                            type: string
                          clientSecretSecretRef:
                            description: |-
                              A reference to a specific 'key' within a Secret resource,
                              In some instances, `key` is a required field.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                        required:
                        - clientId
                        - clientSecretSecretRef
                        type: object
                      ignoreSslCertificate:
                        default: false
                        description: IgnoreSslCertificate defines if SSL certificate
                          must be ignored
                        type: boolean
                      module:
                        description: Module defines which senhasegura module should
                          be used to get secrets
                        type: string
                      url:
                        description: URL of senhasegura
                        type: string
                    required:
                    - auth
                    - module
                    - url
                    type: object
                  vault:
                    description: Vault configures this store to sync secrets using
                      Hashi provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with the Vault server.
                        properties:
                          appRole:
                            description: |-
                              AppRole authenticates with Vault using the App Role auth mechanism,
                              with the role and secret stored in a Kubernetes Secret resource.
                            properties:
                              path:
                                default: approle
                                description: |-
                                  Path where the App Role authentication backend is mounted
                                  in Vault, e.g: "approle"
                                type: string
                              roleId:
                                description: |-
                                  RoleID configured in the App Role authentication backend when setting
                                  up the authentication backend in Vault.
                                type: string
                              roleRef:
                                description: |-
                                  Reference to a key in a Secret that contains the App Role ID used
                                  to authenticate with Vault.
                                  The `key` field must be specified and denotes which entry within the Secret
                                  resource is used as the app role id.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              secretRef:
                                description: |-
                                  Reference to a key in a Secret that contains the App Role secret used
                                  to authenticate with Vault.
                                  The `key` field must be specified and denotes which entry within the Secret
                                  resource is used as the app role secret.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            required:
                            - path
                            - secretRef
                            type: object
                          cert:
                            description: |-
                              Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
                              Cert authentication method
                            properties:
                              clientCert:
                                description: |-
                                  ClientCert is a certificate to authenticate using the Cert Vault
                                  authentication method
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              secretRef:
                                description: |-
                                  SecretRef to a key in a Secret resource containing client private key to
                                  authenticate with Vault using the Cert authentication method
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            type: object
                          iam:
                            description: |-
                              Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
                              AWS IAM authentication method
                            properties:
                              externalID:
                                description: AWS External ID set on assumed IAM roles
                                type: string
                              jwt:
                                description: Specify a service account with IRSA enabled
                                properties:
                                  serviceAccountRef:
                                    description: A reference to a ServiceAccount resource.
                                    properties:
                                      audiences:
                                        description: |-
                                          Audience specifies the `aud` claim for the service account token
                                          If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                          then this audiences will be appended to the list
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: The name of the ServiceAccount
                                          resource being referred to.
                                        type: string
                                      namespace:
                                        description: |-
                                          Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                          to the namespace of the referent.
                                        type: string
                                    required:
                                    - name
                                    type: object
                                type: object
                              path:
                                description: 'Path where the AWS auth method is enabled
                                  in Vault, e.g: "aws"'
                                type: string
                              region:
                                description: AWS region
                                type: string
                              role:
                                description: This is the AWS role to be assumed before
                                  talking to vault
                                type: string
                              secretRef:
                                description: Specify credentials in a Secret object
                                properties:
                                  accessKeyIDSecretRef:
                                    description: The AccessKeyID is used for authentication
                                    properties:
                                      key:
                                        description: |-
                                          The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                          defaulted, in others it may be required.
                                        type: string
                                      name:
                                        description: The name of the Secret resource
                                          being referred to.
                                        type: string
                                      namespace:
                                        description: |-
                                          Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                          to the namespace of the referent.
                                        type: string
                                    type: object
                                  secretAccessKeySecretRef:
                                    description: The SecretAccessKey is used for authentication
                                    properties:
                                      key:
                                        description: |-
                                          The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                          defaulted, in others it may be required.
                                        type: string
                                      name:
                                        description: The name of the Secret resource
                                          being referred to.
                                        type: string
                                      namespace:
                                        description: |-
                                          Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                          to the namespace of the referent.
                                        type: string
                                    type: object
                                  sessionTokenSecretRef:
                                    description: |-
                                      The SessionToken used for authentication
                                      This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
                                      see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
                                    properties:
                                      key:
                                        description: |-
                                          The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                          defaulted, in others it may be required.
                                        type: string
                                      name:
                                        description: The name of the Secret resource
                                          being referred to.
                                        type: string
                                      namespace:
                                        description: |-
                                          Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                          to the namespace of the referent.
                                        type: string
                                    type: object
                                type: object
                              vaultAwsIamServerID:
                                description: 'X-Vault-AWS-IAM-Server-ID is an additional
                                  header used by Vault IAM auth method to mitigate
                                  against different types of replay attacks. More
                                  details here: https://developer.hashicorp.com/vault/docs/auth/aws'
                                type: string
                              vaultRole:
                                description: Vault Role. In vault, a role describes
                                  an identity with a set of permissions, groups, or
                                  policies you want to attach a user of the secrets
                                  engine
                                type: string
                            required:
                            - vaultRole
                            type: object
                          jwt:
                            description: |-
                              Jwt authenticates with Vault by passing role and JWT token using the
                              JWT/OIDC authentication method
                            properties:
                              kubernetesServiceAccountToken:
                                description: |-
                                  Optional ServiceAccountToken specifies the Kubernetes service account for which to request
                                  a token for with the `TokenRequest` API.
                                properties:
                                  audiences:
                                    description: |-
                                      Optional audiences field that will be used to request a temporary Kubernetes service
                                      account token for the service account referenced by `serviceAccountRef`.
                                      Defaults to a single audience `vault` it not specified.
                                      Deprecated: use serviceAccountRef.Audiences instead
                                    items:
                                      type: string
                                    type: array
                                  expirationSeconds:
                                    description: |-
                                      Optional expiration time in seconds that will be used to request a temporary
                                      Kubernetes service account token for the service account referenced by
                                      `serviceAccountRef`.
                                      Deprecated: this will be removed in the future.
                                      Defaults to 10 minutes.
                                    format: int64
                                    type: integer
                                  serviceAccountRef:
                                    description: Service account field containing
                                      the name of a kubernetes ServiceAccount.
                                    properties:
                                      audiences:
                                        description: |-
                                          Audience specifies the `aud` claim for the service account token
                                          If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                          then this audiences will be appended to the list
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: The name of the ServiceAccount
                                          resource being referred to.
                                        type: string
                                      namespace:
                                        description: |-
                                          Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                          to the namespace of the referent.
                                        type: string
                                    required:
                                    - name
                                    type: object
                                required:
                                - serviceAccountRef
                                type: object
                              path:
                                default: jwt
                                description: |-
                                  Path where the JWT authentication backend is mounted
                                  in Vault, e.g: "jwt"
                                type: string
                              role:
                                description: |-
                                  Role is a JWT role to authenticate using the JWT/OIDC Vault
                                  authentication method
                                type: string
                              secretRef:
                                description: |-
                                  Optional SecretRef that refers to a key in a Secret resource containing JWT token to
                                  authenticate with Vault using the JWT/OIDC authentication method.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                            required:
                            - path
                            type: object
                          kubernetes:
                            description: |-
                              Kubernetes authenticates with Vault by passing the ServiceAccount
                              token stored in the named Secret resource to the Vault server.
                            properties:
                              mountPath:
                                default: kubernetes
                                description: |-
                                  Path where the Kubernetes authentication backend is mounted in Vault, e.g:
                                  "kubernetes"
                                type: string
                              role:
                                description: |-
                                  A required field containing the Vault Role to assume. A Role binds a
                                  Kubernetes ServiceAccount with a set of Vault policies.
                                type: string
                              secretRef:
                                description: |-
                                  Optional secret field containing a Kubernetes ServiceAccount JWT used
                                  for authenticating with Vault. If a name is specified without a key,
                                  `token` is the default. If one is not specified, the one bound to
                                  the controller will be used.
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              serviceAccountRef:
                                description: |-
                                  Optional service account field containing the name of a kubernetes ServiceAccount.
                                  If the service account is specified, the service account secret token JWT will be used
                                  for authenticating with Vault. If the service account selector is not supplied,
                                  the secretRef will be used instead.
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - mountPath
                            - role
                            type: object
                          ldap:
                            description: |-
                              Ldap authenticates with Vault by passing username/password pair using
                              the LDAP authentication method
                            properties:
                              path:
                                default: ldap
                                description: |-
                                  Path where the LDAP authentication backend is mounted
                                  in Vault, e.g: "ldap"
                                type: string
                              secretRef:
                                description: |-
                                  SecretRef to a key in a Secret resource containing password for the LDAP
                                  user used to authenticate with Vault using the LDAP authentication
                                  method
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              username:
                                description: |-
                                  Username is a LDAP user name used to authenticate using the LDAP Vault
                                  authentication method
                                type: string
                            required:
                            - path
                            - username
                            type: object
                          namespace:
                            description: |-
                              Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
                              Namespaces is a set of features within Vault Enterprise that allows
                              Vault environments to support Secure Multi-tenancy. e.g: "ns1".
                              More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
                              This will default to Vault.Namespace field if set, or empty otherwise
                            type: string
                          tokenSecretRef:
                            description: TokenSecretRef authenticates with Vault by
                              presenting a token.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                          userPass:
                            description: UserPass authenticates with Vault by passing
                              username/password pair
                            properties:
                              path:
                                default: user
                                description: |-
                                  Path where the UserPassword authentication backend is mounted
                                  in Vault, e.g: "user"
                                type: string
                              secretRef:
                                description: |-
                                  SecretRef to a key in a Secret resource containing password for the
                                  user used to authenticate with Vault using the UserPass authentication
                                  method
                                properties:
                                  key:
                                    description: |-
                                      The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                      defaulted, in others it may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                      to the namespace of the referent.
                                    type: string
                                type: object
                              username:
                                description: |-
                                  Username is a user name used to authenticate using the UserPass Vault
                                  authentication method
                                type: string
                            required:
                            - path
                            - username
                            type: object
                        type: object
                      caBundle:
                        description: |-
                          PEM encoded CA bundle used to validate Vault server certificate. Only used
                          if the Server URL is using HTTPS protocol. This parameter is ignored for
                          plain HTTP protocol connection. If not set the system root certificates
                          are used to validate the TLS connection.
                        format: byte
                        type: string
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Vault server certificate.
                        properties:
                          key:
                            description: The key where the CA certificate can be found
                              in the Secret or ConfigMap.
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            type: string
                          namespace:
                            description: |-
                              The namespace the Provider type is in.
                              Can only be defined when used in a ClusterSecretStore.
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      forwardInconsistent:
                        description: |-
                          ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
                          leader instead of simply retrying within a loop. This can increase performance if
                          the option is enabled serverside.
                          https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
                        type: boolean
                      headers:
                        additionalProperties:
                          type: string
                        description: Headers to be added in Vault request
                        type: object
                      namespace:
                        description: |-
                          Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
                          Vault environments to support Secure Multi-tenancy. e.g: "ns1".
                          More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
                        type: string
                      path:
                        description: |-
                          Path is the mount path of the Vault KV backend endpoint, e.g:
                          "secret". The v2 KV secret engine version specific "/data" path suffix
                          for fetching secrets from Vault is optional and will be appended
                          if not present in specified path.
                        type: string
                      readYourWrites:
                        description: |-
                          ReadYourWrites ensures isolated read-after-write semantics by
                          providing discovered cluster replication states in each request.
                          More information about eventual consistency in Vault can be found here
                          https://www.vaultproject.io/docs/enterprise/consistency
                        type: boolean
                      server:
                        description: 'Server is the connection address for the Vault
                          server, e.g: "https://vault.example.com:8200".'
                        type: string
                      tls:
                        description: |-
                          The configuration used for client side related TLS communication, when the Vault server
                          requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
                          This parameter is ignored for plain HTTP protocol connection.
                          It's worth noting this configuration is different from the "TLS certificates auth method",
                          which is available under the `auth.cert` section.
                        properties:
                          certSecretRef:
                            description: |-
                              CertSecretRef is a certificate added to the transport layer
                              when communicating with the Vault server.
                              If no key for the Secret is specified, external-secret will default to 'tls.crt'.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                          keySecretRef:
                            description: |-
                              KeySecretRef to a key in a Secret resource containing client private key
                              added to the transport layer when communicating with the Vault server.
                              If no key for the Secret is specified, external-secret will default to 'tls.key'.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                      version:
                        default: v2
                        description: |-
                          Version is the Vault KV secret engine version. This can be either "v1" or
                          "v2". Version defaults to "v2".
                        enum:
                        - v1
                        - v2
                        type: string
                    required:
                    - auth
                    - server
                    type: object
                  webhook:
                    description: Webhook configures this store to sync secrets using
                      a generic templated webhook
                    properties:
                      body:
                        description: Body
                        type: string
                      caBundle:
                        description: |-
                          PEM encoded CA bundle used to validate webhook server certificate. Only used
                          if the Server URL is using HTTPS protocol. This parameter is ignored for
                          plain HTTP protocol connection. If not set the system root certificates
                          are used to validate the TLS connection.
                        format: byte
                        type: string
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          webhook server certificate.
                        properties:
                          key:
                            description: The key the value inside of the provider
                              type to use, only used with "Secret" type
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            type: string
                          namespace:
                            description: The namespace the Provider type is in.
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      headers:
                        additionalProperties:
                          type: string
                        description: Headers
                        type: object
                      method:
                        description: Webhook Method
                        type: string
                      result:
                        description: Result formatting
                        properties:
                          jsonPath:
                            description: Json path of return value
                            type: string
                        type: object
                      secrets:
                        description: |-
                          Secrets to fill in templates
                          These secrets will be passed to the templating function as key value pairs under the given name
                        items:
                          properties:
                            name:
                              description: Name of this secret in templates
                              type: string
                            secretRef:
                              description: Secret ref to fill in credentials
                              properties:
                                key:
                                  description: |-
                                    The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                    defaulted, in others it may be required.
                                  type: string
                                name:
                                  description: The name of the Secret resource being
                                    referred to.
                                  type: string
                                namespace:
                                  description: |-
                                    Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                    to the namespace of the referent.
                                  type: string
                              type: object
                          required:
                          - name
                          - secretRef
                          type: object
                        type: array
                      timeout:
                        description: Timeout
                        type: string
                      url:
                        description: Webhook url to call
                        type: string
                    required:
                    - result
                    - url
                    type: object
                  yandexcertificatemanager:
                    description: YandexCertificateManager configures this store to
                      sync secrets using Yandex Certificate Manager provider
                    properties:
                      apiEndpoint:
                        description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
                        type: string
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against Yandex Certificate Manager
                        properties:
                          authorizedKeySecretRef:
                            description: The authorized key used for authentication
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Yandex.Cloud server certificate.
                        properties:
                          certSecretRef:
                            description: |-
                              A reference to a specific 'key' within a Secret resource,
                              In some instances, `key` is a required field.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                    required:
                    - auth
                    type: object
                  yandexlockbox:
                    description: YandexLockbox configures this store to sync secrets
                      using Yandex Lockbox provider
                    properties:
                      apiEndpoint:
                        description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
                        type: string
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against Yandex Lockbox
                        properties:
                          authorizedKeySecretRef:
                            description: The authorized key used for authentication
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Yandex.Cloud server certificate.
                        properties:
                          certSecretRef:
                            description: |-
                              A reference to a specific 'key' within a Secret resource,
                              In some instances, `key` is a required field.
                            properties:
                              key:
                                description: |-
                                  The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
                                  defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
                                  to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                    required:
                    - auth
                    type: object
                type: object
              refreshInterval:
                description: Used to configure store refresh interval in seconds.
                  Empty or 0 will default to the controller config.
                type: integer
              retrySettings:
                description: Used to configure http retries if failed
                properties:
                  maxRetries:
                    format: int32
                    type: integer
                  retryInterval:
                    type: string
                type: object
            required:
            - provider
            type: object
          status:
            description: SecretStoreStatus defines the observed state of the SecretStore.
            properties:
              capabilities:
                description: SecretStoreCapabilities defines the possible operations
                  a SecretStore can do.
                type: string
              conditions:
                items:
                  properties:
                    lastTransitionTime:
                      format: date-time
                      type: string
                    message:
                      type: string
                    reason:
                      type: string
                    status:
                      type: string
                    type:
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}