helm-external-secrets/config/crds/bases/external-secrets.io_clustersecretstores.yaml

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.13.0
  name: clustersecretstores.external-secrets.io
spec:
  group: external-secrets.io
  names:
    categories:
    - externalsecrets
    kind: ClusterSecretStore
    listKind: ClusterSecretStoreList
    plural: clustersecretstores
    shortNames:
    - css
    singular: clustersecretstore
  scope: Cluster
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: AGE
      type: date
    - jsonPath: .status.conditions[?(@.type=="Ready")].reason
      name: Status
      type: string
    deprecated: true
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: ClusterSecretStore represents a secure external location for
          storing secrets, which can be referenced as part of `storeRef` fields.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: SecretStoreSpec defines the desired state of SecretStore.
            properties:
              controller:
                description: 'Used to select the correct ESO controller (think: ingress.ingressClassName)
                  The ESO controller is instantiated with a specific controller name
                  and filters ES based on this property'
                type: string
              provider:
                description: Used to configure the provider. Only one provider may
                  be set
                maxProperties: 1
                minProperties: 1
                properties:
                  akeyless:
                    description: Akeyless configures this store to sync secrets using
                      Akeyless Vault provider
                    properties:
                      akeylessGWApiURL:
                        description: Akeyless GW API Url from which the secrets to
                          be fetched from.
                        type: string
                      authSecretRef:
                        description: Auth configures how the operator authenticates
                          with Akeyless.
                        properties:
                          kubernetesAuth:
                            description: Kubernetes authenticates with Akeyless by
                              passing the ServiceAccount token stored in the named
                              Secret resource.
                            properties:
                              accessID:
                                description: the Akeyless Kubernetes auth-method access-id
                                type: string
                              k8sConfName:
                                description: Kubernetes-auth configuration name in
                                  Akeyless-Gateway
                                type: string
                              secretRef:
                                description: Optional secret field containing a Kubernetes
                                  ServiceAccount JWT used for authenticating with
                                  Akeyless. If a name is specified without a key,
                                  `token` is the default. If one is not specified,
                                  the one bound to the controller will be used.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              serviceAccountRef:
                                description: Optional service account field containing
                                  the name of a kubernetes ServiceAccount. If the
                                  service account is specified, the service account
                                  secret token JWT will be used for authenticating
                                  with Akeyless. If the service account selector is
                                  not supplied, the secretRef will be used instead.
                                properties:
                                  audiences:
                                    description: Audience specifies the `aud` claim
                                      for the service account token If the service
                                      account uses a well-known annotation for e.g.
                                      IRSA or GCP Workload Identity then this audiences
                                      will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - accessID
                            - k8sConfName
                            type: object
                          secretRef:
                            description: Reference to a Secret that contains the details
                              to authenticate with Akeyless.
                            properties:
                              accessID:
                                description: The SecretAccessID is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              accessType:
                                description: A reference to a specific 'key' within
                                  a Secret resource, In some instances, `key` is a
                                  required field.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              accessTypeParam:
                                description: A reference to a specific 'key' within
                                  a Secret resource, In some instances, `key` is a
                                  required field.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                        type: object
                      caBundle:
                        description: PEM/base64 encoded CA bundle used to validate
                          Akeyless Gateway certificate. Only used if the AkeylessGWApiURL
                          URL is using HTTPS protocol. If not set the system root
                          certificates are used to validate the TLS connection.
                        format: byte
                        type: string
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Akeyless Gateway certificate.
                        properties:
                          key:
                            description: The key the value inside of the provider
                              type to use, only used with "Secret" type
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            type: string
                          namespace:
                            description: The namespace the Provider type is in.
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                    required:
                    - akeylessGWApiURL
                    - authSecretRef
                    type: object
                  alibaba:
                    description: Alibaba configures this store to sync secrets using
                      Alibaba Cloud provider
                    properties:
                      auth:
                        description: AlibabaAuth contains a secretRef for credentials.
                        properties:
                          rrsa:
                            description: Authenticate against Alibaba using RRSA.
                            properties:
                              oidcProviderArn:
                                type: string
                              oidcTokenFilePath:
                                type: string
                              roleArn:
                                type: string
                              sessionName:
                                type: string
                            required:
                            - oidcProviderArn
                            - oidcTokenFilePath
                            - roleArn
                            - sessionName
                            type: object
                          secretRef:
                            description: AlibabaAuthSecretRef holds secret references
                              for Alibaba credentials.
                            properties:
                              accessKeyIDSecretRef:
                                description: The AccessKeyID is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              accessKeySecretSecretRef:
                                description: The AccessKeySecret is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            required:
                            - accessKeyIDSecretRef
                            - accessKeySecretSecretRef
                            type: object
                        type: object
                      regionID:
                        description: Alibaba Region to be used for the provider
                        type: string
                    required:
                    - auth
                    - regionID
                    type: object
                  aws:
                    description: AWS configures this store to sync secrets using AWS
                      Secret Manager provider
                    properties:
                      auth:
                        description: 'Auth defines the information necessary to authenticate
                          against AWS if not set aws sdk will infer credentials from
                          your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                        properties:
                          jwt:
                            description: Authenticate against AWS using service account
                              tokens.
                            properties:
                              serviceAccountRef:
                                description: A reference to a ServiceAccount resource.
                                properties:
                                  audiences:
                                    description: Audience specifies the `aud` claim
                                      for the service account token If the service
                                      account uses a well-known annotation for e.g.
                                      IRSA or GCP Workload Identity then this audiences
                                      will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            type: object
                          secretRef:
                            description: AWSAuthSecretRef holds secret references
                              for AWS credentials both AccessKeyID and SecretAccessKey
                              must be defined in order to properly authenticate.
                            properties:
                              accessKeyIDSecretRef:
                                description: The AccessKeyID is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              secretAccessKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                        type: object
                      region:
                        description: AWS Region to be used for the provider
                        type: string
                      role:
                        description: Role is a Role ARN which the SecretManager provider
                          will assume
                        type: string
                      service:
                        description: Service defines which service should be used
                          to fetch the secrets
                        enum:
                        - SecretsManager
                        - ParameterStore
                        type: string
                    required:
                    - region
                    - service
                    type: object
                  azurekv:
                    description: AzureKV configures this store to sync secrets using
                      Azure Key Vault provider
                    properties:
                      authSecretRef:
                        description: Auth configures how the operator authenticates
                          with Azure. Required for ServicePrincipal auth type.
                        properties:
                          clientId:
                            description: The Azure clientId of the service principle
                              used for authentication.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                          clientSecret:
                            description: The Azure ClientSecret of the service principle
                              used for authentication.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                      authType:
                        default: ServicePrincipal
                        description: 'Auth type defines how to authenticate to the
                          keyvault service. Valid values are: - "ServicePrincipal"
                          (default): Using a service principal (tenantId, clientId,
                          clientSecret) - "ManagedIdentity": Using Managed Identity
                          assigned to the pod (see aad-pod-identity)'
                        enum:
                        - ServicePrincipal
                        - ManagedIdentity
                        - WorkloadIdentity
                        type: string
                      identityId:
                        description: If multiple Managed Identity is assigned to the
                          pod, you can select the one to be used
                        type: string
                      serviceAccountRef:
                        description: ServiceAccountRef specified the service account
                          that should be used when authenticating with WorkloadIdentity.
                        properties:
                          audiences:
                            description: Audience specifies the `aud` claim for the
                              service account token If the service account uses a
                              well-known annotation for e.g. IRSA or GCP Workload
                              Identity then this audiences will be appended to the
                              list
                            items:
                              type: string
                            type: array
                          name:
                            description: The name of the ServiceAccount resource being
                              referred to.
                            type: string
                          namespace:
                            description: Namespace of the resource being referred
                              to. Ignored if referent is not cluster-scoped. cluster-scoped
                              defaults to the namespace of the referent.
                            type: string
                        required:
                        - name
                        type: object
                      tenantId:
                        description: TenantID configures the Azure Tenant to send
                          requests to. Required for ServicePrincipal auth type.
                        type: string
                      vaultUrl:
                        description: Vault Url from which the secrets to be fetched
                          from.
                        type: string
                    required:
                    - vaultUrl
                    type: object
                  fake:
                    description: Fake configures a store with static key/value pairs
                    properties:
                      data:
                        items:
                          properties:
                            key:
                              type: string
                            value:
                              type: string
                            valueMap:
                              additionalProperties:
                                type: string
                              type: object
                            version:
                              type: string
                          required:
                          - key
                          type: object
                        type: array
                    required:
                    - data
                    type: object
                  gcpsm:
                    description: GCPSM configures this store to sync secrets using
                      Google Cloud Platform Secret Manager provider
                    properties:
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against GCP
                        properties:
                          secretRef:
                            properties:
                              secretAccessKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                          workloadIdentity:
                            properties:
                              clusterLocation:
                                type: string
                              clusterName:
                                type: string
                              clusterProjectID:
                                type: string
                              serviceAccountRef:
                                description: A reference to a ServiceAccount resource.
                                properties:
                                  audiences:
                                    description: Audience specifies the `aud` claim
                                      for the service account token If the service
                                      account uses a well-known annotation for e.g.
                                      IRSA or GCP Workload Identity then this audiences
                                      will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - clusterLocation
                            - clusterName
                            - serviceAccountRef
                            type: object
                        type: object
                      projectID:
                        description: ProjectID project where secret is located
                        type: string
                    type: object
                  gitlab:
                    description: GitLab configures this store to sync secrets using
                      GitLab Variables provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with a GitLab instance.
                        properties:
                          SecretRef:
                            properties:
                              accessToken:
                                description: AccessToken is used for authentication.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                        required:
                        - SecretRef
                        type: object
                      projectID:
                        description: ProjectID specifies a project where secrets are
                          located.
                        type: string
                      url:
                        description: URL configures the GitLab instance URL. Defaults
                          to https://gitlab.com/.
                        type: string
                    required:
                    - auth
                    type: object
                  ibm:
                    description: IBM configures this store to sync secrets using IBM
                      Cloud provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with the IBM secrets manager.
                        properties:
                          secretRef:
                            properties:
                              secretApiKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                        required:
                        - secretRef
                        type: object
                      serviceUrl:
                        description: ServiceURL is the Endpoint URL that is specific
                          to the Secrets Manager service instance
                        type: string
                    required:
                    - auth
                    type: object
                  kubernetes:
                    description: Kubernetes configures this store to sync secrets
                      using a Kubernetes cluster provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with a Kubernetes instance.
                        maxProperties: 1
                        minProperties: 1
                        properties:
                          cert:
                            description: has both clientCert and clientKey as secretKeySelector
                            properties:
                              clientCert:
                                description: A reference to a specific 'key' within
                                  a Secret resource, In some instances, `key` is a
                                  required field.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              clientKey:
                                description: A reference to a specific 'key' within
                                  a Secret resource, In some instances, `key` is a
                                  required field.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                          serviceAccount:
                            description: points to a service account that should be
                              used for authentication
                            properties:
                              serviceAccount:
                                description: A reference to a ServiceAccount resource.
                                properties:
                                  audiences:
                                    description: Audience specifies the `aud` claim
                                      for the service account token If the service
                                      account uses a well-known annotation for e.g.
                                      IRSA or GCP Workload Identity then this audiences
                                      will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            type: object
                          token:
                            description: use static token to authenticate with
                            properties:
                              bearerToken:
                                description: A reference to a specific 'key' within
                                  a Secret resource, In some instances, `key` is a
                                  required field.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                        type: object
                      remoteNamespace:
                        default: default
                        description: Remote namespace to fetch the secrets from
                        type: string
                      server:
                        description: configures the Kubernetes server Address.
                        properties:
                          caBundle:
                            description: CABundle is a base64-encoded CA certificate
                            format: byte
                            type: string
                          caProvider:
                            description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
                            properties:
                              key:
                                description: The key the value inside of the provider
                                  type to use, only used with "Secret" type
                                type: string
                              name:
                                description: The name of the object located at the
                                  provider type.
                                type: string
                              namespace:
                                description: The namespace the Provider type is in.
                                type: string
                              type:
                                description: The type of provider to use such as "Secret",
                                  or "ConfigMap".
                                enum:
                                - Secret
                                - ConfigMap
                                type: string
                            required:
                            - name
                            - type
                            type: object
                          url:
                            default: kubernetes.default
                            description: configures the Kubernetes server Address.
                            type: string
                        type: object
                    required:
                    - auth
                    type: object
                  oracle:
                    description: Oracle configures this store to sync secrets using
                      Oracle Vault provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with the Oracle Vault. If empty, instance principal is used.
                          Optionally, the authenticating principal type and/or user
                          data may be supplied for the use of workload identity and
                          user principal.
                        properties:
                          secretRef:
                            description: SecretRef to pass through sensitive information.
                            properties:
                              fingerprint:
                                description: Fingerprint is the fingerprint of the
                                  API private key.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              privatekey:
                                description: PrivateKey is the user's API Signing
                                  Key in PEM format, used for authentication.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            required:
                            - fingerprint
                            - privatekey
                            type: object
                          tenancy:
                            description: Tenancy is the tenancy OCID where user is
                              located.
                            type: string
                          user:
                            description: User is an access OCID specific to the account.
                            type: string
                        required:
                        - secretRef
                        - tenancy
                        - user
                        type: object
                      compartment:
                        description: Compartment is the vault compartment OCID. Required
                          for PushSecret
                        type: string
                      encryptionKey:
                        description: EncryptionKey is the OCID of the encryption key
                          within the vault. Required for PushSecret
                        type: string
                      principalType:
                        description: The type of principal to use for authentication.
                          If left blank, the Auth struct will determine the principal
                          type. This optional field must be specified if using workload
                          identity.
                        type: string
                      region:
                        description: Region is the region where vault is located.
                        type: string
                      serviceAccountRef:
                        description: ServiceAccountRef specified the service account
                          that should be used when authenticating with WorkloadIdentity.
                        properties:
                          audiences:
                            description: Audience specifies the `aud` claim for the
                              service account token If the service account uses a
                              well-known annotation for e.g. IRSA or GCP Workload
                              Identity then this audiences will be appended to the
                              list
                            items:
                              type: string
                            type: array
                          name:
                            description: The name of the ServiceAccount resource being
                              referred to.
                            type: string
                          namespace:
                            description: Namespace of the resource being referred
                              to. Ignored if referent is not cluster-scoped. cluster-scoped
                              defaults to the namespace of the referent.
                            type: string
                        required:
                        - name
                        type: object
                      vault:
                        description: Vault is the vault's OCID of the specific vault
                          where secret is located.
                        type: string
                    required:
                    - region
                    - vault
                    type: object
                  vault:
                    description: Vault configures this store to sync secrets using
                      Hashi provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with the Vault server.
                        properties:
                          appRole:
                            description: AppRole authenticates with Vault using the
                              App Role auth mechanism, with the role and secret stored
                              in a Kubernetes Secret resource.
                            properties:
                              path:
                                default: approle
                                description: 'Path where the App Role authentication
                                  backend is mounted in Vault, e.g: "approle"'
                                type: string
                              roleId:
                                description: RoleID configured in the App Role authentication
                                  backend when setting up the authentication backend
                                  in Vault.
                                type: string
                              secretRef:
                                description: Reference to a key in a Secret that contains
                                  the App Role secret used to authenticate with Vault.
                                  The `key` field must be specified and denotes which
                                  entry within the Secret resource is used as the
                                  app role secret.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            required:
                            - path
                            - roleId
                            - secretRef
                            type: object
                          cert:
                            description: Cert authenticates with TLS Certificates
                              by passing client certificate, private key and ca certificate
                              Cert authentication method
                            properties:
                              clientCert:
                                description: ClientCert is a certificate to authenticate
                                  using the Cert Vault authentication method
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              secretRef:
                                description: SecretRef to a key in a Secret resource
                                  containing client private key to authenticate with
                                  Vault using the Cert authentication method
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                          jwt:
                            description: Jwt authenticates with Vault by passing role
                              and JWT token using the JWT/OIDC authentication method
                            properties:
                              kubernetesServiceAccountToken:
                                description: Optional ServiceAccountToken specifies
                                  the Kubernetes service account for which to request
                                  a token for with the `TokenRequest` API.
                                properties:
                                  audiences:
                                    description: Optional audiences field that will
                                      be used to request a temporary Kubernetes service
                                      account token for the service account referenced
                                      by `serviceAccountRef`. Defaults to a single
                                      audience `vault` it not specified.
                                    items:
                                      type: string
                                    type: array
                                  expirationSeconds:
                                    description: Optional expiration time in seconds
                                      that will be used to request a temporary Kubernetes
                                      service account token for the service account
                                      referenced by `serviceAccountRef`. Defaults
                                      to 10 minutes.
                                    format: int64
                                    type: integer
                                  serviceAccountRef:
                                    description: Service account field containing
                                      the name of a kubernetes ServiceAccount.
                                    properties:
                                      audiences:
                                        description: Audience specifies the `aud`
                                          claim for the service account token If the
                                          service account uses a well-known annotation
                                          for e.g. IRSA or GCP Workload Identity then
                                          this audiences will be appended to the list
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: The name of the ServiceAccount
                                          resource being referred to.
                                        type: string
                                      namespace:
                                        description: Namespace of the resource being
                                          referred to. Ignored if referent is not
                                          cluster-scoped. cluster-scoped defaults
                                          to the namespace of the referent.
                                        type: string
                                    required:
                                    - name
                                    type: object
                                required:
                                - serviceAccountRef
                                type: object
                              path:
                                default: jwt
                                description: 'Path where the JWT authentication backend
                                  is mounted in Vault, e.g: "jwt"'
                                type: string
                              role:
                                description: Role is a JWT role to authenticate using
                                  the JWT/OIDC Vault authentication method
                                type: string
                              secretRef:
                                description: Optional SecretRef that refers to a key
                                  in a Secret resource containing JWT token to authenticate
                                  with Vault using the JWT/OIDC authentication method.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            required:
                            - path
                            type: object
                          kubernetes:
                            description: Kubernetes authenticates with Vault by passing
                              the ServiceAccount token stored in the named Secret
                              resource to the Vault server.
                            properties:
                              mountPath:
                                default: kubernetes
                                description: 'Path where the Kubernetes authentication
                                  backend is mounted in Vault, e.g: "kubernetes"'
                                type: string
                              role:
                                description: A required field containing the Vault
                                  Role to assume. A Role binds a Kubernetes ServiceAccount
                                  with a set of Vault policies.
                                type: string
                              secretRef:
                                description: Optional secret field containing a Kubernetes
                                  ServiceAccount JWT used for authenticating with
                                  Vault. If a name is specified without a key, `token`
                                  is the default. If one is not specified, the one
                                  bound to the controller will be used.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              serviceAccountRef:
                                description: Optional service account field containing
                                  the name of a kubernetes ServiceAccount. If the
                                  service account is specified, the service account
                                  secret token JWT will be used for authenticating
                                  with Vault. If the service account selector is not
                                  supplied, the secretRef will be used instead.
                                properties:
                                  audiences:
                                    description: Audience specifies the `aud` claim
                                      for the service account token If the service
                                      account uses a well-known annotation for e.g.
                                      IRSA or GCP Workload Identity then this audiences
                                      will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - mountPath
                            - role
                            type: object
                          ldap:
                            description: Ldap authenticates with Vault by passing
                              username/password pair using the LDAP authentication
                              method
                            properties:
                              path:
                                default: ldap
                                description: 'Path where the LDAP authentication backend
                                  is mounted in Vault, e.g: "ldap"'
                                type: string
                              secretRef:
                                description: SecretRef to a key in a Secret resource
                                  containing password for the LDAP user used to authenticate
                                  with Vault using the LDAP authentication method
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              username:
                                description: Username is a LDAP user name used to
                                  authenticate using the LDAP Vault authentication
                                  method
                                type: string
                            required:
                            - path
                            - username
                            type: object
                          tokenSecretRef:
                            description: TokenSecretRef authenticates with Vault by
                              presenting a token.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                      caBundle:
                        description: PEM encoded CA bundle used to validate Vault
                          server certificate. Only used if the Server URL is using
                          HTTPS protocol. This parameter is ignored for plain HTTP
                          protocol connection. If not set the system root certificates
                          are used to validate the TLS connection.
                        format: byte
                        type: string
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Vault server certificate.
                        properties:
                          key:
                            description: The key the value inside of the provider
                              type to use, only used with "Secret" type
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            type: string
                          namespace:
                            description: The namespace the Provider type is in.
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      forwardInconsistent:
                        description: ForwardInconsistent tells Vault to forward read-after-write
                          requests to the Vault leader instead of simply retrying
                          within a loop. This can increase performance if the option
                          is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
                        type: boolean
                      namespace:
                        description: 'Name of the vault namespace. Namespaces is a
                          set of features within Vault Enterprise that allows Vault
                          environments to support Secure Multi-tenancy. e.g: "ns1".
                          More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
                        type: string
                      path:
                        description: 'Path is the mount path of the Vault KV backend
                          endpoint, e.g: "secret". The v2 KV secret engine version
                          specific "/data" path suffix for fetching secrets from Vault
                          is optional and will be appended if not present in specified
                          path.'
                        type: string
                      readYourWrites:
                        description: ReadYourWrites ensures isolated read-after-write
                          semantics by providing discovered cluster replication states
                          in each request. More information about eventual consistency
                          in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
                        type: boolean
                      server:
                        description: 'Server is the connection address for the Vault
                          server, e.g: "https://vault.example.com:8200".'
                        type: string
                      version:
                        default: v2
                        description: Version is the Vault KV secret engine version.
                          This can be either "v1" or "v2". Version defaults to "v2".
                        enum:
                        - v1
                        - v2
                        type: string
                    required:
                    - auth
                    - server
                    type: object
                  webhook:
                    description: Webhook configures this store to sync secrets using
                      a generic templated webhook
                    properties:
                      body:
                        description: Body
                        type: string
                      caBundle:
                        description: PEM encoded CA bundle used to validate webhook
                          server certificate. Only used if the Server URL is using
                          HTTPS protocol. This parameter is ignored for plain HTTP
                          protocol connection. If not set the system root certificates
                          are used to validate the TLS connection.
                        format: byte
                        type: string
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          webhook server certificate.
                        properties:
                          key:
                            description: The key the value inside of the provider
                              type to use, only used with "Secret" type
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            type: string
                          namespace:
                            description: The namespace the Provider type is in.
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      headers:
                        additionalProperties:
                          type: string
                        description: Headers
                        type: object
                      method:
                        description: Webhook Method
                        type: string
                      result:
                        description: Result formatting
                        properties:
                          jsonPath:
                            description: Json path of return value
                            type: string
                        type: object
                      secrets:
                        description: Secrets to fill in templates These secrets will
                          be passed to the templating function as key value pairs
                          under the given name
                        items:
                          properties:
                            name:
                              description: Name of this secret in templates
                              type: string
                            secretRef:
                              description: Secret ref to fill in credentials
                              properties:
                                key:
                                  description: The key of the entry in the Secret
                                    resource's `data` field to be used. Some instances
                                    of this field may be defaulted, in others it may
                                    be required.
                                  type: string
                                name:
                                  description: The name of the Secret resource being
                                    referred to.
                                  type: string
                                namespace:
                                  description: Namespace of the resource being referred
                                    to. Ignored if referent is not cluster-scoped.
                                    cluster-scoped defaults to the namespace of the
                                    referent.
                                  type: string
                              type: object
                          required:
                          - name
                          - secretRef
                          type: object
                        type: array
                      timeout:
                        description: Timeout
                        type: string
                      url:
                        description: Webhook url to call
                        type: string
                    required:
                    - result
                    - url
                    type: object
                  yandexlockbox:
                    description: YandexLockbox configures this store to sync secrets
                      using Yandex Lockbox provider
                    properties:
                      apiEndpoint:
                        description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
                        type: string
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against Yandex Lockbox
                        properties:
                          authorizedKeySecretRef:
                            description: The authorized key used for authentication
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Yandex.Cloud server certificate.
                        properties:
                          certSecretRef:
                            description: A reference to a specific 'key' within a
                              Secret resource, In some instances, `key` is a required
                              field.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                    required:
                    - auth
                    type: object
                type: object
              retrySettings:
                description: Used to configure http retries if failed
                properties:
                  maxRetries:
                    format: int32
                    type: integer
                  retryInterval:
                    type: string
                type: object
            required:
            - provider
            type: object
          status:
            description: SecretStoreStatus defines the observed state of the SecretStore.
            properties:
              conditions:
                items:
                  properties:
                    lastTransitionTime:
                      format: date-time
                      type: string
                    message:
                      type: string
                    reason:
                      type: string
                    status:
                      type: string
                    type:
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
            type: object
        type: object
    served: true
    storage: false
    subresources:
      status: {}
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: AGE
      type: date
    - jsonPath: .status.conditions[?(@.type=="Ready")].reason
      name: Status
      type: string
    - jsonPath: .status.capabilities
      name: Capabilities
      type: string
    - jsonPath: .status.conditions[?(@.type=="Ready")].status
      name: Ready
      type: string
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: ClusterSecretStore represents a secure external location for
          storing secrets, which can be referenced as part of `storeRef` fields.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: SecretStoreSpec defines the desired state of SecretStore.
            properties:
              conditions:
                description: Used to constraint a ClusterSecretStore to specific namespaces.
                  Relevant only to ClusterSecretStore
                items:
                  description: ClusterSecretStoreCondition describes a condition by
                    which to choose namespaces to process ExternalSecrets in for a
                    ClusterSecretStore instance.
                  properties:
                    namespaceSelector:
                      description: Choose namespace using a labelSelector
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: A label selector requirement is a selector
                              that contains values, a key, and an operator that relates
                              the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              operator:
                                description: operator represents a key's relationship
                                  to a set of values. Valid operators are In, NotIn,
                                  Exists and DoesNotExist.
                                type: string
                              values:
                                description: values is an array of string values.
                                  If the operator is In or NotIn, the values array
                                  must be non-empty. If the operator is Exists or
                                  DoesNotExist, the values array must be empty. This
                                  array is replaced during a strategic merge patch.
                                items:
                                  type: string
                                type: array
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                        matchLabels:
                          additionalProperties:
                            type: string
                          description: matchLabels is a map of {key,value} pairs.
                            A single {key,value} in the matchLabels map is equivalent
                            to an element of matchExpressions, whose key field is
                            "key", the operator is "In", and the values array contains
                            only "value". The requirements are ANDed.
                          type: object
                      type: object
                      x-kubernetes-map-type: atomic
                    namespaces:
                      description: Choose namespaces by name
                      items:
                        type: string
                      type: array
                  type: object
                type: array
              controller:
                description: 'Used to select the correct ESO controller (think: ingress.ingressClassName)
                  The ESO controller is instantiated with a specific controller name
                  and filters ES based on this property'
                type: string
              provider:
                description: Used to configure the provider. Only one provider may
                  be set
                maxProperties: 1
                minProperties: 1
                properties:
                  akeyless:
                    description: Akeyless configures this store to sync secrets using
                      Akeyless Vault provider
                    properties:
                      akeylessGWApiURL:
                        description: Akeyless GW API Url from which the secrets to
                          be fetched from.
                        type: string
                      authSecretRef:
                        description: Auth configures how the operator authenticates
                          with Akeyless.
                        properties:
                          kubernetesAuth:
                            description: Kubernetes authenticates with Akeyless by
                              passing the ServiceAccount token stored in the named
                              Secret resource.
                            properties:
                              accessID:
                                description: the Akeyless Kubernetes auth-method access-id
                                type: string
                              k8sConfName:
                                description: Kubernetes-auth configuration name in
                                  Akeyless-Gateway
                                type: string
                              secretRef:
                                description: Optional secret field containing a Kubernetes
                                  ServiceAccount JWT used for authenticating with
                                  Akeyless. If a name is specified without a key,
                                  `token` is the default. If one is not specified,
                                  the one bound to the controller will be used.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              serviceAccountRef:
                                description: Optional service account field containing
                                  the name of a kubernetes ServiceAccount. If the
                                  service account is specified, the service account
                                  secret token JWT will be used for authenticating
                                  with Akeyless. If the service account selector is
                                  not supplied, the secretRef will be used instead.
                                properties:
                                  audiences:
                                    description: Audience specifies the `aud` claim
                                      for the service account token If the service
                                      account uses a well-known annotation for e.g.
                                      IRSA or GCP Workload Identity then this audiences
                                      will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - accessID
                            - k8sConfName
                            type: object
                          secretRef:
                            description: Reference to a Secret that contains the details
                              to authenticate with Akeyless.
                            properties:
                              accessID:
                                description: The SecretAccessID is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              accessType:
                                description: A reference to a specific 'key' within
                                  a Secret resource, In some instances, `key` is a
                                  required field.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              accessTypeParam:
                                description: A reference to a specific 'key' within
                                  a Secret resource, In some instances, `key` is a
                                  required field.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                        type: object
                      caBundle:
                        description: PEM/base64 encoded CA bundle used to validate
                          Akeyless Gateway certificate. Only used if the AkeylessGWApiURL
                          URL is using HTTPS protocol. If not set the system root
                          certificates are used to validate the TLS connection.
                        format: byte
                        type: string
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Akeyless Gateway certificate.
                        properties:
                          key:
                            description: The key where the CA certificate can be found
                              in the Secret or ConfigMap.
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            type: string
                          namespace:
                            description: The namespace the Provider type is in. Can
                              only be defined when used in a ClusterSecretStore.
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                    required:
                    - akeylessGWApiURL
                    - authSecretRef
                    type: object
                  alibaba:
                    description: Alibaba configures this store to sync secrets using
                      Alibaba Cloud provider
                    properties:
                      auth:
                        description: AlibabaAuth contains a secretRef for credentials.
                        properties:
                          rrsa:
                            description: Authenticate against Alibaba using RRSA.
                            properties:
                              oidcProviderArn:
                                type: string
                              oidcTokenFilePath:
                                type: string
                              roleArn:
                                type: string
                              sessionName:
                                type: string
                            required:
                            - oidcProviderArn
                            - oidcTokenFilePath
                            - roleArn
                            - sessionName
                            type: object
                          secretRef:
                            description: AlibabaAuthSecretRef holds secret references
                              for Alibaba credentials.
                            properties:
                              accessKeyIDSecretRef:
                                description: The AccessKeyID is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              accessKeySecretSecretRef:
                                description: The AccessKeySecret is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            required:
                            - accessKeyIDSecretRef
                            - accessKeySecretSecretRef
                            type: object
                        type: object
                      regionID:
                        description: Alibaba Region to be used for the provider
                        type: string
                    required:
                    - auth
                    - regionID
                    type: object
                  aws:
                    description: AWS configures this store to sync secrets using AWS
                      Secret Manager provider
                    properties:
                      additionalRoles:
                        description: AdditionalRoles is a chained list of Role ARNs
                          which the SecretManager provider will sequentially assume
                          before assuming Role
                        items:
                          type: string
                        type: array
                      auth:
                        description: 'Auth defines the information necessary to authenticate
                          against AWS if not set aws sdk will infer credentials from
                          your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                        properties:
                          jwt:
                            description: Authenticate against AWS using service account
                              tokens.
                            properties:
                              serviceAccountRef:
                                description: A reference to a ServiceAccount resource.
                                properties:
                                  audiences:
                                    description: Audience specifies the `aud` claim
                                      for the service account token If the service
                                      account uses a well-known annotation for e.g.
                                      IRSA or GCP Workload Identity then this audiences
                                      will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            type: object
                          secretRef:
                            description: AWSAuthSecretRef holds secret references
                              for AWS credentials both AccessKeyID and SecretAccessKey
                              must be defined in order to properly authenticate.
                            properties:
                              accessKeyIDSecretRef:
                                description: The AccessKeyID is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              secretAccessKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              sessionTokenSecretRef:
                                description: 'The SessionToken used for authentication
                                  This must be defined if AccessKeyID and SecretAccessKey
                                  are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html'
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                        type: object
                      externalID:
                        description: AWS External ID set on assumed IAM roles
                        type: string
                      region:
                        description: AWS Region to be used for the provider
                        type: string
                      role:
                        description: Role is a Role ARN which the SecretManager provider
                          will assume
                        type: string
                      service:
                        description: Service defines which service should be used
                          to fetch the secrets
                        enum:
                        - SecretsManager
                        - ParameterStore
                        type: string
                      sessionTags:
                        description: AWS STS assume role session tags
                        items:
                          properties:
                            key:
                              type: string
                            value:
                              type: string
                          required:
                          - key
                          - value
                          type: object
                        type: array
                      transitiveTagKeys:
                        description: AWS STS assume role transitive session tags.
                          Required when multiple rules are used with SecretStore
                        items:
                          type: string
                        type: array
                    required:
                    - region
                    - service
                    type: object
                  azurekv:
                    description: AzureKV configures this store to sync secrets using
                      Azure Key Vault provider
                    properties:
                      authSecretRef:
                        description: Auth configures how the operator authenticates
                          with Azure. Required for ServicePrincipal auth type.
                        properties:
                          clientId:
                            description: The Azure clientId of the service principle
                              used for authentication.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                          clientSecret:
                            description: The Azure ClientSecret of the service principle
                              used for authentication.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                      authType:
                        default: ServicePrincipal
                        description: 'Auth type defines how to authenticate to the
                          keyvault service. Valid values are: - "ServicePrincipal"
                          (default): Using a service principal (tenantId, clientId,
                          clientSecret) - "ManagedIdentity": Using Managed Identity
                          assigned to the pod (see aad-pod-identity)'
                        enum:
                        - ServicePrincipal
                        - ManagedIdentity
                        - WorkloadIdentity
                        type: string
                      environmentType:
                        default: PublicCloud
                        description: 'EnvironmentType specifies the Azure cloud environment
                          endpoints to use for connecting and authenticating with
                          Azure. By default it points to the public cloud AAD endpoint.
                          The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
                          PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud'
                        enum:
                        - PublicCloud
                        - USGovernmentCloud
                        - ChinaCloud
                        - GermanCloud
                        type: string
                      identityId:
                        description: If multiple Managed Identity is assigned to the
                          pod, you can select the one to be used
                        type: string
                      serviceAccountRef:
                        description: ServiceAccountRef specified the service account
                          that should be used when authenticating with WorkloadIdentity.
                        properties:
                          audiences:
                            description: Audience specifies the `aud` claim for the
                              service account token If the service account uses a
                              well-known annotation for e.g. IRSA or GCP Workload
                              Identity then this audiences will be appended to the
                              list
                            items:
                              type: string
                            type: array
                          name:
                            description: The name of the ServiceAccount resource being
                              referred to.
                            type: string
                          namespace:
                            description: Namespace of the resource being referred
                              to. Ignored if referent is not cluster-scoped. cluster-scoped
                              defaults to the namespace of the referent.
                            type: string
                        required:
                        - name
                        type: object
                      tenantId:
                        description: TenantID configures the Azure Tenant to send
                          requests to. Required for ServicePrincipal auth type.
                        type: string
                      vaultUrl:
                        description: Vault Url from which the secrets to be fetched
                          from.
                        type: string
                    required:
                    - vaultUrl
                    type: object
                  conjur:
                    description: Conjur configures this store to sync secrets using
                      conjur provider
                    properties:
                      auth:
                        properties:
                          apikey:
                            properties:
                              account:
                                type: string
                              apiKeyRef:
                                description: A reference to a specific 'key' within
                                  a Secret resource, In some instances, `key` is a
                                  required field.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              userRef:
                                description: A reference to a specific 'key' within
                                  a Secret resource, In some instances, `key` is a
                                  required field.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            required:
                            - account
                            - apiKeyRef
                            - userRef
                            type: object
                          jwt:
                            properties:
                              account:
                                type: string
                              secretRef:
                                description: Optional SecretRef that refers to a key
                                  in a Secret resource containing JWT token to authenticate
                                  with Conjur using the JWT authentication method.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              serviceAccountRef:
                                description: Optional ServiceAccountRef specifies
                                  the Kubernetes service account for which to request
                                  a token for with the `TokenRequest` API.
                                properties:
                                  audiences:
                                    description: Audience specifies the `aud` claim
                                      for the service account token If the service
                                      account uses a well-known annotation for e.g.
                                      IRSA or GCP Workload Identity then this audiences
                                      will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                              serviceID:
                                description: The conjur authn jwt webservice id
                                type: string
                            required:
                            - account
                            - serviceID
                            type: object
                        type: object
                      caBundle:
                        type: string
                      caProvider:
                        description: Used to provide custom certificate authority
                          (CA) certificates for a secret store. The CAProvider points
                          to a Secret or ConfigMap resource that contains a PEM-encoded
                          certificate.
                        properties:
                          key:
                            description: The key where the CA certificate can be found
                              in the Secret or ConfigMap.
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            type: string
                          namespace:
                            description: The namespace the Provider type is in. Can
                              only be defined when used in a ClusterSecretStore.
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      url:
                        type: string
                    required:
                    - auth
                    - url
                    type: object
                  delinea:
                    description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current
                    properties:
                      clientId:
                        description: ClientID is the non-secret part of the credential.
                        properties:
                          secretRef:
                            description: SecretRef references a key in a secret that
                              will be used as value.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                          value:
                            description: Value can be specified directly to set a
                              value without using a secret.
                            type: string
                        type: object
                      clientSecret:
                        description: ClientSecret is the secret part of the credential.
                        properties:
                          secretRef:
                            description: SecretRef references a key in a secret that
                              will be used as value.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                          value:
                            description: Value can be specified directly to set a
                              value without using a secret.
                            type: string
                        type: object
                      tenant:
                        description: Tenant is the chosen hostname / site name.
                        type: string
                      tld:
                        description: TLD is based on the server location that was
                          chosen during provisioning. If unset, defaults to "com".
                        type: string
                      urlTemplate:
                        description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
                        type: string
                    required:
                    - clientId
                    - clientSecret
                    - tenant
                    type: object
                  doppler:
                    description: Doppler configures this store to sync secrets using
                      the Doppler provider
                    properties:
                      auth:
                        description: Auth configures how the Operator authenticates
                          with the Doppler API
                        properties:
                          secretRef:
                            properties:
                              dopplerToken:
                                description: The DopplerToken is used for authentication.
                                  See https://docs.doppler.com/reference/api#authentication
                                  for auth token types. The Key attribute defaults
                                  to dopplerToken if not specified.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            required:
                            - dopplerToken
                            type: object
                        required:
                        - secretRef
                        type: object
                      config:
                        description: Doppler config (required if not using a Service
                          Token)
                        type: string
                      format:
                        description: Format enables the downloading of secrets as
                          a file (string)
                        enum:
                        - json
                        - dotnet-json
                        - env
                        - yaml
                        - docker
                        type: string
                      nameTransformer:
                        description: Environment variable compatible name transforms
                          that change secret names to a different format
                        enum:
                        - upper-camel
                        - camel
                        - lower-snake
                        - tf-var
                        - dotnet-env
                        - lower-kebab
                        type: string
                      project:
                        description: Doppler project (required if not using a Service
                          Token)
                        type: string
                    required:
                    - auth
                    type: object
                  fake:
                    description: Fake configures a store with static key/value pairs
                    properties:
                      data:
                        items:
                          properties:
                            key:
                              type: string
                            value:
                              type: string
                            valueMap:
                              additionalProperties:
                                type: string
                              type: object
                            version:
                              type: string
                          required:
                          - key
                          type: object
                        type: array
                    required:
                    - data
                    type: object
                  gcpsm:
                    description: GCPSM configures this store to sync secrets using
                      Google Cloud Platform Secret Manager provider
                    properties:
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against GCP
                        properties:
                          secretRef:
                            properties:
                              secretAccessKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                          workloadIdentity:
                            properties:
                              clusterLocation:
                                type: string
                              clusterName:
                                type: string
                              clusterProjectID:
                                type: string
                              serviceAccountRef:
                                description: A reference to a ServiceAccount resource.
                                properties:
                                  audiences:
                                    description: Audience specifies the `aud` claim
                                      for the service account token If the service
                                      account uses a well-known annotation for e.g.
                                      IRSA or GCP Workload Identity then this audiences
                                      will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - clusterLocation
                            - clusterName
                            - serviceAccountRef
                            type: object
                        type: object
                      projectID:
                        description: ProjectID project where secret is located
                        type: string
                    type: object
                  gitlab:
                    description: GitLab configures this store to sync secrets using
                      GitLab Variables provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with a GitLab instance.
                        properties:
                          SecretRef:
                            properties:
                              accessToken:
                                description: AccessToken is used for authentication.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                        required:
                        - SecretRef
                        type: object
                      environment:
                        description: Environment environment_scope of gitlab CI/CD
                          variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment
                          on how to create environments)
                        type: string
                      groupIDs:
                        description: GroupIDs specify, which gitlab groups to pull
                          secrets from. Group secrets are read from left to right
                          followed by the project variables.
                        items:
                          type: string
                        type: array
                      inheritFromGroups:
                        description: InheritFromGroups specifies whether parent groups
                          should be discovered and checked for secrets.
                        type: boolean
                      projectID:
                        description: ProjectID specifies a project where secrets are
                          located.
                        type: string
                      url:
                        description: URL configures the GitLab instance URL. Defaults
                          to https://gitlab.com/.
                        type: string
                    required:
                    - auth
                    type: object
                  ibm:
                    description: IBM configures this store to sync secrets using IBM
                      Cloud provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with the IBM secrets manager.
                        maxProperties: 1
                        minProperties: 1
                        properties:
                          containerAuth:
                            description: IBM Container-based auth with IAM Trusted
                              Profile.
                            properties:
                              iamEndpoint:
                                type: string
                              profile:
                                description: the IBM Trusted Profile
                                type: string
                              tokenLocation:
                                description: Location the token is mounted on the
                                  pod
                                type: string
                            required:
                            - profile
                            type: object
                          secretRef:
                            properties:
                              secretApiKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                        type: object
                      serviceUrl:
                        description: ServiceURL is the Endpoint URL that is specific
                          to the Secrets Manager service instance
                        type: string
                    required:
                    - auth
                    type: object
                  keepersecurity:
                    description: KeeperSecurity configures this store to sync secrets
                      using the KeeperSecurity provider
                    properties:
                      authRef:
                        description: A reference to a specific 'key' within a Secret
                          resource, In some instances, `key` is a required field.
                        properties:
                          key:
                            description: The key of the entry in the Secret resource's
                              `data` field to be used. Some instances of this field
                              may be defaulted, in others it may be required.
                            type: string
                          name:
                            description: The name of the Secret resource being referred
                              to.
                            type: string
                          namespace:
                            description: Namespace of the resource being referred
                              to. Ignored if referent is not cluster-scoped. cluster-scoped
                              defaults to the namespace of the referent.
                            type: string
                        type: object
                      folderID:
                        type: string
                    required:
                    - authRef
                    - folderID
                    type: object
                  kubernetes:
                    description: Kubernetes configures this store to sync secrets
                      using a Kubernetes cluster provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with a Kubernetes instance.
                        maxProperties: 1
                        minProperties: 1
                        properties:
                          cert:
                            description: has both clientCert and clientKey as secretKeySelector
                            properties:
                              clientCert:
                                description: A reference to a specific 'key' within
                                  a Secret resource, In some instances, `key` is a
                                  required field.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              clientKey:
                                description: A reference to a specific 'key' within
                                  a Secret resource, In some instances, `key` is a
                                  required field.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                          serviceAccount:
                            description: points to a service account that should be
                              used for authentication
                            properties:
                              audiences:
                                description: Audience specifies the `aud` claim for
                                  the service account token If the service account
                                  uses a well-known annotation for e.g. IRSA or GCP
                                  Workload Identity then this audiences will be appended
                                  to the list
                                items:
                                  type: string
                                type: array
                              name:
                                description: The name of the ServiceAccount resource
                                  being referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            required:
                            - name
                            type: object
                          token:
                            description: use static token to authenticate with
                            properties:
                              bearerToken:
                                description: A reference to a specific 'key' within
                                  a Secret resource, In some instances, `key` is a
                                  required field.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                        type: object
                      remoteNamespace:
                        default: default
                        description: Remote namespace to fetch the secrets from
                        type: string
                      server:
                        description: configures the Kubernetes server Address.
                        properties:
                          caBundle:
                            description: CABundle is a base64-encoded CA certificate
                            format: byte
                            type: string
                          caProvider:
                            description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
                            properties:
                              key:
                                description: The key where the CA certificate can
                                  be found in the Secret or ConfigMap.
                                type: string
                              name:
                                description: The name of the object located at the
                                  provider type.
                                type: string
                              namespace:
                                description: The namespace the Provider type is in.
                                  Can only be defined when used in a ClusterSecretStore.
                                type: string
                              type:
                                description: The type of provider to use such as "Secret",
                                  or "ConfigMap".
                                enum:
                                - Secret
                                - ConfigMap
                                type: string
                            required:
                            - name
                            - type
                            type: object
                          url:
                            default: kubernetes.default
                            description: configures the Kubernetes server Address.
                            type: string
                        type: object
                    required:
                    - auth
                    type: object
                  onepassword:
                    description: OnePassword configures this store to sync secrets
                      using the 1Password Cloud provider
                    properties:
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against OnePassword Connect Server
                        properties:
                          secretRef:
                            description: OnePasswordAuthSecretRef holds secret references
                              for 1Password credentials.
                            properties:
                              connectTokenSecretRef:
                                description: The ConnectToken is used for authentication
                                  to a 1Password Connect Server.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            required:
                            - connectTokenSecretRef
                            type: object
                        required:
                        - secretRef
                        type: object
                      connectHost:
                        description: ConnectHost defines the OnePassword Connect Server
                          to connect to
                        type: string
                      vaults:
                        additionalProperties:
                          type: integer
                        description: Vaults defines which OnePassword vaults to search
                          in which order
                        type: object
                    required:
                    - auth
                    - connectHost
                    - vaults
                    type: object
                  oracle:
                    description: Oracle configures this store to sync secrets using
                      Oracle Vault provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with the Oracle Vault. If empty, use the instance principal,
                          otherwise the user credentials specified in Auth.
                        properties:
                          secretRef:
                            description: SecretRef to pass through sensitive information.
                            properties:
                              fingerprint:
                                description: Fingerprint is the fingerprint of the
                                  API private key.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              privatekey:
                                description: PrivateKey is the user's API Signing
                                  Key in PEM format, used for authentication.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            required:
                            - fingerprint
                            - privatekey
                            type: object
                          tenancy:
                            description: Tenancy is the tenancy OCID where user is
                              located.
                            type: string
                          user:
                            description: User is an access OCID specific to the account.
                            type: string
                        required:
                        - secretRef
                        - tenancy
                        - user
                        type: object
                      compartment:
                        description: Compartment is the vault compartment OCID. Required
                          for PushSecret
                        type: string
                      encryptionKey:
                        description: EncryptionKey is the OCID of the encryption key
                          within the vault. Required for PushSecret
                        type: string
                      principalType:
                        description: The type of principal to use for authentication.
                          If left blank, the Auth struct will determine the principal
                          type. This optional field must be specified if using workload
                          identity.
                        type: string
                      region:
                        description: Region is the region where vault is located.
                        type: string
                      serviceAccountRef:
                        description: ServiceAccountRef specified the service account
                          that should be used when authenticating with WorkloadIdentity.
                        properties:
                          audiences:
                            description: Audience specifies the `aud` claim for the
                              service account token If the service account uses a
                              well-known annotation for e.g. IRSA or GCP Workload
                              Identity then this audiences will be appended to the
                              list
                            items:
                              type: string
                            type: array
                          name:
                            description: The name of the ServiceAccount resource being
                              referred to.
                            type: string
                          namespace:
                            description: Namespace of the resource being referred
                              to. Ignored if referent is not cluster-scoped. cluster-scoped
                              defaults to the namespace of the referent.
                            type: string
                        required:
                        - name
                        type: object
                      vault:
                        description: Vault is the vault's OCID of the specific vault
                          where secret is located.
                        type: string
                    required:
                    - region
                    - vault
                    type: object
                  scaleway:
                    description: Scaleway
                    properties:
                      accessKey:
                        description: AccessKey is the non-secret part of the api key.
                        properties:
                          secretRef:
                            description: SecretRef references a key in a secret that
                              will be used as value.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                          value:
                            description: Value can be specified directly to set a
                              value without using a secret.
                            type: string
                        type: object
                      apiUrl:
                        description: APIURL is the url of the api to use. Defaults
                          to https://api.scaleway.com
                        type: string
                      projectId:
                        description: 'ProjectID is the id of your project, which you
                          can find in the console: https://console.scaleway.com/project/settings'
                        type: string
                      region:
                        description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
                        type: string
                      secretKey:
                        description: SecretKey is the non-secret part of the api key.
                        properties:
                          secretRef:
                            description: SecretRef references a key in a secret that
                              will be used as value.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                          value:
                            description: Value can be specified directly to set a
                              value without using a secret.
                            type: string
                        type: object
                    required:
                    - accessKey
                    - projectId
                    - region
                    - secretKey
                    type: object
                  senhasegura:
                    description: Senhasegura configures this store to sync secrets
                      using senhasegura provider
                    properties:
                      auth:
                        description: Auth defines parameters to authenticate in senhasegura
                        properties:
                          clientId:
                            type: string
                          clientSecretSecretRef:
                            description: A reference to a specific 'key' within a
                              Secret resource, In some instances, `key` is a required
                              field.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                        required:
                        - clientId
                        - clientSecretSecretRef
                        type: object
                      ignoreSslCertificate:
                        default: false
                        description: IgnoreSslCertificate defines if SSL certificate
                          must be ignored
                        type: boolean
                      module:
                        description: Module defines which senhasegura module should
                          be used to get secrets
                        type: string
                      url:
                        description: URL of senhasegura
                        type: string
                    required:
                    - auth
                    - module
                    - url
                    type: object
                  vault:
                    description: Vault configures this store to sync secrets using
                      Hashi provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with the Vault server.
                        properties:
                          appRole:
                            description: AppRole authenticates with Vault using the
                              App Role auth mechanism, with the role and secret stored
                              in a Kubernetes Secret resource.
                            properties:
                              path:
                                default: approle
                                description: 'Path where the App Role authentication
                                  backend is mounted in Vault, e.g: "approle"'
                                type: string
                              roleId:
                                description: RoleID configured in the App Role authentication
                                  backend when setting up the authentication backend
                                  in Vault.
                                type: string
                              roleRef:
                                description: Reference to a key in a Secret that contains
                                  the App Role ID used to authenticate with Vault.
                                  The `key` field must be specified and denotes which
                                  entry within the Secret resource is used as the
                                  app role id.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              secretRef:
                                description: Reference to a key in a Secret that contains
                                  the App Role secret used to authenticate with Vault.
                                  The `key` field must be specified and denotes which
                                  entry within the Secret resource is used as the
                                  app role secret.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            required:
                            - path
                            - secretRef
                            type: object
                          cert:
                            description: Cert authenticates with TLS Certificates
                              by passing client certificate, private key and ca certificate
                              Cert authentication method
                            properties:
                              clientCert:
                                description: ClientCert is a certificate to authenticate
                                  using the Cert Vault authentication method
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              secretRef:
                                description: SecretRef to a key in a Secret resource
                                  containing client private key to authenticate with
                                  Vault using the Cert authentication method
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            type: object
                          iam:
                            description: Iam authenticates with vault by passing a
                              special AWS request signed with AWS IAM credentials
                              AWS IAM authentication method
                            properties:
                              externalID:
                                description: AWS External ID set on assumed IAM roles
                                type: string
                              jwt:
                                description: Specify a service account with IRSA enabled
                                properties:
                                  serviceAccountRef:
                                    description: A reference to a ServiceAccount resource.
                                    properties:
                                      audiences:
                                        description: Audience specifies the `aud`
                                          claim for the service account token If the
                                          service account uses a well-known annotation
                                          for e.g. IRSA or GCP Workload Identity then
                                          this audiences will be appended to the list
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: The name of the ServiceAccount
                                          resource being referred to.
                                        type: string
                                      namespace:
                                        description: Namespace of the resource being
                                          referred to. Ignored if referent is not
                                          cluster-scoped. cluster-scoped defaults
                                          to the namespace of the referent.
                                        type: string
                                    required:
                                    - name
                                    type: object
                                type: object
                              path:
                                description: 'Path where the AWS auth method is enabled
                                  in Vault, e.g: "aws"'
                                type: string
                              region:
                                description: AWS region
                                type: string
                              role:
                                description: This is the AWS role to be assumed before
                                  talking to vault
                                type: string
                              secretRef:
                                description: Specify credentials in a Secret object
                                properties:
                                  accessKeyIDSecretRef:
                                    description: The AccessKeyID is used for authentication
                                    properties:
                                      key:
                                        description: The key of the entry in the Secret
                                          resource's `data` field to be used. Some
                                          instances of this field may be defaulted,
                                          in others it may be required.
                                        type: string
                                      name:
                                        description: The name of the Secret resource
                                          being referred to.
                                        type: string
                                      namespace:
                                        description: Namespace of the resource being
                                          referred to. Ignored if referent is not
                                          cluster-scoped. cluster-scoped defaults
                                          to the namespace of the referent.
                                        type: string
                                    type: object
                                  secretAccessKeySecretRef:
                                    description: The SecretAccessKey is used for authentication
                                    properties:
                                      key:
                                        description: The key of the entry in the Secret
                                          resource's `data` field to be used. Some
                                          instances of this field may be defaulted,
                                          in others it may be required.
                                        type: string
                                      name:
                                        description: The name of the Secret resource
                                          being referred to.
                                        type: string
                                      namespace:
                                        description: Namespace of the resource being
                                          referred to. Ignored if referent is not
                                          cluster-scoped. cluster-scoped defaults
                                          to the namespace of the referent.
                                        type: string
                                    type: object
                                  sessionTokenSecretRef:
                                    description: 'The SessionToken used for authentication
                                      This must be defined if AccessKeyID and SecretAccessKey
                                      are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html'
                                    properties:
                                      key:
                                        description: The key of the entry in the Secret
                                          resource's `data` field to be used. Some
                                          instances of this field may be defaulted,
                                          in others it may be required.
                                        type: string
                                      name:
                                        description: The name of the Secret resource
                                          being referred to.
                                        type: string
                                      namespace:
                                        description: Namespace of the resource being
                                          referred to. Ignored if referent is not
                                          cluster-scoped. cluster-scoped defaults
                                          to the namespace of the referent.
                                        type: string
                                    type: object
                                type: object
                              vaultAwsIamServerID:
                                description: 'X-Vault-AWS-IAM-Server-ID is an additional
                                  header used by Vault IAM auth method to mitigate
                                  against different types of replay attacks. More
                                  details here: https://developer.hashicorp.com/vault/docs/auth/aws'
                                type: string
                              vaultRole:
                                description: Vault Role. In vault, a role describes
                                  an identity with a set of permissions, groups, or
                                  policies you want to attach a user of the secrets
                                  engine
                                type: string
                            required:
                            - vaultRole
                            type: object
                          jwt:
                            description: Jwt authenticates with Vault by passing role
                              and JWT token using the JWT/OIDC authentication method
                            properties:
                              kubernetesServiceAccountToken:
                                description: Optional ServiceAccountToken specifies
                                  the Kubernetes service account for which to request
                                  a token for with the `TokenRequest` API.
                                properties:
                                  audiences:
                                    description: 'Optional audiences field that will
                                      be used to request a temporary Kubernetes service
                                      account token for the service account referenced
                                      by `serviceAccountRef`. Defaults to a single
                                      audience `vault` it not specified. Deprecated:
                                      use serviceAccountRef.Audiences instead'
                                    items:
                                      type: string
                                    type: array
                                  expirationSeconds:
                                    description: 'Optional expiration time in seconds
                                      that will be used to request a temporary Kubernetes
                                      service account token for the service account
                                      referenced by `serviceAccountRef`. Deprecated:
                                      this will be removed in the future. Defaults
                                      to 10 minutes.'
                                    format: int64
                                    type: integer
                                  serviceAccountRef:
                                    description: Service account field containing
                                      the name of a kubernetes ServiceAccount.
                                    properties:
                                      audiences:
                                        description: Audience specifies the `aud`
                                          claim for the service account token If the
                                          service account uses a well-known annotation
                                          for e.g. IRSA or GCP Workload Identity then
                                          this audiences will be appended to the list
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: The name of the ServiceAccount
                                          resource being referred to.
                                        type: string
                                      namespace:
                                        description: Namespace of the resource being
                                          referred to. Ignored if referent is not
                                          cluster-scoped. cluster-scoped defaults
                                          to the namespace of the referent.
                                        type: string
                                    required:
                                    - name
                                    type: object
                                required:
                                - serviceAccountRef
                                type: object
                              path:
                                default: jwt
                                description: 'Path where the JWT authentication backend
                                  is mounted in Vault, e.g: "jwt"'
                                type: string
                              role:
                                description: Role is a JWT role to authenticate using
                                  the JWT/OIDC Vault authentication method
                                type: string
                              secretRef:
                                description: Optional SecretRef that refers to a key
                                  in a Secret resource containing JWT token to authenticate
                                  with Vault using the JWT/OIDC authentication method.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                            required:
                            - path
                            type: object
                          kubernetes:
                            description: Kubernetes authenticates with Vault by passing
                              the ServiceAccount token stored in the named Secret
                              resource to the Vault server.
                            properties:
                              mountPath:
                                default: kubernetes
                                description: 'Path where the Kubernetes authentication
                                  backend is mounted in Vault, e.g: "kubernetes"'
                                type: string
                              role:
                                description: A required field containing the Vault
                                  Role to assume. A Role binds a Kubernetes ServiceAccount
                                  with a set of Vault policies.
                                type: string
                              secretRef:
                                description: Optional secret field containing a Kubernetes
                                  ServiceAccount JWT used for authenticating with
                                  Vault. If a name is specified without a key, `token`
                                  is the default. If one is not specified, the one
                                  bound to the controller will be used.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              serviceAccountRef:
                                description: Optional service account field containing
                                  the name of a kubernetes ServiceAccount. If the
                                  service account is specified, the service account
                                  secret token JWT will be used for authenticating
                                  with Vault. If the service account selector is not
                                  supplied, the secretRef will be used instead.
                                properties:
                                  audiences:
                                    description: Audience specifies the `aud` claim
                                      for the service account token If the service
                                      account uses a well-known annotation for e.g.
                                      IRSA or GCP Workload Identity then this audiences
                                      will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - mountPath
                            - role
                            type: object
                          ldap:
                            description: Ldap authenticates with Vault by passing
                              username/password pair using the LDAP authentication
                              method
                            properties:
                              path:
                                default: ldap
                                description: 'Path where the LDAP authentication backend
                                  is mounted in Vault, e.g: "ldap"'
                                type: string
                              secretRef:
                                description: SecretRef to a key in a Secret resource
                                  containing password for the LDAP user used to authenticate
                                  with Vault using the LDAP authentication method
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              username:
                                description: Username is a LDAP user name used to
                                  authenticate using the LDAP Vault authentication
                                  method
                                type: string
                            required:
                            - path
                            - username
                            type: object
                          tokenSecretRef:
                            description: TokenSecretRef authenticates with Vault by
                              presenting a token.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                          userPass:
                            description: UserPass authenticates with Vault by passing
                              username/password pair
                            properties:
                              path:
                                default: user
                                description: 'Path where the UserPassword authentication
                                  backend is mounted in Vault, e.g: "user"'
                                type: string
                              secretRef:
                                description: SecretRef to a key in a Secret resource
                                  containing password for the user used to authenticate
                                  with Vault using the UserPass authentication method
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                type: object
                              username:
                                description: Username is a user name used to authenticate
                                  using the UserPass Vault authentication method
                                type: string
                            required:
                            - path
                            - username
                            type: object
                        type: object
                      caBundle:
                        description: PEM encoded CA bundle used to validate Vault
                          server certificate. Only used if the Server URL is using
                          HTTPS protocol. This parameter is ignored for plain HTTP
                          protocol connection. If not set the system root certificates
                          are used to validate the TLS connection.
                        format: byte
                        type: string
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Vault server certificate.
                        properties:
                          key:
                            description: The key where the CA certificate can be found
                              in the Secret or ConfigMap.
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            type: string
                          namespace:
                            description: The namespace the Provider type is in. Can
                              only be defined when used in a ClusterSecretStore.
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      forwardInconsistent:
                        description: ForwardInconsistent tells Vault to forward read-after-write
                          requests to the Vault leader instead of simply retrying
                          within a loop. This can increase performance if the option
                          is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
                        type: boolean
                      namespace:
                        description: 'Name of the vault namespace. Namespaces is a
                          set of features within Vault Enterprise that allows Vault
                          environments to support Secure Multi-tenancy. e.g: "ns1".
                          More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
                        type: string
                      path:
                        description: 'Path is the mount path of the Vault KV backend
                          endpoint, e.g: "secret". The v2 KV secret engine version
                          specific "/data" path suffix for fetching secrets from Vault
                          is optional and will be appended if not present in specified
                          path.'
                        type: string
                      readYourWrites:
                        description: ReadYourWrites ensures isolated read-after-write
                          semantics by providing discovered cluster replication states
                          in each request. More information about eventual consistency
                          in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
                        type: boolean
                      server:
                        description: 'Server is the connection address for the Vault
                          server, e.g: "https://vault.example.com:8200".'
                        type: string
                      version:
                        default: v2
                        description: Version is the Vault KV secret engine version.
                          This can be either "v1" or "v2". Version defaults to "v2".
                        enum:
                        - v1
                        - v2
                        type: string
                    required:
                    - auth
                    - server
                    type: object
                  webhook:
                    description: Webhook configures this store to sync secrets using
                      a generic templated webhook
                    properties:
                      body:
                        description: Body
                        type: string
                      caBundle:
                        description: PEM encoded CA bundle used to validate webhook
                          server certificate. Only used if the Server URL is using
                          HTTPS protocol. This parameter is ignored for plain HTTP
                          protocol connection. If not set the system root certificates
                          are used to validate the TLS connection.
                        format: byte
                        type: string
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          webhook server certificate.
                        properties:
                          key:
                            description: The key the value inside of the provider
                              type to use, only used with "Secret" type
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            type: string
                          namespace:
                            description: The namespace the Provider type is in.
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      headers:
                        additionalProperties:
                          type: string
                        description: Headers
                        type: object
                      method:
                        description: Webhook Method
                        type: string
                      result:
                        description: Result formatting
                        properties:
                          jsonPath:
                            description: Json path of return value
                            type: string
                        type: object
                      secrets:
                        description: Secrets to fill in templates These secrets will
                          be passed to the templating function as key value pairs
                          under the given name
                        items:
                          properties:
                            name:
                              description: Name of this secret in templates
                              type: string
                            secretRef:
                              description: Secret ref to fill in credentials
                              properties:
                                key:
                                  description: The key of the entry in the Secret
                                    resource's `data` field to be used. Some instances
                                    of this field may be defaulted, in others it may
                                    be required.
                                  type: string
                                name:
                                  description: The name of the Secret resource being
                                    referred to.
                                  type: string
                                namespace:
                                  description: Namespace of the resource being referred
                                    to. Ignored if referent is not cluster-scoped.
                                    cluster-scoped defaults to the namespace of the
                                    referent.
                                  type: string
                              type: object
                          required:
                          - name
                          - secretRef
                          type: object
                        type: array
                      timeout:
                        description: Timeout
                        type: string
                      url:
                        description: Webhook url to call
                        type: string
                    required:
                    - result
                    - url
                    type: object
                  yandexcertificatemanager:
                    description: YandexCertificateManager configures this store to
                      sync secrets using Yandex Certificate Manager provider
                    properties:
                      apiEndpoint:
                        description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
                        type: string
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against Yandex Certificate Manager
                        properties:
                          authorizedKeySecretRef:
                            description: The authorized key used for authentication
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Yandex.Cloud server certificate.
                        properties:
                          certSecretRef:
                            description: A reference to a specific 'key' within a
                              Secret resource, In some instances, `key` is a required
                              field.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                    required:
                    - auth
                    type: object
                  yandexlockbox:
                    description: YandexLockbox configures this store to sync secrets
                      using Yandex Lockbox provider
                    properties:
                      apiEndpoint:
                        description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
                        type: string
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against Yandex Lockbox
                        properties:
                          authorizedKeySecretRef:
                            description: The authorized key used for authentication
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Yandex.Cloud server certificate.
                        properties:
                          certSecretRef:
                            description: A reference to a specific 'key' within a
                              Secret resource, In some instances, `key` is a required
                              field.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            type: object
                        type: object
                    required:
                    - auth
                    type: object
                type: object
              refreshInterval:
                description: Used to configure store refresh interval in seconds.
                  Empty or 0 will default to the controller config.
                type: integer
              retrySettings:
                description: Used to configure http retries if failed
                properties:
                  maxRetries:
                    format: int32
                    type: integer
                  retryInterval:
                    type: string
                type: object
            required:
            - provider
            type: object
          status:
            description: SecretStoreStatus defines the observed state of the SecretStore.
            properties:
              capabilities:
                description: SecretStoreCapabilities defines the possible operations
                  a SecretStore can do.
                type: string
              conditions:
                items:
                  properties:
                    lastTransitionTime:
                      format: date-time
                      type: string
                    message:
                      type: string
                    reason:
                      type: string
                    status:
                      type: string
                    type:
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}