helm-external-secrets/config/crds/bases/external-secrets.io_clustersecretstores.yaml

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.19.0
  labels:
    external-secrets.io/component: controller
  name: clustersecretstores.external-secrets.io
spec:
  group: external-secrets.io
  names:
    categories:
    - external-secrets
    kind: ClusterSecretStore
    listKind: ClusterSecretStoreList
    plural: clustersecretstores
    shortNames:
    - css
    singular: clustersecretstore
  scope: Cluster
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: AGE
      type: date
    - jsonPath: .status.conditions[?(@.type=="Ready")].reason
      name: Status
      type: string
    - jsonPath: .status.capabilities
      name: Capabilities
      type: string
    - jsonPath: .status.conditions[?(@.type=="Ready")].status
      name: Ready
      type: string
    name: v1
    schema:
      openAPIV3Schema:
        description: ClusterSecretStore represents a secure external location for
          storing secrets, which can be referenced as part of `storeRef` fields.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: SecretStoreSpec defines the desired state of SecretStore.
            properties:
              conditions:
                description: Used to constrain a ClusterSecretStore to specific namespaces.
                  Relevant only to ClusterSecretStore.
                items:
                  description: |-
                    ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
                    for a ClusterSecretStore instance.
                  properties:
                    namespaceRegexes:
                      description: Choose namespaces by using regex matching
                      items:
                        type: string
                      type: array
                    namespaceSelector:
                      description: Choose namespace using a labelSelector
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: |-
                              A label selector requirement is a selector that contains values, a key, and an operator that
                              relates the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              operator:
                                description: |-
                                  operator represents a key's relationship to a set of values.
                                  Valid operators are In, NotIn, Exists and DoesNotExist.
                                type: string
                              values:
                                description: |-
                                  values is an array of string values. If the operator is In or NotIn,
                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                  the values array must be empty. This array is replaced during a strategic
                                  merge patch.
                                items:
                                  type: string
                                type: array
                                x-kubernetes-list-type: atomic
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                          x-kubernetes-list-type: atomic
                        matchLabels:
                          additionalProperties:
                            type: string
                          description: |-
                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                            map is equivalent to an element of matchExpressions, whose key field is "key", the
                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                          type: object
                      type: object
                      x-kubernetes-map-type: atomic
                    namespaces:
                      description: Choose namespaces by name
                      items:
                        maxLength: 63
                        minLength: 1
                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                        type: string
                      type: array
                  type: object
                type: array
              controller:
                description: |-
                  Used to select the correct ESO controller (think: ingress.ingressClassName)
                  The ESO controller is instantiated with a specific controller name and filters ES based on this property
                type: string
              provider:
                description: Used to configure the provider. Only one provider may
                  be set
                maxProperties: 1
                minProperties: 1
                properties:
                  akeyless:
                    description: Akeyless configures this store to sync secrets using
                      Akeyless Vault provider
                    properties:
                      akeylessGWApiURL:
                        description: Akeyless GW API Url from which the secrets to
                          be fetched from.
                        type: string
                      authSecretRef:
                        description: Auth configures how the operator authenticates
                          with Akeyless.
                        properties:
                          kubernetesAuth:
                            description: |-
                              Kubernetes authenticates with Akeyless by passing the ServiceAccount
                              token stored in the named Secret resource.
                            properties:
                              accessID:
                                description: the Akeyless Kubernetes auth-method access-id
                                type: string
                              k8sConfName:
                                description: Kubernetes-auth configuration name in
                                  Akeyless-Gateway
                                type: string
                              secretRef:
                                description: |-
                                  Optional secret field containing a Kubernetes ServiceAccount JWT used
                                  for authenticating with Akeyless. If a name is specified without a key,
                                  `token` is the default. If one is not specified, the one bound to
                                  the controller will be used.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              serviceAccountRef:
                                description: |-
                                  Optional service account field containing the name of a kubernetes ServiceAccount.
                                  If the service account is specified, the service account secret token JWT will be used
                                  for authenticating with Akeyless. If the service account selector is not supplied,
                                  the secretRef will be used instead.
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - accessID
                            - k8sConfName
                            type: object
                          secretRef:
                            description: |-
                              Reference to a Secret that contains the details
                              to authenticate with Akeyless.
                            properties:
                              accessID:
                                description: The SecretAccessID is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              accessType:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              accessTypeParam:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            type: object
                        type: object
                      caBundle:
                        description: |-
                          PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
                          if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
                          are used to validate the TLS connection.
                        format: byte
                        type: string
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Akeyless Gateway certificate.
                        properties:
                          key:
                            description: The key where the CA certificate can be found
                              in the Secret or ConfigMap.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[-._a-zA-Z0-9]+$
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              The namespace the Provider type is in.
                              Can only be defined when used in a ClusterSecretStore.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                    required:
                    - akeylessGWApiURL
                    - authSecretRef
                    type: object
                  aws:
                    description: AWS configures this store to sync secrets using AWS
                      Secret Manager provider
                    properties:
                      additionalRoles:
                        description: AdditionalRoles is a chained list of Role ARNs
                          which the provider will sequentially assume before assuming
                          the Role
                        items:
                          type: string
                        type: array
                      auth:
                        description: |-
                          Auth defines the information necessary to authenticate against AWS
                          if not set aws sdk will infer credentials from your environment
                          see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
                        properties:
                          jwt:
                            description: AWSJWTAuth stores reference to Authenticate
                              against AWS using service account tokens.
                            properties:
                              serviceAccountRef:
                                description: ServiceAccountSelector is a reference
                                  to a ServiceAccount resource.
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                required:
                                - name
                                type: object
                            type: object
                          secretRef:
                            description: |-
                              AWSAuthSecretRef holds secret references for AWS credentials
                              both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
                            properties:
                              accessKeyIDSecretRef:
                                description: The AccessKeyID is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              secretAccessKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              sessionTokenSecretRef:
                                description: |-
                                  The SessionToken used for authentication
                                  This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
                                  see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            type: object
                        type: object
                      externalID:
                        description: AWS External ID set on assumed IAM roles
                        type: string
                      prefix:
                        description: Prefix adds a prefix to all retrieved values.
                        type: string
                      region:
                        description: AWS Region to be used for the provider
                        type: string
                      role:
                        description: Role is a Role ARN which the provider will assume
                        type: string
                      secretsManager:
                        description: SecretsManager defines how the provider behaves
                          when interacting with AWS SecretsManager
                        properties:
                          forceDeleteWithoutRecovery:
                            description: |-
                              Specifies whether to delete the secret without any recovery window. You
                              can't use both this parameter and RecoveryWindowInDays in the same call.
                              If you don't use either, then by default Secrets Manager uses a 30 day
                              recovery window.
                              see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
                            type: boolean
                          recoveryWindowInDays:
                            description: |-
                              The number of days from 7 to 30 that Secrets Manager waits before
                              permanently deleting the secret. You can't use both this parameter and
                              ForceDeleteWithoutRecovery in the same call. If you don't use either,
                              then by default Secrets Manager uses a 30-day recovery window.
                              see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
                            format: int64
                            type: integer
                        type: object
                      service:
                        description: Service defines which service should be used
                          to fetch the secrets
                        enum:
                        - SecretsManager
                        - ParameterStore
                        type: string
                      sessionTags:
                        description: AWS STS assume role session tags
                        items:
                          description: |-
                            Tag is a key-value pair that can be attached to an AWS resource.
                            see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
                          properties:
                            key:
                              type: string
                            value:
                              type: string
                          required:
                          - key
                          - value
                          type: object
                        type: array
                      transitiveTagKeys:
                        description: AWS STS assume role transitive session tags.
                          Required when multiple rules are used with the provider
                        items:
                          type: string
                        type: array
                    required:
                    - region
                    - service
                    type: object
                  azurekv:
                    description: AzureKV configures this store to sync secrets using
                      Azure Key Vault provider
                    properties:
                      authSecretRef:
                        description: Auth configures how the operator authenticates
                          with Azure. Required for ServicePrincipal auth type. Optional
                          for WorkloadIdentity.
                        properties:
                          clientCertificate:
                            description: The Azure ClientCertificate of the service
                              principle used for authentication.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          clientId:
                            description: The Azure clientId of the service principle
                              or managed identity used for authentication.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          clientSecret:
                            description: The Azure ClientSecret of the service principle
                              used for authentication.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          tenantId:
                            description: The Azure tenantId of the managed identity
                              used for authentication.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        type: object
                      authType:
                        default: ServicePrincipal
                        description: |-
                          Auth type defines how to authenticate to the keyvault service.
                          Valid values are:
                          - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
                          - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
                        enum:
                        - ServicePrincipal
                        - ManagedIdentity
                        - WorkloadIdentity
                        type: string
                      customCloudConfig:
                        description: |-
                          CustomCloudConfig defines custom Azure endpoints for non-standard clouds.
                          Required when EnvironmentType is AzureStackCloud.
                          Optional for other environment types - useful for Azure China when using Workload Identity
                          with AKS, where the OIDC issuer (login.partner.microsoftonline.cn) differs from the
                          standard China Cloud endpoint (login.chinacloudapi.cn).
                          IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
                          configuration is not supported with the legacy go-autorest SDK.
                        properties:
                          activeDirectoryEndpoint:
                            description: |-
                              ActiveDirectoryEndpoint is the AAD endpoint for authentication
                              Required when using custom cloud configuration
                            type: string
                          keyVaultDNSSuffix:
                            description: KeyVaultDNSSuffix is the DNS suffix for Key
                              Vault URLs
                            type: string
                          keyVaultEndpoint:
                            description: KeyVaultEndpoint is the Key Vault service
                              endpoint
                            type: string
                          resourceManagerEndpoint:
                            description: ResourceManagerEndpoint is the Azure Resource
                              Manager endpoint
                            type: string
                        required:
                        - activeDirectoryEndpoint
                        type: object
                      environmentType:
                        default: PublicCloud
                        description: |-
                          EnvironmentType specifies the Azure cloud environment endpoints to use for
                          connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
                          The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
                          PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
                          Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints.
                        enum:
                        - PublicCloud
                        - USGovernmentCloud
                        - ChinaCloud
                        - GermanCloud
                        - AzureStackCloud
                        type: string
                      identityId:
                        description: If multiple Managed Identity is assigned to the
                          pod, you can select the one to be used
                        type: string
                      serviceAccountRef:
                        description: |-
                          ServiceAccountRef specified the service account
                          that should be used when authenticating with WorkloadIdentity.
                        properties:
                          audiences:
                            description: |-
                              Audience specifies the `aud` claim for the service account token
                              If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                              then this audiences will be appended to the list
                            items:
                              type: string
                            type: array
                          name:
                            description: The name of the ServiceAccount resource being
                              referred to.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              Namespace of the resource being referred to.
                              Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                        required:
                        - name
                        type: object
                      tenantId:
                        description: TenantID configures the Azure Tenant to send
                          requests to. Required for ServicePrincipal auth type. Optional
                          for WorkloadIdentity.
                        type: string
                      useAzureSDK:
                        default: false
                        description: |-
                          UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
                          This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
                        type: boolean
                      vaultUrl:
                        description: Vault Url from which the secrets to be fetched
                          from.
                        type: string
                    required:
                    - vaultUrl
                    type: object
                  barbican:
                    description: Barbican configures this store to sync secrets using
                      the OpenStack Barbican provider
                    properties:
                      auth:
                        description: BarbicanAuth contains the authentication information
                          for Barbican.
                        properties:
                          password:
                            description: BarbicanProviderPasswordRef defines a reference
                              to a secret containing password for the Barbican provider.
                            properties:
                              secretRef:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - secretRef
                            type: object
                          username:
                            description: BarbicanProviderUsernameRef defines a reference
                              to a secret containing username for the Barbican provider.
                            maxProperties: 1
                            minProperties: 1
                            properties:
                              secretRef:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              value:
                                type: string
                            type: object
                        required:
                        - password
                        - username
                        type: object
                      authURL:
                        type: string
                      domainName:
                        type: string
                      region:
                        type: string
                      tenantName:
                        type: string
                    required:
                    - auth
                    type: object
                  beyondtrust:
                    description: Beyondtrust configures this store to sync secrets
                      using Password Safe provider.
                    properties:
                      auth:
                        description: Auth configures how the operator authenticates
                          with Beyondtrust.
                        properties:
                          apiKey:
                            description: APIKey If not provided then ClientID/ClientSecret
                              become required.
                            properties:
                              secretRef:
                                description: SecretRef references a key in a secret
                                  that will be used as value.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              value:
                                description: Value can be specified directly to set
                                  a value without using a secret.
                                type: string
                            type: object
                          certificate:
                            description: Certificate (cert.pem) for use when authenticating
                              with an OAuth client Id using a Client Certificate.
                            properties:
                              secretRef:
                                description: SecretRef references a key in a secret
                                  that will be used as value.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              value:
                                description: Value can be specified directly to set
                                  a value without using a secret.
                                type: string
                            type: object
                          certificateKey:
                            description: Certificate private key (key.pem). For use
                              when authenticating with an OAuth client Id
                            properties:
                              secretRef:
                                description: SecretRef references a key in a secret
                                  that will be used as value.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              value:
                                description: Value can be specified directly to set
                                  a value without using a secret.
                                type: string
                            type: object
                          clientId:
                            description: ClientID is the API OAuth Client ID.
                            properties:
                              secretRef:
                                description: SecretRef references a key in a secret
                                  that will be used as value.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              value:
                                description: Value can be specified directly to set
                                  a value without using a secret.
                                type: string
                            type: object
                          clientSecret:
                            description: ClientSecret is the API OAuth Client Secret.
                            properties:
                              secretRef:
                                description: SecretRef references a key in a secret
                                  that will be used as value.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              value:
                                description: Value can be specified directly to set
                                  a value without using a secret.
                                type: string
                            type: object
                        type: object
                      server:
                        description: Auth configures how API server works.
                        properties:
                          apiUrl:
                            type: string
                          apiVersion:
                            type: string
                          clientTimeOutSeconds:
                            description: Timeout specifies a time limit for requests
                              made by this Client. The timeout includes connection
                              time, any redirects, and reading the response body.
                              Defaults to 45 seconds.
                            type: integer
                          decrypt:
                            default: true
                            description: 'When true, the response includes the decrypted
                              password. When false, the password field is omitted.
                              This option only applies to the SECRET retrieval type.
                              Default: true.'
                            type: boolean
                          retrievalType:
                            description: The secret retrieval type. SECRET = Secrets
                              Safe (credential, text, file). MANAGED_ACCOUNT = Password
                              Safe account associated with a system.
                            type: string
                          separator:
                            description: A character that separates the folder names.
                            type: string
                          verifyCA:
                            type: boolean
                        required:
                        - apiUrl
                        - verifyCA
                        type: object
                    required:
                    - auth
                    - server
                    type: object
                  bitwardensecretsmanager:
                    description: BitwardenSecretsManager configures this store to
                      sync secrets using BitwardenSecretsManager provider
                    properties:
                      apiURL:
                        type: string
                      auth:
                        description: |-
                          Auth configures how secret-manager authenticates with a bitwarden machine account instance.
                          Make sure that the token being used has permissions on the given secret.
                        properties:
                          secretRef:
                            description: BitwardenSecretsManagerSecretRef contains
                              the credential ref to the bitwarden instance.
                            properties:
                              credentials:
                                description: AccessToken used for the bitwarden instance.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - credentials
                            type: object
                        required:
                        - secretRef
                        type: object
                      bitwardenServerSDKURL:
                        type: string
                      caBundle:
                        description: |-
                          Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
                          can be performed.
                        type: string
                      caProvider:
                        description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
                        properties:
                          key:
                            description: The key where the CA certificate can be found
                              in the Secret or ConfigMap.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[-._a-zA-Z0-9]+$
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              The namespace the Provider type is in.
                              Can only be defined when used in a ClusterSecretStore.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      identityURL:
                        type: string
                      organizationID:
                        description: OrganizationID determines which organization
                          this secret store manages.
                        type: string
                      projectID:
                        description: ProjectID determines which project this secret
                          store manages.
                        type: string
                    required:
                    - auth
                    - organizationID
                    - projectID
                    type: object
                  chef:
                    description: Chef configures this store to sync secrets with chef
                      server
                    properties:
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against chef Server
                        properties:
                          secretRef:
                            description: ChefAuthSecretRef holds secret references
                              for chef server login credentials.
                            properties:
                              privateKeySecretRef:
                                description: SecretKey is the Signing Key in PEM format,
                                  used for authentication.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - privateKeySecretRef
                            type: object
                        required:
                        - secretRef
                        type: object
                      serverUrl:
                        description: ServerURL is the chef server URL used to connect
                          to. If using orgs you should include your org in the url
                          and terminate the url with a "/"
                        type: string
                      username:
                        description: UserName should be the user ID on the chef server
                        type: string
                    required:
                    - auth
                    - serverUrl
                    - username
                    type: object
                  cloudrusm:
                    description: CloudruSM configures this store to sync secrets using
                      the Cloud.ru Secret Manager provider
                    properties:
                      auth:
                        description: CSMAuth contains a secretRef for credentials.
                        properties:
                          secretRef:
                            description: CSMAuthSecretRef holds secret references
                              for Cloud.ru credentials.
                            properties:
                              accessKeyIDSecretRef:
                                description: The AccessKeyID is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              accessKeySecretSecretRef:
                                description: The AccessKeySecret is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - accessKeyIDSecretRef
                            - accessKeySecretSecretRef
                            type: object
                        type: object
                      projectID:
                        description: ProjectID is the project, which the secrets are
                          stored in.
                        type: string
                    required:
                    - auth
                    type: object
                  conjur:
                    description: Conjur configures this store to sync secrets using
                      conjur provider
                    properties:
                      auth:
                        description: Defines authentication settings for connecting
                          to Conjur.
                        properties:
                          apikey:
                            description: Authenticates with Conjur using an API key.
                            properties:
                              account:
                                description: Account is the Conjur organization account
                                  name.
                                type: string
                              apiKeyRef:
                                description: |-
                                  A reference to a specific 'key' containing the Conjur API key
                                  within a Secret resource. In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              userRef:
                                description: |-
                                  A reference to a specific 'key' containing the Conjur username
                                  within a Secret resource. In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - account
                            - apiKeyRef
                            - userRef
                            type: object
                          jwt:
                            description: Jwt enables JWT authentication using Kubernetes
                              service account tokens.
                            properties:
                              account:
                                description: Account is the Conjur organization account
                                  name.
                                type: string
                              hostId:
                                description: |-
                                  Optional HostID for JWT authentication. This may be used depending
                                  on how the Conjur JWT authenticator policy is configured.
                                type: string
                              secretRef:
                                description: |-
                                  Optional SecretRef that refers to a key in a Secret resource containing JWT token to
                                  authenticate with Conjur using the JWT authentication method.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              serviceAccountRef:
                                description: |-
                                  Optional ServiceAccountRef specifies the Kubernetes service account for which to request
                                  a token for with the `TokenRequest` API.
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                required:
                                - name
                                type: object
                              serviceID:
                                description: The conjur authn jwt webservice id
                                type: string
                            required:
                            - account
                            - serviceID
                            type: object
                        type: object
                      caBundle:
                        description: CABundle is a PEM encoded CA bundle that will
                          be used to validate the Conjur server certificate.
                        type: string
                      caProvider:
                        description: |-
                          Used to provide custom certificate authority (CA) certificates
                          for a secret store. The CAProvider points to a Secret or ConfigMap resource
                          that contains a PEM-encoded certificate.
                        properties:
                          key:
                            description: The key where the CA certificate can be found
                              in the Secret or ConfigMap.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[-._a-zA-Z0-9]+$
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              The namespace the Provider type is in.
                              Can only be defined when used in a ClusterSecretStore.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      url:
                        description: URL is the endpoint of the Conjur instance.
                        type: string
                    required:
                    - auth
                    - url
                    type: object
                  delinea:
                    description: |-
                      Delinea DevOps Secrets Vault
                      https://docs.delinea.com/online-help/products/devops-secrets-vault/current
                    properties:
                      clientId:
                        description: ClientID is the non-secret part of the credential.
                        properties:
                          secretRef:
                            description: SecretRef references a key in a secret that
                              will be used as value.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          value:
                            description: Value can be specified directly to set a
                              value without using a secret.
                            type: string
                        type: object
                      clientSecret:
                        description: ClientSecret is the secret part of the credential.
                        properties:
                          secretRef:
                            description: SecretRef references a key in a secret that
                              will be used as value.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          value:
                            description: Value can be specified directly to set a
                              value without using a secret.
                            type: string
                        type: object
                      tenant:
                        description: Tenant is the chosen hostname / site name.
                        type: string
                      tld:
                        description: |-
                          TLD is based on the server location that was chosen during provisioning.
                          If unset, defaults to "com".
                        type: string
                      urlTemplate:
                        description: |-
                          URLTemplate
                          If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
                        type: string
                    required:
                    - clientId
                    - clientSecret
                    - tenant
                    type: object
                  doppler:
                    description: Doppler configures this store to sync secrets using
                      the Doppler provider
                    properties:
                      auth:
                        description: Auth configures how the Operator authenticates
                          with the Doppler API
                        properties:
                          oidcConfig:
                            description: OIDCConfig authenticates using Kubernetes
                              ServiceAccount tokens via OIDC.
                            properties:
                              expirationSeconds:
                                default: 600
                                description: |-
                                  ExpirationSeconds sets the ServiceAccount token validity duration.
                                  Defaults to 10 minutes.
                                format: int64
                                type: integer
                              identity:
                                description: Identity is the Doppler Service Account
                                  Identity ID configured for OIDC authentication.
                                type: string
                              serviceAccountRef:
                                description: ServiceAccountRef specifies the Kubernetes
                                  ServiceAccount to use for authentication.
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - identity
                            - serviceAccountRef
                            type: object
                          secretRef:
                            description: SecretRef authenticates using a Doppler service
                              token stored in a Kubernetes Secret.
                            properties:
                              dopplerToken:
                                description: |-
                                  The DopplerToken is used for authentication.
                                  See https://docs.doppler.com/reference/api#authentication for auth token types.
                                  The Key attribute defaults to dopplerToken if not specified.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - dopplerToken
                            type: object
                        type: object
                        x-kubernetes-validations:
                        - message: Exactly one of 'secretRef' or 'oidcConfig' must
                            be specified
                          rule: (has(self.secretRef) && !has(self.oidcConfig)) ||
                            (!has(self.secretRef) && has(self.oidcConfig))
                      config:
                        description: Doppler config (required if not using a Service
                          Token)
                        type: string
                      format:
                        description: Format enables the downloading of secrets as
                          a file (string)
                        enum:
                        - json
                        - dotnet-json
                        - env
                        - yaml
                        - docker
                        type: string
                      nameTransformer:
                        description: Environment variable compatible name transforms
                          that change secret names to a different format
                        enum:
                        - upper-camel
                        - camel
                        - lower-snake
                        - tf-var
                        - dotnet-env
                        - lower-kebab
                        type: string
                      project:
                        description: Doppler project (required if not using a Service
                          Token)
                        type: string
                    required:
                    - auth
                    type: object
                  dvls:
                    description: DVLS configures this store to sync secrets using
                      Devolutions Server provider
                    properties:
                      auth:
                        description: Auth defines the authentication method to use.
                        properties:
                          secretRef:
                            description: SecretRef contains the Application ID and
                              Application Secret for authentication.
                            properties:
                              appId:
                                description: AppID is the reference to the secret
                                  containing the Application ID.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              appSecret:
                                description: AppSecret is the reference to the secret
                                  containing the Application Secret.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - appId
                            - appSecret
                            type: object
                        required:
                        - secretRef
                        type: object
                      insecure:
                        description: |-
                          Insecure allows connecting to DVLS over plain HTTP.
                          This is NOT RECOMMENDED for production use.
                          Set to true only if you understand the security implications.
                        type: boolean
                      serverUrl:
                        description: ServerURL is the DVLS instance URL (e.g., https://dvls.example.com).
                        type: string
                    required:
                    - auth
                    - serverUrl
                    type: object
                  fake:
                    description: Fake configures a store with static key/value pairs
                    properties:
                      data:
                        items:
                          description: FakeProviderData defines a key-value pair with
                            optional version for the fake provider.
                          properties:
                            key:
                              type: string
                            value:
                              type: string
                            version:
                              type: string
                          required:
                          - key
                          - value
                          type: object
                        type: array
                      validationResult:
                        description: ValidationResult is defined type for the number
                          of validation results.
                        type: integer
                    required:
                    - data
                    type: object
                  fortanix:
                    description: Fortanix configures this store to sync secrets using
                      the Fortanix provider
                    properties:
                      apiKey:
                        description: APIKey is the API token to access SDKMS Applications.
                        properties:
                          secretRef:
                            description: SecretRef is a reference to a secret containing
                              the SDKMS API Key.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        type: object
                      apiUrl:
                        description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
                        type: string
                    type: object
                  gcpsm:
                    description: GCPSM configures this store to sync secrets using
                      Google Cloud Platform Secret Manager provider
                    properties:
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against GCP
                        properties:
                          secretRef:
                            description: GCPSMAuthSecretRef contains the secret references
                              for GCP Secret Manager authentication.
                            properties:
                              secretAccessKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            type: object
                          workloadIdentity:
                            description: GCPWorkloadIdentity defines configuration
                              for workload identity authentication to GCP.
                            properties:
                              clusterLocation:
                                description: |-
                                  ClusterLocation is the location of the cluster
                                  If not specified, it fetches information from the metadata server
                                type: string
                              clusterName:
                                description: |-
                                  ClusterName is the name of the cluster
                                  If not specified, it fetches information from the metadata server
                                type: string
                              clusterProjectID:
                                description: |-
                                  ClusterProjectID is the project ID of the cluster
                                  If not specified, it fetches information from the metadata server
                                type: string
                              serviceAccountRef:
                                description: ServiceAccountSelector is a reference
                                  to a ServiceAccount resource.
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - serviceAccountRef
                            type: object
                          workloadIdentityFederation:
                            description: GCPWorkloadIdentityFederation holds the configurations
                              required for generating federated access tokens.
                            properties:
                              audience:
                                description: |-
                                  audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
                                  If specified, Audience found in the external account credential config will be overridden with the configured value.
                                  audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
                                type: string
                              awsSecurityCredentials:
                                description: |-
                                  awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
                                  when using the AWS metadata server is not an option.
                                properties:
                                  awsCredentialsSecretRef:
                                    description: |-
                                      awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
                                      Secret should be created with below names for keys
                                      - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
                                      - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
                                      - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
                                    properties:
                                      name:
                                        description: name of the secret.
                                        maxLength: 253
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                        type: string
                                      namespace:
                                        description: namespace in which the secret
                                          exists. If empty, secret will looked up
                                          in local namespace.
                                        maxLength: 63
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                        type: string
                                    required:
                                    - name
                                    type: object
                                  region:
                                    description: region is for configuring the AWS
                                      region to be used.
                                    example: ap-south-1
                                    maxLength: 50
                                    minLength: 1
                                    pattern: ^[a-z0-9-]+$
                                    type: string
                                required:
                                - awsCredentialsSecretRef
                                - region
                                type: object
                              credConfig:
                                description: |-
                                  credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
                                  For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
                                  serviceAccountRef must be used by providing operators service account details.
                                properties:
                                  key:
                                    description: key name holding the external account
                                      credential config.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: name of the configmap.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: namespace in which the configmap
                                      exists. If empty, configmap will looked up in
                                      local namespace.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                required:
                                - key
                                - name
                                type: object
                              externalTokenEndpoint:
                                description: |-
                                  externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
                                  credential_source.url in the provided credConfig. This field is merely to double-check the external token source
                                  URL is having the expected value.
                                type: string
                              serviceAccountRef:
                                description: |-
                                  serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
                                  when Kubernetes is configured as provider in workload identity pool.
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                required:
                                - name
                                type: object
                            type: object
                        type: object
                      location:
                        description: Location optionally defines a location for a
                          secret
                        type: string
                      projectID:
                        description: ProjectID project where secret is located
                        type: string
                      secretVersionSelectionPolicy:
                        default: LatestOrFail
                        description: |-
                          SecretVersionSelectionPolicy specifies how the provider selects a secret version
                          when "latest" is disabled or destroyed.
                          Possible values are:
                          - LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed.
                          - LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED
                        type: string
                    type: object
                  github:
                    description: |-
                      Github configures this store to push GitHub Actions secrets using the GitHub API provider.
                      Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub
                    properties:
                      appID:
                        description: appID specifies the Github APP that will be used
                          to authenticate the client
                        format: int64
                        type: integer
                      auth:
                        description: auth configures how secret-manager authenticates
                          with a Github instance.
                        properties:
                          privateKey:
                            description: |-
                              SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                              In some instances, `key` is a required field.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        required:
                        - privateKey
                        type: object
                      environment:
                        description: environment will be used to fetch secrets from
                          a particular environment within a github repository
                        type: string
                      installationID:
                        description: installationID specifies the Github APP installation
                          that will be used to authenticate the client
                        format: int64
                        type: integer
                      orgSecretVisibility:
                        description: |-
                          orgSecretVisibility controls the visibility of organization secrets pushed via PushSecret.
                          Valid values are "all" or "private".
                          When unset, new secrets are created with visibility "all" and existing secrets preserve
                          whatever visibility they already have in GitHub.
                        enum:
                        - all
                        - private
                        type: string
                      organization:
                        description: organization will be used to fetch secrets from
                          the Github organization
                        type: string
                      repository:
                        description: repository will be used to fetch secrets from
                          the Github repository within an organization
                        type: string
                      uploadURL:
                        description: Upload URL for enterprise instances. Default
                          to URL.
                        type: string
                      url:
                        default: https://github.com/
                        description: URL configures the Github instance URL. Defaults
                          to https://github.com/.
                        type: string
                    required:
                    - appID
                    - auth
                    - installationID
                    - organization
                    type: object
                  gitlab:
                    description: GitLab configures this store to sync secrets using
                      GitLab Variables provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with a GitLab instance.
                        properties:
                          SecretRef:
                            description: GitlabSecretRef contains the secret reference
                              for GitLab authentication credentials.
                            properties:
                              accessToken:
                                description: AccessToken is used for authentication.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            type: object
                        required:
                        - SecretRef
                        type: object
                      caBundle:
                        description: |-
                          Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
                          can be performed.
                        format: byte
                        type: string
                      caProvider:
                        description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
                        properties:
                          key:
                            description: The key where the CA certificate can be found
                              in the Secret or ConfigMap.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[-._a-zA-Z0-9]+$
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              The namespace the Provider type is in.
                              Can only be defined when used in a ClusterSecretStore.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      environment:
                        description: Environment environment_scope of gitlab CI/CD
                          variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment
                          on how to create environments)
                        type: string
                      groupIDs:
                        description: GroupIDs specify, which gitlab groups to pull
                          secrets from. Group secrets are read from left to right
                          followed by the project variables.
                        items:
                          type: string
                        type: array
                      inheritFromGroups:
                        description: InheritFromGroups specifies whether parent groups
                          should be discovered and checked for secrets.
                        type: boolean
                      projectID:
                        description: ProjectID specifies a project where secrets are
                          located.
                        type: string
                      url:
                        description: URL configures the GitLab instance URL. Defaults
                          to https://gitlab.com/.
                        type: string
                    required:
                    - auth
                    type: object
                  ibm:
                    description: IBM configures this store to sync secrets using IBM
                      Cloud provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with the IBM secrets manager.
                        maxProperties: 1
                        minProperties: 1
                        properties:
                          containerAuth:
                            description: IBMAuthContainerAuth defines container-based
                              authentication with IAM Trusted Profile.
                            properties:
                              iamEndpoint:
                                type: string
                              profile:
                                description: the IBM Trusted Profile
                                type: string
                              tokenLocation:
                                description: Location the token is mounted on the
                                  pod
                                type: string
                            required:
                            - profile
                            type: object
                          secretRef:
                            description: IBMAuthSecretRef contains the secret reference
                              for IBM Cloud API key authentication.
                            properties:
                              iamEndpoint:
                                description: The IAM endpoint used to obain a token
                                type: string
                              secretApiKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            type: object
                        type: object
                      serviceUrl:
                        description: ServiceURL is the Endpoint URL that is specific
                          to the Secrets Manager service instance
                        type: string
                    required:
                    - auth
                    type: object
                  infisical:
                    description: Infisical configures this store to sync secrets using
                      the Infisical provider
                    properties:
                      auth:
                        description: Auth configures how the Operator authenticates
                          with the Infisical API
                        properties:
                          awsAuthCredentials:
                            description: AwsAuthCredentials represents the credentials
                              for AWS authentication.
                            properties:
                              identityId:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - identityId
                            type: object
                          azureAuthCredentials:
                            description: AzureAuthCredentials represents the credentials
                              for Azure authentication.
                            properties:
                              identityId:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              resource:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - identityId
                            type: object
                          gcpIamAuthCredentials:
                            description: GcpIamAuthCredentials represents the credentials
                              for GCP IAM authentication.
                            properties:
                              identityId:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              serviceAccountKeyFilePath:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - identityId
                            - serviceAccountKeyFilePath
                            type: object
                          gcpIdTokenAuthCredentials:
                            description: GcpIDTokenAuthCredentials represents the
                              credentials for GCP ID token authentication.
                            properties:
                              identityId:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - identityId
                            type: object
                          jwtAuthCredentials:
                            description: JwtAuthCredentials represents the credentials
                              for JWT authentication.
                            properties:
                              identityId:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              jwt:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - identityId
                            - jwt
                            type: object
                          kubernetesAuthCredentials:
                            description: KubernetesAuthCredentials represents the
                              credentials for Kubernetes authentication.
                            properties:
                              identityId:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              serviceAccountTokenPath:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - identityId
                            type: object
                          ldapAuthCredentials:
                            description: LdapAuthCredentials represents the credentials
                              for LDAP authentication.
                            properties:
                              identityId:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              ldapPassword:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              ldapUsername:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - identityId
                            - ldapPassword
                            - ldapUsername
                            type: object
                          ociAuthCredentials:
                            description: OciAuthCredentials represents the credentials
                              for OCI authentication.
                            properties:
                              fingerprint:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              identityId:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              privateKey:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              privateKeyPassphrase:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              region:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              tenancyId:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              userId:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - fingerprint
                            - identityId
                            - privateKey
                            - region
                            - tenancyId
                            - userId
                            type: object
                          tokenAuthCredentials:
                            description: TokenAuthCredentials represents the credentials
                              for access token-based authentication.
                            properties:
                              accessToken:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - accessToken
                            type: object
                          universalAuthCredentials:
                            description: UniversalAuthCredentials represents the client
                              credentials for universal authentication.
                            properties:
                              clientId:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              clientSecret:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - clientId
                            - clientSecret
                            type: object
                        type: object
                      caBundle:
                        description: |-
                          CABundle is a PEM-encoded CA certificate bundle used to validate
                          the Infisical server's TLS certificate. Mutually exclusive with CAProvider.
                        format: byte
                        type: string
                      caProvider:
                        description: |-
                          CAProvider is a reference to a Secret or ConfigMap that contains a CA certificate.
                          The certificate is used to validate the Infisical server's TLS certificate.
                          Mutually exclusive with CABundle.
                        properties:
                          key:
                            description: The key where the CA certificate can be found
                              in the Secret or ConfigMap.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[-._a-zA-Z0-9]+$
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              The namespace the Provider type is in.
                              Can only be defined when used in a ClusterSecretStore.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      hostAPI:
                        default: https://app.infisical.com/api
                        description: HostAPI specifies the base URL of the Infisical
                          API. If not provided, it defaults to "https://app.infisical.com/api".
                        type: string
                      secretsScope:
                        description: SecretsScope defines the scope of the secrets
                          within the workspace
                        properties:
                          environmentSlug:
                            description: EnvironmentSlug is the required slug identifier
                              for the environment.
                            type: string
                          expandSecretReferences:
                            default: true
                            description: ExpandSecretReferences indicates whether
                              secret references should be expanded. Defaults to true
                              if not provided.
                            type: boolean
                          projectSlug:
                            description: ProjectSlug is the required slug identifier
                              for the project.
                            type: string
                          recursive:
                            default: false
                            description: Recursive indicates whether the secrets should
                              be fetched recursively. Defaults to false if not provided.
                            type: boolean
                          secretsPath:
                            default: /
                            description: SecretsPath specifies the path to the secrets
                              within the workspace. Defaults to "/" if not provided.
                            type: string
                        required:
                        - environmentSlug
                        - projectSlug
                        type: object
                    required:
                    - auth
                    - secretsScope
                    type: object
                  keepersecurity:
                    description: KeeperSecurity configures this store to sync secrets
                      using the KeeperSecurity provider
                    properties:
                      authRef:
                        description: |-
                          SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                          In some instances, `key` is a required field.
                        properties:
                          key:
                            description: |-
                              A key in the referenced Secret.
                              Some instances of this field may be defaulted, in others it may be required.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[-._a-zA-Z0-9]+$
                            type: string
                          name:
                            description: The name of the Secret resource being referred
                              to.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              The namespace of the Secret resource being referred to.
                              Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                        type: object
                      folderID:
                        type: string
                    required:
                    - authRef
                    - folderID
                    type: object
                  kubernetes:
                    description: Kubernetes configures this store to sync secrets
                      using a Kubernetes cluster provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with a Kubernetes instance.
                        maxProperties: 1
                        minProperties: 1
                        properties:
                          cert:
                            description: has both clientCert and clientKey as secretKeySelector
                            properties:
                              clientCert:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              clientKey:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            type: object
                          serviceAccount:
                            description: points to a service account that should be
                              used for authentication
                            properties:
                              audiences:
                                description: |-
                                  Audience specifies the `aud` claim for the service account token
                                  If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                  then this audiences will be appended to the list
                                items:
                                  type: string
                                type: array
                              name:
                                description: The name of the ServiceAccount resource
                                  being referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            required:
                            - name
                            type: object
                          token:
                            description: use static token to authenticate with
                            properties:
                              bearerToken:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            type: object
                        type: object
                      authRef:
                        description: A reference to a secret that contains the auth
                          information.
                        properties:
                          key:
                            description: |-
                              A key in the referenced Secret.
                              Some instances of this field may be defaulted, in others it may be required.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[-._a-zA-Z0-9]+$
                            type: string
                          name:
                            description: The name of the Secret resource being referred
                              to.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              The namespace of the Secret resource being referred to.
                              Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                        type: object
                      remoteNamespace:
                        default: default
                        description: Remote namespace to fetch the secrets from
                        maxLength: 63
                        minLength: 1
                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                        type: string
                      server:
                        description: configures the Kubernetes server Address.
                        properties:
                          caBundle:
                            description: CABundle is a base64-encoded CA certificate
                            format: byte
                            type: string
                          caProvider:
                            description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
                            properties:
                              key:
                                description: The key where the CA certificate can
                                  be found in the Secret or ConfigMap.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the object located at the
                                  provider type.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace the Provider type is in.
                                  Can only be defined when used in a ClusterSecretStore.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                              type:
                                description: The type of provider to use such as "Secret",
                                  or "ConfigMap".
                                enum:
                                - Secret
                                - ConfigMap
                                type: string
                            required:
                            - name
                            - type
                            type: object
                          url:
                            default: kubernetes.default
                            description: configures the Kubernetes server Address.
                            type: string
                        type: object
                    type: object
                  nebiusmysterybox:
                    description: NebiusMysterybox configures this store to sync secrets
                      using NebiusMysterybox provider
                    properties:
                      apiDomain:
                        description: NebiusMysterybox API endpoint
                        type: string
                      auth:
                        description: Auth defines parameters to authenticate in MysteryBox
                        properties:
                          serviceAccountCredsSecretRef:
                            description: |-
                              ServiceAccountCreds references a Kubernetes Secret key that contains a JSON
                              document with service account credentials used to get an IAM token.

                              Expected JSON structure:
                              {
                                "subject-credentials": {
                                  "alg": "RS256",
                                  "private-key": "-----BEGIN PRIVATE KEY-----\n<private-key>\n-----END PRIVATE KEY-----\n",
                                  "kid": "<public-key-id>",
                                  "iss": "<issuer-service-account-id>",
                                  "sub": "<subject-service-account-id>"
                                }
                              }
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          tokenSecretRef:
                            description: Token authenticates with Nebius Mysterybox
                              by presenting a token.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        type: object
                        x-kubernetes-validations:
                        - message: either serviceAccountCredsSecretRef or tokenSecretRef
                            must be set
                          rule: has(self.serviceAccountCredsSecretRef) || has(self.tokenSecretRef)
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          NebiusMysterybox server certificate.
                        properties:
                          certSecretRef:
                            description: |-
                              SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                              In some instances, `key` is a required field.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        type: object
                    required:
                    - apiDomain
                    - auth
                    type: object
                  ngrok:
                    description: Ngrok configures this store to sync secrets using
                      the ngrok provider.
                    properties:
                      apiUrl:
                        default: https://api.ngrok.com
                        description: APIURL is the URL of the ngrok API.
                        type: string
                      auth:
                        description: Auth configures how the ngrok provider authenticates
                          with the ngrok API.
                        maxProperties: 1
                        minProperties: 1
                        properties:
                          apiKey:
                            description: APIKey is the API Key used to authenticate
                              with ngrok. See https://ngrok.com/docs/api/#authentication
                            properties:
                              secretRef:
                                description: SecretRef is a reference to a secret
                                  containing the ngrok API key.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            type: object
                        type: object
                      vault:
                        description: Vault configures the ngrok vault to sync secrets
                          with.
                        properties:
                          name:
                            description: Name is the name of the ngrok vault to sync
                              secrets with.
                            type: string
                        required:
                        - name
                        type: object
                    required:
                    - auth
                    - vault
                    type: object
                  onboardbase:
                    description: Onboardbase configures this store to sync secrets
                      using the Onboardbase provider
                    properties:
                      apiHost:
                        default: https://public.onboardbase.com/api/v1/
                        description: APIHost use this to configure the host url for
                          the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
                        type: string
                      auth:
                        description: Auth configures how the Operator authenticates
                          with the Onboardbase API
                        properties:
                          apiKeyRef:
                            description: |-
                              OnboardbaseAPIKey is the APIKey generated by an admin account.
                              It is used to recognize and authorize access to a project and environment within onboardbase
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          passcodeRef:
                            description: OnboardbasePasscode is the passcode attached
                              to the API Key
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        required:
                        - apiKeyRef
                        - passcodeRef
                        type: object
                      environment:
                        default: development
                        description: Environment is the name of an environmnent within
                          a project to pull the secrets from
                        type: string
                      project:
                        default: development
                        description: Project is an onboardbase project that the secrets
                          should be pulled from
                        type: string
                    required:
                    - apiHost
                    - auth
                    - environment
                    - project
                    type: object
                  onepassword:
                    description: OnePassword configures this store to sync secrets
                      using the 1Password Cloud provider
                    properties:
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against OnePassword Connect Server
                        properties:
                          secretRef:
                            description: OnePasswordAuthSecretRef holds secret references
                              for 1Password credentials.
                            properties:
                              connectTokenSecretRef:
                                description: The ConnectToken is used for authentication
                                  to a 1Password Connect Server.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - connectTokenSecretRef
                            type: object
                        required:
                        - secretRef
                        type: object
                      connectHost:
                        description: ConnectHost defines the OnePassword Connect Server
                          to connect to
                        type: string
                      vaults:
                        additionalProperties:
                          type: integer
                        description: Vaults defines which OnePassword vaults to search
                          in which order
                        type: object
                    required:
                    - auth
                    - connectHost
                    - vaults
                    type: object
                  onepasswordSDK:
                    description: OnePasswordSDK configures this store to use 1Password's
                      new Go SDK to sync secrets.
                    properties:
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against OnePassword API.
                        properties:
                          serviceAccountSecretRef:
                            description: ServiceAccountSecretRef points to the secret
                              containing the token to access 1Password vault.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        required:
                        - serviceAccountSecretRef
                        type: object
                      cache:
                        description: |-
                          Cache configures client-side caching for read operations (GetSecret, GetSecretMap).
                          When enabled, secrets are cached with the specified TTL.
                          Write operations (PushSecret, DeleteSecret) automatically invalidate relevant cache entries.
                          If omitted, caching is disabled (default).
                          cache: {} is a valid option to set.
                        properties:
                          maxSize:
                            default: 100
                            description: |-
                              MaxSize is the maximum number of secrets to cache.
                              When the cache is full, least-recently-used entries are evicted.
                            minimum: 1
                            type: integer
                          ttl:
                            default: 5m
                            description: |-
                              TTL is the time-to-live for cached secrets.
                              Format: duration string (e.g., "5m", "1h", "30s")
                            type: string
                        type: object
                      integrationInfo:
                        description: |-
                          IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK.
                          If you don't know which name and version to use, use `DefaultIntegrationName` and `DefaultIntegrationVersion`, respectively.
                        properties:
                          name:
                            default: 1Password SDK
                            description: Name defaults to "1Password SDK".
                            type: string
                          version:
                            default: v1.0.0
                            description: Version defaults to "v1.0.0".
                            type: string
                        type: object
                      vault:
                        description: Vault defines the vault's name or uuid to access.
                          Do NOT add op:// prefix. This will be done automatically.
                        type: string
                    required:
                    - auth
                    - vault
                    type: object
                  oracle:
                    description: Oracle configures this store to sync secrets using
                      Oracle Vault provider
                    properties:
                      auth:
                        description: |-
                          Auth configures how secret-manager authenticates with the Oracle Vault.
                          If empty, use the instance principal, otherwise the user credentials specified in Auth.
                        properties:
                          secretRef:
                            description: SecretRef to pass through sensitive information.
                            properties:
                              fingerprint:
                                description: Fingerprint is the fingerprint of the
                                  API private key.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              privatekey:
                                description: PrivateKey is the user's API Signing
                                  Key in PEM format, used for authentication.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - fingerprint
                            - privatekey
                            type: object
                          tenancy:
                            description: Tenancy is the tenancy OCID where user is
                              located.
                            type: string
                          user:
                            description: User is an access OCID specific to the account.
                            type: string
                        required:
                        - secretRef
                        - tenancy
                        - user
                        type: object
                      compartment:
                        description: |-
                          Compartment is the vault compartment OCID.
                          Required for PushSecret
                        type: string
                      encryptionKey:
                        description: |-
                          EncryptionKey is the OCID of the encryption key within the vault.
                          Required for PushSecret
                        type: string
                      principalType:
                        description: |-
                          The type of principal to use for authentication. If left blank, the Auth struct will
                          determine the principal type. This optional field must be specified if using
                          workload identity.
                        enum:
                        - ""
                        - UserPrincipal
                        - InstancePrincipal
                        - Workload
                        type: string
                      region:
                        description: Region is the region where vault is located.
                        type: string
                      serviceAccountRef:
                        description: |-
                          ServiceAccountRef specified the service account
                          that should be used when authenticating with WorkloadIdentity.
                        properties:
                          audiences:
                            description: |-
                              Audience specifies the `aud` claim for the service account token
                              If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                              then this audiences will be appended to the list
                            items:
                              type: string
                            type: array
                          name:
                            description: The name of the ServiceAccount resource being
                              referred to.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              Namespace of the resource being referred to.
                              Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                        required:
                        - name
                        type: object
                      vault:
                        description: Vault is the vault's OCID of the specific vault
                          where secret is located.
                        type: string
                    required:
                    - region
                    - vault
                    type: object
                  ovh:
                    description: OVHcloud configures this store to sync secrets using
                      the OVHcloud provider.
                    properties:
                      auth:
                        description: Authentication method (mtls or token).
                        properties:
                          mtls:
                            description: OvhClientMTLS defines the configuration required
                              to authenticate to OVHcloud's Secret Manager using mTLS.
                            properties:
                              caBundle:
                                format: byte
                                type: string
                              caProvider:
                                description: |-
                                  CAProvider provides a custom certificate authority for accessing the provider's store.
                                  The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
                                properties:
                                  key:
                                    description: The key where the CA certificate
                                      can be found in the Secret or ConfigMap.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the object located at
                                      the provider type.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace the Provider type is in.
                                      Can only be defined when used in a ClusterSecretStore.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                  type:
                                    description: The type of provider to use such
                                      as "Secret", or "ConfigMap".
                                    enum:
                                    - Secret
                                    - ConfigMap
                                    type: string
                                required:
                                - name
                                - type
                                type: object
                              certSecretRef:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              keySecretRef:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - certSecretRef
                            - keySecretRef
                            type: object
                          token:
                            description: OvhClientToken defines the configuration
                              required to authenticate to OVHcloud's Secret Manager
                              using a token.
                            properties:
                              tokenSecretRef:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - tokenSecretRef
                            type: object
                        type: object
                      casRequired:
                        description: 'Enables or disables check-and-set (CAS) (default:
                          false).'
                        type: boolean
                      okmsTimeout:
                        default: 30
                        description: 'Setup a timeout in seconds when requests to
                          the KMS are made (default: 30).'
                        format: int32
                        minimum: 1
                        type: integer
                      okmsid:
                        description: specifies the OKMS ID.
                        type: string
                      server:
                        description: specifies the OKMS server endpoint.
                        type: string
                    required:
                    - auth
                    - okmsid
                    - server
                    type: object
                  passbolt:
                    description: |-
                      PassboltProvider provides access to Passbolt secrets manager.
                      See: https://www.passbolt.com.
                    properties:
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against Passbolt Server
                        properties:
                          passwordSecretRef:
                            description: |-
                              SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                              In some instances, `key` is a required field.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          privateKeySecretRef:
                            description: |-
                              SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                              In some instances, `key` is a required field.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        required:
                        - passwordSecretRef
                        - privateKeySecretRef
                        type: object
                      host:
                        description: Host defines the Passbolt Server to connect to
                        type: string
                    required:
                    - auth
                    - host
                    type: object
                  passworddepot:
                    description: PasswordDepotProvider configures a store to sync
                      secrets with a Password Depot instance.
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with a Password Depot instance.
                        properties:
                          secretRef:
                            description: PasswordDepotSecretRef contains the secret
                              reference for Password Depot authentication.
                            properties:
                              credentials:
                                description: Username / Password is used for authentication.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            type: object
                        required:
                        - secretRef
                        type: object
                      database:
                        description: Database to use as source
                        type: string
                      host:
                        description: URL configures the Password Depot instance URL.
                        type: string
                    required:
                    - auth
                    - database
                    - host
                    type: object
                  previder:
                    description: Previder configures this store to sync secrets using
                      the Previder provider
                    properties:
                      auth:
                        description: PreviderAuth contains a secretRef for credentials.
                        properties:
                          secretRef:
                            description: PreviderAuthSecretRef holds secret references
                              for Previder Vault credentials.
                            properties:
                              accessToken:
                                description: The AccessToken is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - accessToken
                            type: object
                        type: object
                      baseUri:
                        type: string
                    required:
                    - auth
                    type: object
                  pulumi:
                    description: Pulumi configures this store to sync secrets using
                      the Pulumi provider
                    properties:
                      accessToken:
                        description: AccessToken is the access tokens to sign in to
                          the Pulumi Cloud Console.
                        properties:
                          secretRef:
                            description: SecretRef is a reference to a secret containing
                              the Pulumi API token.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        type: object
                      apiUrl:
                        default: https://api.pulumi.com/api/esc
                        description: APIURL is the URL of the Pulumi API.
                        type: string
                      environment:
                        description: |-
                          Environment are YAML documents composed of static key-value pairs, programmatic expressions,
                          dynamically retrieved values from supported providers including all major clouds,
                          and other Pulumi ESC environments.
                          To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
                        type: string
                      organization:
                        description: |-
                          Organization are a space to collaborate on shared projects and stacks.
                          To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
                        type: string
                      project:
                        description: Project is the name of the Pulumi ESC project
                          the environment belongs to.
                        type: string
                    required:
                    - accessToken
                    - environment
                    - organization
                    - project
                    type: object
                  scaleway:
                    description: Scaleway configures this store to sync secrets using
                      the Scaleway provider.
                    properties:
                      accessKey:
                        description: AccessKey is the non-secret part of the api key.
                        properties:
                          secretRef:
                            description: SecretRef references a key in a secret that
                              will be used as value.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          value:
                            description: Value can be specified directly to set a
                              value without using a secret.
                            type: string
                        type: object
                      apiUrl:
                        description: APIURL is the url of the api to use. Defaults
                          to https://api.scaleway.com
                        type: string
                      projectId:
                        description: 'ProjectID is the id of your project, which you
                          can find in the console: https://console.scaleway.com/project/settings'
                        type: string
                      region:
                        description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
                        type: string
                      secretKey:
                        description: SecretKey is the non-secret part of the api key.
                        properties:
                          secretRef:
                            description: SecretRef references a key in a secret that
                              will be used as value.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          value:
                            description: Value can be specified directly to set a
                              value without using a secret.
                            type: string
                        type: object
                    required:
                    - accessKey
                    - projectId
                    - region
                    - secretKey
                    type: object
                  secretserver:
                    description: |-
                      SecretServer configures this store to sync secrets using SecretServer provider
                      https://docs.delinea.com/online-help/secret-server/start.htm
                    properties:
                      caBundle:
                        description: |-
                          PEM/base64 encoded CA bundle used to validate Secret ServerURL. Only used
                          if the ServerURL URL is using HTTPS protocol. If not set the system root certificates
                          are used to validate the TLS connection.
                        format: byte
                        type: string
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Secret ServerURL certificate.
                        properties:
                          key:
                            description: The key where the CA certificate can be found
                              in the Secret or ConfigMap.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[-._a-zA-Z0-9]+$
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              The namespace the Provider type is in.
                              Can only be defined when used in a ClusterSecretStore.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      domain:
                        description: Domain is the secret server domain.
                        type: string
                      password:
                        description: Password is the secret server account password.
                        properties:
                          secretRef:
                            description: SecretRef references a key in a secret that
                              will be used as value.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          value:
                            description: Value can be specified directly to set a
                              value without using a secret.
                            type: string
                        type: object
                      serverURL:
                        description: |-
                          ServerURL
                          URL to your secret server installation
                        type: string
                      username:
                        description: Username is the secret server account username.
                        properties:
                          secretRef:
                            description: SecretRef references a key in a secret that
                              will be used as value.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          value:
                            description: Value can be specified directly to set a
                              value without using a secret.
                            type: string
                        type: object
                    required:
                    - password
                    - serverURL
                    - username
                    type: object
                  senhasegura:
                    description: Senhasegura configures this store to sync secrets
                      using senhasegura provider
                    properties:
                      auth:
                        description: Auth defines parameters to authenticate in senhasegura
                        properties:
                          clientId:
                            type: string
                          clientSecretSecretRef:
                            description: |-
                              SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                              In some instances, `key` is a required field.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        required:
                        - clientId
                        - clientSecretSecretRef
                        type: object
                      ignoreSslCertificate:
                        default: false
                        description: IgnoreSslCertificate defines if SSL certificate
                          must be ignored
                        type: boolean
                      module:
                        description: Module defines which senhasegura module should
                          be used to get secrets
                        type: string
                      url:
                        description: URL of senhasegura
                        type: string
                    required:
                    - auth
                    - module
                    - url
                    type: object
                  vault:
                    description: Vault configures this store to sync secrets using
                      the HashiCorp Vault provider.
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with the Vault server.
                        properties:
                          appRole:
                            description: |-
                              AppRole authenticates with Vault using the App Role auth mechanism,
                              with the role and secret stored in a Kubernetes Secret resource.
                            properties:
                              path:
                                default: approle
                                description: |-
                                  Path where the App Role authentication backend is mounted
                                  in Vault, e.g: "approle"
                                type: string
                              roleId:
                                description: |-
                                  RoleID configured in the App Role authentication backend when setting
                                  up the authentication backend in Vault.
                                type: string
                              roleRef:
                                description: |-
                                  Reference to a key in a Secret that contains the App Role ID used
                                  to authenticate with Vault.
                                  The `key` field must be specified and denotes which entry within the Secret
                                  resource is used as the app role id.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              secretRef:
                                description: |-
                                  Reference to a key in a Secret that contains the App Role secret used
                                  to authenticate with Vault.
                                  The `key` field must be specified and denotes which entry within the Secret
                                  resource is used as the app role secret.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - path
                            - secretRef
                            type: object
                          cert:
                            description: |-
                              Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
                              Cert authentication method
                            properties:
                              clientCert:
                                description: |-
                                  ClientCert is a certificate to authenticate using the Cert Vault
                                  authentication method
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              path:
                                default: cert
                                description: |-
                                  Path where the Certificate authentication backend is mounted
                                  in Vault, e.g: "cert"
                                type: string
                              secretRef:
                                description: |-
                                  SecretRef to a key in a Secret resource containing client private key to
                                  authenticate with Vault using the Cert authentication method
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              vaultRole:
                                description: VaultRole specifies the Vault role to
                                  use for TLS certificate authentication.
                                type: string
                            type: object
                          gcp:
                            description: |-
                              Gcp authenticates with Vault using Google Cloud Platform authentication method
                              GCP authentication method
                            properties:
                              location:
                                description: Location optionally defines a location/region
                                  for the secret
                                type: string
                              path:
                                default: gcp
                                description: 'Path where the GCP auth method is enabled
                                  in Vault, e.g: "gcp"'
                                type: string
                              projectID:
                                description: Project ID of the Google Cloud Platform
                                  project
                                type: string
                              role:
                                description: Vault Role. In Vault, a role describes
                                  an identity with a set of permissions, groups, or
                                  policies you want to attach to a user of the secrets
                                  engine.
                                type: string
                              secretRef:
                                description: Specify credentials in a Secret object
                                properties:
                                  secretAccessKeySecretRef:
                                    description: The SecretAccessKey is used for authentication
                                    properties:
                                      key:
                                        description: |-
                                          A key in the referenced Secret.
                                          Some instances of this field may be defaulted, in others it may be required.
                                        maxLength: 253
                                        minLength: 1
                                        pattern: ^[-._a-zA-Z0-9]+$
                                        type: string
                                      name:
                                        description: The name of the Secret resource
                                          being referred to.
                                        maxLength: 253
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                        type: string
                                      namespace:
                                        description: |-
                                          The namespace of the Secret resource being referred to.
                                          Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                        maxLength: 63
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                        type: string
                                    type: object
                                type: object
                              serviceAccountRef:
                                description: ServiceAccountRef to a service account
                                  for impersonation
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                required:
                                - name
                                type: object
                              workloadIdentity:
                                description: Specify a service account with Workload
                                  Identity
                                properties:
                                  clusterLocation:
                                    description: |-
                                      ClusterLocation is the location of the cluster
                                      If not specified, it fetches information from the metadata server
                                    type: string
                                  clusterName:
                                    description: |-
                                      ClusterName is the name of the cluster
                                      If not specified, it fetches information from the metadata server
                                    type: string
                                  clusterProjectID:
                                    description: |-
                                      ClusterProjectID is the project ID of the cluster
                                      If not specified, it fetches information from the metadata server
                                    type: string
                                  serviceAccountRef:
                                    description: ServiceAccountSelector is a reference
                                      to a ServiceAccount resource.
                                    properties:
                                      audiences:
                                        description: |-
                                          Audience specifies the `aud` claim for the service account token
                                          If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                          then this audiences will be appended to the list
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: The name of the ServiceAccount
                                          resource being referred to.
                                        maxLength: 253
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                        type: string
                                      namespace:
                                        description: |-
                                          Namespace of the resource being referred to.
                                          Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                        maxLength: 63
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                        type: string
                                    required:
                                    - name
                                    type: object
                                required:
                                - serviceAccountRef
                                type: object
                            required:
                            - role
                            type: object
                          iam:
                            description: |-
                              Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
                              AWS IAM authentication method
                            properties:
                              externalID:
                                description: AWS External ID set on assumed IAM roles
                                type: string
                              jwt:
                                description: Specify a service account with IRSA enabled
                                properties:
                                  serviceAccountRef:
                                    description: ServiceAccountSelector is a reference
                                      to a ServiceAccount resource.
                                    properties:
                                      audiences:
                                        description: |-
                                          Audience specifies the `aud` claim for the service account token
                                          If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                          then this audiences will be appended to the list
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: The name of the ServiceAccount
                                          resource being referred to.
                                        maxLength: 253
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                        type: string
                                      namespace:
                                        description: |-
                                          Namespace of the resource being referred to.
                                          Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                        maxLength: 63
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                        type: string
                                    required:
                                    - name
                                    type: object
                                type: object
                              path:
                                description: 'Path where the AWS auth method is enabled
                                  in Vault, e.g: "aws"'
                                type: string
                              region:
                                description: AWS region
                                type: string
                              role:
                                description: This is the AWS role to be assumed before
                                  talking to vault
                                type: string
                              secretRef:
                                description: Specify credentials in a Secret object
                                properties:
                                  accessKeyIDSecretRef:
                                    description: The AccessKeyID is used for authentication
                                    properties:
                                      key:
                                        description: |-
                                          A key in the referenced Secret.
                                          Some instances of this field may be defaulted, in others it may be required.
                                        maxLength: 253
                                        minLength: 1
                                        pattern: ^[-._a-zA-Z0-9]+$
                                        type: string
                                      name:
                                        description: The name of the Secret resource
                                          being referred to.
                                        maxLength: 253
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                        type: string
                                      namespace:
                                        description: |-
                                          The namespace of the Secret resource being referred to.
                                          Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                        maxLength: 63
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                        type: string
                                    type: object
                                  secretAccessKeySecretRef:
                                    description: The SecretAccessKey is used for authentication
                                    properties:
                                      key:
                                        description: |-
                                          A key in the referenced Secret.
                                          Some instances of this field may be defaulted, in others it may be required.
                                        maxLength: 253
                                        minLength: 1
                                        pattern: ^[-._a-zA-Z0-9]+$
                                        type: string
                                      name:
                                        description: The name of the Secret resource
                                          being referred to.
                                        maxLength: 253
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                        type: string
                                      namespace:
                                        description: |-
                                          The namespace of the Secret resource being referred to.
                                          Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                        maxLength: 63
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                        type: string
                                    type: object
                                  sessionTokenSecretRef:
                                    description: |-
                                      The SessionToken used for authentication
                                      This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
                                      see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
                                    properties:
                                      key:
                                        description: |-
                                          A key in the referenced Secret.
                                          Some instances of this field may be defaulted, in others it may be required.
                                        maxLength: 253
                                        minLength: 1
                                        pattern: ^[-._a-zA-Z0-9]+$
                                        type: string
                                      name:
                                        description: The name of the Secret resource
                                          being referred to.
                                        maxLength: 253
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                        type: string
                                      namespace:
                                        description: |-
                                          The namespace of the Secret resource being referred to.
                                          Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                        maxLength: 63
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                        type: string
                                    type: object
                                type: object
                              vaultAwsIamServerID:
                                description: 'X-Vault-AWS-IAM-Server-ID is an additional
                                  header used by Vault IAM auth method to mitigate
                                  against different types of replay attacks. More
                                  details here: https://developer.hashicorp.com/vault/docs/auth/aws'
                                type: string
                              vaultRole:
                                description: Vault Role. In vault, a role describes
                                  an identity with a set of permissions, groups, or
                                  policies you want to attach a user of the secrets
                                  engine
                                type: string
                            required:
                            - vaultRole
                            type: object
                          jwt:
                            description: |-
                              Jwt authenticates with Vault by passing role and JWT token using the
                              JWT/OIDC authentication method
                            properties:
                              kubernetesServiceAccountToken:
                                description: |-
                                  Optional ServiceAccountToken specifies the Kubernetes service account for which to request
                                  a token for with the `TokenRequest` API.
                                properties:
                                  audiences:
                                    description: |-
                                      Optional audiences field that will be used to request a temporary Kubernetes service
                                      account token for the service account referenced by `serviceAccountRef`.
                                      Defaults to a single audience `vault` it not specified.

                                      Deprecated: use serviceAccountRef.Audiences instead
                                    items:
                                      type: string
                                    type: array
                                  expirationSeconds:
                                    description: |-
                                      Optional expiration time in seconds that will be used to request a temporary
                                      Kubernetes service account token for the service account referenced by
                                      `serviceAccountRef`.

                                      Deprecated: this will be removed in the future.
                                      Defaults to 10 minutes.
                                    format: int64
                                    type: integer
                                  serviceAccountRef:
                                    description: Service account field containing
                                      the name of a kubernetes ServiceAccount.
                                    properties:
                                      audiences:
                                        description: |-
                                          Audience specifies the `aud` claim for the service account token
                                          If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                          then this audiences will be appended to the list
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: The name of the ServiceAccount
                                          resource being referred to.
                                        maxLength: 253
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                        type: string
                                      namespace:
                                        description: |-
                                          Namespace of the resource being referred to.
                                          Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                        maxLength: 63
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                        type: string
                                    required:
                                    - name
                                    type: object
                                required:
                                - serviceAccountRef
                                type: object
                              path:
                                default: jwt
                                description: |-
                                  Path where the JWT authentication backend is mounted
                                  in Vault, e.g: "jwt"
                                type: string
                              role:
                                description: |-
                                  Role is a JWT role to authenticate using the JWT/OIDC Vault
                                  authentication method
                                type: string
                              secretRef:
                                description: |-
                                  Optional SecretRef that refers to a key in a Secret resource containing JWT token to
                                  authenticate with Vault using the JWT/OIDC authentication method.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - path
                            type: object
                          kubernetes:
                            description: |-
                              Kubernetes authenticates with Vault by passing the ServiceAccount
                              token stored in the named Secret resource to the Vault server.
                            properties:
                              mountPath:
                                default: kubernetes
                                description: |-
                                  Path where the Kubernetes authentication backend is mounted in Vault, e.g:
                                  "kubernetes"
                                type: string
                              role:
                                description: |-
                                  A required field containing the Vault Role to assume. A Role binds a
                                  Kubernetes ServiceAccount with a set of Vault policies.
                                type: string
                              secretRef:
                                description: |-
                                  Optional secret field containing a Kubernetes ServiceAccount JWT used
                                  for authenticating with Vault. If a name is specified without a key,
                                  `token` is the default. If one is not specified, the one bound to
                                  the controller will be used.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              serviceAccountRef:
                                description: |-
                                  Optional service account field containing the name of a kubernetes ServiceAccount.
                                  If the service account is specified, the service account secret token JWT will be used
                                  for authenticating with Vault. If the service account selector is not supplied,
                                  the secretRef will be used instead.
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - mountPath
                            - role
                            type: object
                          ldap:
                            description: |-
                              Ldap authenticates with Vault by passing username/password pair using
                              the LDAP authentication method
                            properties:
                              path:
                                default: ldap
                                description: |-
                                  Path where the LDAP authentication backend is mounted
                                  in Vault, e.g: "ldap"
                                type: string
                              secretRef:
                                description: |-
                                  SecretRef to a key in a Secret resource containing password for the LDAP
                                  user used to authenticate with Vault using the LDAP authentication
                                  method
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              username:
                                description: |-
                                  Username is an LDAP username used to authenticate using the LDAP Vault
                                  authentication method
                                type: string
                            required:
                            - path
                            - username
                            type: object
                          namespace:
                            description: |-
                              Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
                              Namespaces is a set of features within Vault Enterprise that allows
                              Vault environments to support Secure Multi-tenancy. e.g: "ns1".
                              More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
                              This will default to Vault.Namespace field if set, or empty otherwise
                            type: string
                          tokenSecretRef:
                            description: TokenSecretRef authenticates with Vault by
                              presenting a token.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          userPass:
                            description: UserPass authenticates with Vault by passing
                              username/password pair
                            properties:
                              path:
                                default: userpass
                                description: |-
                                  Path where the UserPassword authentication backend is mounted
                                  in Vault, e.g: "userpass"
                                type: string
                              secretRef:
                                description: |-
                                  SecretRef to a key in a Secret resource containing password for the
                                  user used to authenticate with Vault using the UserPass authentication
                                  method
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              username:
                                description: |-
                                  Username is a username used to authenticate using the UserPass Vault
                                  authentication method
                                type: string
                            required:
                            - path
                            - username
                            type: object
                        type: object
                      caBundle:
                        description: |-
                          PEM encoded CA bundle used to validate Vault server certificate. Only used
                          if the Server URL is using HTTPS protocol. This parameter is ignored for
                          plain HTTP protocol connection. If not set the system root certificates
                          are used to validate the TLS connection.
                        format: byte
                        type: string
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Vault server certificate.
                        properties:
                          key:
                            description: The key where the CA certificate can be found
                              in the Secret or ConfigMap.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[-._a-zA-Z0-9]+$
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              The namespace the Provider type is in.
                              Can only be defined when used in a ClusterSecretStore.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      checkAndSet:
                        description: |-
                          CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
                          Only applies to Vault KV v2 stores. When enabled, write operations must include
                          the current version of the secret to prevent unintentional overwrites.
                        properties:
                          required:
                            description: |-
                              Required when true, all write operations must include a check-and-set parameter.
                              This helps prevent unintentional overwrites of secrets.
                            type: boolean
                        type: object
                      forwardInconsistent:
                        description: |-
                          ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
                          leader instead of simply retrying within a loop. This can increase performance if
                          the option is enabled serverside.
                          https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
                        type: boolean
                      headers:
                        additionalProperties:
                          type: string
                        description: Headers to be added in Vault request
                        type: object
                      namespace:
                        description: |-
                          Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
                          Vault environments to support Secure Multi-tenancy. e.g: "ns1".
                          More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
                        type: string
                      path:
                        description: |-
                          Path is the mount path of the Vault KV backend endpoint, e.g:
                          "secret". The v2 KV secret engine version specific "/data" path suffix
                          for fetching secrets from Vault is optional and will be appended
                          if not present in specified path.
                        type: string
                      readYourWrites:
                        description: |-
                          ReadYourWrites ensures isolated read-after-write semantics by
                          providing discovered cluster replication states in each request.
                          More information about eventual consistency in Vault can be found here
                          https://www.vaultproject.io/docs/enterprise/consistency
                        type: boolean
                      server:
                        description: 'Server is the connection address for the Vault
                          server, e.g: "https://vault.example.com:8200".'
                        type: string
                      tls:
                        description: |-
                          The configuration used for client side related TLS communication, when the Vault server
                          requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
                          This parameter is ignored for plain HTTP protocol connection.
                          It's worth noting this configuration is different from the "TLS certificates auth method",
                          which is available under the `auth.cert` section.
                        properties:
                          certSecretRef:
                            description: |-
                              CertSecretRef is a certificate added to the transport layer
                              when communicating with the Vault server.
                              If no key for the Secret is specified, external-secret will default to 'tls.crt'.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          keySecretRef:
                            description: |-
                              KeySecretRef to a key in a Secret resource containing client private key
                              added to the transport layer when communicating with the Vault server.
                              If no key for the Secret is specified, external-secret will default to 'tls.key'.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        type: object
                      version:
                        default: v2
                        description: |-
                          Version is the Vault KV secret engine version. This can be either "v1" or
                          "v2". Version defaults to "v2".
                        enum:
                        - v1
                        - v2
                        type: string
                    required:
                    - server
                    type: object
                  volcengine:
                    description: Volcengine configures this store to sync secrets
                      using the Volcengine provider
                    properties:
                      auth:
                        description: |-
                          Auth defines the authentication method to use.
                          If not specified, the provider will try to use IRSA (IAM Role for Service Account).
                        properties:
                          secretRef:
                            description: |-
                              SecretRef defines the static credentials to use for authentication.
                              If not set, IRSA is used.
                            properties:
                              accessKeyID:
                                description: AccessKeyID is the reference to the secret
                                  containing the Access Key ID.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              secretAccessKey:
                                description: SecretAccessKey is the reference to the
                                  secret containing the Secret Access Key.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              token:
                                description: Token is the reference to the secret
                                  containing the STS(Security Token Service) Token.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - accessKeyID
                            - secretAccessKey
                            type: object
                        type: object
                      region:
                        description: Region specifies the Volcengine region to connect
                          to.
                        type: string
                    required:
                    - region
                    type: object
                  webhook:
                    description: Webhook configures this store to sync secrets using
                      a generic templated webhook
                    properties:
                      auth:
                        description: Auth specifies a authorization protocol. Only
                          one protocol may be set.
                        maxProperties: 1
                        minProperties: 1
                        properties:
                          ntlm:
                            description: NTLMProtocol configures the store to use
                              NTLM for auth
                            properties:
                              passwordSecret:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              usernameSecret:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - passwordSecret
                            - usernameSecret
                            type: object
                        type: object
                      body:
                        description: Body
                        type: string
                      caBundle:
                        description: |-
                          PEM encoded CA bundle used to validate webhook server certificate. Only used
                          if the Server URL is using HTTPS protocol. This parameter is ignored for
                          plain HTTP protocol connection. If not set the system root certificates
                          are used to validate the TLS connection.
                        format: byte
                        type: string
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          webhook server certificate.
                        properties:
                          key:
                            description: The key where the CA certificate can be found
                              in the Secret or ConfigMap.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[-._a-zA-Z0-9]+$
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: The namespace the Provider type is in.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      headers:
                        additionalProperties:
                          type: string
                        description: Headers
                        type: object
                      method:
                        description: Webhook Method
                        type: string
                      result:
                        description: Result formatting
                        properties:
                          jsonPath:
                            description: Json path of return value
                            type: string
                        type: object
                      secrets:
                        description: |-
                          Secrets to fill in templates
                          These secrets will be passed to the templating function as key value pairs under the given name
                        items:
                          description: WebhookSecret defines a secret that will be
                            passed to the webhook request.
                          properties:
                            name:
                              description: Name of this secret in templates
                              type: string
                            secretRef:
                              description: Secret ref to fill in credentials
                              properties:
                                key:
                                  description: |-
                                    A key in the referenced Secret.
                                    Some instances of this field may be defaulted, in others it may be required.
                                  maxLength: 253
                                  minLength: 1
                                  pattern: ^[-._a-zA-Z0-9]+$
                                  type: string
                                name:
                                  description: The name of the Secret resource being
                                    referred to.
                                  maxLength: 253
                                  minLength: 1
                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                  type: string
                                namespace:
                                  description: |-
                                    The namespace of the Secret resource being referred to.
                                    Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                  maxLength: 63
                                  minLength: 1
                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                  type: string
                              type: object
                          required:
                          - name
                          - secretRef
                          type: object
                        type: array
                      timeout:
                        description: Timeout
                        type: string
                      url:
                        description: Webhook url to call
                        type: string
                    required:
                    - url
                    type: object
                  yandexcertificatemanager:
                    description: YandexCertificateManager configures this store to
                      sync secrets using Yandex Certificate Manager provider
                    properties:
                      apiEndpoint:
                        description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
                        type: string
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against Yandex.Cloud
                        properties:
                          authorizedKeySecretRef:
                            description: The authorized key used for authentication
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        type: object
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Yandex.Cloud server certificate.
                        properties:
                          certSecretRef:
                            description: |-
                              SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                              In some instances, `key` is a required field.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        type: object
                      fetching:
                        description: FetchingPolicy configures the provider to interpret
                          the `data.secretKey.remoteRef.key` field in ExternalSecret
                          as certificate ID or certificate name
                        maxProperties: 1
                        minProperties: 1
                        properties:
                          byID:
                            description: ByID configures the provider to interpret
                              the `data.secretKey.remoteRef.key` field in ExternalSecret
                              as secret ID.
                            type: object
                          byName:
                            description: ByName configures the provider to interpret
                              the `data.secretKey.remoteRef.key` field in ExternalSecret
                              as secret name.
                            properties:
                              folderID:
                                description: The folder to fetch secrets from
                                type: string
                            required:
                            - folderID
                            type: object
                        type: object
                    required:
                    - auth
                    type: object
                  yandexlockbox:
                    description: YandexLockbox configures this store to sync secrets
                      using Yandex Lockbox provider
                    properties:
                      apiEndpoint:
                        description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
                        type: string
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against Yandex.Cloud
                        properties:
                          authorizedKeySecretRef:
                            description: The authorized key used for authentication
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        type: object
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Yandex.Cloud server certificate.
                        properties:
                          certSecretRef:
                            description: |-
                              SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                              In some instances, `key` is a required field.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        type: object
                      fetching:
                        description: FetchingPolicy configures the provider to interpret
                          the `data.secretKey.remoteRef.key` field in ExternalSecret
                          as secret ID or secret name
                        maxProperties: 1
                        minProperties: 1
                        properties:
                          byID:
                            description: ByID configures the provider to interpret
                              the `data.secretKey.remoteRef.key` field in ExternalSecret
                              as secret ID.
                            type: object
                          byName:
                            description: ByName configures the provider to interpret
                              the `data.secretKey.remoteRef.key` field in ExternalSecret
                              as secret name.
                            properties:
                              folderID:
                                description: The folder to fetch secrets from
                                type: string
                            required:
                            - folderID
                            type: object
                        type: object
                    required:
                    - auth
                    type: object
                type: object
              refreshInterval:
                description: Used to configure store refresh interval in seconds.
                  Empty or 0 will default to the controller config.
                type: integer
              retrySettings:
                description: Used to configure HTTP retries on failures.
                properties:
                  maxRetries:
                    format: int32
                    type: integer
                  retryInterval:
                    type: string
                type: object
            required:
            - provider
            type: object
          status:
            description: SecretStoreStatus defines the observed state of the SecretStore.
            properties:
              capabilities:
                description: SecretStoreCapabilities defines the possible operations
                  a SecretStore can do.
                type: string
              conditions:
                items:
                  description: SecretStoreStatusCondition contains condition information
                    for a SecretStore.
                  properties:
                    lastTransitionTime:
                      format: date-time
                      type: string
                    message:
                      type: string
                    reason:
                      type: string
                    status:
                      type: string
                    type:
                      description: SecretStoreConditionType represents the condition
                        of the SecretStore.
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: AGE
      type: date
    - jsonPath: .status.conditions[?(@.type=="Ready")].reason
      name: Status
      type: string
    - jsonPath: .status.capabilities
      name: Capabilities
      type: string
    - jsonPath: .status.conditions[?(@.type=="Ready")].status
      name: Ready
      type: string
    deprecated: true
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: ClusterSecretStore represents a secure external location for
          storing secrets, which can be referenced as part of `storeRef` fields.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: SecretStoreSpec defines the desired state of SecretStore.
            properties:
              conditions:
                description: Used to constrain a ClusterSecretStore to specific namespaces.
                  Relevant only to ClusterSecretStore.
                items:
                  description: |-
                    ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
                    for a ClusterSecretStore instance.
                  properties:
                    namespaceRegexes:
                      description: Choose namespaces by using regex matching
                      items:
                        type: string
                      type: array
                    namespaceSelector:
                      description: Choose namespace using a labelSelector
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: |-
                              A label selector requirement is a selector that contains values, a key, and an operator that
                              relates the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              operator:
                                description: |-
                                  operator represents a key's relationship to a set of values.
                                  Valid operators are In, NotIn, Exists and DoesNotExist.
                                type: string
                              values:
                                description: |-
                                  values is an array of string values. If the operator is In or NotIn,
                                  the values array must be non-empty. If the operator is Exists or DoesNotExist,
                                  the values array must be empty. This array is replaced during a strategic
                                  merge patch.
                                items:
                                  type: string
                                type: array
                                x-kubernetes-list-type: atomic
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                          x-kubernetes-list-type: atomic
                        matchLabels:
                          additionalProperties:
                            type: string
                          description: |-
                            matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                            map is equivalent to an element of matchExpressions, whose key field is "key", the
                            operator is "In", and the values array contains only "value". The requirements are ANDed.
                          type: object
                      type: object
                      x-kubernetes-map-type: atomic
                    namespaces:
                      description: Choose namespaces by name
                      items:
                        maxLength: 63
                        minLength: 1
                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                        type: string
                      type: array
                  type: object
                type: array
              controller:
                description: |-
                  Used to select the correct ESO controller (think: ingress.ingressClassName)
                  The ESO controller is instantiated with a specific controller name and filters ES based on this property
                type: string
              provider:
                description: Used to configure the provider. Only one provider may
                  be set
                maxProperties: 1
                minProperties: 1
                properties:
                  akeyless:
                    description: Akeyless configures this store to sync secrets using
                      Akeyless Vault provider
                    properties:
                      akeylessGWApiURL:
                        description: Akeyless GW API Url from which the secrets to
                          be fetched from.
                        type: string
                      authSecretRef:
                        description: Auth configures how the operator authenticates
                          with Akeyless.
                        properties:
                          kubernetesAuth:
                            description: |-
                              Kubernetes authenticates with Akeyless by passing the ServiceAccount
                              token stored in the named Secret resource.
                            properties:
                              accessID:
                                description: the Akeyless Kubernetes auth-method access-id
                                type: string
                              k8sConfName:
                                description: Kubernetes-auth configuration name in
                                  Akeyless-Gateway
                                type: string
                              secretRef:
                                description: |-
                                  Optional secret field containing a Kubernetes ServiceAccount JWT used
                                  for authenticating with Akeyless. If a name is specified without a key,
                                  `token` is the default. If one is not specified, the one bound to
                                  the controller will be used.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              serviceAccountRef:
                                description: |-
                                  Optional service account field containing the name of a kubernetes ServiceAccount.
                                  If the service account is specified, the service account secret token JWT will be used
                                  for authenticating with Akeyless. If the service account selector is not supplied,
                                  the secretRef will be used instead.
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - accessID
                            - k8sConfName
                            type: object
                          secretRef:
                            description: |-
                              Reference to a Secret that contains the details
                              to authenticate with Akeyless.
                            properties:
                              accessID:
                                description: The SecretAccessID is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              accessType:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              accessTypeParam:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            type: object
                        type: object
                      caBundle:
                        description: |-
                          PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
                          if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
                          are used to validate the TLS connection.
                        format: byte
                        type: string
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Akeyless Gateway certificate.
                        properties:
                          key:
                            description: The key where the CA certificate can be found
                              in the Secret or ConfigMap.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[-._a-zA-Z0-9]+$
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              The namespace the Provider type is in.
                              Can only be defined when used in a ClusterSecretStore.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                    required:
                    - akeylessGWApiURL
                    - authSecretRef
                    type: object
                  alibaba:
                    description: Alibaba configures this store to sync secrets using
                      Alibaba Cloud provider
                    properties:
                      auth:
                        description: AlibabaAuth contains a secretRef for credentials.
                        properties:
                          rrsa:
                            description: AlibabaRRSAAuth authenticates against Alibaba
                              using RRSA (Resource-oriented RAM-based Service Authentication).
                            properties:
                              oidcProviderArn:
                                type: string
                              oidcTokenFilePath:
                                type: string
                              roleArn:
                                type: string
                              sessionName:
                                type: string
                            required:
                            - oidcProviderArn
                            - oidcTokenFilePath
                            - roleArn
                            - sessionName
                            type: object
                          secretRef:
                            description: AlibabaAuthSecretRef holds secret references
                              for Alibaba credentials.
                            properties:
                              accessKeyIDSecretRef:
                                description: The AccessKeyID is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              accessKeySecretSecretRef:
                                description: The AccessKeySecret is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - accessKeyIDSecretRef
                            - accessKeySecretSecretRef
                            type: object
                        type: object
                      regionID:
                        description: Alibaba Region to be used for the provider
                        type: string
                    required:
                    - auth
                    - regionID
                    type: object
                  aws:
                    description: AWS configures this store to sync secrets using AWS
                      Secret Manager provider
                    properties:
                      additionalRoles:
                        description: AdditionalRoles is a chained list of Role ARNs
                          which the provider will sequentially assume before assuming
                          the Role
                        items:
                          type: string
                        type: array
                      auth:
                        description: |-
                          Auth defines the information necessary to authenticate against AWS
                          if not set aws sdk will infer credentials from your environment
                          see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
                        properties:
                          jwt:
                            description: AWSJWTAuth authenticates against AWS using
                              service account tokens from the Kubernetes cluster.
                            properties:
                              serviceAccountRef:
                                description: ServiceAccountSelector is a reference
                                  to a ServiceAccount resource.
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                required:
                                - name
                                type: object
                            type: object
                          secretRef:
                            description: |-
                              AWSAuthSecretRef holds secret references for AWS credentials
                              both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
                            properties:
                              accessKeyIDSecretRef:
                                description: The AccessKeyID is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              secretAccessKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              sessionTokenSecretRef:
                                description: |-
                                  The SessionToken used for authentication
                                  This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
                                  see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            type: object
                        type: object
                      externalID:
                        description: AWS External ID set on assumed IAM roles
                        type: string
                      prefix:
                        description: Prefix adds a prefix to all retrieved values.
                        type: string
                      region:
                        description: AWS Region to be used for the provider
                        type: string
                      role:
                        description: Role is a Role ARN which the provider will assume
                        type: string
                      secretsManager:
                        description: SecretsManager defines how the provider behaves
                          when interacting with AWS SecretsManager
                        properties:
                          forceDeleteWithoutRecovery:
                            description: |-
                              Specifies whether to delete the secret without any recovery window. You
                              can't use both this parameter and RecoveryWindowInDays in the same call.
                              If you don't use either, then by default Secrets Manager uses a 30 day
                              recovery window.
                              see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
                            type: boolean
                          recoveryWindowInDays:
                            description: |-
                              The number of days from 7 to 30 that Secrets Manager waits before
                              permanently deleting the secret. You can't use both this parameter and
                              ForceDeleteWithoutRecovery in the same call. If you don't use either,
                              then by default Secrets Manager uses a 30 day recovery window.
                              see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
                            format: int64
                            type: integer
                        type: object
                      service:
                        description: Service defines which service should be used
                          to fetch the secrets
                        enum:
                        - SecretsManager
                        - ParameterStore
                        type: string
                      sessionTags:
                        description: AWS STS assume role session tags
                        items:
                          description: Tag defines a tag key and value for AWS resources.
                          properties:
                            key:
                              type: string
                            value:
                              type: string
                          required:
                          - key
                          - value
                          type: object
                        type: array
                      transitiveTagKeys:
                        description: AWS STS assume role transitive session tags.
                          Required when multiple rules are used with the provider
                        items:
                          type: string
                        type: array
                    required:
                    - region
                    - service
                    type: object
                  azurekv:
                    description: AzureKV configures this store to sync secrets using
                      Azure Key Vault provider
                    properties:
                      authSecretRef:
                        description: Auth configures how the operator authenticates
                          with Azure. Required for ServicePrincipal auth type. Optional
                          for WorkloadIdentity.
                        properties:
                          clientCertificate:
                            description: The Azure ClientCertificate of the service
                              principle used for authentication.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          clientId:
                            description: The Azure clientId of the service principle
                              or managed identity used for authentication.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          clientSecret:
                            description: The Azure ClientSecret of the service principle
                              used for authentication.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          tenantId:
                            description: The Azure tenantId of the managed identity
                              used for authentication.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        type: object
                      authType:
                        default: ServicePrincipal
                        description: |-
                          Auth type defines how to authenticate to the keyvault service.
                          Valid values are:
                          - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
                          - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
                        enum:
                        - ServicePrincipal
                        - ManagedIdentity
                        - WorkloadIdentity
                        type: string
                      environmentType:
                        default: PublicCloud
                        description: |-
                          EnvironmentType specifies the Azure cloud environment endpoints to use for
                          connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
                          The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
                          PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
                        enum:
                        - PublicCloud
                        - USGovernmentCloud
                        - ChinaCloud
                        - GermanCloud
                        type: string
                      identityId:
                        description: If multiple Managed Identity is assigned to the
                          pod, you can select the one to be used
                        type: string
                      serviceAccountRef:
                        description: |-
                          ServiceAccountRef specified the service account
                          that should be used when authenticating with WorkloadIdentity.
                        properties:
                          audiences:
                            description: |-
                              Audience specifies the `aud` claim for the service account token
                              If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                              then this audiences will be appended to the list
                            items:
                              type: string
                            type: array
                          name:
                            description: The name of the ServiceAccount resource being
                              referred to.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              Namespace of the resource being referred to.
                              Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                        required:
                        - name
                        type: object
                      tenantId:
                        description: TenantID configures the Azure Tenant to send
                          requests to. Required for ServicePrincipal auth type. Optional
                          for WorkloadIdentity.
                        type: string
                      vaultUrl:
                        description: Vault Url from which the secrets to be fetched
                          from.
                        type: string
                    required:
                    - vaultUrl
                    type: object
                  beyondtrust:
                    description: Beyondtrust configures this store to sync secrets
                      using Password Safe provider.
                    properties:
                      auth:
                        description: Auth configures how the operator authenticates
                          with Beyondtrust.
                        properties:
                          apiKey:
                            description: APIKey If not provided then ClientID/ClientSecret
                              become required.
                            properties:
                              secretRef:
                                description: SecretRef references a key in a secret
                                  that will be used as value.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              value:
                                description: Value can be specified directly to set
                                  a value without using a secret.
                                type: string
                            type: object
                          certificate:
                            description: Certificate (cert.pem) for use when authenticating
                              with an OAuth client Id using a Client Certificate.
                            properties:
                              secretRef:
                                description: SecretRef references a key in a secret
                                  that will be used as value.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              value:
                                description: Value can be specified directly to set
                                  a value without using a secret.
                                type: string
                            type: object
                          certificateKey:
                            description: Certificate private key (key.pem). For use
                              when authenticating with an OAuth client Id
                            properties:
                              secretRef:
                                description: SecretRef references a key in a secret
                                  that will be used as value.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              value:
                                description: Value can be specified directly to set
                                  a value without using a secret.
                                type: string
                            type: object
                          clientId:
                            description: ClientID is the API OAuth Client ID.
                            properties:
                              secretRef:
                                description: SecretRef references a key in a secret
                                  that will be used as value.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              value:
                                description: Value can be specified directly to set
                                  a value without using a secret.
                                type: string
                            type: object
                          clientSecret:
                            description: ClientSecret is the API OAuth Client Secret.
                            properties:
                              secretRef:
                                description: SecretRef references a key in a secret
                                  that will be used as value.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              value:
                                description: Value can be specified directly to set
                                  a value without using a secret.
                                type: string
                            type: object
                        type: object
                      server:
                        description: Auth configures how API server works.
                        properties:
                          apiUrl:
                            type: string
                          apiVersion:
                            type: string
                          clientTimeOutSeconds:
                            description: Timeout specifies a time limit for requests
                              made by this Client. The timeout includes connection
                              time, any redirects, and reading the response body.
                              Defaults to 45 seconds.
                            type: integer
                          decrypt:
                            default: true
                            description: 'When true, the response includes the decrypted
                              password. When false, the password field is omitted.
                              This option only applies to the SECRET retrieval type.
                              Default: true.'
                            type: boolean
                          retrievalType:
                            description: The secret retrieval type. SECRET = Secrets
                              Safe (credential, text, file). MANAGED_ACCOUNT = Password
                              Safe account associated with a system.
                            type: string
                          separator:
                            description: A character that separates the folder names.
                            type: string
                          verifyCA:
                            type: boolean
                        required:
                        - apiUrl
                        - verifyCA
                        type: object
                    required:
                    - auth
                    - server
                    type: object
                  bitwardensecretsmanager:
                    description: BitwardenSecretsManager configures this store to
                      sync secrets using BitwardenSecretsManager provider
                    properties:
                      apiURL:
                        type: string
                      auth:
                        description: |-
                          Auth configures how secret-manager authenticates with a bitwarden machine account instance.
                          Make sure that the token being used has permissions on the given secret.
                        properties:
                          secretRef:
                            description: BitwardenSecretsManagerSecretRef contains
                              the credential ref to the bitwarden instance.
                            properties:
                              credentials:
                                description: AccessToken used for the bitwarden instance.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - credentials
                            type: object
                        required:
                        - secretRef
                        type: object
                      bitwardenServerSDKURL:
                        type: string
                      caBundle:
                        description: |-
                          Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
                          can be performed.
                        type: string
                      caProvider:
                        description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
                        properties:
                          key:
                            description: The key where the CA certificate can be found
                              in the Secret or ConfigMap.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[-._a-zA-Z0-9]+$
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              The namespace the Provider type is in.
                              Can only be defined when used in a ClusterSecretStore.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      identityURL:
                        type: string
                      organizationID:
                        description: OrganizationID determines which organization
                          this secret store manages.
                        type: string
                      projectID:
                        description: ProjectID determines which project this secret
                          store manages.
                        type: string
                    required:
                    - auth
                    - organizationID
                    - projectID
                    type: object
                  chef:
                    description: Chef configures this store to sync secrets with chef
                      server
                    properties:
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against chef Server
                        properties:
                          secretRef:
                            description: ChefAuthSecretRef holds secret references
                              for chef server login credentials.
                            properties:
                              privateKeySecretRef:
                                description: SecretKey is the Signing Key in PEM format,
                                  used for authentication.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - privateKeySecretRef
                            type: object
                        required:
                        - secretRef
                        type: object
                      serverUrl:
                        description: ServerURL is the chef server URL used to connect
                          to. If using orgs you should include your org in the url
                          and terminate the url with a "/"
                        type: string
                      username:
                        description: UserName should be the user ID on the chef server
                        type: string
                    required:
                    - auth
                    - serverUrl
                    - username
                    type: object
                  cloudrusm:
                    description: CloudruSM configures this store to sync secrets using
                      the Cloud.ru Secret Manager provider
                    properties:
                      auth:
                        description: CSMAuth contains a secretRef for credentials.
                        properties:
                          secretRef:
                            description: CSMAuthSecretRef holds secret references
                              for Cloud.ru credentials.
                            properties:
                              accessKeyIDSecretRef:
                                description: The AccessKeyID is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              accessKeySecretSecretRef:
                                description: The AccessKeySecret is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - accessKeyIDSecretRef
                            - accessKeySecretSecretRef
                            type: object
                        type: object
                      projectID:
                        description: ProjectID is the project, which the secrets are
                          stored in.
                        type: string
                    required:
                    - auth
                    type: object
                  conjur:
                    description: Conjur configures this store to sync secrets using
                      conjur provider
                    properties:
                      auth:
                        description: Defines authentication settings for connecting
                          to Conjur.
                        properties:
                          apikey:
                            description: Authenticates with Conjur using an API key.
                            properties:
                              account:
                                description: Account is the Conjur organization account
                                  name.
                                type: string
                              apiKeyRef:
                                description: |-
                                  A reference to a specific 'key' containing the Conjur API key
                                  within a Secret resource. In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              userRef:
                                description: |-
                                  A reference to a specific 'key' containing the Conjur username
                                  within a Secret resource. In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - account
                            - apiKeyRef
                            - userRef
                            type: object
                          jwt:
                            description: Jwt enables JWT authentication using Kubernetes
                              service account tokens.
                            properties:
                              account:
                                description: Account is the Conjur organization account
                                  name.
                                type: string
                              hostId:
                                description: |-
                                  Optional HostID for JWT authentication. This may be used depending
                                  on how the Conjur JWT authenticator policy is configured.
                                type: string
                              secretRef:
                                description: |-
                                  Optional SecretRef that refers to a key in a Secret resource containing JWT token to
                                  authenticate with Conjur using the JWT authentication method.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              serviceAccountRef:
                                description: |-
                                  Optional ServiceAccountRef specifies the Kubernetes service account for which to request
                                  a token for with the `TokenRequest` API.
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                required:
                                - name
                                type: object
                              serviceID:
                                description: The conjur authn jwt webservice id
                                type: string
                            required:
                            - account
                            - serviceID
                            type: object
                        type: object
                      caBundle:
                        description: CABundle is a PEM encoded CA bundle that will
                          be used to validate the Conjur server certificate.
                        type: string
                      caProvider:
                        description: |-
                          Used to provide custom certificate authority (CA) certificates
                          for a secret store. The CAProvider points to a Secret or ConfigMap resource
                          that contains a PEM-encoded certificate.
                        properties:
                          key:
                            description: The key where the CA certificate can be found
                              in the Secret or ConfigMap.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[-._a-zA-Z0-9]+$
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              The namespace the Provider type is in.
                              Can only be defined when used in a ClusterSecretStore.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      url:
                        description: URL is the endpoint of the Conjur instance.
                        type: string
                    required:
                    - auth
                    - url
                    type: object
                  delinea:
                    description: |-
                      Delinea DevOps Secrets Vault
                      https://docs.delinea.com/online-help/products/devops-secrets-vault/current
                    properties:
                      clientId:
                        description: ClientID is the non-secret part of the credential.
                        properties:
                          secretRef:
                            description: SecretRef references a key in a secret that
                              will be used as value.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          value:
                            description: Value can be specified directly to set a
                              value without using a secret.
                            type: string
                        type: object
                      clientSecret:
                        description: ClientSecret is the secret part of the credential.
                        properties:
                          secretRef:
                            description: SecretRef references a key in a secret that
                              will be used as value.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          value:
                            description: Value can be specified directly to set a
                              value without using a secret.
                            type: string
                        type: object
                      tenant:
                        description: Tenant is the chosen hostname / site name.
                        type: string
                      tld:
                        description: |-
                          TLD is based on the server location that was chosen during provisioning.
                          If unset, defaults to "com".
                        type: string
                      urlTemplate:
                        description: |-
                          URLTemplate
                          If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
                        type: string
                    required:
                    - clientId
                    - clientSecret
                    - tenant
                    type: object
                  device42:
                    description: Device42 configures this store to sync secrets using
                      the Device42 provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with a Device42 instance.
                        properties:
                          secretRef:
                            description: Device42SecretRef defines a reference to
                              a secret containing credentials for the Device42 provider.
                            properties:
                              credentials:
                                description: Username / Password is used for authentication.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            type: object
                        required:
                        - secretRef
                        type: object
                      host:
                        description: URL configures the Device42 instance URL.
                        type: string
                    required:
                    - auth
                    - host
                    type: object
                  doppler:
                    description: Doppler configures this store to sync secrets using
                      the Doppler provider
                    properties:
                      auth:
                        description: Auth configures how the Operator authenticates
                          with the Doppler API
                        properties:
                          secretRef:
                            description: DopplerAuthSecretRef defines a reference
                              to a secret containing credentials for the Doppler provider.
                            properties:
                              dopplerToken:
                                description: |-
                                  The DopplerToken is used for authentication.
                                  See https://docs.doppler.com/reference/api#authentication for auth token types.
                                  The Key attribute defaults to dopplerToken if not specified.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - dopplerToken
                            type: object
                        required:
                        - secretRef
                        type: object
                      config:
                        description: Doppler config (required if not using a Service
                          Token)
                        type: string
                      format:
                        description: Format enables the downloading of secrets as
                          a file (string)
                        enum:
                        - json
                        - dotnet-json
                        - env
                        - yaml
                        - docker
                        type: string
                      nameTransformer:
                        description: Environment variable compatible name transforms
                          that change secret names to a different format
                        enum:
                        - upper-camel
                        - camel
                        - lower-snake
                        - tf-var
                        - dotnet-env
                        - lower-kebab
                        type: string
                      project:
                        description: Doppler project (required if not using a Service
                          Token)
                        type: string
                    required:
                    - auth
                    type: object
                  fake:
                    description: Fake configures a store with static key/value pairs
                    properties:
                      data:
                        items:
                          description: FakeProviderData defines a key-value pair for
                            the fake provider used in testing.
                          properties:
                            key:
                              type: string
                            value:
                              type: string
                            version:
                              type: string
                          required:
                          - key
                          - value
                          type: object
                        type: array
                    required:
                    - data
                    type: object
                  fortanix:
                    description: Fortanix configures this store to sync secrets using
                      the Fortanix provider
                    properties:
                      apiKey:
                        description: APIKey is the API token to access SDKMS Applications.
                        properties:
                          secretRef:
                            description: SecretRef is a reference to a secret containing
                              the SDKMS API Key.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        type: object
                      apiUrl:
                        description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
                        type: string
                    type: object
                  gcpsm:
                    description: GCPSM configures this store to sync secrets using
                      Google Cloud Platform Secret Manager provider
                    properties:
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against GCP
                        properties:
                          secretRef:
                            description: GCPSMAuthSecretRef defines a reference to
                              a secret containing credentials for the GCP Secret Manager
                              provider.
                            properties:
                              secretAccessKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            type: object
                          workloadIdentity:
                            description: GCPWorkloadIdentity defines configuration
                              for using GCP Workload Identity authentication.
                            properties:
                              clusterLocation:
                                description: |-
                                  ClusterLocation is the location of the cluster
                                  If not specified, it fetches information from the metadata server
                                type: string
                              clusterName:
                                description: |-
                                  ClusterName is the name of the cluster
                                  If not specified, it fetches information from the metadata server
                                type: string
                              clusterProjectID:
                                description: |-
                                  ClusterProjectID is the project ID of the cluster
                                  If not specified, it fetches information from the metadata server
                                type: string
                              serviceAccountRef:
                                description: ServiceAccountSelector is a reference
                                  to a ServiceAccount resource.
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - serviceAccountRef
                            type: object
                        type: object
                      location:
                        description: Location optionally defines a location for a
                          secret
                        type: string
                      projectID:
                        description: ProjectID project where secret is located
                        type: string
                    type: object
                  github:
                    description: Github configures this store to push GitHub Actions
                      secrets using the GitHub API provider.
                    properties:
                      appID:
                        description: appID specifies the Github APP that will be used
                          to authenticate the client
                        format: int64
                        type: integer
                      auth:
                        description: auth configures how secret-manager authenticates
                          with a Github instance.
                        properties:
                          privateKey:
                            description: |-
                              SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                              In some instances, `key` is a required field.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        required:
                        - privateKey
                        type: object
                      environment:
                        description: environment will be used to fetch secrets from
                          a particular environment within a github repository
                        type: string
                      installationID:
                        description: installationID specifies the Github APP installation
                          that will be used to authenticate the client
                        format: int64
                        type: integer
                      organization:
                        description: organization will be used to fetch secrets from
                          the Github organization
                        type: string
                      repository:
                        description: repository will be used to fetch secrets from
                          the Github repository within an organization
                        type: string
                      uploadURL:
                        description: Upload URL for enterprise instances. Default
                          to URL.
                        type: string
                      url:
                        default: https://github.com/
                        description: URL configures the Github instance URL. Defaults
                          to https://github.com/.
                        type: string
                    required:
                    - appID
                    - auth
                    - installationID
                    - organization
                    type: object
                  gitlab:
                    description: GitLab configures this store to sync secrets using
                      GitLab Variables provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with a GitLab instance.
                        properties:
                          SecretRef:
                            description: GitlabSecretRef defines a reference to a
                              secret containing credentials for the GitLab provider.
                            properties:
                              accessToken:
                                description: AccessToken is used for authentication.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            type: object
                        required:
                        - SecretRef
                        type: object
                      caBundle:
                        description: |-
                          Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
                          can be performed.
                        format: byte
                        type: string
                      caProvider:
                        description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
                        properties:
                          key:
                            description: The key where the CA certificate can be found
                              in the Secret or ConfigMap.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[-._a-zA-Z0-9]+$
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              The namespace the Provider type is in.
                              Can only be defined when used in a ClusterSecretStore.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      environment:
                        description: Environment environment_scope of gitlab CI/CD
                          variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment
                          on how to create environments)
                        type: string
                      groupIDs:
                        description: GroupIDs specify, which gitlab groups to pull
                          secrets from. Group secrets are read from left to right
                          followed by the project variables.
                        items:
                          type: string
                        type: array
                      inheritFromGroups:
                        description: InheritFromGroups specifies whether parent groups
                          should be discovered and checked for secrets.
                        type: boolean
                      projectID:
                        description: ProjectID specifies a project where secrets are
                          located.
                        type: string
                      url:
                        description: URL configures the GitLab instance URL. Defaults
                          to https://gitlab.com/.
                        type: string
                    required:
                    - auth
                    type: object
                  ibm:
                    description: IBM configures this store to sync secrets using IBM
                      Cloud provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with the IBM secrets manager.
                        maxProperties: 1
                        minProperties: 1
                        properties:
                          containerAuth:
                            description: IBMAuthContainerAuth defines authentication
                              using IBM Container-based auth with IAM Trusted Profile.
                            properties:
                              iamEndpoint:
                                type: string
                              profile:
                                description: the IBM Trusted Profile
                                type: string
                              tokenLocation:
                                description: Location the token is mounted on the
                                  pod
                                type: string
                            required:
                            - profile
                            type: object
                          secretRef:
                            description: IBMAuthSecretRef defines a reference to a
                              secret containing credentials for the IBM provider.
                            properties:
                              secretApiKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            type: object
                        type: object
                      serviceUrl:
                        description: ServiceURL is the Endpoint URL that is specific
                          to the Secrets Manager service instance
                        type: string
                    required:
                    - auth
                    type: object
                  infisical:
                    description: Infisical configures this store to sync secrets using
                      the Infisical provider
                    properties:
                      auth:
                        description: Auth configures how the Operator authenticates
                          with the Infisical API
                        properties:
                          universalAuthCredentials:
                            description: UniversalAuthCredentials defines the credentials
                              for Infisical Universal Auth.
                            properties:
                              clientId:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              clientSecret:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - clientId
                            - clientSecret
                            type: object
                        type: object
                      hostAPI:
                        default: https://app.infisical.com/api
                        description: HostAPI specifies the base URL of the Infisical
                          API. If not provided, it defaults to "https://app.infisical.com/api".
                        type: string
                      secretsScope:
                        description: SecretsScope defines the scope of the secrets
                          within the workspace
                        properties:
                          environmentSlug:
                            description: EnvironmentSlug is the required slug identifier
                              for the environment.
                            type: string
                          expandSecretReferences:
                            default: true
                            description: ExpandSecretReferences indicates whether
                              secret references should be expanded. Defaults to true
                              if not provided.
                            type: boolean
                          projectSlug:
                            description: ProjectSlug is the required slug identifier
                              for the project.
                            type: string
                          recursive:
                            default: false
                            description: Recursive indicates whether the secrets should
                              be fetched recursively. Defaults to false if not provided.
                            type: boolean
                          secretsPath:
                            default: /
                            description: SecretsPath specifies the path to the secrets
                              within the workspace. Defaults to "/" if not provided.
                            type: string
                        required:
                        - environmentSlug
                        - projectSlug
                        type: object
                    required:
                    - auth
                    - secretsScope
                    type: object
                  keepersecurity:
                    description: KeeperSecurity configures this store to sync secrets
                      using the KeeperSecurity provider
                    properties:
                      authRef:
                        description: |-
                          SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                          In some instances, `key` is a required field.
                        properties:
                          key:
                            description: |-
                              A key in the referenced Secret.
                              Some instances of this field may be defaulted, in others it may be required.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[-._a-zA-Z0-9]+$
                            type: string
                          name:
                            description: The name of the Secret resource being referred
                              to.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              The namespace of the Secret resource being referred to.
                              Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                        type: object
                      folderID:
                        type: string
                    required:
                    - authRef
                    - folderID
                    type: object
                  kubernetes:
                    description: Kubernetes configures this store to sync secrets
                      using a Kubernetes cluster provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with a Kubernetes instance.
                        maxProperties: 1
                        minProperties: 1
                        properties:
                          cert:
                            description: has both clientCert and clientKey as secretKeySelector
                            properties:
                              clientCert:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              clientKey:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            type: object
                          serviceAccount:
                            description: points to a service account that should be
                              used for authentication
                            properties:
                              audiences:
                                description: |-
                                  Audience specifies the `aud` claim for the service account token
                                  If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                  then this audiences will be appended to the list
                                items:
                                  type: string
                                type: array
                              name:
                                description: The name of the ServiceAccount resource
                                  being referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  Namespace of the resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            required:
                            - name
                            type: object
                          token:
                            description: use static token to authenticate with
                            properties:
                              bearerToken:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            type: object
                        type: object
                      authRef:
                        description: A reference to a secret that contains the auth
                          information.
                        properties:
                          key:
                            description: |-
                              A key in the referenced Secret.
                              Some instances of this field may be defaulted, in others it may be required.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[-._a-zA-Z0-9]+$
                            type: string
                          name:
                            description: The name of the Secret resource being referred
                              to.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              The namespace of the Secret resource being referred to.
                              Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                        type: object
                      remoteNamespace:
                        default: default
                        description: Remote namespace to fetch the secrets from
                        maxLength: 63
                        minLength: 1
                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                        type: string
                      server:
                        description: configures the Kubernetes server Address.
                        properties:
                          caBundle:
                            description: CABundle is a base64-encoded CA certificate
                            format: byte
                            type: string
                          caProvider:
                            description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
                            properties:
                              key:
                                description: The key where the CA certificate can
                                  be found in the Secret or ConfigMap.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the object located at the
                                  provider type.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace the Provider type is in.
                                  Can only be defined when used in a ClusterSecretStore.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                              type:
                                description: The type of provider to use such as "Secret",
                                  or "ConfigMap".
                                enum:
                                - Secret
                                - ConfigMap
                                type: string
                            required:
                            - name
                            - type
                            type: object
                          url:
                            default: kubernetes.default
                            description: configures the Kubernetes server Address.
                            type: string
                        type: object
                    type: object
                  onboardbase:
                    description: Onboardbase configures this store to sync secrets
                      using the Onboardbase provider
                    properties:
                      apiHost:
                        default: https://public.onboardbase.com/api/v1/
                        description: APIHost use this to configure the host url for
                          the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
                        type: string
                      auth:
                        description: Auth configures how the Operator authenticates
                          with the Onboardbase API
                        properties:
                          apiKeyRef:
                            description: |-
                              OnboardbaseAPIKey is the APIKey generated by an admin account.
                              It is used to recognize and authorize access to a project and environment within onboardbase
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          passcodeRef:
                            description: OnboardbasePasscode is the passcode attached
                              to the API Key
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        required:
                        - apiKeyRef
                        - passcodeRef
                        type: object
                      environment:
                        default: development
                        description: Environment is the name of an environmnent within
                          a project to pull the secrets from
                        type: string
                      project:
                        default: development
                        description: Project is an onboardbase project that the secrets
                          should be pulled from
                        type: string
                    required:
                    - apiHost
                    - auth
                    - environment
                    - project
                    type: object
                  onepassword:
                    description: OnePassword configures this store to sync secrets
                      using the 1Password Cloud provider
                    properties:
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against OnePassword Connect Server
                        properties:
                          secretRef:
                            description: OnePasswordAuthSecretRef holds secret references
                              for 1Password credentials.
                            properties:
                              connectTokenSecretRef:
                                description: The ConnectToken is used for authentication
                                  to a 1Password Connect Server.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - connectTokenSecretRef
                            type: object
                        required:
                        - secretRef
                        type: object
                      connectHost:
                        description: ConnectHost defines the OnePassword Connect Server
                          to connect to
                        type: string
                      vaults:
                        additionalProperties:
                          type: integer
                        description: Vaults defines which OnePassword vaults to search
                          in which order
                        type: object
                    required:
                    - auth
                    - connectHost
                    - vaults
                    type: object
                  oracle:
                    description: Oracle configures this store to sync secrets using
                      Oracle Vault provider
                    properties:
                      auth:
                        description: |-
                          Auth configures how secret-manager authenticates with the Oracle Vault.
                          If empty, use the instance principal, otherwise the user credentials specified in Auth.
                        properties:
                          secretRef:
                            description: SecretRef to pass through sensitive information.
                            properties:
                              fingerprint:
                                description: Fingerprint is the fingerprint of the
                                  API private key.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              privatekey:
                                description: PrivateKey is the user's API Signing
                                  Key in PEM format, used for authentication.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - fingerprint
                            - privatekey
                            type: object
                          tenancy:
                            description: Tenancy is the tenancy OCID where user is
                              located.
                            type: string
                          user:
                            description: User is an access OCID specific to the account.
                            type: string
                        required:
                        - secretRef
                        - tenancy
                        - user
                        type: object
                      compartment:
                        description: |-
                          Compartment is the vault compartment OCID.
                          Required for PushSecret
                        type: string
                      encryptionKey:
                        description: |-
                          EncryptionKey is the OCID of the encryption key within the vault.
                          Required for PushSecret
                        type: string
                      principalType:
                        description: |-
                          The type of principal to use for authentication. If left blank, the Auth struct will
                          determine the principal type. This optional field must be specified if using
                          workload identity.
                        enum:
                        - ""
                        - UserPrincipal
                        - InstancePrincipal
                        - Workload
                        type: string
                      region:
                        description: Region is the region where vault is located.
                        type: string
                      serviceAccountRef:
                        description: |-
                          ServiceAccountRef specified the service account
                          that should be used when authenticating with WorkloadIdentity.
                        properties:
                          audiences:
                            description: |-
                              Audience specifies the `aud` claim for the service account token
                              If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                              then this audiences will be appended to the list
                            items:
                              type: string
                            type: array
                          name:
                            description: The name of the ServiceAccount resource being
                              referred to.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              Namespace of the resource being referred to.
                              Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                        required:
                        - name
                        type: object
                      vault:
                        description: Vault is the vault's OCID of the specific vault
                          where secret is located.
                        type: string
                    required:
                    - region
                    - vault
                    type: object
                  passbolt:
                    description: PassboltProvider defines configuration for the Passbolt
                      provider.
                    properties:
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against Passbolt Server
                        properties:
                          passwordSecretRef:
                            description: PasswordSecretRef is a reference to the secret
                              containing the Passbolt password
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          privateKeySecretRef:
                            description: PrivateKeySecretRef is a reference to the
                              secret containing the Passbolt private key
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        required:
                        - passwordSecretRef
                        - privateKeySecretRef
                        type: object
                      host:
                        description: Host defines the Passbolt Server to connect to
                        type: string
                    required:
                    - auth
                    - host
                    type: object
                  passworddepot:
                    description: PasswordDepotProvider configures a store to sync
                      secrets with a Password Depot instance.
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with a Password Depot instance.
                        properties:
                          secretRef:
                            description: PasswordDepotSecretRef defines a reference
                              to a secret containing credentials for the Password
                              Depot provider.
                            properties:
                              credentials:
                                description: Username / Password is used for authentication.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            type: object
                        required:
                        - secretRef
                        type: object
                      database:
                        description: Database to use as source
                        type: string
                      host:
                        description: URL configures the Password Depot instance URL.
                        type: string
                    required:
                    - auth
                    - database
                    - host
                    type: object
                  previder:
                    description: Previder configures this store to sync secrets using
                      the Previder provider
                    properties:
                      auth:
                        description: PreviderAuth contains a secretRef for credentials.
                        properties:
                          secretRef:
                            description: PreviderAuthSecretRef holds secret references
                              for Previder Vault credentials.
                            properties:
                              accessToken:
                                description: The AccessToken is used for authentication
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - accessToken
                            type: object
                        type: object
                      baseUri:
                        type: string
                    required:
                    - auth
                    type: object
                  pulumi:
                    description: Pulumi configures this store to sync secrets using
                      the Pulumi provider
                    properties:
                      accessToken:
                        description: AccessToken is the access tokens to sign in to
                          the Pulumi Cloud Console.
                        properties:
                          secretRef:
                            description: SecretRef is a reference to a secret containing
                              the Pulumi API token.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        type: object
                      apiUrl:
                        default: https://api.pulumi.com/api/esc
                        description: APIURL is the URL of the Pulumi API.
                        type: string
                      environment:
                        description: |-
                          Environment are YAML documents composed of static key-value pairs, programmatic expressions,
                          dynamically retrieved values from supported providers including all major clouds,
                          and other Pulumi ESC environments.
                          To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
                        type: string
                      organization:
                        description: |-
                          Organization are a space to collaborate on shared projects and stacks.
                          To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
                        type: string
                      project:
                        description: Project is the name of the Pulumi ESC project
                          the environment belongs to.
                        type: string
                    required:
                    - accessToken
                    - environment
                    - organization
                    - project
                    type: object
                  scaleway:
                    description: Scaleway configures this store to sync secrets using
                      the Scaleway provider.
                    properties:
                      accessKey:
                        description: AccessKey is the non-secret part of the api key.
                        properties:
                          secretRef:
                            description: SecretRef references a key in a secret that
                              will be used as value.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          value:
                            description: Value can be specified directly to set a
                              value without using a secret.
                            type: string
                        type: object
                      apiUrl:
                        description: APIURL is the url of the api to use. Defaults
                          to https://api.scaleway.com
                        type: string
                      projectId:
                        description: 'ProjectID is the id of your project, which you
                          can find in the console: https://console.scaleway.com/project/settings'
                        type: string
                      region:
                        description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
                        type: string
                      secretKey:
                        description: SecretKey is the non-secret part of the api key.
                        properties:
                          secretRef:
                            description: SecretRef references a key in a secret that
                              will be used as value.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          value:
                            description: Value can be specified directly to set a
                              value without using a secret.
                            type: string
                        type: object
                    required:
                    - accessKey
                    - projectId
                    - region
                    - secretKey
                    type: object
                  secretserver:
                    description: |-
                      SecretServer configures this store to sync secrets using SecretServer provider
                      https://docs.delinea.com/online-help/secret-server/start.htm
                    properties:
                      password:
                        description: Password is the secret server account password.
                        properties:
                          secretRef:
                            description: SecretRef references a key in a secret that
                              will be used as value.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          value:
                            description: Value can be specified directly to set a
                              value without using a secret.
                            type: string
                        type: object
                      serverURL:
                        description: |-
                          ServerURL
                          URL to your secret server installation
                        type: string
                      username:
                        description: Username is the secret server account username.
                        properties:
                          secretRef:
                            description: SecretRef references a key in a secret that
                              will be used as value.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          value:
                            description: Value can be specified directly to set a
                              value without using a secret.
                            type: string
                        type: object
                    required:
                    - password
                    - serverURL
                    - username
                    type: object
                  senhasegura:
                    description: Senhasegura configures this store to sync secrets
                      using senhasegura provider
                    properties:
                      auth:
                        description: Auth defines parameters to authenticate in senhasegura
                        properties:
                          clientId:
                            type: string
                          clientSecretSecretRef:
                            description: |-
                              SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                              In some instances, `key` is a required field.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        required:
                        - clientId
                        - clientSecretSecretRef
                        type: object
                      ignoreSslCertificate:
                        default: false
                        description: IgnoreSslCertificate defines if SSL certificate
                          must be ignored
                        type: boolean
                      module:
                        description: Module defines which senhasegura module should
                          be used to get secrets
                        type: string
                      url:
                        description: URL of senhasegura
                        type: string
                    required:
                    - auth
                    - module
                    - url
                    type: object
                  vault:
                    description: Vault configures this store to sync secrets using
                      the HashiCorp Vault provider.
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with the Vault server.
                        properties:
                          appRole:
                            description: |-
                              AppRole authenticates with Vault using the App Role auth mechanism,
                              with the role and secret stored in a Kubernetes Secret resource.
                            properties:
                              path:
                                default: approle
                                description: |-
                                  Path where the App Role authentication backend is mounted
                                  in Vault, e.g: "approle"
                                type: string
                              roleId:
                                description: |-
                                  RoleID configured in the App Role authentication backend when setting
                                  up the authentication backend in Vault.
                                type: string
                              roleRef:
                                description: |-
                                  Reference to a key in a Secret that contains the App Role ID used
                                  to authenticate with Vault.
                                  The `key` field must be specified and denotes which entry within the Secret
                                  resource is used as the app role id.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              secretRef:
                                description: |-
                                  Reference to a key in a Secret that contains the App Role secret used
                                  to authenticate with Vault.
                                  The `key` field must be specified and denotes which entry within the Secret
                                  resource is used as the app role secret.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - path
                            - secretRef
                            type: object
                          cert:
                            description: |-
                              Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
                              Cert authentication method
                            properties:
                              clientCert:
                                description: |-
                                  ClientCert is a certificate to authenticate using the Cert Vault
                                  authentication method
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              secretRef:
                                description: |-
                                  SecretRef to a key in a Secret resource containing client private key to
                                  authenticate with Vault using the Cert authentication method
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            type: object
                          iam:
                            description: |-
                              Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
                              AWS IAM authentication method
                            properties:
                              externalID:
                                description: AWS External ID set on assumed IAM roles
                                type: string
                              jwt:
                                description: Specify a service account with IRSA enabled
                                properties:
                                  serviceAccountRef:
                                    description: ServiceAccountSelector is a reference
                                      to a ServiceAccount resource.
                                    properties:
                                      audiences:
                                        description: |-
                                          Audience specifies the `aud` claim for the service account token
                                          If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                          then this audiences will be appended to the list
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: The name of the ServiceAccount
                                          resource being referred to.
                                        maxLength: 253
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                        type: string
                                      namespace:
                                        description: |-
                                          Namespace of the resource being referred to.
                                          Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                        maxLength: 63
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                        type: string
                                    required:
                                    - name
                                    type: object
                                type: object
                              path:
                                description: 'Path where the AWS auth method is enabled
                                  in Vault, e.g: "aws"'
                                type: string
                              region:
                                description: AWS region
                                type: string
                              role:
                                description: This is the AWS role to be assumed before
                                  talking to vault
                                type: string
                              secretRef:
                                description: Specify credentials in a Secret object
                                properties:
                                  accessKeyIDSecretRef:
                                    description: The AccessKeyID is used for authentication
                                    properties:
                                      key:
                                        description: |-
                                          A key in the referenced Secret.
                                          Some instances of this field may be defaulted, in others it may be required.
                                        maxLength: 253
                                        minLength: 1
                                        pattern: ^[-._a-zA-Z0-9]+$
                                        type: string
                                      name:
                                        description: The name of the Secret resource
                                          being referred to.
                                        maxLength: 253
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                        type: string
                                      namespace:
                                        description: |-
                                          The namespace of the Secret resource being referred to.
                                          Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                        maxLength: 63
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                        type: string
                                    type: object
                                  secretAccessKeySecretRef:
                                    description: The SecretAccessKey is used for authentication
                                    properties:
                                      key:
                                        description: |-
                                          A key in the referenced Secret.
                                          Some instances of this field may be defaulted, in others it may be required.
                                        maxLength: 253
                                        minLength: 1
                                        pattern: ^[-._a-zA-Z0-9]+$
                                        type: string
                                      name:
                                        description: The name of the Secret resource
                                          being referred to.
                                        maxLength: 253
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                        type: string
                                      namespace:
                                        description: |-
                                          The namespace of the Secret resource being referred to.
                                          Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                        maxLength: 63
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                        type: string
                                    type: object
                                  sessionTokenSecretRef:
                                    description: |-
                                      The SessionToken used for authentication
                                      This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
                                      see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
                                    properties:
                                      key:
                                        description: |-
                                          A key in the referenced Secret.
                                          Some instances of this field may be defaulted, in others it may be required.
                                        maxLength: 253
                                        minLength: 1
                                        pattern: ^[-._a-zA-Z0-9]+$
                                        type: string
                                      name:
                                        description: The name of the Secret resource
                                          being referred to.
                                        maxLength: 253
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                        type: string
                                      namespace:
                                        description: |-
                                          The namespace of the Secret resource being referred to.
                                          Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                        maxLength: 63
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                        type: string
                                    type: object
                                type: object
                              vaultAwsIamServerID:
                                description: 'X-Vault-AWS-IAM-Server-ID is an additional
                                  header used by Vault IAM auth method to mitigate
                                  against different types of replay attacks. More
                                  details here: https://developer.hashicorp.com/vault/docs/auth/aws'
                                type: string
                              vaultRole:
                                description: Vault Role. In vault, a role describes
                                  an identity with a set of permissions, groups, or
                                  policies you want to attach a user of the secrets
                                  engine
                                type: string
                            required:
                            - vaultRole
                            type: object
                          jwt:
                            description: |-
                              Jwt authenticates with Vault by passing role and JWT token using the
                              JWT/OIDC authentication method
                            properties:
                              kubernetesServiceAccountToken:
                                description: |-
                                  Optional ServiceAccountToken specifies the Kubernetes service account for which to request
                                  a token for with the `TokenRequest` API.
                                properties:
                                  audiences:
                                    description: |-
                                      Optional audiences field that will be used to request a temporary Kubernetes service
                                      account token for the service account referenced by `serviceAccountRef`.
                                      Defaults to a single audience `vault` it not specified.

                                      Deprecated: use serviceAccountRef.Audiences instead
                                    items:
                                      type: string
                                    type: array
                                  expirationSeconds:
                                    description: |-
                                      Optional expiration time in seconds that will be used to request a temporary
                                      Kubernetes service account token for the service account referenced by
                                      `serviceAccountRef`.

                                      Deprecated: this will be removed in the future.
                                      Defaults to 10 minutes.
                                    format: int64
                                    type: integer
                                  serviceAccountRef:
                                    description: Service account field containing
                                      the name of a kubernetes ServiceAccount.
                                    properties:
                                      audiences:
                                        description: |-
                                          Audience specifies the `aud` claim for the service account token
                                          If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                          then this audiences will be appended to the list
                                        items:
                                          type: string
                                        type: array
                                      name:
                                        description: The name of the ServiceAccount
                                          resource being referred to.
                                        maxLength: 253
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                        type: string
                                      namespace:
                                        description: |-
                                          Namespace of the resource being referred to.
                                          Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                        maxLength: 63
                                        minLength: 1
                                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                        type: string
                                    required:
                                    - name
                                    type: object
                                required:
                                - serviceAccountRef
                                type: object
                              path:
                                default: jwt
                                description: |-
                                  Path where the JWT authentication backend is mounted
                                  in Vault, e.g: "jwt"
                                type: string
                              role:
                                description: |-
                                  Role is a JWT role to authenticate using the JWT/OIDC Vault
                                  authentication method
                                type: string
                              secretRef:
                                description: |-
                                  Optional SecretRef that refers to a key in a Secret resource containing JWT token to
                                  authenticate with Vault using the JWT/OIDC authentication method.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - path
                            type: object
                          kubernetes:
                            description: |-
                              Kubernetes authenticates with Vault by passing the ServiceAccount
                              token stored in the named Secret resource to the Vault server.
                            properties:
                              mountPath:
                                default: kubernetes
                                description: |-
                                  Path where the Kubernetes authentication backend is mounted in Vault, e.g:
                                  "kubernetes"
                                type: string
                              role:
                                description: |-
                                  A required field containing the Vault Role to assume. A Role binds a
                                  Kubernetes ServiceAccount with a set of Vault policies.
                                type: string
                              secretRef:
                                description: |-
                                  Optional secret field containing a Kubernetes ServiceAccount JWT used
                                  for authenticating with Vault. If a name is specified without a key,
                                  `token` is the default. If one is not specified, the one bound to
                                  the controller will be used.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              serviceAccountRef:
                                description: |-
                                  Optional service account field containing the name of a kubernetes ServiceAccount.
                                  If the service account is specified, the service account secret token JWT will be used
                                  for authenticating with Vault. If the service account selector is not supplied,
                                  the secretRef will be used instead.
                                properties:
                                  audiences:
                                    description: |-
                                      Audience specifies the `aud` claim for the service account token
                                      If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
                                      then this audiences will be appended to the list
                                    items:
                                      type: string
                                    type: array
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      Namespace of the resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - mountPath
                            - role
                            type: object
                          ldap:
                            description: |-
                              Ldap authenticates with Vault by passing username/password pair using
                              the LDAP authentication method
                            properties:
                              path:
                                default: ldap
                                description: |-
                                  Path where the LDAP authentication backend is mounted
                                  in Vault, e.g: "ldap"
                                type: string
                              secretRef:
                                description: |-
                                  SecretRef to a key in a Secret resource containing password for the LDAP
                                  user used to authenticate with Vault using the LDAP authentication
                                  method
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              username:
                                description: |-
                                  Username is an LDAP username used to authenticate using the LDAP Vault
                                  authentication method
                                type: string
                            required:
                            - path
                            - username
                            type: object
                          namespace:
                            description: |-
                              Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
                              Namespaces is a set of features within Vault Enterprise that allows
                              Vault environments to support Secure Multi-tenancy. e.g: "ns1".
                              More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
                              This will default to Vault.Namespace field if set, or empty otherwise
                            type: string
                          tokenSecretRef:
                            description: TokenSecretRef authenticates with Vault by
                              presenting a token.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          userPass:
                            description: UserPass authenticates with Vault by passing
                              username/password pair
                            properties:
                              path:
                                default: userpass
                                description: |-
                                  Path where the UserPassword authentication backend is mounted
                                  in Vault, e.g: "userpass"
                                type: string
                              secretRef:
                                description: |-
                                  SecretRef to a key in a Secret resource containing password for the
                                  user used to authenticate with Vault using the UserPass authentication
                                  method
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              username:
                                description: |-
                                  Username is a username used to authenticate using the UserPass Vault
                                  authentication method
                                type: string
                            required:
                            - path
                            - username
                            type: object
                        type: object
                      caBundle:
                        description: |-
                          PEM encoded CA bundle used to validate Vault server certificate. Only used
                          if the Server URL is using HTTPS protocol. This parameter is ignored for
                          plain HTTP protocol connection. If not set the system root certificates
                          are used to validate the TLS connection.
                        format: byte
                        type: string
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Vault server certificate.
                        properties:
                          key:
                            description: The key where the CA certificate can be found
                              in the Secret or ConfigMap.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[-._a-zA-Z0-9]+$
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: |-
                              The namespace the Provider type is in.
                              Can only be defined when used in a ClusterSecretStore.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      forwardInconsistent:
                        description: |-
                          ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
                          leader instead of simply retrying within a loop. This can increase performance if
                          the option is enabled serverside.
                          https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
                        type: boolean
                      headers:
                        additionalProperties:
                          type: string
                        description: Headers to be added in Vault request
                        type: object
                      namespace:
                        description: |-
                          Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
                          Vault environments to support Secure Multi-tenancy. e.g: "ns1".
                          More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
                        type: string
                      path:
                        description: |-
                          Path is the mount path of the Vault KV backend endpoint, e.g:
                          "secret". The v2 KV secret engine version specific "/data" path suffix
                          for fetching secrets from Vault is optional and will be appended
                          if not present in specified path.
                        type: string
                      readYourWrites:
                        description: |-
                          ReadYourWrites ensures isolated read-after-write semantics by
                          providing discovered cluster replication states in each request.
                          More information about eventual consistency in Vault can be found here
                          https://www.vaultproject.io/docs/enterprise/consistency
                        type: boolean
                      server:
                        description: 'Server is the connection address for the Vault
                          server, e.g: "https://vault.example.com:8200".'
                        type: string
                      tls:
                        description: |-
                          The configuration used for client side related TLS communication, when the Vault server
                          requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
                          This parameter is ignored for plain HTTP protocol connection.
                          It's worth noting this configuration is different from the "TLS certificates auth method",
                          which is available under the `auth.cert` section.
                        properties:
                          certSecretRef:
                            description: |-
                              CertSecretRef is a certificate added to the transport layer
                              when communicating with the Vault server.
                              If no key for the Secret is specified, external-secret will default to 'tls.crt'.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                          keySecretRef:
                            description: |-
                              KeySecretRef to a key in a Secret resource containing client private key
                              added to the transport layer when communicating with the Vault server.
                              If no key for the Secret is specified, external-secret will default to 'tls.key'.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        type: object
                      version:
                        default: v2
                        description: |-
                          Version is the Vault KV secret engine version. This can be either "v1" or
                          "v2". Version defaults to "v2".
                        enum:
                        - v1
                        - v2
                        type: string
                    required:
                    - server
                    type: object
                  webhook:
                    description: Webhook configures this store to sync secrets using
                      a generic templated webhook
                    properties:
                      auth:
                        description: Auth specifies a authorization protocol. Only
                          one protocol may be set.
                        maxProperties: 1
                        minProperties: 1
                        properties:
                          ntlm:
                            description: NTLMProtocol configures the store to use
                              NTLM for auth
                            properties:
                              passwordSecret:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                              usernameSecret:
                                description: |-
                                  SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                                  In some instances, `key` is a required field.
                                properties:
                                  key:
                                    description: |-
                                      A key in the referenced Secret.
                                      Some instances of this field may be defaulted, in others it may be required.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[-._a-zA-Z0-9]+$
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    maxLength: 253
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                    type: string
                                  namespace:
                                    description: |-
                                      The namespace of the Secret resource being referred to.
                                      Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                    maxLength: 63
                                    minLength: 1
                                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                    type: string
                                type: object
                            required:
                            - passwordSecret
                            - usernameSecret
                            type: object
                        type: object
                      body:
                        description: Body
                        type: string
                      caBundle:
                        description: |-
                          PEM encoded CA bundle used to validate webhook server certificate. Only used
                          if the Server URL is using HTTPS protocol. This parameter is ignored for
                          plain HTTP protocol connection. If not set the system root certificates
                          are used to validate the TLS connection.
                        format: byte
                        type: string
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          webhook server certificate.
                        properties:
                          key:
                            description: The key where the CA certificate can be found
                              in the Secret or ConfigMap.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[-._a-zA-Z0-9]+$
                            type: string
                          name:
                            description: The name of the object located at the provider
                              type.
                            maxLength: 253
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          namespace:
                            description: The namespace the Provider type is in.
                            maxLength: 63
                            minLength: 1
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                            type: string
                          type:
                            description: The type of provider to use such as "Secret",
                              or "ConfigMap".
                            enum:
                            - Secret
                            - ConfigMap
                            type: string
                        required:
                        - name
                        - type
                        type: object
                      headers:
                        additionalProperties:
                          type: string
                        description: Headers
                        type: object
                      method:
                        description: Webhook Method
                        type: string
                      result:
                        description: Result formatting
                        properties:
                          jsonPath:
                            description: Json path of return value
                            type: string
                        type: object
                      secrets:
                        description: |-
                          Secrets to fill in templates
                          These secrets will be passed to the templating function as key value pairs under the given name
                        items:
                          description: WebhookSecret defines a secret to be used in
                            webhook templates.
                          properties:
                            name:
                              description: Name of this secret in templates
                              type: string
                            secretRef:
                              description: Secret ref to fill in credentials
                              properties:
                                key:
                                  description: |-
                                    A key in the referenced Secret.
                                    Some instances of this field may be defaulted, in others it may be required.
                                  maxLength: 253
                                  minLength: 1
                                  pattern: ^[-._a-zA-Z0-9]+$
                                  type: string
                                name:
                                  description: The name of the Secret resource being
                                    referred to.
                                  maxLength: 253
                                  minLength: 1
                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                  type: string
                                namespace:
                                  description: |-
                                    The namespace of the Secret resource being referred to.
                                    Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                  maxLength: 63
                                  minLength: 1
                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                  type: string
                              type: object
                          required:
                          - name
                          - secretRef
                          type: object
                        type: array
                      timeout:
                        description: Timeout
                        type: string
                      url:
                        description: Webhook url to call
                        type: string
                    required:
                    - result
                    - url
                    type: object
                  yandexcertificatemanager:
                    description: YandexCertificateManager configures this store to
                      sync secrets using Yandex Certificate Manager provider
                    properties:
                      apiEndpoint:
                        description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
                        type: string
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against Yandex Certificate Manager
                        properties:
                          authorizedKeySecretRef:
                            description: The authorized key used for authentication
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        type: object
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Yandex.Cloud server certificate.
                        properties:
                          certSecretRef:
                            description: |-
                              SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                              In some instances, `key` is a required field.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        type: object
                    required:
                    - auth
                    type: object
                  yandexlockbox:
                    description: YandexLockbox configures this store to sync secrets
                      using Yandex Lockbox provider
                    properties:
                      apiEndpoint:
                        description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
                        type: string
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against Yandex Lockbox
                        properties:
                          authorizedKeySecretRef:
                            description: The authorized key used for authentication
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        type: object
                      caProvider:
                        description: The provider for the CA bundle to use to validate
                          Yandex.Cloud server certificate.
                        properties:
                          certSecretRef:
                            description: |-
                              SecretKeySelector is a reference to a specific 'key' within a Secret resource.
                              In some instances, `key` is a required field.
                            properties:
                              key:
                                description: |-
                                  A key in the referenced Secret.
                                  Some instances of this field may be defaulted, in others it may be required.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[-._a-zA-Z0-9]+$
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                maxLength: 253
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                type: string
                              namespace:
                                description: |-
                                  The namespace of the Secret resource being referred to.
                                  Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
                                maxLength: 63
                                minLength: 1
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            type: object
                        type: object
                    required:
                    - auth
                    type: object
                type: object
              refreshInterval:
                description: Used to configure store refresh interval in seconds.
                  Empty or 0 will default to the controller config.
                type: integer
              retrySettings:
                description: Used to configure HTTP retries on failures.
                properties:
                  maxRetries:
                    description: MaxRetries is the maximum number of retry attempts.
                    format: int32
                    type: integer
                  retryInterval:
                    description: RetryInterval is the interval between retry attempts.
                    type: string
                type: object
            required:
            - provider
            type: object
          status:
            description: SecretStoreStatus defines the observed state of the SecretStore.
            properties:
              capabilities:
                description: SecretStoreCapabilities defines the possible operations
                  a SecretStore can do.
                type: string
              conditions:
                items:
                  description: SecretStoreStatusCondition defines the observed condition
                    of the SecretStore.
                  properties:
                    lastTransitionTime:
                      format: date-time
                      type: string
                    message:
                      type: string
                    reason:
                      type: string
                    status:
                      type: string
                    type:
                      description: SecretStoreConditionType represents the condition
                        type of the SecretStore.
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
            type: object
        type: object
    served: false
    storage: false
    subresources:
      status: {}